The whole site is vulnerable to CSRF attack, and a critical administrative I/O operation is by design submitted by a plain `GET`.
Create a post with a webshell upload whose filename ends in an image suffix (e.g. PNG). Then get the image's URL using the browser (e.g. http://asite.com/jfinal_cms/jflyfox/bbs/ueditor/image/20190404/20190404_203723_454016.png).
Place the link below where an online admin user could possibly see and/or click it.
(The path will be prefixed with base_dir, so a different deployment directory won't interfere with the exploit.) Hackers can embed this into a `src` attribute, making it a non-interactive exploit. The file would be renamed to `test.jsp` in a static resource folder that is accessible to everyone after a valid admin views this page. `.jsp` syntax is supported by default.
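As an added defensive example (not jfinal_cms code), a server-side check the rename handler could call before touching the filesystem; it keeps both names inside base_dir and refuses to turn an uploaded image into `.jsp` or any other non-image extension. The base directory and file names in `main` are constructed; requiring `POST` plus a CSRF token for the action is framework configuration and is not shown here.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;

// Hypothetical hardening helper: validates an admin "rename static resource"
// request before any I/O happens.
public final class SafeRename {
    // Only these extensions may be used as a rename target for uploaded images.
    private static final Set<String> ALLOWED_EXT = Set.of("png", "jpg", "jpeg", "gif", "webp");
    private SafeRename() {}
    private static String extensionOf(String name) {
        int dot = name.lastIndexOf('.');
        // No extension, or a trailing dot, yields "" and fails the allow-list check.
        return dot < 0 || dot == name.length() - 1 ? "" : name.substring(dot + 1).toLowerCase(Locale.ROOT);
    }
    /** Returns the resolved destination path, or throws if the request is unsafe. */
    public static Path validate(Path baseDir, String source, String target) {
        Path base = baseDir.toAbsolutePath().normalize();
        Path src = base.resolve(source).normalize();
        Path dst = base.resolve(target).normalize();
        // Both names must stay inside base_dir (blocks ../ and absolute paths).
        if (!src.startsWith(base) || !dst.startsWith(base)) {
            throw new IllegalArgumentException("path escapes base_dir");
        }
        String srcExt = extensionOf(src.getFileName().toString());
        String dstExt = extensionOf(dst.getFileName().toString());
        // An uploaded image may only keep an image extension; a rename that turns
        // it into .jsp (or anything the servlet container executes) is refused.
        if (!ALLOWED_EXT.contains(dstExt)) {
            throw new IllegalArgumentException("target extension not allowed: " + dstExt);
        }
        if (!dstExt.equals(srcExt)) {
            throw new IllegalArgumentException("extension change not allowed");
        }
        return dst;
    }
    public static void main(String[] args) {
        Path base = Paths.get("/var/www/jfinal_cms/static"); // constructed example path
        System.out.println(validate(base, "image/20190404/a.png", "image/20190404/b.png"));
        try {
            validate(base, "image/20190404/a.png", "image/test.jsp");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```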