Vulnerability Detail Report
Vulnerability Overview
- ZDID: ZD-2022-00155
- Vendor: Taiwan Power Company (台灣電力公司)
- Title: [Bounty] 電力即點APP Arbitrary File Upload to RCE
- Introduction: Arbitrary File Upload
Processing Status
Current Status
Public
Last Update : 2022/04/22
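Processing History
- 2022/02/24 22:49:32 : Newly submitted (status updated by MksYi)
- 2022/02/24 23:23:57 : Newly submitted (status updated by MksYi)
- 2022/02/25 00:23:41 : Newly submitted (status updated by MksYi)
- 2022/02/25 09:43:38 : Newly submitted (status updated by MksYi)
- 2022/02/26 09:01:28 : Newly submitted (status updated by MksYi)
- 2022/02/26 10:14:43 : Under review (status updated by the HITCON ZeroDay service team)
- 2022/04/18 17:24:26 : Retest requested (status updated by the HITCON ZeroDay service team)
- 2022/04/18 17:31:42 : Fix confirmed (status updated by MksYi)
- 2022/04/22 03:00:27 : Public (automatically updated by the HITCON ZeroDay platform)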
Details
- ZDID: ZD-2022-00155
- Reporter: MksYi (MksYi)
- Risk: Critical
- Type: Arbitrary File Upload
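References
An attacker can upload arbitrary files to the host and may be able to obtain system privileges on the host through an uploaded file.
Vulnerability description: OWASP - Unrestricted File Upload
https://www.owasp.org/index.php/Unrestricted_File_Upload
Vulnerability description: CWE-434: Unrestricted Upload of File with Dangerous Type
https://cwe.mitre.org/data/definitions/434.html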
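(The information in this field is generated automatically by the system from the vulnerability category and serves as reference material for the vulnerability.)
Related URL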
https://powerispoint.taipower.com.tw/HtmlEdit/ImageUpload
Description
Arbitrary File Upload
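- Through the vulnerability "ZD-2022-00152 (https://zeroday.hitcon.org/vulnerability/ZD-2022-00152)", first discovered "Reward Puzzle Management / Add" (獎勵拼圖管理 / 新增), which allows uploading images.
- Attempted to upload `aspx` directly; this failed.
- By embedding aspx syntax within the image file header and modifying the file name, successfully bypassed the upload restriction.
- Accessed the file and achieved RCE.
- Successfully escalated privileges on the system to `nt authority\system`, the highest privilege level.
- Obtained the status of hosts on the same internal network segment.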
- The system's upload function does not verify permissions; anyone who knows the method can upload files at will.
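
The server-side checks that address the three weaknesses described above (a header-only content check, a client-controlled file name, and no permission check), as an added example that is not part of the original report or the vendor's code. `weak_store_name` is a hypothetical model of the bypassed check and `hardened_store_name` its corrected form; all names, the allowed image types and the size limit are assumptions.

```python
import os
import secrets

# Assumption: the feature only needs these image types (magic bytes -> stored extension).
MAGIC = {b"\x89PNG\r\n\x1a\n": ".png", b"\xff\xd8\xff": ".jpg",
         b"GIF87a": ".gif", b"GIF89a": ".gif"}
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}


class UploadRejected(Exception):
    """Raised when an upload fails a server-side check."""


def sniff_ext(data):
    """Map leading magic bytes to an extension, or None if not an allowed image."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def weak_store_name(client_name, data):
    """Hypothetical model of the bypassed check: the header looks like an image,
    but the client-supplied file name (and its extension) is kept."""
    if sniff_ext(data) is None:
        raise UploadRejected("not an image")
    return client_name


def hardened_store_name(client_name, data, user, max_bytes=2 * 1024 * 1024):
    """Return a server-chosen name; the client never controls the stored extension."""
    if user is None:
        raise UploadRejected("authentication required")
    if not data or len(data) > max_bytes:
        raise UploadRejected("empty or oversized upload")
    ext = sniff_ext(data)
    if ext is None:
        raise UploadRejected("content is not an allowed image type")
    base = os.path.basename(client_name.replace("\\", "/"))
    claimed = os.path.splitext(base)[1].lower()
    if claimed not in ALLOWED_EXT:
        raise UploadRejected("extension not on allowlist: %r" % claimed)
    # Random name plus an extension derived from the content, so nothing the
    # client sent can map the stored file to a script handler.
    return secrets.token_hex(16) + ext
```

Files accepted this way should still be stored in a location where the web server does not execute scripts.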