
I'm currently on a pentest and I've come across a URL parameter which is vulnerable to Expression Language (EL) injection; I can prove that by accessing properties such as ${pageContext}.

However, it appears that I have access to Java object properties, but I'm not able to call methods. I know people have been able to do this, but it seems that whenever I insert parentheses the application prevents the Java execution.

Is there anything that I am obviously missing or any ideas how I can overcome this issue?

A sample of the payloads that I have tried:

${pageContext.servletContext.serverInfo} - Works
${requestScope[%27javax.servlet.forward.servlet_path%27]} - Works

${param.foo} - Works
${param.foo.toUpper()} - Fails
Anders
DarkMantis
  • Does [this](http://danamodio.com/appsec/research/spring-remote-code-with-expression-language-injection/) help? – paj28 Jun 06 '16 at 18:49
  • Unfortunately I have already read that and to be honest probably most of the articles online, before posting this question. Thanks anyway though! – DarkMantis Jun 07 '16 at 07:55
  • OK, is this a remote pen test? Do you have SSH access to the server? I guess the first step is to figure out exactly what EL you're hitting - I think it varies by container (Tomcat, Glassfish, etc.) and version. Can probably fingerprint using variables you can read if you don't have SSH. Also, figure out if any characters are filtered before hitting EL. My hunch is that code execution isn't possible in your scenario, but I'd give it a bit more testing before concluding that. – paj28 Jun 07 '16 at 22:35
  • Yes, this is a remote pentest, but it's a black-box test so I don't have access to the SSH creds. I will see what I can find from more digging around. Thanks for the info! – DarkMantis Jun 09 '16 at 09:33
