金蝶协同办公系统 GETSHELL漏洞

### 简要描述： ### 详细说明： 金蝶OA系统在web.xml中配置了一个servlet Connector，是基于旧版本的fckeditor，存在任意文件上传漏洞，配置如下： [<img src="https://images.seebug.org/upload/201507/271528549207f4369339710dc3e86cffcd5b8319.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201507/271528549207f4369339710dc3e86cffcd5b8319.png) com.fredck.FCKeditor.connector.ConnectorServlet.class反编译出主要代码如下： ``` public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { …… String commandStr = request.getParameter("Command"); String typeStr = request.getParameter("Type"); String currentFolderStr = request.getParameter("CurrentFolder"); String currentPath = baseDir + typeStr + currentFolderStr; String currentDirPath = getServletContext().getRealPath(currentPath); …… if (!commandStr.equals("FileUpload")) { retVal = "203"; } else { DiskFileUpload upload = new DiskFileUpload(); try { List items = upload.parseRequest(request); Map fields = new HashMap(); Iterator iter = items.iterator(); while (iter.hasNext()) { FileItem item = (FileItem)iter.next(); if (item.isFormField()) fields.put(item.getFieldName(), item.getString()); else fields.put(item.getFieldName(), item); } FileItem uplFile = (FileItem)fields.get("NewFile"); String fileNameLong = uplFile.getName(); fileNameLong = fileNameLong.replace('\\', '/'); String[] pathParts = fileNameLong.split("/"); String fileName = pathParts[(pathParts.length - 1)]; String nameWithoutExt = getNameWithoutExtension(fileName); String ext = getExtension(fileName); File pathToSave = new File(currentDirPath, fileName); int counter = 1; while (pathToSave.exists()) { newName = nameWithoutExt + "(" + counter + ")" + "." + ext; retVal = "201"; pathToSave = new File(currentDirPath, newName); counter++; } uplFile.write(pathToSave); } catch (Exception ex) { retVal = "203"; } } …… } private static String getNameWithoutExtension(String fileName) { return fileName.substring(0, fileName.lastIndexOf(".")); } private String getExtension(String fileName) { return fileName.substring(fileName.lastIndexOf(".") + 1); } ``` 当Command参数为FileUpload时进行上传，最终服务器上生成的pathToSave文件名，由上传文件路径获得: ``` c:\a\b.jsp => b.jsp ``` 可以看到整个过程是没有过滤后缀的。 直接本地构造一个上传页面即可上传： [<img src="https://images.seebug.org/upload/201507/28132432de2ecf42ac909906c6b96a790e400b8c.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201507/28132432de2ecf42ac909906c6b96a790e400b8c.png) 得到webshell如下： http://202.104.120.18:7890/oa/uploadfiles/File/testabc.jsp 金蝶官方协同办公系统测试地址： ``` http://kdhr.kingdee.com/oa/login/k3oa.do http://202.104.120.18:7890/oa/ ``` 搜索引擎中记录的，有些已经被getshell了： ``` http://www.baidu.com/s?wd=inurl%3A%2Foa%2Fthemes%20inurl%3Ajsp&pn=0&oq=inurl%3A%2Foa%2Fthemes%20inurl%3Ajsp&tn=baiduhome_pg&ie=utf-8&rsv_idx=2&rsv_pq=fb5f291b0000049f&rsv_t=82d1fPuT2XOZBoyz9U23%2FZ%2Ft1VKbzrvhMO%2F2TBLPypK2rkEqqA7Xt0LZtkQw42tT1RMn ``` ### 漏洞证明： 同上