jfinal CMS v5.1.0 has a command execution vulnerability exists #54
Comments
Hello, I have received your message! Thank you!
Best Wishes!
——孔祥亮
Hello, I have received your message! Thank you!
Best Wishes!
——孔祥亮
This version of fastjson does have the risk of deserialization, but the PoC given by the author is clearly the 1.2.25-1.2.47 chain. As I recall, if you want to use this version, you need to introduce an additional jar package, am I not right??
Hello, I have received your message! Thank you!
Best Wishes!
——孔祥亮
jfinal_cms version: 5.1.0
JDK version: jdk-8u351
The ActionEnter class is instantiated in the index method of the /ueditor route
The ConfigManager class is instantiated in the constructor of the ActionEnter class
The construction method of ConfigManager calls initEnv()
Call JSONObject.parseObject to parse the file content, and the file content here is controllable, just replace the file content with the payload.
The file comes from WEB-INF/classes/config.json. With any file upload vulnerability in the background, this file can be replaced with a file containing the payload to trigger fastjson deserialization
Run the tool on Kali
payload:
Replace with payload
Visit /ueditor, execute the command to pop up the calculator
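
A defensive check for the file this report centres on, added here as an example and not part of the original issue or the jfinal_cms code: it parses a `config.json` and reports every fastjson `@type` key, including keys written with JSON escapes that a plain text search would miss. The sample documents and class names are constructed placeholders, and the `/* */` stripping assumes the file uses UEditor-style block comments.

```python
import json
AUTOTYPE_KEY = "@type"  # key fastjson reads as a class-name hint

class _Obj(list):
    """A JSON object kept as (key, value) pairs so duplicate keys survive."""

def strip_block_comments(text):
    """Drop /* ... */ comments that sit outside string literals."""
    out, i, in_str = [], 0, False
    while i < len(text):
        ch = text[i]
        if in_str:
            out.append(ch)
            if ch == "\\" and i + 1 < len(text):
                i += 1
                out.append(text[i])      # keep the escaped character as-is
            elif ch == '"':
                in_str = False
        elif text.startswith("/*", i):
            end = text.find("*/", i + 2)
            i = len(text) if end < 0 else end + 1
        else:
            in_str = ch == '"'
            out.append(ch)
        i += 1
    return "".join(out)

def find_type_hints(text):
    """Return (json_path, value) for every "@type" key, at any depth."""
    doc = json.loads(strip_block_comments(text), object_pairs_hook=_Obj)
    hits = []
    def walk(node, path):
        if isinstance(node, _Obj):
            for key, value in node:
                if key == AUTOTYPE_KEY:
                    hits.append((f"{path}.{key}", value))
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for idx, item in enumerate(node):
                walk(item, f"{path}[{idx}]")
    walk(doc, "$")
    return hits

# Constructed samples; the class names are placeholders, not real classes.
CLEAN = '/* upload settings */ {"imageActionName": "uploadimage", "tip": "a /* b */ c"}'
TAMPERED = r'{"x": {"\u0040type": "example.Placeholder"}, "list": [{"@type": "example.Other"}]}'

if __name__ == "__main__":
    for name, doc in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, find_type_hints(doc))
```

Run against the deployed `WEB-INF/classes/config.json` as part of a file-integrity job, any non-empty result means the file no longer matches a stock editor configuration.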