Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SSTI、Delete any file #59

Closed
n1ec opened this issue Dec 28, 2021 · 0 comments
Closed

SSTI、Delete any file #59

n1ec opened this issue Dec 28, 2021 · 0 comments

Comments

@n1ec
Copy link

n1ec commented Dec 28, 2021

SSTI
FreeMarker template is used in the project,and there is no secure configuration
Insert the payload in the background - > system settings - > template management
<#assign value="freemarker.template.utility.Execute"?new()>${value("whoami")}
image

image
net/mingsoft/basic/action/TemplateAction.java There's a suffix check, it's written to the file
image

net/mingsoft/basic/util/BasicUtil.java GetRealTemplatePath of this class is called
image

coverage /target/classes/WEB-INF/manager/main.ftl ,Refresh the home page
image

Delete any file
If the oldFileName argument exists, the corresponding file is deleted
image
Call the FileUtil.class
image
poc:
fileName=x&oldFileName=file destination

@killfen killfen closed this as completed Sep 9, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants
@killfen @n1ec and others