cli config-file eval-sh


Ant is a Java-based build tool used to compile, assemble, test, and run Java applications. Ant uses XML files for its configuration, primarily named build.xml. These files define a set of tasks to be executed.

Ant allows the execution of arbitrary shell commands via the <exec> task within its build.xml or any imported XML files.

Ant often refers to a properties file (ant.properties) to load key-value pairs which are using in the build.xml, while whatever is put in that file cannot directly be executed, if it is consumed inside of the build.xml in a way that could lead to RCE, this mean be yet another injection point.


<project name="POC" default="run">
    <property file="ant.properties"/>
    <target name="run">
        <exec executable="sh" inputstring="echo 'Hello from Ant'"/>
        <exec executable="sh" inputstring="${command.to.execute}"/>