UReport2 is a high-performance pure Java report engine based on the Spring architecture, in which complex Chinese-style reports can be built by iterating over cells.
Apache License 2.0 · 2.02k stars · 834 forks
Local malicious class loading and code execution vulnerability due to unauthorized access to designer page. #484
With the following source code, we can easily find that the 'Class.forName' method can load malicious classes.
'Class.forName' is the method the JVM uses to retrieve a class and load it into memory. During this process, the static phase of class loading is executed.
In other words, if a malicious class is defined in advance, you can execute the static code block of that malicious class here.
We successfully executed the code by loading the malicious classes set up in advance.
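The mechanism the report describes, as an added illustration that is not UReport2's own code: the one-argument 'Class.forName' both loads and initializes a class, so a static block in that class runs as a side effect of a name lookup. The 'Probe' class, the 'probeInitialized' flag, the 'loadUnchecked'/'loadChecked' method names and the allowlist contents are all constructed for this example. The hardened variant shows the two checks a defender would want on such a code path: an explicit allowlist of class names, and the three-argument overload with initialize=false so that resolving a name never runs static code. Neither replaces authentication on the designer endpoint, which is the root cause in the issue; they only reduce what an unauthenticated caller could trigger.

```java
import java.util.Set;

public class ClassLoadDemo {
    // Observed from outside the probe class so that reading it does not itself
    // trigger initialization (any access to Probe's own statics would).
    static volatile boolean probeInitialized = false;

    // Constructed stand-in for an attacker-supplied class: its static initializer
    // runs the moment the class is initialized. Here it only flips a flag; the
    // point is *when* it runs, not what it does.
    public static class Probe {
        static {
            probeInitialized = true;
        }
    }

    // Vulnerable shape (assumed, modelled on the issue): a class name taken from an
    // untrusted request goes straight to Class.forName, which loads AND initializes
    // the class, so its static block executes during the lookup.
    static Class<?> loadUnchecked(String className) throws ClassNotFoundException {
        return Class.forName(className);
    }

    // Hardened shape: only names on an explicit allowlist are accepted, and the
    // lookup uses the overload with initialize=false so that static code is not run
    // as a side effect of resolving the name.
    private static final Set<String> ALLOWED = Set.of("java.lang.String", "java.lang.Integer");

    static Class<?> loadChecked(String className) throws ClassNotFoundException {
        if (!ALLOWED.contains(className)) {
            throw new IllegalArgumentException("class not permitted: " + className);
        }
        return Class.forName(className, false, ClassLoadDemo.class.getClassLoader());
    }

    public static void main(String[] args) throws Exception {
        // A class literal does not initialize the class, so the probe is still untouched here.
        String name = Probe.class.getName();

        // Loading without initialization: the static block has not run.
        Class.forName(name, false, ClassLoadDemo.class.getClassLoader());
        System.out.println("after forName(name, false, loader): initialized=" + probeInitialized); // false

        // The one-argument form initializes the class: the static block runs now.
        loadUnchecked(name);
        System.out.println("after forName(name):                initialized=" + probeInitialized); // true

        // The hardened path rejects the probe outright and only resolves allowlisted names.
        try {
            loadChecked(name);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("allowed:  " + loadChecked("java.lang.String").getName());
    }
}
```

Compile and run with `javac ClassLoadDemo.java && java ClassLoadDemo`; the two printed flag values show that the static initializer is tied to the initialize flag of the lookup, which is why an unauthenticated caller reaching the one-argument form with a name of their choosing is sufficient for code execution once a matching class is on the classpath.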