Yonyou (用友) Collaborative Office Platform: generic arbitrary file upload getshell

2014-09-01T00:00:00
ID SSV:93343
Type seebug
Reporter Root
Modified 2014-09-01T00:00:00

Description

Brief description:

Universal getshell.

Details:

Upload point: /oaerp/ui/sync/excelUpload.jsp. Approach: 1. bypass the JavaScript restriction and upload a small webshell; 2. use the webshell's naming rule to get a shell. The JavaScript code:

```jsp
<script type="text/javascript">
function upload() {
    var filePath = j$("#file").val();
    if (filePath == "") {
        j$("#file").click();
        return;
    }
    // Extension is checked only here, in the browser; the server accepts whatever is posted.
    var fileExt = filePath.substring(filePath.lastIndexOf("."));
    if (fileExt == ".xls" || fileExt == ".xlsx") { // Burp alone is enough to bypass this restriction
        idForm.action = "/oaerp/ui/sync/excelImport.jsp?selERPType=" + j$("#selERPType").val()
            + "&selTemplate=" + j$("#selTemplate").val();
        j$("#btnUpload").attr("disabled", true);
        idForm.submit();
    } else {
        alert("只能导入excel文件!");
    }
}

j$(document).ready(function(){
    var importType = "<%=importType%>";
    j$("#selTemplate").val(importType);
    j$("#fs" + importType).show();
});
</script>
```
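As an added illustration (not code from the report or from the vendor), a server-side guard for this import endpoint that closes both weaknesses the report relies on: the extension check living only in the browser, and stored names derived from the upload time. The class name, method names and the quarantine directory are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Locale;
import java.util.Set;

/** Hypothetical server-side guard for the Excel import upload (assumed helper, not vendor code). */
public final class ExcelUploadGuard {
    private static final Set<String> ALLOWED_EXT = Set.of("xls", "xlsx");
    // Container signatures: legacy .xls is an OLE2 compound file, .xlsx is a ZIP archive.
    private static final byte[] OLE2_MAGIC = {(byte) 0xD0, (byte) 0xCF, 0x11, (byte) 0xE0,
                                              (byte) 0xA1, (byte) 0xB1, 0x1A, (byte) 0xE1};
    private static final byte[] ZIP_MAGIC = {0x50, 0x4B, 0x03, 0x04};
    private static final SecureRandom RNG = new SecureRandom();

    /** Validates the extension on the server; the client-side check is never trusted. */
    static String validatedExtension(String clientFileName) {
        // Keep only the last path segment so "../x.jsp" or "C:\x.jsp" cannot steer the stored path.
        String base = clientFileName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        int dot = base.lastIndexOf('.');
        if (dot < 0) throw new IllegalArgumentException("missing extension");
        String ext = base.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXT.contains(ext)) throw new IllegalArgumentException("extension not allowed: " + ext);
        return ext;
    }

    /** Checks the body's first bytes against the container format the extension implies. */
    static boolean headerMatches(byte[] content, String ext) {
        byte[] magic = ext.equals("xls") ? OLE2_MAGIC : ZIP_MAGIC;
        return content.length >= magic.length
            && Arrays.equals(Arrays.copyOf(content, magic.length), magic);
    }

    /** Random stored name: nothing about the upload time leaks into the path. */
    static String randomStoredName(String ext) {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.append('.').append(ext).toString();
    }

    /** quarantineDir must sit outside any directory the servlet container executes JSP from. */
    static Path store(byte[] content, String clientFileName, Path quarantineDir) throws IOException {
        String ext = validatedExtension(clientFileName);
        if (!headerMatches(content, ext)) throw new IllegalArgumentException("body is not a " + ext + " container");
        Path target = quarantineDir.resolve(randomStoredName(ext));
        Files.write(target, content);
        return target;
    }
}
```

The magic-byte check only confirms the container type; the stored file should still be opened with the spreadsheet parser before anything acts on it.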

Proof of vulnerability:

1. http://fsd2014.f3322.org:9090/oaerp/ui/sync/excelUpload.jsp

Webshell: jsp.jsp. After uploading, the naming rule turns out to be: upload time (to the second) + jsp.jsp, as follows:

[Screenshot y1.png: https://images.seebug.org/upload/201408/29222402b2d4b1bee0c1624a09782dbd345d826b.png]

So I brute-force the seconds:

[Screenshot b1.png: https://images.seebug.org/upload/201408/29222656b457ea85c2dc1031dde500273d66db08.png]

[Screenshot b2.png: https://images.seebug.org/upload/201408/292227031904ba72beff9246ae668e7937bcbc59.png]

getshell:

[Screenshot b3.png: https://images.seebug.org/upload/201408/29222716dbcb55666efa99dd2ac396c00e674d31.png]

shell: http://fsd2014.f3322.org:9090/oaerphttps://images.seebug.org/upload/20140829221136jsp.jsp password: 1

2. http://220.168.210.109:9090/oaerp/ui/sync/excelUpload.jsp

shell: http://220.168.210.109:9090/oaerphttps://images.seebug.org/upload/20140829222946jsp.jsp password: 1

3. http://oa.danzi.com.cn:9090/oaerp/ui/sync/excelUpload.jsp

shell: http://oa.danzi.com.cn:9090/oaerphttps://images.seebug.org/upload/20140829223826jsp.jsp password: 1