Vulnerability description
Test version: 3.5.0
Latest version: 3.5.0
Vulnerability profile:
mblog uses the Shiro 1.4.0 security component, which allows an authorization bypass. An attacker can bypass the permission check to upload files and finally execute commands.
The exploitation process is as follows:
Construct a malicious archive "evil.zip" that contains an FTL template file, as shown in the figure below:
When the browser then requests the index page, the command in the FTL template has been executed successfully.
The endpoints involved; the second form of each is the variant that bypasses the Shiro permission check:
Upload: http://192.168.83.3/admin/theme/upload/
or: http://192.168.83.3/dist/..;/admin/theme/upload
Activate: http://192.168.83.3/admin/theme/active/?theme=evil
or: http://192.168.83.3/dist/..;/admin/theme/active?theme=evil
(If the uploaded archive is named ssr.zip, the parameter in the activate URL must be changed to theme=ssr.)
Code analysis
![image](https://user-images.githubusercontent.com/48439183/107499522-023f3b00-6bd0-11eb-9904-7402cbc8c72d.png)
Step 1:
Upload endpoint:
http://192.168.83.3/admin/theme/upload
mblog version 4.0 uses Shiro version 1.4.0, which has both an authorization-bypass vulnerability and a padding-oracle vulnerability; only the authorization bypass is needed here.
Template management controller:
src/main/java/com/mtons/mblog/web/controller/admin/ThemeController.java
It has two request mappings: upload template and enable template.
![image](https://user-images.githubusercontent.com/48439183/107499618-23079080-6bd0-11eb-8425-ae7d902c33af.png)
The upload method receives the zip file uploaded by the user, checks the file suffix, and passes the multipart file to the BlogUtils.uploadTheme() method.
BlogUtils.uploadTheme() reads the site.location property (user.dir). mblog is a Spring Boot application that runs as a single jar. The code below obtains the current location, creates the /storage/templates directory under it, stores the user's uploaded zip file in that directory, and then creates a folder with the same name as the archive to hold the extracted files.
![image](https://user-images.githubusercontent.com/48439183/107499667-34509d00-6bd0-11eb-8937-c7d49fb912eb.png)
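The extraction step described above writes whatever the archive contains into a directory named after the archive. The following is an added example of how that step can be hardened; it is not mblog's code, and the class name ThemeUploadGuard, the storage root passed in, the allowed extension list and the size limits are assumptions chosen for illustration. It rejects archive entries that resolve outside the theme directory (zip slip), restricts entry types to theme assets, and caps entry count and size.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Set;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

// Hypothetical helper (not from mblog): safely extracts an uploaded theme archive.
public class ThemeUploadGuard {
    // Only theme assets are accepted. Note that .ftl files are executable templates,
    // so accepting them is only defensible when the template engine is sandboxed
    // and the endpoint itself is restricted to administrators.
    private static final Set<String> ALLOWED = Set.of(".ftl", ".css", ".js", ".png", ".jpg", ".svg");
    private static final int MAX_ENTRIES = 500;                 // assumed limit
    private static final long MAX_ENTRY_BYTES = 2L * 1024 * 1024; // assumed limit per file

    /** Extracts the archive into storageRoot/themeName and returns that directory. */
    public static Path extract(InputStream zip, Path storageRoot, String themeName) throws IOException {
        // The theme name becomes a directory name; allow only a plain identifier.
        if (!themeName.matches("[A-Za-z0-9_-]{1,32}")) {
            throw new IOException("invalid theme name: " + themeName);
        }
        Path root = storageRoot.toAbsolutePath().normalize();
        Path target = root.resolve(themeName).normalize();
        if (!target.startsWith(root)) {
            throw new IOException("theme directory escapes storage root");
        }
        Files.createDirectories(target);

        int entries = 0;
        byte[] buf = new byte[8192];
        try (ZipInputStream in = new ZipInputStream(zip)) {
            ZipEntry e;
            while ((e = in.getNextEntry()) != null) {
                if (++entries > MAX_ENTRIES) {
                    throw new IOException("too many entries in archive");
                }
                // Zip-slip check: the resolved entry path must stay inside the theme directory.
                Path out = target.resolve(e.getName()).normalize();
                if (!out.startsWith(target)) {
                    throw new IOException("entry escapes theme directory: " + e.getName());
                }
                if (e.isDirectory()) {
                    Files.createDirectories(out);
                    continue;
                }
                String lower = e.getName().toLowerCase();
                int dot = lower.lastIndexOf('.');
                if (dot < 0 || !ALLOWED.contains(lower.substring(dot))) {
                    throw new IOException("disallowed file type: " + e.getName());
                }
                Files.createDirectories(out.getParent());
                // Copy with a running byte count so a highly compressed entry cannot fill the disk.
                long written = 0;
                try (OutputStream os = Files.newOutputStream(out)) {
                    int n;
                    while ((n = in.read(buf)) > 0) {
                        written += n;
                        if (written > MAX_ENTRY_BYTES) {
                            throw new IOException("entry too large: " + e.getName());
                        }
                        os.write(buf, 0, n);
                    }
                }
            }
        }
        return target;
    }
}
```

Content validation does not replace the missing authorization check: because the bypass lies in how Shiro 1.4.0 matches the request path, the controller should also verify the caller explicitly (for example with Shiro's Subject.checkRole on the administrator role the application defines; the page does not show mblog's role names) rather than relying on the URL-pattern filter chain alone, and the Shiro dependency should be upgraded to a version that fixes the path-matching bypass.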
Step 2:
![image](https://user-images.githubusercontent.com/48439183/107499744-4cc0b780-6bd0-11eb-93d5-c1d897e83026.png)
Template activation endpoint:
http://192.168.83.3/admin/theme/active/?theme=evil
The corresponding controller file is:
src/main/java/com/mtons/mblog/web/controller/admin/ThemeController.java
The update method wraps the request parameters in a map and passes it to the optionsService.update() method.
It then calls the contextStartup.reloadOptions(false) method.
The implementation class of optionsService.update() is as follows:
![image](https://user-images.githubusercontent.com/48439183/107499799-5cd89700-6bd0-11eb-8061-4a33f61d4a7d.png)
src/main/java/com/mtons/mblog/modules/service/impl/OptionsServiceImpl.java
Using the key from the request parameter, optionsRepository.findByKey() is called. The optionsRepository object is a Spring Data JPA query object: it has only an interface and no concrete implementation, and can be treated as DAO-layer code.
For the request parameter ?theme=evil, the key is theme and the value is evil.
The row is looked up in the data table by the key theme and its value is assigned,
then optionsRepository.save() is executed to update it.
In the contextStartup.reloadOptions(false) method:
![image](https://user-images.githubusercontent.com/48439183/107499867-724dc100-6bd0-11eb-88b4-da07665c56c3.png)
List options = optionsService.findAll(); fetches every key and value from the database and wraps them in a map object, including the theme=evil just stored.
After the theme attribute is fetched from the database, the system attribute is changed. At this point the preparation is complete: requesting the index page again makes the server load the malicious template index.ftl, which triggers command execution.
![image](https://user-images.githubusercontent.com/48439183/107499919-81347380-6bd0-11eb-97d9-d01a483abe68.png)
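The command execution at the end of the chain happens because the FreeMarker engine renders an attacker-supplied index.ftl with its default settings. The following is an added example, not mblog's code, of rendering theme templates with FreeMarker's class-instantiation built-in disabled; the class name SafeThemeRenderer, the template names and the data model are constructed for the example. With TemplateClassResolver.ALLOWS_NOTHING_RESOLVER every use of the ?new built-in is refused before any object is created, regardless of the class named.

```java
import freemarker.cache.StringTemplateLoader;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import java.io.IOException;
import java.io.StringWriter;
import java.util.Map;

// Hypothetical renderer (not from mblog): FreeMarker with ?new and ?api disabled.
public class SafeThemeRenderer {
    private final Configuration cfg;

    public SafeThemeRenderer() {
        cfg = new Configuration(Configuration.VERSION_2_3_30);
        // Refuse every ?new call; templates may only use the model they are handed.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // Keep the ?api built-in off (this is the default; stated explicitly here).
        cfg.setAPIBuiltinEnabled(false);
    }

    /** Renders one template source against a model; throws TemplateException if blocked. */
    public String render(String name, String source, Map<String, Object> model)
            throws IOException, TemplateException {
        // Constructed in-memory template so the example runs without a theme directory.
        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate(name, source);
        cfg.setTemplateLoader(loader);
        Template t = cfg.getTemplate(name);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        SafeThemeRenderer r = new SafeThemeRenderer();
        // A benign theme template renders normally.
        System.out.println(r.render("index.ftl", "<h1>${title}</h1>", Map.of("title", "home")));
        // A template that instantiates any class through ?new is rejected; the class
        // named here is deliberately harmless, the resolver refuses all of them alike.
        try {
            r.render("blocked.ftl", "${\"java.util.Date\"?new()}", Map.of());
        } catch (TemplateException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

FreeMarker also ships TemplateClassResolver.SAFER_RESOLVER, which only blocks the classes known to be dangerous; ALLOWS_NOTHING_RESOLVER is the simpler policy when themes never legitimately need ?new. Sandboxing the engine limits what an uploaded template can do, but the primary fix remains that the upload and activation endpoints must not be reachable without administrator authorization.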
Vulnerability submission information
Author: 说书人
Mail: 1797565004@qq.com