万户rce

2023年10月8日16:24:30评论155 views字数 6091阅读20分18秒阅读模式

<?xml version="1.0" encoding="UTF-8"?>  <beans>     <!--General WebService-->     <service  xmlns="http://xfire.codehaus.org/config/1.0">            <name>GeneralWeb</name>            <namespace>http://com.whir.service/GeneralWeb</namespace>            <serviceClass>com.whir.service.webservice.GeneralWeb</serviceClass>           <style>wrapped</style>          <use>literal</use>          <scope>application</scope>      </service></beans>

//  // Source code recreated from a .class file by IntelliJ IDEA  // (powered by FernFlower decompiler)  //  
package com.whir.service.webservice;  
import com.whir.service.common.CallApi;  
public class GeneralWeb {      public GeneralWeb() {      }  
    public String OAManager(String input) throws Exception {          CallApi callapi = new CallApi();          return callapi.getResult(input);      }  }

brimport com.whir.common.util.MD5;  import com.whir.component.config.ConfigXMLReader;  import com.whir.org.common.util.SysSetupReader;  import java.io.ByteArrayInputStream;  import java.io.InputStream;  import java.lang.reflect.InvocationTargetException;  import java.lang.reflect.Method;  import java.util.HashMap;  import java.util.List;  import java.util.Map;  import org.apache.log4j.Logger;  import org.jdom.Document;  import org.jdom.Element;  import org.jdom.input.SAXBuilder;
public String getResult(String input) throws Exception {      if (serviceMap == null) {          throw new Exception("Error: serviceMap can not is null");      } else {          SAXBuilder builder = new SAXBuilder();   //此处使用jdom直接解析xml数据，存在xxe        byte[] b = input.getBytes("utf-8");          InputStream is = new ByteArrayInputStream(b);          Document doc = builder.build(is);          Element root = doc.getRootElement();          boolean isDebug = false;          Element debugElement = root.getChild("debug");          if (debugElement != null && "1".equals(debugElement.getValue())) {              isDebug = true;          }  
        if (isDebug) {              System.out.println("[input]:n" + input);          }  
        String key = root.getChild("key").getValue();          String result = "";          if (!this.checkValid(key)) {              result = "<?xml version="1.0" encoding="UTF-8"?>";              result = result + "<output>";              result = result + "<message>";              result = result + "<result>-1</result>";              result = result + "<description>非法安全认证标识</description>";              result = result + "</message>";              result = result + "</output>";              return result;          } else {              String cmd = root.getChild("cmd").getValue();              String TransCenter = "";              Element TransCenterEle = root.getChild("TransCenter");              if (TransCenterEle != null) {                  TransCenter = TransCenterEle.getValue();              }  
            String ServiceTokenUserFalg = "1";              ConfigXMLReader reader = new ConfigXMLReader();              ServiceTokenUserFalg = reader.getAttribute("serviceKeyList", "ServiceTokenUserFalg");              if (!"getServiceToken".equals(cmd) && !"getCorpSetPO".equals(cmd) && !"getCorpSetAppPO".equals(cmd) && !"TransCenter".equals(TransCenter) && !"getDogApplyInfo".equals(cmd) && !"setDogWriteCount".equals(cmd) && !"getWriteDogNetPassword".equals(cmd) && !"getDogApplyInfoByClientName".equals(cmd) && !"setDogWriteCountAndMacId".equals(cmd) && !"setWriteDogNetPassword".equals(cmd) && !"0".equals(ServiceTokenUserFalg)) {                  Element tokenele = root.getChild("ServiceToken");                  Element serviceKeyele = root.getChild("serviceKey");                  Element userKeyele = root.getChild("userKey");                  Element userKeyTypeele = root.getChild("userKeyType");                  if (tokenele == null || serviceKeyele == null || userKeyele == null || userKeyTypeele == null) {                      logger.debug("-------必填项不能为空!--------");                      result = "<?xml version="1.0" encoding="UTF-8"?>";                      result = result + "<output>";                      result = result + "<message>";                      result = result + "<result>0</result>";                      result = result + "<description>必填项不能为空</description>";                      result = result + "</message>";                      result = result + "</output>";                      return result;                  }  
                String token = root.getChild("ServiceToken").getValue();                  String serviceKey = root.getChild("serviceKey").getValue();                  String userKey = root.getChild("userKey").getValue();                  String userKeyType = root.getChild("userKeyType").getValue();                  Boolean tokenflag = TokenManager.getInstance().judgeToken(token, serviceKey, userKey, userKeyType);                  if (!tokenflag) {                      logger.debug("-------Token令牌验证错误--------");                      result = "<?xml version="1.0" encoding="UTF-8"?>";                      result = result + "<output>";                      result = result + "<message>";                      result = result + "<result>0</result>";                      result = result + "<description>TokenError</description>";                      result = result + "</message>";                      result = result + "</output>";                      return result;                  }              } else {                  logger.debug("-------getServiceToken--------");              }  
            String className = (String)serviceMap.get(cmd);              logger.debug("-------className!--------：" + className);              if (className != null && !"".equals(className.trim())) {                  try {                      Class clazz = Class.forName(className);                      Class[] classTypes = new Class[]{Document.class};                      Object[] params = new Object[]{doc};                      Object target = clazz.getConstructor(classTypes).newInstance(params);                      Class[] methodTypes = new Class[]{String.class};                      Object[] methodParams = new Object[]{cmd};                      Method method = clazz.getMethod("parse", methodTypes);                      result = (String)method.invoke(target, methodParams);                  } catch (ClassNotFoundException var25) {                      var25.printStackTrace();                  } catch (NoSuchMethodException var26) {                      var26.printStackTrace();                      result = "<?xml version="1.0" encoding="UTF-8"?>";                      result = result + "<output>";                      result = result + "<message>";                      result = result + "<result>-1</result>";                      result = result + "<description>未找到对应的方法</description>";                      result = result + "</message>";                      result = result + "</output>";                  } catch (SecurityException var27) {                      var27.printStackTrace();                  } catch (IllegalAccessException var28) {                      var28.printStackTrace();                  } catch (IllegalArgumentException var29) {                      var29.printStackTrace();                      result = "<?xml version="1.0" encoding="UTF-8"?>";                      result = result + "<output>";                      result = result + "<message>";                      result = result + "<result>-1</result>";                      result = result + "<description>参数不合法</description>";                      result = result + "</message>";                      result = result + "</output>";                  } catch (InvocationTargetException var30) {                      var30.printStackTrace();                  } catch (Exception var31) {                      var31.printStackTrace();                  }              }  
            if (isDebug) {                  System.out.println("[output]:n" + result);              }  
            return result;          }      }  }

