Open microvorld opened 4 weeks ago
Affected version
≤Jpress v5.1.1
Vendor
https://github.com/JPressProjects/jpress
Vulnerability File
jfinal-5.1.9.jar
Description
Enter the background at http://127.0.0.1:8080/admin/login. In System Management → Template → Edit Module, select to edit index.html, add a line of code in the file, and click Update File.
#include("../../../../../../../../../Windows/win.ini")
Then visit the homepage, and you can see the content of the local c:\Windows\win.ini file.
Modify the code to ../../WEB-INF/classes/jboot.properties, and we can read the local database configuration file.
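One way to reject such template edits at save time, as an added example that is not part of the original report and is not JPress or JFinal code: resolve every literal `#include` target against the template's directory and refuse the update if it lands outside the template root. The class and method names, the sample paths, and the treatment of a leading "/" as root-relative are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical save-time check for edited templates; names are illustrative. */
public class IncludePathCheck {

    // Matches #include("path") or #include('path') with a literal path argument.
    private static final Pattern INCLUDE =
            Pattern.compile("#include\\s*\\(\\s*([\"'])(.*?)\\1");

    /** Returns the literal #include targets that resolve outside templateRoot. */
    static List<String> escapingIncludes(String source, Path templateRoot, Path templateFile) {
        Path root = templateRoot.toAbsolutePath().normalize();
        Path baseDir = templateFile.toAbsolutePath().normalize().getParent();
        List<String> bad = new ArrayList<>();
        Matcher m = INCLUDE.matcher(source);
        while (m.find()) {
            // Treat backslashes as separators so Windows-style targets are caught too.
            String target = m.group(2).replace('\\', '/');
            // Assumption: a leading "/" means "relative to the template root".
            Path resolved = target.startsWith("/")
                    ? root.resolve(target.substring(1))
                    : baseDir.resolve(target);
            // Path.startsWith compares whole path elements, not string prefixes.
            if (!resolved.normalize().startsWith(root)) {
                bad.add(m.group(2));
            }
        }
        return bad;
    }

    public static void main(String[] args) {
        // Constructed sample: template root, edited file, and submitted content.
        Path root = Paths.get("webapp/templates/demo");
        Path file = root.resolve("index.html");
        String edited = "#include(\"./header.html\")\n"
                + "#include(\"../../WEB-INF/classes/jboot.properties\")\n";
        List<String> bad = escapingIncludes(edited, root, file);
        if (!bad.isEmpty()) {
            System.out.println("Rejecting template update, includes outside root: " + bad);
        }
    }
}
```

The check is lexical only; it does not follow symbolic links, so a deployment that allows symlinks inside the template directory would also need a `toRealPath()` comparison on targets that exist.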