CVE-2023-30333: PerfreeBlog V3.1.2 has a file upload getshell vulnerability · Issue #3 · j0k1rr/some-automated-script
An arbitrary file upload vulnerability in the component /admin/ThemeController.java of PerfreeBlog v3.1.2 allows attackers to execute arbitrary code via a crafted file.
Details:
com/perfree/controller/admin/ThemeController.java
Following createFileOrDir: it processes the passed parameters and checks whether filePath is blank.
It then calls the touch method of the FileUtil utility class, which creates a file at an absolute path with no restriction on the file suffix, so directory traversal can be used to create files.
Next, find a way to write the contents of the file.
The content parameter passed in is not filtered.
com/perfree/controller/admin/ThemeController.java
The rename operation does not filter the incoming file name, so directory traversal is possible.
Based on the information above, an attacker can rename files, traverse paths, overwrite files, and overwrite a scheduled-task file to get a reverse shell.
RCE through the scheduled task succeeded.
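The checks the create, write and rename paths described above are missing, as an added example (not PerfreeBlog's code and not the project's actual fix). The class name `ThemePathGuard`, the extension allowlist and the sample inputs are assumptions made for illustration; a rename would run both the source and the target name through `resolve`.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Locale;
import java.util.Set;

// Hypothetical guard for theme file operations; not part of PerfreeBlog.
public class ThemePathGuard {
    // Assumed allowlist of file types a theme editor needs to touch.
    private static final Set<String> ALLOWED_EXT = Set.of("html", "css", "js", "json", "txt");
    private final Path root;

    public ThemePathGuard(Path themeRoot) throws IOException {
        this.root = themeRoot.toRealPath(); // canonical root, symlinks resolved
    }

    /** Returns the path inside the theme root, or throws SecurityException. */
    public Path resolve(String userPath) throws IOException {
        if (userPath == null || userPath.isBlank()) {
            throw new SecurityException("empty path");
        }
        // An absolute userPath replaces root here, so the startsWith check rejects it.
        Path candidate = root.resolve(userPath).normalize();
        if (!candidate.startsWith(root)) {
            throw new SecurityException("path escapes theme root");
        }
        // An existing parent must not be a symlink that leads outside the root.
        Path parent = candidate.getParent();
        if (parent != null && Files.exists(parent) && !parent.toRealPath().startsWith(root)) {
            throw new SecurityException("parent resolves outside theme root");
        }
        String name = candidate.getFileName().toString();
        int dot = name.lastIndexOf('.');
        String ext = dot < 0 ? "" : name.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXT.contains(ext)) {
            throw new SecurityException("extension not allowed: '" + ext + "'");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        ThemePathGuard guard = new ThemePathGuard(Files.createTempDirectory("theme-demo"));
        // Constructed sample inputs: one legitimate, three that must be refused.
        String[] samples = {"static/site.css", "../../etc/cron.d/job", "/var/spool/cron/root", "shell.jsp"};
        for (String s : samples) {
            try {
                System.out.println("ALLOW " + s + " -> " + guard.resolve(s));
            } catch (SecurityException e) {
                System.out.println("DENY  " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```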