Open bhayanisohil opened 9 years ago
Hi,
That parameter name should not be a problem since it cannot dereference the class property. In order to access the class property you need to use:
xxxx.class
xxxx['class'] or xxxx.["class"]
That's why the regular expression checks for the single or double quotes.
Cheers, A
Hi,
test/#$".class as well as test&(){]['class'] also returns false. It would be great if you can provide me with a couple of values that would return true.
Thanks, Sohil
The regexp looks like:
We are trying to protect access to the class.classloader property, so values that return true are:
xxx.class.classloader
xxx['class'].classloader
xxx['class']['classloader']
...
Note: xxx is the name of one of the action public properties.
This regular expression is the one used by the Struts2 ParametersInterceptor to protect from classloader manipulation.
We are using Struts 1 in our application. I am using debug mode in Eclipse and changing the value of the parameter as you suggested in the above comment, but still no luck. Currently I am using the below regex: (..|^|.|[('|"))(c|C)lass(.|('|")]|[).,^dojo..,^struts..,^session..,^request..,^application..,^servlet(Request|Response)..,^parameters..,^action:.,^method:. I have also tried using the below regex but have the same issue: (..|^|[('|"))(c|C)lass(.|('|")]|[). Can you guide me on which is the correct regex?
(.*\\.|^|.*|\\[('|\"))(c|C)lass(\\.|('|\")]|\\[).*
The pattern.matcher(parameterName).matches() line returns false when "][]Class][<>" is passed as parameterName. I am not sure if this is a code issue or a testing issue. Please provide some guidance on how to test the classloader manipulation issue.
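The parameter names discussed in this thread can be checked against the quoted pattern in one place. The following is an added example, not code from the project or from any participant; the class name `ClassLoaderParamCheck`, the method `isBlocked`, and the inputs `className` and `subclass.name` are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class ClassLoaderParamCheck {          // hypothetical class name
    // Pattern exactly as quoted in this thread, in Java string-literal escaping.
    static final Pattern BLOCKED = Pattern.compile(
        "(.*\\.|^|.*|\\[('|\"))(c|C)lass(\\.|('|\")]|\\[).*");

    // matches() anchors at both ends: the WHOLE parameter name must fit the
    // pattern, and "class"/"Class" must be followed by '.', quote + ']', or '['.
    static boolean isBlocked(String parameterName) {
        return BLOCKED.matcher(parameterName).matches();
    }

    public static void main(String[] args) {
        Map<String, Boolean> cases = new LinkedHashMap<>();
        // Forms listed in the thread as values that return true.
        cases.put("xxx.class.classloader", true);
        cases.put("xxx['class'].classloader", true);
        cases.put("xxx['class']['classloader']", true);
        cases.put("xxx[\"class\"].classloader", true);
        // Inputs from the thread that return false: "Class" is followed by ']'
        // alone in the first, and by nothing at all in the second.
        cases.put("][]Class][<>", false);
        cases.put("test/#$\".class", false);
        // Constructed inputs: an ordinary property name is allowed, but the
        // bare ".*" alternative blocks any name containing "class." anywhere.
        cases.put("className", false);
        cases.put("subclass.name", true);

        for (Map.Entry<String, Boolean> e : cases.entrySet()) {
            boolean actual = isBlocked(e.getKey());
            System.out.printf("%-30s blocked=%b%n", e.getKey(), actual);
            if (actual != e.getValue()) {
                throw new IllegalStateException("unexpected result for " + e.getKey());
            }
        }
    }
}
```

A filter built on this pattern should reject the request parameter when `isBlocked` returns true, before the name reaches property population.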