[Original] Source code audit of an open-source J2EE CMS: MeshCMS in practice
Source code audit of an open-source J2EE CMS: a learning exercise on MeshCMS
#############
Affected version: MeshCMS 3.6 – Multiple vulnerabilities
Date: 2016-04-03
Vendor:
Download link:
Version: 3.6
Test platform: Windows OS
#############
About the open-source MeshCMS:
MeshCMS is an online editing system written in Java. It provides a set of features usually included in a CMS, but it uses a more traditional approach: pages are stored in regular HTML files and all additional features are file-based, without needing a database.
#############
Vulnerability Description:
1. Directory traversal vulnerability
The download feature is implemented by a servlet named DownloadServlet. Nothing in the download path restricts the file extension, so source code files (for example .jsp and .java) can be downloaded.
```java
// Excerpt from DownloadServlet (decompiled): the resolved file is streamed back
// with no check on its extension or on where it sits.
String str = paramHttpServletRequest.getParameter("filename");
if (Utils.isNullOrEmpty(str)) {
    str = localPath.getLastElement();
}
try {
    // localObject is the File resolved from the request earlier in the servlet
    FileInputStream localFileInputStream = new FileInputStream((File) localObject);
    paramHttpServletResponse.setContentType("application/x-download");
    paramHttpServletResponse.setHeader("Content-Disposition", "attachment; filename=\"" + str + "\"");
    paramHttpServletResponse.setHeader("Content-Length", Long.toString(((File) localObject).length()));
    Utils.copyStream(localFileInputStream, paramHttpServletResponse.getOutputStream(), false);
}
```
POC:
2. File upload vulnerability
upload2.jsp does not check the uploaded file at all (uploads are essentially unguarded; there is no filtering whatsoever).
```java
// Excerpt from upload2.jsp: the client chooses both the target directory ("dir")
// and the file name; "fixname" only normalises the name when the client asks for it.
try {
    FileItem upItem = null;
    ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
    upload.setProgressListener(new UploadProgressListener(request.getSession(true)));
    List items = upload.parseRequest(request);
    Iterator iter = items.iterator();
    while (iter.hasNext()) {
        FileItem item = (FileItem) iter.next();
        if (item.getFieldName().equals("dir")) {
            path = new Path(item.getString());   // target directory taken from the request
        } else if (item.getFieldName().equals("fixname")) {
            fixName = Utils.isTrue(item.getString());
        } else if (item.getFieldName().equals("upfile") && item.getSize() > 0L) {
            upItem = item;
        }
    }
    if (upItem != null && path != null) {
        String fileName = new Path(upItem.getName()).getLastElement();
        if (fixName) {
            fileName = Utils.generateUniqueName(WebUtils.fixFileName(fileName, true), webSite.getFile(path));
        }
        // no extension or content check before the file is written to the site
        ok = webSite.saveToFile(userInfo, upItem, path.add(fileName));
    }
```
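One way to close both the download issue (1) and the upload issue (2) above, as an added example written for this post rather than code from MeshCMS: a small utility that canonicalises a client-supplied path under the site root and applies an extension allowlist. The extension lists, the single site-root layout, and the method names are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;
// Added example, not MeshCMS code. DownloadServlet and upload2.jsp can both route
// client-supplied names through these checks; the allowlists are assumptions.
public final class SafeFileAccess {
    // Types the download feature may serve; jsp, java, class, properties are never listed.
    private static final Set<String> DOWNLOAD_EXT =
        new HashSet<>(Arrays.asList("pdf", "zip", "png", "jpg", "gif", "txt"));
    // Types an upload may carry; nothing the servlet container would execute.
    private static final Set<String> UPLOAD_EXT =
        new HashSet<>(Arrays.asList("png", "jpg", "gif", "pdf"));
    static String extensionOf(String name) {
        int dot = name.lastIndexOf('.');
        return dot < 0 ? "" : name.substring(dot + 1).toLowerCase(Locale.ROOT);
    }
    /** Resolves userPath under root and proves the canonical result stays inside root. */
    static File resolveInside(File root, String userPath) throws IOException {
        File canonicalRoot = root.getCanonicalFile();
        File candidate = new File(canonicalRoot, userPath).getCanonicalFile();
        if (!candidate.getPath().startsWith(canonicalRoot.getPath() + File.separator)) {
            throw new IOException("path escapes web root: " + userPath);
        }
        return candidate;
    }
    /** Download check: inside root, a regular file, and an allowed extension. */
    static File downloadable(File root, String userPath) throws IOException {
        File f = resolveInside(root, userPath);
        if (!f.isFile() || !DOWNLOAD_EXT.contains(extensionOf(f.getName()))) {
            throw new IOException("refusing to serve " + userPath);
        }
        return f;
    }
    /** Upload check: keep only the base name, require an allowed extension,
     *  and return a server-generated name so the client never picks the path. */
    static String uploadName(String clientName) throws IOException {
        String base = new File(clientName.replace('\\', '/')).getName();
        String ext = extensionOf(base);
        if (base.isEmpty() || base.indexOf('\0') >= 0 || !UPLOAD_EXT.contains(ext)) {
            throw new IOException("refusing upload name " + clientName);
        }
        return UUID.randomUUID() + "." + ext;
    }
}
```

The canonical-path prefix test is what defeats `..` segments and symlinks; the allowlist is what keeps server-side source and executable types out of both directions.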
3. Reflected XSS
There is an echo.jsp under the meshcms/meshcms/admin/ directory; the fullsrc parameter is written back into the response without any filtering.
```java
// Excerpt from admin/echo.jsp: the fullsrc parameter is written straight into
// the response body with no encoding.
try {
    response.resetBuffer();
} catch (IllegalStateException ex) {
    //
}
response.getWriter().write(request.getParameter("fullsrc"));
%>
```
POC:
4. Command execution vulnerability
During the static export (backup) step, staticexport2.jsp executes a system command built from a parameter sent by the client. exportCommand is not filtered in any way, which results in command execution.
```java
// Excerpt from staticexport2.jsp: exportCommand comes from the request and is
// handed to Runtime.exec() unchanged; its output is echoed back to the page.
if (!exportCommand.equals("")) {
    out.println("\nexecuting: " + exportCommand);
    Process process = Runtime.getRuntime().exec(exportCommand);
    out.println("standard output:");
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    Utils.copyStream(process.getInputStream(), baos, false);
    out.write(Utils.encodeHTML(baos.toString()));
    baos.reset();
    out.println("end of standard output\nerror output:");
    Utils.copyStream(process.getErrorStream(), baos, false);
    out.write(Utils.encodeHTML(baos.toString()));
    int exit = process.waitFor();
    out.println("end of error output\nexecution finished with exit code " + exit);
```
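A defensive rewrite of the export step, as an added example for this post and not MeshCMS code: the client sends only a key that selects a fixed argv from a server-side table, so no request value ever reaches the command line. The two commands, the working directory, and the class and method names are assumptions.

```java
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
// Added example, not MeshCMS code. The table below is the only source of argv;
// the contents of the table are assumptions.
public final class StaticExportRunner {
    private static final Map<String, List<String>> COMMANDS = new HashMap<>();
    static {
        COMMANDS.put("zip", Arrays.asList("zip", "-r", "site.zip", "."));
        COMMANDS.put("tar", Arrays.asList("tar", "-czf", "site.tar.gz", "."));
    }
    public static final class Result {
        public final int exitCode;
        public final String output;   // stdout and stderr, interleaved
        Result(int exitCode, String output) { this.exitCode = exitCode; this.output = output; }
    }
    /** Runs the named export in exportDir; unknown keys are rejected before anything starts. */
    static Result run(String exportKey, File exportDir) throws IOException, InterruptedException {
        List<String> argv = COMMANDS.get(exportKey);
        if (argv == null) {
            throw new IllegalArgumentException("unknown export command: " + exportKey);
        }
        // argv form: no shell is involved and the client cannot append arguments
        ProcessBuilder pb = new ProcessBuilder(argv).directory(exportDir).redirectErrorStream(true);
        Process process = pb.start();
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (InputStream in = process.getInputStream()) {
            byte[] chunk = new byte[8192];
            int n;
            while ((n = in.read(chunk)) != -1) {
                buf.write(chunk, 0, n);   // drain while the child runs so the pipe never fills
            }
        }
        int exit = process.waitFor();
        // the caller still HTML-encodes output before writing it to the page, as the original does
        return new Result(exit, buf.toString("UTF-8"));
    }
}
```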
POC: