There is a filter that by default denies direct access to JSP files.
The login.jsp in web.xml's means that accessing the homepage module can directly invoke login.jsp.
The backend template management module can manage files under the web directory. It can modify the content of login.jsp through an interface call, inserting malicious code into the content of login.jsp.
Inject malicious code into login.jsp to execute commands and write the command execution result into mkodp_1.txt.
Accessing http://ip:port/jfinal_cms/admin/ will trigger the code inside login.jsp, leading to command execution and writing to mkodp_1.txt.
Repeat the above process to execute the "ip a" command.
The modified content of login.jsp is as follows:
`<%@ page language="java" pageEncoding="UTF-8"%>
<%
// 生成一个随机的文件名
String randomFileName = "mkodp_1.txt";
There is a filter that by default denies direct access to JSP files. The login.jsp in web.xml's means that accessing the homepage module can directly invoke login.jsp.
The backend template management module can manage files under the web directory. It can modify the content of login.jsp through an interface call, inserting malicious code into the content of login.jsp.
Inject malicious code into login.jsp to execute commands and write the command execution result into mkodp_1.txt.
Accessing http://ip:port/jfinal_cms/admin/ will trigger the code inside login.jsp, leading to command execution and writing to mkodp_1.txt.
Repeat the above process to execute the "ip a" command.
The modified content of login.jsp is as follows: `<%@ page language="java" pageEncoding="UTF-8"%> <% // 生成一个随机的文件名 String randomFileName = "mkodp_1.txt";
%> <% response.sendRedirect("login"); %> `