Overview
Summary
This writeup covers a successful collaboration with Dark9T (@UsmanMansha) on a private program hosted on Bugcrowd. We were able to bypass the Akamai WAF and achieve Remote Code Execution (P1) using Spring Expression Language (SpEL) injection on an application running Spring Boot. This was the second RCE via SSTI we found on this program; after the first one, the program put a WAF in front of the application, which we then bypassed in a different part of the application. Read on to find out how we did it!
Intro
Usman reached out to me on a Slack server where we are both members. They had found a potential SSTI but were not able to exploit it due to an Akamai WAF:
After a quick look, this seemed to be a case of the well-known Spring Boot error page issue described on GitHub here - note that, as far as I am aware, no CVE was ever issued for it. The vulnerability has been covered in various forms, for example by 0xdeadpoool on their blog here.
The basic principle of this bug is that the vulnerable versions of Spring Boot render the error message from the thrown Exception into the page using a SpEL (Spring Expression Language) template. Those versions evaluate the template recursively, so an error message which itself contains a valid SpEL expression (e.g. ${7*7}) is evaluated a second time when the error page is rendered - and the attacker controls that message whenever they control the input that triggers the exception.
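The mechanism described above, as an added illustration (this is not code from the original post, and not Spring Boot's actual SpelView implementation): a cut-down error-page renderer that evaluates a ${...} template against the model once and then, in the vulnerable variant, feeds the rendered text back through the evaluator. The template string, class name and the constructed exception message are assumptions for the demo; it needs spring-expression and spring-context on the classpath.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.context.expression.MapAccessor;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.ParserContext;
import org.springframework.expression.common.TemplateParserContext;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

/**
 * Added demo (not the post's code, not Spring Boot's SpelView): models the
 * Whitelabel error page bug. The page is a SpEL template; the bug is that the
 * text produced by the first evaluation is run through the evaluator again.
 */
public class ErrorPageSpelDemo {

    // Assumed shape of the error page template, heavily simplified.
    static final String TEMPLATE =
            "<h1>Whitelabel Error Page</h1><div>${message}</div>";

    static final ExpressionParser PARSER = new SpelExpressionParser();
    // TemplateParserContext: treat ${...} as expressions, everything else as literal text.
    static final ParserContext TEMPLATE_CTX = new TemplateParserContext();

    /** Vulnerable: evaluates the template, then re-evaluates the rendered result. */
    static String renderVulnerable(Map<String, Object> model) {
        StandardEvaluationContext ctx = new StandardEvaluationContext(model);
        ctx.addPropertyAccessor(new MapAccessor()); // lets ${message} read model.get("message")
        String firstPass = PARSER.parseExpression(TEMPLATE, TEMPLATE_CTX).getValue(ctx, String.class);
        // Second pass: any ${...} that arrived inside the exception message is now
        // parsed and evaluated with a full StandardEvaluationContext, where T(...)
        // type references and method calls are all available to the attacker.
        return PARSER.parseExpression(firstPass, TEMPLATE_CTX).getValue(ctx, String.class);
    }

    /** Hardened: a single pass, in a restricted context with no type references or method resolvers. */
    static String renderHardened(Map<String, Object> model) {
        SimpleEvaluationContext ctx = SimpleEvaluationContext
                .forPropertyAccessors(new MapAccessor())
                .withRootObject(model)
                .build();
        // The result is returned as-is; ${...} inside the message stays literal text.
        return PARSER.parseExpression(TEMPLATE, TEMPLATE_CTX).getValue(ctx, String.class);
    }

    public static void main(String[] args) {
        Map<String, Object> model = new LinkedHashMap<>();
        // Constructed exception message: the kind of text a request such as ?q=${7*7}
        // could cause the framework to echo into the error page.
        model.put("message", "Required String parameter 'q' is not valid: ${7*7}");

        System.out.println(renderVulnerable(model)); // ...'q' is not valid: 49</div>
        System.out.println(renderHardened(model));   // ...'q' is not valid: ${7*7}</div>
    }
}
```

The real fix is the single pass: user-supplied text must never be re-parsed as a template. SimpleEvaluationContext is defence in depth for the case where some evaluation of attacker text is unavoidable, since it has no TypeLocator and rejects T(java.lang.Runtime) outright, but arithmetic such as ${7*7} still evaluates inside it, so a "49" probe in the error text is not proof of RCE on its own.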
In this case we could see that the q parameter of the vulnerable URL supported injection of the form ${x*y} and returned the arithmetic result in the error text:
Steps with RCE via SpEL
If you haven't had experience with this type of vulnerable application before, I'd strongly suggest some practice using an application such as https://github.com/jzheaux/spel-injection where you can experiment with how SpEL is constructed and handled (and potentially secured) within Spring applications. While this application doesn't deal directly with this specific vulnerability, SpEL is used so often in the Spring Ecosystem it's worth some practice and familiarity with the code.
This blog won't introduce you to Spring Expression Language as the topic is quite complex; essentially it's a language which allows context-based navigation of Spring objects, similar to other server-side templating languages. It's used in many places across the various Spring Framework components, and the exact set of objects and data available depends heavily on where it's used. Typically you can invoke Java methods, construct objects, etc. - not as powerful as FreeMarker or Velocity, but similar in risk profile. You can read about SpEL and its syntax in the Spring reference documentation.
Generally the goal with SpEL injection is to end up with an invocation of java.lang.Runtime.exec or java.lang.ProcessBuilder.start, which executes an OS command of the attacker's choosing, using an expression something like the following:
${T(java.lang.Runtime).getRuntime().exec("<my command here>")}
If you want the output of the command, the expression gets a bit more complex, but let's start here.
A Quick Note - Time / Effort Spent
Folks who know me know that I am primarily a manual tester, relying on my extensive development/architecture experience rather than brute force to find tough bugs. Reading a blog post may make it appear that a bug, or the path to it, was obvious, so just to give some statistics, getting from the initial Slack message from Usman to full RCE took me:
- Approximately 500 hand-crafted attempts to bypass the WAF
- Approximately 14 hours of wall clock time from the initial attempt to the first successful RCE (execution of the uname -a command) - note that I took breaks to eat, take a walk, think about solutions etc. - it wasn't 14 hours straight!
I'm including these because blog posts often make this kind of bug seem a lot easier than it actually is, leading readers down the dark path of impostor syndrome. Even if you know what you're doing, sometimes bugs are really tough! Don't give up!