UFIDA software collaborative Office Platform General-purpose Arbitrary File Upload getshell
Kill getshell
Upload point:
/Oaerp/ui/sync/excelUpload.jsp
Ideas:
1. Bypass the JavaScript extension check and upload a small webshell (the "pony");
2. Work out the server's file naming rule to locate the uploaded file and get a shell.
JavaScript code (the only extension check is this client-side one; the server accepts whatever the form submits):
<script type="text/javascript">
function upload() {
    var filePath = j$("#file").val();
    if (filePath == "") {
        j$("#file").click();
        return;
    }
    // Extension taken from the client-supplied path; checked only in the browser
    var fileExt = filePath.substring(filePath.lastIndexOf("."));
    if (fileExt == ".xls" || fileExt == ".xlsx") {
        // burp can bypass this restriction
        idForm.action = "/oaerp/ui/sync/excelImport.jsp?selERPType=" + j$("#selERPType").val()
                      + "&selTemplate=" + j$("#selTemplate").val();
        j$("#btnUpload").attr("disabled", true);
        idForm.submit();
    } else {
        alert("only excel files can be imported!");
    }
}
j$(document).ready(function() {
    var importType = "<%= importType %>";
    j$("#selTemplate").val(importType);
    j$("#fs" + importType).show();
});
</script>
1. http://fsd2014.f3322.org:9090/oaerp/ui/sync/excelUpload.jsp
Uploaded file (pony): jsp.jsp
Naming rule observed after upload: upload time (accurate to the second) + jsp.jsp, as shown below:
Because the only unknown part of the name is the seconds value, it can be brute-forced:
Getshell:
Solution:
Repair method for the high-risk arbitrary file upload:
The server must repeat the suffix check on its own side instead of trusting the browser; if the suffix is jsp, reject the upload.
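The following is an added example of what that server-side fix can look like, written for this write-up and not taken from UFIDA's code. The class name, method names and the magic-byte checks are all assumptions. It addresses both weaknesses the write-up describes: the suffix is validated on the server against an allow-list of the two extensions the importer actually consumes (rather than a deny-list that only rejects jsp), the first bytes of the file must match the claimed type, and the stored name is random instead of the predictable "upload time + jsp.jsp" scheme that allowed the seconds value to be brute-forced.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Locale;
import java.util.Set;

/**
 * Server-side validation for an Excel import endpoint.
 * Added example; hypothetical class, not part of the UFIDA product.
 */
public class SafeExcelUpload {

    // Allow-list: only the extensions the import feature consumes.
    private static final Set<String> ALLOWED_EXT = Set.of("xls", "xlsx");

    // Magic bytes (assumption documented here): legacy .xls is an OLE2 compound
    // file, .xlsx is a ZIP container starting with "PK\003\004".
    private static final byte[] OLE2_MAGIC = {
        (byte) 0xD0, (byte) 0xCF, 0x11, (byte) 0xE0, (byte) 0xA1, (byte) 0xB1, 0x1A, (byte) 0xE1};
    private static final byte[] ZIP_MAGIC = {0x50, 0x4B, 0x03, 0x04};

    private static final SecureRandom RNG = new SecureRandom();

    /** Lower-cased extension after the LAST dot of the bare file name, or null if none. */
    static String extensionOf(String clientFileName) {
        // Drop any directory part the client may have sent ("..\\x.jsp", "/tmp/x.jsp").
        String name = clientFileName.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);
        int dot = name.lastIndexOf('.');
        if (dot < 0 || dot == name.length() - 1) {
            return null;
        }
        return name.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** Allow-list check: "shell.jsp", "data.xls.jsp" and "noext" are all rejected. */
    static boolean extensionAllowed(String clientFileName) {
        String ext = extensionOf(clientFileName);
        return ext != null && ALLOWED_EXT.contains(ext);
    }

    /** The leading bytes must match what the claimed extension promises. */
    static boolean contentMatchesExtension(String ext, byte[] head) {
        if ("xlsx".equals(ext)) {
            return startsWith(head, ZIP_MAGIC);
        }
        if ("xls".equals(ext)) {
            return startsWith(head, OLE2_MAGIC);
        }
        return false;
    }

    private static boolean startsWith(byte[] data, byte[] prefix) {
        return data.length >= prefix.length
                && Arrays.equals(Arrays.copyOf(data, prefix.length), prefix);
    }

    /**
     * Unpredictable stored name: 16 random bytes as hex plus the validated
     * extension. A timestamp-to-the-second name can be enumerated; this cannot.
     */
    static String storedFileName(String ext) {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        StringBuilder sb = new StringBuilder();
        for (byte x : b) {
            sb.append(String.format("%02x", x));
        }
        return sb.append('.').append(ext).toString();
    }

    /** Full decision: returns the name to store under, or throws for a rejected upload. */
    static String validate(String clientFileName, byte[] head) {
        String ext = extensionOf(clientFileName);
        if (ext == null || !ALLOWED_EXT.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + clientFileName);
        }
        if (!contentMatchesExtension(ext, head)) {
            throw new IllegalArgumentException("content does not look like ." + ext);
        }
        return storedFileName(ext);
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the demonstration.
        byte[] xlsxHead = {0x50, 0x4B, 0x03, 0x04, 0x14, 0x00};
        byte[] jspHead = "<%@ page %>".getBytes(StandardCharsets.US_ASCII);

        System.out.println("stored as: " + validate("report.xlsx", xlsxHead));

        String[] rejected = {"jsp.jsp", "data.xls.jsp", "C:\\Users\\x\\shell.jsp", "no_extension"};
        for (String bad : rejected) {
            try {
                validate(bad, jspHead);
                System.out.println("ACCEPTED (bug): " + bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
        // Allowed extension but JSP content: rejected by the magic-byte check.
        try {
            validate("looks_like.xlsx", jspHead);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running `main` prints one random hex name for the genuine spreadsheet and a rejection line for every other input. The check must run in the import handler (the `excelImport.jsp` side), because the browser-side `upload()` function can be edited or skipped entirely; storing the accepted file outside the servlet's web root, so that even an unexpected file is never served or executed, is a further hardening step this example assumes but does not implement.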