Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

RCE in Hubspot with EL Injection in HubL - 142

BetterHacker | Posted 6 Years Ago
  • Interpreters are IMPOSSIBLE to do correctly... Anytime there is an interpreter, go after it!
  • EL (expression language) is used for creating templates for several frameworks. In this situation, the HubL EL was being used in the HubSpot Customer Relationship Manager (CRM).
  • The classic example is {7*7} evaluating to 49. By abusing the templating engine (which is written in Java), specific Java functions could be called, leading to a complete compromise of the system. However, calling Java in this restricted context is very complex...
  • I was super impressed with the reverse engineering that allowed this to be possible! Lots of reading from the JinJava project, as well as just general Java knowledge.
  • Here is the final payload: {{'a'.getClass().forName('javax.script.ScriptEngineManager') .newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
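
From the defender's side, the payload above has a recognizable shape: reflection and script-engine calls inside template delimiters. The sketch below is an added example, not code from the original write-up or from the Jinjava project; it scans only the expression and statement bodies of a submitted template for the method names seen in that payload. The function name, the indicator list and the sample templates are assumptions made for illustration.

```python
import re

# Expression ({{ ... }}) and statement ({% ... %}) bodies of a Jinja-style template.
EXPR_RE = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.DOTALL)

# Indicators taken from the payload quoted on this page.
# Assumption: this list is illustrative and not exhaustive.
INDICATORS = {
    "reflection": re.compile(r"\.\s*(getClass|forName|newInstance)\s*\("),
    "script-engine": re.compile(r"ScriptEngineManager|getEngineByName|\.\s*eval\s*\("),
    "process-exec": re.compile(r"ProcessBuilder"),
}


def scan_template(source):
    """Return (line_number, category, expression) for each suspicious expression."""
    findings = []
    for match in EXPR_RE.finditer(source):
        # Exactly one of the two groups is set, depending on the delimiter matched.
        body = match.group(1) if match.group(1) is not None else match.group(2)
        line = source.count("\n", 0, match.start()) + 1
        for category, pattern in INDICATORS.items():
            if pattern.search(body):
                findings.append((line, category, body.strip()))
    return findings


# Constructed sample inputs (not real customer templates).
BENIGN = (
    "Hello {{ contact.firstname }},\n"
    "{% if 7*7 == 49 %}ok{% endif %}\n"
    "Plain text mentioning ProcessBuilder is ignored outside delimiters.\n"
)
SUSPICIOUS = (
    "Hi there\n"
    "{{ 'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance() }}\n"
)

if __name__ == "__main__":
    for name, template in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, scan_template(template))
```

A pattern scan like this is a review and alerting aid for stored templates; it does not replace restricting which objects and methods the engine's expression resolver can reach.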