CVE-2023-40825: The uploaded malicious plug-in is parsed and the command is executed · Issue #15 · perfree/PerfreeBlog
An issue in Perfree PerfreeBlog v.3.1.2 allows a remote attacker to execute arbitrary code via crafted plugin listed in admin/plugin/access/list.
Vulnerability information
PerfreeBlog implements its plugin extension mechanism on Spring Boot and pf4j. A plugin is developed, packaged as a jar, and can then be installed and enabled directly through the plugin management page of the PerfreeBlog admin backend. Because pf4j loads the plugin's classes into the running application's JVM, any code an attacker places in a plugin runs with the privileges of the blog process: an attacker who can upload a crafted plugin jar can therefore trigger arbitrary command execution on the server once the plugin is loaded and its code is reached.
Affected version
<= v3.1.2
Vulnerability analysis
1. Download the latest PerfreeBlog release package and decompress it. In the decompressed directory, run start.bat.
2. Access the web service and initialize the database and administrator account.
3. Build a plugin containing malicious code. Plugin development is documented at: https://perfree.gitee.io/plugin-develop/create.html. The malicious code used here pops up the calculator when admin/plugin/access/list is accessed. Upload the plugin through the admin plugin management page and run it.
4. Access the admin/plugin/access/list interface; the malicious code executes successfully.
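The steps above install a jar whose classes run inside the blog's JVM, so the only realistic control is to inspect (and, in practice, restrict and sign) plugins before they are installed. The following is an added triage script, not code from PerfreeBlog or pf4j: it opens a plugin jar offline, extracts the pf4j manifest attributes (Plugin-Id, Plugin-Version, Plugin-Class are the real attribute names pf4j reads from META-INF/MANIFEST.MF), and flags any class file whose constant pool references process-spawning or dynamic-loading JVM classes. The sample jar it scans is constructed in memory for the demonstration; its .class entries are not compiled classes, only the class-file magic followed by fake constant-pool strings. The check is a heuristic and can be evaded by reflection or string obfuscation; treat a hit as a reason to refuse installation and review the plugin, not a clean result as proof of safety.

```python
import io
import zipfile

# Manifest attributes pf4j's ManifestPluginDescriptorFinder reads from a plugin jar.
PF4J_ATTRS = ("Plugin-Id", "Plugin-Version", "Plugin-Class",
              "Plugin-Provider", "Plugin-Dependencies")

# Internal JVM class names whose presence in a class file's constant pool
# means the plugin can spawn processes, load code, or evaluate scripts.
SUSPICIOUS_REFS = (
    b"java/lang/Runtime",
    b"java/lang/ProcessBuilder",
    b"java/net/URLClassLoader",
    b"javax/script/ScriptEngine",
)

CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def parse_manifest(text):
    """Parse a JAR manifest: 'Name: value' lines, continuation lines start with one space."""
    attrs = {}
    last = None
    for line in text.splitlines():
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
        elif ":" in line:
            key, value = line.split(":", 1)
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def triage_plugin_jar(data):
    """Return a report for a plugin jar given as bytes: pf4j manifest attributes,
    number of class entries, and the suspicious references found per class."""
    report = {"manifest": {}, "classes": 0, "flagged": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_manifest(
                jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
            report["manifest"] = {k: v for k, v in manifest.items() if k in PF4J_ATTRS}
        for name in names:
            if not name.endswith(".class"):
                continue
            report["classes"] += 1
            blob = jar.read(name)
            hits = []
            if blob[:4] != CLASS_MAGIC:
                # A .class entry without the class-file magic is itself suspicious.
                hits.append("bad-magic")
            # Constant-pool CONSTANT_Utf8 entries hold class names as plain modified-UTF-8,
            # so a substring search over the raw bytes finds direct references.
            hits.extend(ref.decode() for ref in SUSPICIOUS_REFS if ref in blob)
            if hits:
                report["flagged"][name] = hits
    return report


def is_suspicious(report):
    """Installation policy for this example: any flagged class blocks the plugin."""
    return bool(report["flagged"])


def build_sample_jar():
    """Constructed sample jar mimicking a pf4j plugin layout (not a real compiled plugin)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\n"
                     "Plugin-Id: sample-plugin\r\n"
                     "Plugin-Version: 1.0.0\r\n"
                     "Plugin-Class: com.example.SamplePlugin\r\n")
        # Fake class: magic, version 52, then fake CONSTANT_Utf8 entries.
        jar.writestr("com/example/SamplePlugin.class",
                     CLASS_MAGIC + b"\x00\x00\x00\x34\x00\x03"
                     + b"\x01\x00\x11java/lang/Runtime"
                     + b"\x01\x00\x04calc")
        jar.writestr("com/example/Hello.class",
                     CLASS_MAGIC + b"\x00\x00\x00\x34\x00\x02"
                     + b"\x01\x00\x10java/lang/Object")
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_plugin_jar(build_sample_jar())
    print(result["manifest"])
    print(result["flagged"])
    print("REJECT" if is_suspicious(result) else "ACCEPT")
```

Run the script against a real plugin jar by passing the file's bytes to triage_plugin_jar; a jar whose Plugin-Class is missing from the manifest, or whose classes reference Runtime or ProcessBuilder, should not be installed through the admin page without manual review.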