WeChat official account: DebugPwn
Sina Weibo: http://weibo.com/u/2275304001?refer_flag=1005055010_
SpEL Introduction
The Spring Expression Language (SpEL for short) is a powerful expression language that supports querying and manipulating an object graph at runtime. The language syntax is similar to Unified EL but offers additional features, most notably method invocation and basic string templating functionality.
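SpEL expressions are convenient, but they also introduce security risk: an attacker can inject a malicious SpEL expression to gain privileges on the system.
The Spring Boot Whitelabel Error Page SpEL injection exists because the framework's error page treats user input as an expression and evaluates it. Details: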
https://github.com/spring-projects/spring-boot/issues/4763
Patch: https://github.com/spring-projects/spring-boot/commit/edb16a13ee33e62b046730a47843cb5dc92054e6
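The root cause described above, as an added example that is not part of the original post and is not Spring Boot's code: a simplified plain-JDK model of an error-page renderer, assuming the flaw is that substituted values are parsed again for further ${...} placeholders. All names are hypothetical, and "evaluation" is only marked in the output, never performed.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Function;

// Simplified model of an error-page template renderer (hypothetical names,
// plain JDK only). "Evaluation" is only marked, never actually performed.
public class ErrorTemplateModel {

    // Stand-in for the expression evaluator: known model keys return their
    // value; anything else is flagged as text that would have been evaluated.
    static Function<String, String> resolver(Map<String, String> model) {
        return expr -> model.containsKey(expr)
                ? model.get(expr)
                : "[EVALUATED:" + expr + "]";
    }

    // Replaces each ${...} in the text. With recursive=true the substituted
    // value is scanned again, so placeholders inside model values are resolved.
    static String render(String text, Function<String, String> resolve, boolean recursive) {
        StringBuilder out = new StringBuilder();
        int pos = 0;
        while (true) {
            int start = text.indexOf("${", pos);
            int end = start < 0 ? -1 : text.indexOf('}', start);
            if (start < 0 || end < 0) {
                return out.append(text.substring(pos)).toString();
            }
            String value = resolve.apply(text.substring(start + 2, end));
            if (recursive) {
                value = render(value, resolve, true); // the flaw: values are re-parsed
            }
            out.append(text, pos, start).append(value);
            pos = end + 1;
        }
    }

    public static void main(String[] args) {
        Map<String, String> model = new LinkedHashMap<>();
        // Constructed request-derived value carrying a harmless placeholder.
        model.put("message", "bad input: ${7*7}");
        String template = "<div>${message}</div>";
        Function<String, String> r = resolver(model);

        System.out.println("recursive:     " + render(template, r, true));
        System.out.println("non-recursive: " + render(template, r, false));
    }
}
```

In the recursive run the placeholder carried inside the message value reaches the evaluator; in the non-recursive run it is emitted as literal text, which is the behaviour a fixed renderer needs.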
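Reproducing the vulnerability:
Download spring-boot-1.3.0.RELEASE and find the spring-boot-sample at spring-boot-1.3.0.RELEASE\spring-boot-1.3.0.RELEASE\spring-boot-samples\spring-boot-sample-tomcat-jsp, then modify the WelcomeController code as follows so that the program throws an exception.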
@RequestMapping("/fail2")
public String fail2(String payload) {