同时万户使用axis1.4版本 WEB-INF/server-config.wsdd

<service name="AdminService" type="" regenerateElement="false" provider="java:MSG">      <parameter name="allowedMethods" value="AdminService" regenerateElement="false"/>      <parameter name="enableRemoteAdmin" value="false" regenerateElement="false"/>   #此处AdminService没有开启RemoteAdmin，所以只可以本地访问    <parameter name="className" value="org.apache.axis.utils.Admin" regenerateElement="false"/>     <namespace>http://xml.apache.org/axis/wsdd/</namespace>  </service>

参考https://www.cnblogs.com/depycode/p/14844984.html

总结一句话: xxe转get型ssrf，打axis1.4注入新service(未开启adminService所以只能本地访问axis,所以通过xxe去请求,下面poc默认请求的是127.0.0.1:7001内网可能不一定监听在7001)，可以使用com.whir.ezoffice.ezform.util.StringUtil这个类写文件。

万户rce

原文始发于微信公众号（摸鱼Sec）：万户rce

左青龙
微信扫一扫

右白虎
微信扫一扫

万户rce

用友U8-CRM客户关系管理系统downloadfile.php 任意文件读取漏洞

【0day】瑞友天翼应用虚拟化系统

QVD-2024-15263：禅道身份认证绕过漏洞

红海云ehr-RedseaPlatform-文件上传-PtFjk

魔方网表存在文件上传漏洞【附poc】

脸爱云一脸通智慧平台SystemMng信息泄露漏洞【附poc】

瑞友天翼应用虚拟化系统SQL注入致远程代码执行漏洞

脸爱云-UpLoadPic-任意文件上传漏洞复现

MetaCRM客户关系管理系统存在任意文件上传漏洞-PoC

douphp代码执行漏洞

发表评论

在线咨询

微信