Directory Traversal
- Test with Docker OpenJDK:
```shell
sudo docker run -it openjdk
```
- Code patterns to look for (a string prefix check without canonicalisation, and a request-controlled file name passed straight to `File`):
```java
// Weak check: a plain string prefix test does not reject "../" segments or symlinks
if (path.startsWith("/srv/uploads"))

// File name taken from the request path parameter and used directly
String filename = handlerRequest.getPathParameter(LogFileNamePathParameter.class);
return new File(logDir, filename);
```
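Added example (not from the original notes) showing how to harden the pattern above: the user-supplied name is resolved against the base directory, normalised, and checked with `Path.startsWith`, which compares whole path elements rather than string prefixes. The class and its names are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafeLogFileResolver {
    private final Path baseDir;

    public SafeLogFileResolver(String baseDir) throws IOException {
        // Resolve the base directory once; toRealPath() follows symlinks and removes ".." segments.
        this.baseDir = Paths.get(baseDir).toRealPath();
    }

    /**
     * Resolve a request-supplied file name inside baseDir.
     * Returns null when the resolved path escapes the base directory.
     */
    public File resolve(String userFilename) throws IOException {
        // A string prefix test such as path.startsWith("/srv/uploads") accepts
        // "/srv/uploads/../etc/passwd" and "/srv/uploads2"; normalise first and
        // compare path elements instead. An absolute userFilename replaces baseDir
        // on resolve() and is therefore rejected by the startsWith check below.
        Path candidate = baseDir.resolve(userFilename).normalize();
        if (!candidate.startsWith(baseDir)) {
            return null;
        }
        // If the target already exists, also compare its real path so a symlink
        // inside baseDir cannot point outside it.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(baseDir)) {
            return null;
        }
        return candidate.toFile();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temporary directory stands in for the log directory.
        File logDir = Files.createTempDirectory("logs").toFile();
        SafeLogFileResolver resolver = new SafeLogFileResolver(logDir.getPath());
        System.out.println(resolver.resolve("app.log"));        // inside base dir
        System.out.println(resolver.resolve("../etc/passwd"));  // null: rejected
        System.out.println(resolver.resolve("/etc/passwd"));    // null: rejected
    }
}
```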
## XXE
```java
// Resource: https://f3real.github.io/xmlexploits.html
import javax.xml.parsers.DocumentBuilderFactory;

// A default factory processes DTDs and external entities unless features are
// explicitly disabled, so check how this instance is configured after creation.
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
```
Resources
- JD-GUI: https://www.kali.org/tools/jd-gui/
  - Decompile the JAR, WAR and EAR files to source code - Zip Export and open with Notepad++ or VSCode
  - Comes with syntax highlighting, useful for locating variables/functions
- RDP:
```shell
xfreerdp +nego +sec-rdp +sec-tls +sec-nla /d: /u: /p: /v:manageengine /u:Administrator /p:studentlab /size:1180x708
```
Locating Java Process
- Process Explorer
- The process properties of the binary (ideally a single binary) can be used to discover its path on disk
Java Web Application - Tree Structure
- WEB-INF
----- web.xml (Servlet mappings, mapping class location)
----- lib
----------- struts.jar - Third party library
----------- xmlsec-1.3.0.jar - Third party library
----------- AdventNetAppManagerWebClient.jar - The application's own (first-party) library, of interest for review
Regex
# SQL Injection
- `^.*?query.*?select.*?` - Searching for SQL SELECT queries (String query = "SELECT ...")
- `^.*query.*?select.*?where.*?\+.*?\;` - Searching for SQL SELECT queries with a WHERE clause and string concatenation (String query = "SELECT ... WHERE " + ...)
- `select.*\+` - Potential string concatenation into a query
- `doGet, doPost, doPut, doDelete, doCopy, doOptions` - Searching for HTTP verb handlers in relation to .do files
- `Serializable` / `java.io.Serializable` - Potential deserialization vulnerability
- `readObject` - Potential deserialization vulnerability
