<p>Affected version: WCM 5.2; other versions have not been tested.</p><p>The TRS WCM Web Service exposes a way to write files to the server, so a JSP file can be written directly to obtain a webshell.<br></p><p>The TRS WCM Web Service information can be viewed by visiting <a href="http://xxx.com/wcm/services" rel="nofollow">http://xxx.com/wcm/services</a>.</p><p><img alt="wcm-services.jpg" src="https://images.seebug.org/contribute/1a8eeffa-78c0-4c8e-8706-2e36d1f0467f-wcm-services.jpg" data-image-size="360,562"><br></p><p>Use SoapUI to connect to <a href="http://xxx.com/wcm/services/" rel="nofollow">http://xxx.com/wcm/services/</a>trs:templateservicefacade?wsdl and call writeFile and writeSpecFile to upload a webshell.</p><p><img alt="soap上传.jpg" src="https://images.seebug.org/contribute/2e85e82b-df65-4723-be94-c753e8823d4a-soap上传.jpg" data-image-size="1288,521"><br></p><p>The vulnerability is verified by requesting <a href="http://xxx.com/wcm/services/" rel="nofollow">http://xxx.com/wcm/services/</a>trs:templateservicefacade?wsdl and checking whether the response contains writeFile and writeSpecFile.</p>
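<p>The verification step above, written as an exposure check for auditing your own WCM deployment. This is an added example, not code from the original write-up: it parses the service description instead of substring-matching, so a mention of writeFile in documentation text does not count as an exposed operation. The sample WSDL, its portType and namespace names, and the function names are constructed for illustration, and the check assumes the service publishes a WSDL 1.1 description.</p>

```python
import xml.etree.ElementTree as ET

# WSDL 1.1 namespace (assumption: the service description is WSDL 1.1).
WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
# Operation names the write-up says to look for in the service description.
FILE_WRITE_OPS = {"writeFile", "writeSpecFile"}

# Constructed sample WSDL for offline use; not captured from a real TRS WCM server.
SAMPLE_WSDL = """
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                  targetNamespace="urn:example:templateservice">
  <wsdl:documentation>writeFile is mentioned here only as text</wsdl:documentation>
  <wsdl:portType name="TemplateServiceFacade">
    <wsdl:operation name="writeFile"/>
    <wsdl:operation name="writeSpecFile"/>
    <wsdl:operation name="getTemplate"/>
  </wsdl:portType>
  <wsdl:binding name="TemplateServiceSoapBinding" type="TemplateServiceFacade">
    <wsdl:operation name="writeFile"/>
  </wsdl:binding>
</wsdl:definitions>
""".strip()


def exposed_operations(wsdl_text):
    """Return the set of operation names declared in any portType of the WSDL."""
    try:
        root = ET.fromstring(wsdl_text)
    except ET.ParseError:
        return set()  # a malformed error page or empty body is not a WSDL
    ops = set()
    for port_type in root.iter(f"{{{WSDL_NS}}}portType"):
        for op in port_type.findall(f"{{{WSDL_NS}}}operation"):
            name = op.get("name")
            if name:
                ops.add(name)
    return ops


def file_write_exposure(wsdl_text):
    """Return the sorted file-write operations that the WSDL actually declares."""
    return sorted(exposed_operations(wsdl_text) & FILE_WRITE_OPS)


if __name__ == "__main__":
    found = file_write_exposure(SAMPLE_WSDL)
    print("file-write operations exposed:", found or "none")
```

<p>A non-empty result means the file-write operations are published on that endpoint and the Web Service path should be restricted or disabled.</p>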