### Brief description:

Upload filter bypass; the resulting reach into the intranet is what matters.

### Details:

[WooYun: Arbitrary file upload in a widely deployed large online examination system (affecting banks, securities firms and other enterprises)](http://www.wooyun.org/bugs/wooyun-2015-0108559)

After that issue was reported, a fix was applied, but the fix is flawed: it blocks uploading a jsp webshell, while jspx is not restricted at all.

Uploading a jsp file fails with an error:

[![QQ截图20151227205225.png](https://images.seebug.org/upload/201512/27205116f4aeaea450ddb717de24e2f7fc4c551a.png)](https://images.seebug.org/upload/201512/27205116f4aeaea450ddb717de24e2f7fc4c551a.png)

But jspx goes straight through:

http://exam.kingdee.com/mana/edit/attach_upload.jsp

[![QQ截图20151227204113.png](https://images.seebug.org/upload/201512/27203951350b9116400dda266ae3b453327a64e6.png)](https://images.seebug.org/upload/201512/27203951350b9116400dda266ae3b453327a64e6.png)

A jspx webshell can be uploaded directly. After the upload succeeds, viewing the page source reveals the shell path:

[![QQ截图20151227204224.png](https://images.seebug.org/upload/201512/27204113c1b27498dafa8e17e659fea006f09af5.png)](https://images.seebug.org/upload/201512/27204113c1b27498dafa8e17e659fea006f09af5.png)

### Proof of vulnerability:

Shell address: http://exam.kingdee.comhttps://images.seebug.org/upload/attach/2015-12-27-931825595.jspx
Password: xxxxxx

The server appears to have already become a dumping ground for other people's webshells:

[![QQ截图20151227204414.png](https://images.seebug.org/upload/201512/272042419840626c926344730432eb9e60546f95.png)](https://images.seebug.org/upload/201512/272042419840626c926344730432eb9e60546f95.png)

[![QQ截图20151227204538.png](https://images.seebug.org/upload/201512/27204406ed948066016fc395e48ca7786a078a22.png)](https://images.seebug.org/upload/201512/27204406ed948066016fc395e48ca7786a078a22.png)

There are four more similar upload points:

http://exam.kingdee.com/mana/edit/uploadattcah.jsp

[![QQ截图20151227205509.png](https://images.seebug.org/upload/201512/27205349490bb68f2f21ba5c7833467086e8fef1.png)](https://images.seebug.org/upload/201512/27205349490bb68f2f21ba5c7833467086e8fef1.png)

http://exam.kingdee.com/mana/edit/uploadimg.jsp
http://exam.kingdee.com/mana/edit/uploadmult.jsp
http://exam.kingdee.com/mana/edit/uploadflash.jsp

[![QQ截图20151227205626.png](https://images.seebug.org/upload/201512/272054537885ef51b63713808a0c38eff33a8380.png)](https://images.seebug.org/upload/201512/272054537885ef51b63713808a0c38eff33a8380.png)

[![QQ截图20151227205723.png](https://images.seebug.org/upload/201512/272055517794d91455c941a7817c9c73e665a263.png)](https://images.seebug.org/upload/201512/272055517794d91455c941a7817c9c73e665a263.png)
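The root cause above is a blacklist patch: the fix names `.jsp` and nothing else, so `.jspx`, which the servlet container compiles and executes just the same, is accepted. The following is an added example (not code from the report or from the affected product) that puts the weak blacklist beside the check a maintainer should ship instead: an allowlist of the extensions the attachment endpoint actually needs, applied to a normalised file name, with the stored name chosen by the server rather than the client. The `ALLOWED_EXTENSIONS` set and all sample file names are assumptions constructed for the example.

```python
import os
import uuid
from typing import Optional, Tuple

# Weak check modelled on the patch the report describes: a blacklist that only
# names ".jsp". Every other server-side extension (".jspx" here) passes.
BLOCKED_EXTENSIONS = {".jsp"}

# Hardened check: an allowlist of what an attachment endpoint actually needs.
# Assumed set for this example; the real application's requirements are not on the page.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx"}


def _normalise(filename: str) -> str:
    """Strip directory components and trailing dots/spaces from a client-supplied
    name; both are common ways of confusing an extension check."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rstrip(". ")


def _extension(filename: str) -> str:
    """Lower-cased extension of the normalised name ('' if there is none)."""
    return os.path.splitext(_normalise(filename))[1].lower()


def blacklist_allows(filename: str) -> bool:
    """The weak check: accept anything whose extension is not explicitly blocked."""
    return _extension(filename) not in BLOCKED_EXTENSIONS


def allowlist_allows(filename: str) -> bool:
    """The hardened check: accept only a plain file name with an allowed extension."""
    if "\x00" in filename:                 # an embedded NUL can truncate the name downstream
        return False
    if _normalise(filename) != filename:   # reject path components and trailing dots/spaces
        return False
    return _extension(filename) in ALLOWED_EXTENSIONS


def storage_name(filename: str) -> Optional[str]:
    """Server-chosen name for an accepted upload: random stem plus the validated
    extension, so the client never controls the stored path. None if rejected."""
    if not allowlist_allows(filename):
        return None
    return f"{uuid.uuid4().hex}{_extension(filename)}"


def check(filename: str) -> Tuple[bool, bool]:
    """(blacklist verdict, allowlist verdict) for one client-supplied name."""
    return blacklist_allows(filename), allowlist_allows(filename)


if __name__ == "__main__":
    # Constructed sample names, not taken from the report.
    for name in ["report.pdf", "shell.jsp", "shell.jspx", "SHELL.JSP",
                 "shell.jsp.", "shell.jspx\x00.png", "../shell.jspx"]:
        print(repr(name), check(name))
```

Running the block shows the report's bug in one line: `shell.jspx` is `(True, False)`, accepted by the blacklist and rejected by the allowlist. The allowlist is only part of the fix; the accepted file should also be written under the server-generated name to a directory the servlet container does not treat as executable, and served with a content type derived from the validated extension, not from the client's `Content-Type` header.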