Command Injection in Apache Tika (CVE-2018-1335) CVE-2018-1335 CNNVD-201804-1428

9.3 AV AC AU C I A
Published: 2018-04-25
Revised: 2023-11-07

## Intro

This post is a walk-through of steps taken to go from an undisclosed CVE for a command injection vulnerability in the Apache tika-server to a complete exploit. The CVE is <https://nvd.nist.gov/vuln/detail/CVE-2018-1335>. Since Apache Tika is open source, I was able to take some basic information from the CVE and identify the actual issue by analyzing the Apache Tika code. Although a command injection vulnerability is typically straightforward, as you will see in this post there were some hurdles to overcome to achieve full remote code or command execution. This was due to the way Java handles executing operating system commands and also some intricacies of the Apache Tika code itself. In the end, it was still possible to get around these blockers using the Windows Script Host (Cscript.exe).

### What is Apache Tika

> The Apache Tika™ toolkit detects and extracts metadata and text from over a thousand different file types (such as PPT, XLS, and PDF). All of these file types...

There are currently 2 exploits/PoCs for this vulnerability.
There is currently 1 affected product entry.