Testing environment
java version: 1.8.0_181
os system: windows
server ip address: 192.168.126.136
Vulnerability Test
Simple test
Access http://192.168.126.136:8090/admin/ and log in to the backstage. Click exterior (外观) and select theme editor (主题编辑). Select any one of the template files, such as "page-top.ftl". Then edit the file and insert a template statement like this.
Save the file and refresh the home page, and then the ceye platform can receive a message.
Execute system command
Also edit "page-top.ftl" to execute a system command to add a system user.
payload-2
<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("net user security security /add") }
Save the file again and refresh the home page again. Then a user will be added to the system.
Remark
Because the preview does not display the picture properly when editing the issue, you can visit my GitHub project (https://github.com/c0d1007/exploit) and view the picture.
Solution
Template files can only be edited locally, or check the file input
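
Added example, not part of the original report and not the project's own code: payload-2 depends on the `?new` built-in being allowed to instantiate `freemarker.template.utility.Execute`, which FreeMarker's default class resolver permits and `TemplateClassResolver.SAFER_RESOLVER` refuses. The class name `NewBuiltinResolverDemo` and the helper names are hypothetical, and the sketch assumes the application builds its own `Configuration` object; it renders only the instantiation step, so no command is executed.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import freemarker.template.TemplateExceptionHandler;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Collections;

public class NewBuiltinResolverDemo {

    // Constructed sample: only the "?new" step of payload-2. ex(...) is never
    // called, so nothing runs on the host even when instantiation is allowed.
    static final String SAMPLE =
        "<#assign ex=\"freemarker.template.utility.Execute\"?new()>rendered";

    static Configuration baseConfig() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_23);
        // Rethrow instead of writing the stack trace into the rendered page.
        cfg.setTemplateExceptionHandler(TemplateExceptionHandler.RETHROW_HANDLER);
        cfg.setLogTemplateExceptions(false);
        return cfg;
    }

    static String render(Configuration cfg) throws IOException {
        Template t = new Template("page-top.ftl", new StringReader(SAMPLE), cfg);
        StringWriter out = new StringWriter();
        try {
            t.process(Collections.emptyMap(), out);
            return "ALLOWED: " + out;
        } catch (TemplateException e) {
            return "BLOCKED: " + e.getMessageWithoutStackTop();
        }
    }

    public static void main(String[] args) throws IOException {
        // Weak: the default resolver (UNRESTRICTED_RESOLVER) lets ?new load any class.
        Configuration weak = baseConfig();

        // Hardened: SAFER_RESOLVER rejects Execute, ObjectConstructor and JythonRuntime.
        // ALLOWS_NOTHING_RESOLVER is the stricter choice when themes never need ?new.
        Configuration hardened = baseConfig();
        hardened.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);

        System.out.println("default : " + render(weak));
        System.out.println("hardened: " + render(hardened));
    }
}
```

The resolver setting closes the `?new` route shown in payload-2 only; who may edit template files through the admin panel remains a separate access-control decision.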