Vulnerability Type: Server-Side Template Injection (SSTI) / Remote Code Execution (RCE)
Affected Product: Smart Admin V3
Affected Versions: All versions up to and including v3.29
Affected Components:
smart-admin-api-java8-springboot2/sa-base/src/main/java/net/lab1024/sa/base/module/support/mail/MailService.java
smart-admin-api-java17-springboot3/sa-base/src/main/java/net/lab1024/sa/base/module/support/mail/MailService.java

Description:
Smart Admin V3 (https://gitee.com/lab1024/smart-admin) is vulnerable to Server-Side Template Injection (SSTI) in its email template rendering. The application renders email templates stored in the database with the Apache FreeMarker template engine, using a Configuration that leaves FreeMarker's default (unrestricted) class resolver in place. An attacker who can modify the template_content field of the t_mail_template table can inject arbitrary FreeMarker expressions, which are evaluated on the server the next time an email built from that template is sent.
Because an unrestricted resolver lets the ?new built-in instantiate arbitrary classes, this yields remote code execution (RCE) with the privileges of the application server process and full compromise of the host running it. Note the precondition: the attacker first needs write access to the database, so the template engine turns a database write primitive into code execution rather than providing an unauthenticated entry point on its own.
File: sa-base/src/main/java/net/lab1024/sa/base/module/support/mail/MailService.java
Vulnerable Method: freemarkerResolverContent() (Lines 162-177)
import java.io.StringWriter;
import java.io.Writer;
import java.util.Map;

import cn.hutool.core.util.IdUtil;
import freemarker.cache.StringTemplateLoader;
import freemarker.template.Configuration;
import freemarker.template.Template;

    /**
     * Use freemarker to generate final content
     */
    private String freemarkerResolverContent(String htmlTemplate, Map<String, Object> templateParamsMap) {
        // Default Configuration: no class resolver restriction, so ?new() may instantiate any class
        Configuration configuration = new Configuration(Configuration.VERSION_2_3_23);
        StringTemplateLoader stringLoader = new StringTemplateLoader();
        String templateName = IdUtil.fastSimpleUUID();
        // htmlTemplate is the raw template_content read from t_mail_template;
        // anyone who can write that column controls the template source
        stringLoader.putTemplate(templateName, htmlTemplate);
        configuration.setTemplateLoader(stringLoader);
        try {
            Template template = configuration.getTemplate(templateName, "utf-8");
            Writer out = new StringWriter(2048);
            // SSTI vulnerability point: directives and expressions in the template body are
            // evaluated here, not just ${...} lookups into templateParamsMap
            template.process(templateParamsMap, out);
            return out.toString();
        } catch (Throwable e) {
            // Errors are logged and swallowed; the mail is sent with an empty body
            log.error("freemarkerResolverContent error: ", e);
        }
        return "";
    }
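The following is an added example, not code from the Smart Admin project, showing what a hardened counterpart of freemarkerResolverContent() looks like and how it behaves against the classic FreeMarker RCE primitive (instantiating freemarker.template.utility.Execute through the ?new built-in). The class name HardenedMailRenderer, the method name render() and the sample template/parameters are assumptions made for the example. The real fix is to stop treating a database column as trusted code; restricting the class resolver is defence in depth on top of that.

```java
import java.io.StringWriter;
import java.io.Writer;
import java.util.HashMap;
import java.util.Map;

import freemarker.cache.StringTemplateLoader;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import freemarker.template.TemplateExceptionHandler;

/** Illustrative hardened renderer (example code, not the project's own fix). */
public class HardenedMailRenderer {

    static String render(String htmlTemplate, Map<String, Object> params) throws Exception {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_23);

        // 1. ?new() can no longer instantiate any class (Execute, ObjectConstructor, ...).
        //    SAFER_RESOLVER would only block the known-dangerous utility classes;
        //    mail templates never need ?new, so allow nothing.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);

        // 2. ?api exposes raw Java objects; it is off by default since 2.3.22, stated explicitly here.
        cfg.setAPIBuiltinEnabled(false);

        // 3. Fail closed: a template error must abort the send rather than produce an empty body
        //    that is silently mailed out (the vulnerable method logs and returns "").
        cfg.setTemplateExceptionHandler(TemplateExceptionHandler.RETHROW_HANDLER);

        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate("mail", htmlTemplate);
        cfg.setTemplateLoader(loader);

        Template template = cfg.getTemplate("mail", "utf-8");
        Writer out = new StringWriter(2048);
        template.process(params, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> params = new HashMap<>();
        params.put("code", "123456"); // constructed sample parameter

        // A legitimate template body as the application would store it.
        System.out.println(render("Your verification code is ${code}", params));

        // Constructed hostile template_content: the well-known FreeMarker primitive that
        // instantiates Execute via ?new and runs a shell command. Under the unrestricted
        // default resolver this executes; here it is refused before anything runs.
        String hostile = "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"id\")}";
        try {
            render(hostile, params);
            System.out.println("template rendered: resolver is NOT restricted");
        } catch (TemplateException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Two further checks a reviewer would want on the real code path: the t_mail_template.template_type column distinguishes 'string' from 'freemarker' templates, so templates of type 'string' should never reach the FreeMarker engine at all, and the rendered output should be treated as untrusted HTML by the mail layer rather than assumed safe because it came from a template.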
┌─────────────────────────────────────────────────────────────────────┐
│ ATTACK CHAIN │
├─────────────────────────────────────────────────────────────────────┤
│ 1. Attacker gains access to database (SQL injection, credential │
│ theft, or through another vulnerability) │
│ │
│ 2. Attacker modifies t_mail_template table: │
│ UPDATE t_mail_template SET template_content = '{payload}' │
│ WHERE template_code = 'login_verification_code'; │
│ │
│ 3. Victim triggers email verification: │
│ GET /api/login/sendEmailCode/{loginName} │
│ │
│ 4. LoginService.sendEmailCode() is called │
│ │
│ 5. MailService.sendMail() fetches template from database │
│ │
│ 6. freemarkerResolverContent() renders the malicious template │
│ │
│ 7. Arbitrary code executes on the server │
└─────────────────────────────────────────────────────────────────────┘
Table: t_mail_template
CREATE TABLE `t_mail_template` (
`template_code` varchar(200) NOT NULL,
`template_subject` varchar(100) NOT NULL COMMENT 'Template subject',
`template_content` longtext NOT NULL COMMENT 'Template content (INJECTION POINT)',
`template_type` varchar(50) NOT NULL COMMENT 'Parse type: string, freemarker',
`disable_flag` tinyint(1) NOT NULL DEFAULT 0 COMMENT 'Disabled flag',
`update_time` datetime NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
`create_time` datetime NOT NULL DEFAULT CURRENT_TIMESTAMP,
PRIMARY KEY (`template_code`)
) ENGINE=InnoDB;