Exploitation

Overview

  • If an attacker can control the Expression Language string that the application evaluates, the result is a vulnerability.

Basic Proof of Concept

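		// Imports assume JUEL (de.odysseus.el), which provides SimpleContext.
		import javax.el.ExpressionFactory;
		import javax.el.ValueExpression;
		import de.odysseus.el.ExpressionFactoryImpl;
		import de.odysseus.el.util.SimpleContext;

		ExpressionFactory factory = new ExpressionFactoryImpl();
		SimpleContext context = new SimpleContext();
		// The expression string is the injection point; 7*7 is a harmless arithmetic probe.
		String pl = "${7*7}";
		ValueExpression e = factory.createValueExpression(context, pl, Integer.class);
		System.out.println(e.getValue(context));

		// OUTPUT
		// 49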

It appears that the sink in this scenario is the createValueExpression() method.
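
The sink seen from the defender's side, as an added example that is not part of the original notes: the same probe string reaches createValueExpression() once as expression source and once as a bound variable value. It assumes the JUEL implementation (de.odysseus.el) used in the proof of concept; the class name ElSinkDemo and the methods greetUnsafe and greetSafe are hypothetical.

```java
import javax.el.ExpressionFactory;
import javax.el.ValueExpression;
import de.odysseus.el.ExpressionFactoryImpl;
import de.odysseus.el.util.SimpleContext;

// Hypothetical demo class (not from the original page).
public class ElSinkDemo {
    static final ExpressionFactory FACTORY = new ExpressionFactoryImpl();

    // Vulnerable pattern: request data is concatenated into the expression
    // source, so any ${...} it contains is parsed and evaluated.
    static Object greetUnsafe(String name) {
        SimpleContext ctx = new SimpleContext();
        ValueExpression e =
            FACTORY.createValueExpression(ctx, "Hello " + name, String.class);
        return e.getValue(ctx);
    }

    // Hardened pattern: the expression source is a constant. Request data is
    // wrapped as a literal value and bound to a variable, so the EL parser
    // never sees it as expression text.
    static Object greetSafe(String name) {
        SimpleContext ctx = new SimpleContext();
        ctx.setVariable("name", FACTORY.createValueExpression(name, String.class));
        ValueExpression e =
            FACTORY.createValueExpression(ctx, "Hello ${name}", String.class);
        return e.getValue(ctx);
    }

    public static void main(String[] args) {
        // Constructed sample input: the same arithmetic probe as the PoC above.
        String input = "${7*7}";
        // Unsafe path: the probe is evaluated as part of the expression.
        System.out.println(greetUnsafe(input));
        // Safe path: the probe is returned as plain text inside the greeting.
        System.out.println(greetSafe(input));
    }
}
```

When reviewing code, the first argument to look at is the expression string passed to createValueExpression(): if any part of it is built from request data, the call is reachable as a sink.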

  • How to do it in Spring?

    • Spring uses Thymeleaf for its views

  • Any other frameworks?
