CVE-2022-33980 PoC — Apache Commons Configuration 代码注入漏洞

Source

https://github.com/HKirito/CVE-2022-33980

Associated Vulnerability

Title:Apache Commons Configuration 代码注入漏洞 (CVE-2022-33980)
Description:Apache Commons Configuration是美国阿帕奇（Apache）基金会的一款通用的配置接口，它主要用于使Java应用程序从多种来源读取配置数据。 Apache Commons 2.4至2.7版本存在代码注入漏洞，该漏洞源于Apache Commons配置执行变量插值，允许动态评估和扩展属性。插值的标准格式是"${prefix:name}"，其中 "prefix "用于定位执行插值的org.apache.commons.configuration2.interpol.Lookup的实例。

Description

CVE

Readme

# CVE-2022-33980
CVE

Apache Commons RCE 
can use url,dns,script key-words to connect any server
![](img/exp.png)

File Snapshot


 [4.0K]  /data/pocs/618bd7e44fba1bdc5a29873032fc8f7ba4dc8da1
├── [4.0K]  img
│   └── [382K]  exp.png
├── [3.2K]  pom.xml
├── [ 113]  README.md
└── [4.0K]  src
    ├── [4.0K]  main
    │   └── [4.0K]  java
    │       └── [4.0K]  org
    │           └── [4.0K]  example
    │               └── [1.5K]  App.java
    └── [4.0K]  test
        └── [4.0K]  java
            └── [4.0K]  org
                └── [4.0K]  example
                    └── [ 283]  AppTest.java

10 directories, 5 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!