Kingdee Collaborative Office System GETSHELL Vulnerability

2015-07-29T00:00:00
ID SSV:93826
Type seebug
Reporter Root
Modified 2015-07-29T00:00:00

Description

Brief description:

Details:

The Kingdee OA system configures a servlet named Connector in web.xml. It is based on an old version of FCKeditor and has an arbitrary file upload vulnerability. The configuration is as follows:

[Image 1.png (web.xml servlet configuration): https://images.seebug.org/upload/201507/271528549207f4369339710dc3e86cffcd5b8319.png]

The main code decompiled from com.fredck.FCKeditor.connector.ConnectorServlet.class is as follows:

```java
import java.io.File;
import java.io.IOException;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.fileupload.DiskFileUpload;
import org.apache.commons.fileupload.FileItem;

// baseDir, retVal and newName are declared in the parts of the class elided below ("...").
public void doPost(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    // ...
    String commandStr = request.getParameter("Command");
    String typeStr = request.getParameter("Type");
    String currentFolderStr = request.getParameter("CurrentFolder");
    // Type and CurrentFolder are concatenated straight into the target directory path.
    String currentPath = baseDir + typeStr + currentFolderStr;
    String currentDirPath = getServletContext().getRealPath(currentPath);
    // ...
    if (!commandStr.equals("FileUpload")) {
        retVal = "203";
    } else {
        DiskFileUpload upload = new DiskFileUpload();
        try {
            List items = upload.parseRequest(request);
            Map fields = new HashMap();
            Iterator iter = items.iterator();
            while (iter.hasNext()) {
                FileItem item = (FileItem) iter.next();
                if (item.isFormField())
                    fields.put(item.getFieldName(), item.getString());
                else
                    fields.put(item.getFieldName(), item);
            }
            FileItem uplFile = (FileItem) fields.get("NewFile");
            // The file name is taken verbatim from the client-supplied upload path.
            String fileNameLong = uplFile.getName();
            fileNameLong = fileNameLong.replace('\\', '/');
            String[] pathParts = fileNameLong.split("/");
            String fileName = pathParts[(pathParts.length - 1)];
            String nameWithoutExt = getNameWithoutExtension(fileName);
            String ext = getExtension(fileName);
            // The extension is kept as-is; there is no allowlist check anywhere.
            File pathToSave = new File(currentDirPath, fileName);
            int counter = 1;
            while (pathToSave.exists()) {
                newName = nameWithoutExt + "(" + counter + ")" + "." + ext;
                retVal = "201";
                pathToSave = new File(currentDirPath, newName);
                counter++;
            }
            uplFile.write(pathToSave);
        } catch (Exception ex) {
            retVal = "203";
        }
    }
    // ...
}

private static String getNameWithoutExtension(String fileName) {
    return fileName.substring(0, fileName.lastIndexOf("."));
}

private String getExtension(String fileName) {
    return fileName.substring(fileName.lastIndexOf(".") + 1);
}
```

When the Command parameter is FileUpload, the upload proceeds, and the pathToSave file name finally created on the server is derived from the uploaded file's path:

c:\a\b.jsp => b.jsp

As can be seen, the extension is never filtered anywhere in the process. Simply build an upload page locally and upload:
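A hardened replacement for the file-name and directory handling shown above, added here as an example; it is not code from Kingdee or FCKeditor, and the per-Type extension allowlists, the class and method names, and the stem character rule are assumptions to be adjusted for a real deployment:

```java
import java.io.File;
import java.io.IOException;
import java.util.Locale;
import java.util.Set;

/** Resolves where an FCKeditor-style upload may be written, rejecting anything not explicitly allowed. */
public final class SafeUploadTarget {
    // Assumed allowlists per FCKeditor resource type; no executable extension (jsp, jspx, ...) is ever listed.
    private static final Set<String> IMAGE_EXT = Set.of("jpg", "jpeg", "png", "gif");
    private static final Set<String> FILE_EXT  = Set.of("pdf", "doc", "docx", "xls", "xlsx", "zip");

    public static File resolve(File baseDir, String typeStr, String currentFolderStr,
                               String clientFileName) throws IOException {
        Set<String> allowed;
        if ("Image".equals(typeStr)) allowed = IMAGE_EXT;
        else if ("File".equals(typeStr)) allowed = FILE_EXT;
        else throw new IOException("unknown Type: " + typeStr);

        // Same basename extraction as the original servlet, but the result is validated, not trusted.
        String name = clientFileName.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);
        int dot = name.lastIndexOf('.');
        if (dot <= 0 || dot == name.length() - 1) throw new IOException("missing extension");

        // Extension must be on the allowlist for this Type (case-insensitive, so .JSP is not a bypass).
        String ext = name.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!allowed.contains(ext)) throw new IOException("extension not allowed: " + ext);

        // Stem restricted to a conservative character set: no second dot (shell.jsp.zip), NUL, or spaces.
        String stem = name.substring(0, dot);
        if (!stem.matches("[A-Za-z0-9_-]{1,64}")) throw new IOException("bad file name");

        // CurrentFolder may not escape baseDir/Type: canonicalize and compare path prefixes.
        File typeRoot = new File(baseDir, typeStr).getCanonicalFile();
        File dir = new File(typeRoot, currentFolderStr).getCanonicalFile();
        if (!dir.toPath().startsWith(typeRoot.toPath())) throw new IOException("folder escapes root");
        return new File(dir, stem + "." + ext);
    }
}
```

With this in place, the c:\a\b.jsp case from the text is rejected at the extension check, while a name such as report.pdf under Type=File is written only beneath the File root.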

[Image 2.png (local upload page): https://images.seebug.org/upload/201507/28132432de2ecf42ac909906c6b96a790e400b8c.png]

The resulting webshell: http://202.104.120.18:7890/oa/uploadfiles/File/testabc.jsp. Kingdee's official collaborative office system test addresses:

http://kdhr.kingdee.com/oa/login/k3oa.do http://202.104.120.18:7890/oa/

Among the instances indexed by search engines, some have already been getshelled:

http://www.baidu.com/s?wd=inurl%3A%2Foa%2Fthemes%20inurl%3Ajsp&pn=0&oq=inurl%3A%2Foa%2Fthemes%20inurl%3Ajsp&tn=baiduhome_pg&ie=utf-8&rsv_idx=2&rsv_pq=fb5f291b0000049f&rsv_t=82d1fPuT2XOZBoyz9U23%2FZ%2Ft1VKbzrvhMO%2F2TBLPypK2rkEqqA7Xt0LZtkQw42tT1RMn

Proof of vulnerability:

Same as above.