Add JSP payload for Reflective RCE

plugin/src/main/resources/com/google/tsunami/plugin/payload/payload_definitions.yaml

@@ -92,3 +92,12 @@ payloads:
     validation_regex: (?s).*TSUNAMI_PAYLOAD_START$TSUNAMI_PAYLOAD_TOKEN_RANDOMTSUNAMI_PAYLOAD_END.*
     vulnerabilityType:
       - REFLECTIVE_RCE
+  - name: jsp_print
+    interpretation_environment: JSP
+    execution_environment: EXEC_INTERPRETATION_ENVIRONMENT
+    uses_callback_server: false
+    payload_string: <% out.print(String.format("%s%s%s","TSUNAMI_PAYLOAD_START", "$TSUNAMI_PAYLOAD_TOKEN_RANDOM", "TSUNAMI_PAYLOAD_END")); %>
+    validation_type: VALIDATION_REGEX
+    validation_regex: (?s).*TSUNAMI_PAYLOAD_START$TSUNAMI_PAYLOAD_TOKEN_RANDOMTSUNAMI_PAYLOAD_END.*
+    vulnerability_type:
+      - REFLECTIVE_RCE

plugin/src/test/java/com/google/tsunami/plugin/payload/PayloadGeneratorWithoutCallbackServerTest.java

@@ -79,6 +79,13 @@ public void nextBytes(byte[] bytes) {
           .setExecutionEnvironment(
               PayloadGeneratorConfig.ExecutionEnvironment.EXEC_INTERPRETATION_ENVIRONMENT)
           .build();
+  private static final PayloadGeneratorConfig JSP_REFLECTIVE_RCE_CONFIG =
+      PayloadGeneratorConfig.newBuilder()
+          .setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.REFLECTIVE_RCE)
+          .setInterpretationEnvironment(PayloadGeneratorConfig.InterpretationEnvironment.JSP)
+          .setExecutionEnvironment(
+              PayloadGeneratorConfig.ExecutionEnvironment.EXEC_INTERPRETATION_ENVIRONMENT)
+          .build();
   private static final PayloadGeneratorConfig WINDOWS_REFLECTIVE_RCE_CONFIG =
       PayloadGeneratorConfig.newBuilder()
           .setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.REFLECTIVE_RCE)
@@ -250,6 +257,36 @@ public void checkIfExecuted_withJavaConfiguration_andIncorrectInput_returnsFalse
             ByteString.copyFromUtf8("TSUNAMI_PAYLOAD_START ffffffffffffffff TSUNAMI_PAYLOAD_END")));
   }
 
+  @Test
+  public void getPayload_withJspConfiguration_returnsPrintfPayload() {
+    Payload payload = payloadGenerator.generate(JSP_REFLECTIVE_RCE_CONFIG);
+
+    assertThat(payload.getPayload())
+        .isEqualTo(
+            "<% out.print(String.format(\"%s%s%s\",\"TSUNAMI_PAYLOAD_START\", \"ffffffffffffffff\","
+                + " \"TSUNAMI_PAYLOAD_END\")); %>");
+    assertFalse(payload.getPayloadAttributes().getUsesCallbackServer());
+  }
+
+  @Test
+  public void checkIfExecuted_withJspConfiguration_andCorrectInput_returnsTrue() {
+    Payload payload = payloadGenerator.generate(JSP_REFLECTIVE_RCE_CONFIG);
+
+    assertTrue(
+        payload.checkIfExecuted(
+            ByteString.copyFromUtf8(
+                "RANDOMOUTPUTTSUNAMI_PAYLOAD_STARTffffffffffffffffTSUNAMI_PAYLOAD_END")));
+  }
+
+  @Test
+  public void checkIfExecuted_withJspConfiguration_andIncorrectInput_returnsFalse() {
+    Payload payload = payloadGenerator.generate(JSP_REFLECTIVE_RCE_CONFIG);
+
+    assertFalse(
+        payload.checkIfExecuted(
+            ByteString.copyFromUtf8("TSUNAMI_PAYLOAD_START ffffffffffffffff TSUNAMI_PAYLOAD_END")));
+  }
+
   @Test
   public void getPayload_withSsrfConfiguration_returnsGooglePayload() {
     Payload payload = payloadGenerator.generate(ANY_SSRF_CONFIG);

proto/payload_generator.proto

@@ -62,6 +62,8 @@ message PayloadGeneratorConfig {
     LINUX_ROOT_CRONTAB = 5;
     // Payload is interpreted wihin a Windows shell environment
     WINDOWS_SHELL = 6;
+    // Payload is interpreted within a JSP shell environment
+    JSP = 7;
   }
 
   // The actual runtime environment when the payload is run e.g. while a