CVE-2022-30929 PoC
[Suggested description] Mini-Tmall v1.0 is vulnerable to Insecure Permissions via tomcat-embed-jasper: the image upload endpoints only check that the request comes from a logged-in user, so an authenticated user can upload a .jsp file, and because the application ships the embedded Jasper engine the uploaded file is compiled and executed when it is requested.
[Vulnerability Type] Insecure Permissions
[Vendor of Product] GitHub; Gitee
[Affected Product Code Base] https://github.com/robin-liyong/-Mini-Tmall- and https://gitee.com/project_team/Tmall_demo?_from=gitee_search - v1.0
[Affected Component] tomcat-embed-jasper
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] An authenticated user uploads a .jsp file through one of the image upload forms after bypassing the client-side file type check; no other precondition is needed.
[Reference] https://t.me/WangPanBOT?start=file96eb2dc53cc57847
[Discoverer] jw5t
Reproduction of CVE-2022-30929

Locating the upload handlers: a global search of the code base for "upload" finds the image upload endpoints.

Code audit: the framework's filter only verifies the user's permissions (that the request comes from a logged-in user); nothing else is filtered on the server side. The restriction on file types is implemented in the JSP pages, i.e. on the client, and is easily bypassed by editing the request in Burp.

Admin profile picture upload:
Intercept the upload request in Burp. Three points in the request need to be modified so that the .jsp is accepted, and response interception must be enabled too, because the response returns the name under which the server stored the file, e.g.
09820699-ecd5-4fcd-876a-07f8a46987be.jsp
From the code audit, the image URL base for this upload is
/tmall/res/images/item/adminProfilePicture/
Concatenating the directory and the returned filename gives the path of the uploaded JSP:
/tmall/res/images/item/adminProfilePicture/09820699-ecd5-4fcd-876a-07f8a46987be.jsp

User profile picture upload:
Register an account first; once the registration succeeds, upload a .jsp as the profile picture in the same way. Concatenating the returned filename with the user picture directory gives
/tmall/res/images/item/userProfilePicture/e568b7c4-7954-4a18-ab65-707198332d21.jsp
Accessing that URL executes the uploaded JSP.

Product image and product type image uploads:
"Upload product image-ajax" and "upload product type image-ajax" are two more file uploads on the same function point and are exploited the same way; the stored file in this case was named
838d284e-e625-48b8-bbc7-8275367d5601.jsp
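The root cause above is that the only server-side check is the permission filter, while the file type check lives in the JSP pages and is bypassed by editing the request. The following is an added example, not code from Mini-Tmall or from this PoC: `weak_check` is a reconstruction of the behaviour the write-up describes (user verified, client-supplied extension kept), and `hardened_check` shows the validation an upload handler should perform itself. The `Upload` dataclass, the field names and the sample requests are constructed for the example and are not the project's API.

```python
"""Added example (not Mini-Tmall's code): server-side upload validation that
stops the bypass described for CVE-2022-30929.  weak_check models the described
behaviour; hardened_check shows the checks the server should make itself."""
import os
import uuid
from dataclasses import dataclass


@dataclass
class Upload:
    """What the server sees after parsing the multipart request (constructed
    model, not the project's API).  Every field except logged_in is
    attacker-controlled."""
    logged_in: bool
    filename: str          # Content-Disposition filename
    content_type: str      # declared part Content-Type (trivially spoofed)
    data: bytes


# Allowed extensions and the magic bytes a file of that type must start with.
ALLOWED = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}


def weak_check(up: Upload) -> tuple[bool, str]:
    """Reconstruction of the described behaviour: the filter only verifies the
    user, the type check is client side, so the server keeps the client's
    extension.  A .jsp therefore lands on disk as a .jsp and Jasper runs it."""
    if not up.logged_in:
        return False, "permission filter: not logged in"
    ext = os.path.splitext(up.filename)[1]
    return True, f"{uuid.uuid4()}{ext}"


def hardened_check(up: Upload) -> tuple[bool, str]:
    """Validate on the server, treating every client field as untrusted."""
    if not up.logged_in:
        return False, "permission filter: not logged in"
    # Use only the basename and refuse control characters / path tricks.
    name = os.path.basename(up.filename.replace("\\", "/"))
    if "\x00" in name or name in ("", ".", ".."):
        return False, "bad filename"
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext!r} not allowed"
    # The declared Content-Type is ignored; the bytes must match the extension.
    if not up.data.startswith(ALLOWED[ext]):
        return False, f"content does not look like {ext}"
    # Server-chosen name with an allow-listed extension, never the client's
    # name.  Store it outside the JSP-servable path (or serve it through a
    # static handler) so an upload can never be compiled by Jasper.
    return True, f"{uuid.uuid4()}{ext}"


# Constructed samples: the Burp-edited request from the write-up (a .jsp with
# a spoofed image Content-Type), a legitimate PNG, and a .png name wrapping
# JSP source.  The JSP body is deliberately harmless.
BYPASS = Upload(True, "shell.jsp", "image/jpeg", b'<% out.println("jsp ran"); %>')
PNG = Upload(True, "avatar.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
SPOOFED_EXT = Upload(True, "avatar.png", "image/png", b'<% out.println("x"); %>')

if __name__ == "__main__":
    for label, up in [("bypass", BYPASS), ("png", PNG), ("spoofed", SPOOFED_EXT)]:
        print(f"{label:8} weak={weak_check(up)}  hardened={hardened_check(up)}")
```

With the weak check the Burp-edited request is accepted and stored as `<uuid>.jsp`, exactly the situation the PoC exploits; with the hardened check it is rejected on the extension, and a file whose bytes do not match its claimed type is rejected as well. The stored name is chosen by the server with an allow-listed extension, so even a polyglot image that passes the magic-byte check is never stored under a name Jasper would compile.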