The save method in the com/key/dwsurvey/action/sysuser/SysPropertyAction.java file directly accepts the parameters passed from the client and writes them into the specified configuration file, which is directly included in login.jsp, resulting in rce
A file write operation was performed on the specified file in the writeData method
In the save method, the writeData method is invoked to write the admin-info.jsp, and the adminInfo variable comes from the assignment at the beginning of the Sava method.
The xssEncode method of the XssHttpWrapper class filters the request parameters by judging whether the URI contains'/design'
You can see that it is mainly Chinese substitution for special characters
Since it is determined whether to call the filter function by judging whether the URI contains ’/design’, it can be bypassed by adding /design/.. in front of the path
Finally, it is found in login.jsp that the file is included
The save method in the com/key/dwsurvey/action/sysuser/SysPropertyAction.java file directly accepts the parameters passed from the client and writes them into the specified configuration file, which is directly included in login.jsp, resulting in rce
A file write operation was performed on the specified file in the writeData method In the save method, the writeData method is invoked to write the admin-info.jsp, and the adminInfo variable comes from the assignment at the beginning of the Sava method. The xssEncode method of the XssHttpWrapper class filters the request parameters by judging whether the URI contains
'/design'
You can see that it is mainly Chinese substitution for special characters Since it is determined whether to call the filter function by judging whether the URI contains’/design’
, it can be bypassed by adding/design/..
in front of the path Finally, it is found in login.jsp that the file is includedPoc:
visit http://localhost:8888/diaowen/?i=calc , success rce: