## Jfinal cms Backend Template Management Arbitrary File Upload Vulnerability
### Introduction to Vulnerability
Jfinal cms is built on the simple and powerful JFinal web framework, uses beetl as its template engine and MySQL as its database, and uses Bootstrap, Flat UI and other front-end frameworks. It supports multiple sites, OAuth2 authentication, account registration, password encryption, comments and replies, message notifications, site traffic statistics, article comment and pageview statistics, response management, permission management and more. Its backend template management feature contains an arbitrary file upload vulnerability.
### Vulnerability Impact
- Versions <= v4.7.1
### Vulnerability Analysis
The vulnerability is triggered in `com/jflyfox/modules/filemanager/FileManagerController.java`:
```java
public void index() {
    HttpServletRequest request = getRequest();
    try {
        request.setCharacterEncoding("UTF-8");
        getResponse().setCharacterEncoding("UTF-8");
    } catch (UnsupportedEncodingException e) {
        e.printStackTrace();
    }
    FileManager fm = new FileManager(getRequest());
    JSONObject responseData = null;
    String mode = "";
    String path = "";
    boolean needPath = false;
    boolean putTextarea = false;
    if (!auth()) {
        fm.error(fm.lang("AUTHORIZATION_REQUIRED"));
    } else {
        String contextPath = request.getContextPath();
        // set contextPath
        // ......
    }
    } else if (request.getMethod().equals("POST")) {
        // a POST without a mode is treated as an upload and handed to FileManager.add()
        if (mode == null) {
            mode = "upload";
            responseData = fm.add();
            putTextarea = true;
        } else if (mode.equals("savefile")) {
            if (needPath && fm.setGetContent("content", request.getParameter("content"))) {
                responseData = fm.saveFile();
            }
        }
```
When the mode is `upload`, the request is handed to `FileManager.add()`. Following `add()`:
```java
public JSONObject add() {
    Iterator<?> it = this.files.iterator();
    if (!it.hasNext()) {
        this.error(lang("INVALID_FILE_UPLOAD"));
        return null;
    }
    JSONObject fileInfo = null;
    Map<String, String> params = new HashMap<String, String>();
    File tmpFile = null;
    boolean error = false;
    // file field operate
    try {
        FileItem item = null;
        while (it.hasNext()) {
            item = (FileItem) it.next();
            if (item.isFormField()) {
                params.put(item.getFieldName(), item.getString());
            } else {
                // the client-supplied file name is recorded as-is
                params.put("_fileFieldName", item.getFieldName());
                params.put("_fileName", item.getName());
                params.put(item.getFieldName(), item.getName());
                // size limit is enforced only when upload-size is configured
                long maxSize = NumberUtils.parseLong(MAX_SIZE);
                if (getConfig("upload-size") != null) {
                    maxSize = Integer.parseInt(getConfig("upload-size"));
                    if (maxSize != 0 && item.getSize() > (maxSize * 1024 * 1024)) {
                        this.error(sprintf(lang("UPLOAD_FILES_SMALLER_THAN"), maxSize + "Mb"));
                        error = true;
                    }
                }
                // the only type check: a name-based images-only test, applied only when
                // upload-imagesonly is "true" or the request asks for type=Image
                if (!isImage(item.getName())
                        && (getConfig("upload-imagesonly") != null && getConfig("upload-imagesonly").equals("true")
                            || this.params.get("type") != null && this.params.get("type").equals("Image"))) {
                    this.error(lang("UPLOAD_IMAGES_ONLY"));
                    error = true;
                }
                if (error) {
                    break;
                }
                // otherwise the part is written to disk with no check on its extension
                tmpFile = new File(this.fileRoot + TMP_PATH + "filemanager_" + System.currentTimeMillis() + ".tmp");
                File filePath = tmpFile.getParentFile();
                if (!filePath.exists()) {
                    filePath.mkdirs();
                }
                item.write(tmpFile);
            }
        }
    } catch (Exception e) {
        logger.error("INVALID_FILE_UPLOAD", e);
        this.error(lang("INVALID_FILE_UPLOAD"));
    }
```
The uploaded file is not filtered: the only type check is the optional images-only test, which looks at the file name alone, and nothing restricts the extension. Any file type, including JSP, can therefore be uploaded, which is an arbitrary file upload vulnerability.
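As an added, defender-side illustration (not code from jfinal_cms), the check below is the kind of allowlist `add()` could apply to the client-supplied name before `item.write()`: it accepts only a fixed set of image extensions no matter how `upload-imagesonly` is set, and refuses names containing separators or control characters. The class and method names are hypothetical.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hypothetical helper (not part of jfinal_cms): validates the client-supplied
// file name before the multipart item is written to disk.
public class UploadNameCheck {

    // Only these extensions are ever accepted, regardless of upload-imagesonly.
    private static final Set<String> ALLOWED = new HashSet<String>(
            Arrays.asList("jpg", "jpeg", "png", "gif"));

    // Returns the lower-cased final extension, or null if there is no usable one.
    static String extensionOf(String name) {
        int dot = name.lastIndexOf('.');
        if (dot <= 0 || dot == name.length() - 1) {
            return null;
        }
        return name.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    // True only for a plain base name whose last extension is on the allowlist.
    static boolean isAllowedName(String name) {
        if (name == null || name.isEmpty() || name.contains("..")) {
            return false;
        }
        // Reject path separators and control characters so the name cannot
        // leave the upload directory or confuse the servlet container.
        for (char c : name.toCharArray()) {
            if (c == '/' || c == '\\' || c == ';' || c == ':' || c < 0x20) {
                return false;
            }
        }
        String ext = extensionOf(name);
        return ext != null && ALLOWED.contains(ext);
    }

    public static void main(String[] args) {
        // Constructed sample names: the two from the write-up plus one with no extension.
        String[] samples = {"shell.jpg", "shell.jsp", "shell"};
        for (String s : samples) {
            System.out.println(s + " -> " + (isAllowedName(s) ? "accept" : "reject"));
        }
    }
}
```

A name check alone is not the whole fix: the stored file should also get a server-generated name, and the upload directory should be one the container never executes as JSP.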
### Reproduction environment
* Tomcat 6.0.29
* Jfinal cms 4.7.1
* Windows
### Vulnerability reproduction
1. Log in to the backend.
2. Click Template Management -> Upload and upload a file named `shell.jpg` whose content is `<% out.print("123");%>`.
![](https://images.seebug.org/1554112908675-w331s)
3. Click Save to upload the image, intercept the request with Burp Suite, and change the file name to `shell.jsp`.
```
http://localhost:8080/jfinal_cms/admin/filemanager?config=filemanager.config.js
```
![](https://images.seebug.org/1554112916091-w331s)
4. Access the shell:
```
http://localhost:8080/jfinal_cms/shell.jsp
```
![](https://images.seebug.org/1554112923338-w331s)