WooYun (WooYun.org) historical vulnerability lookup: http://wy.zone.ci/
WooYun Drops articles online: http://drop.zone.ci/
2014-06-07: Details sent to the vendor, awaiting vendor handling
2014-06-11: Vendor confirmed; details disclosed to the vendor only
2014-06-14: Details opened to third-party security partners
2014-08-05: Details opened to core white hats and relevant domain experts
2014-08-15: Details opened to ordinary white hats
2014-08-25: Details opened to intern white hats
2014-09-05: Details disclosed to the public
Wanhu OA: arbitrary file download leading to getshell
download.jsp starts with an authentication check:
<% if (session.getAttribute("userName") == null) { %>
<script language="javascript">
//window.close();
</script>
<% } else { %>
<%
    String local = session.getAttribute("org.apache.struts.action.LOCALE") != null
            ? session.getAttribute("org.apache.struts.action.LOCALE").toString()
            : "zh_cn";
    request.setCharacterEncoding("UTF-8");
%>
But inside it there is a redirect to another file, download_old.jsp:
if (FileName.endsWith(".xls")) {
    //click --;
    response.sendRedirect("download_old.jsp?path=" + request.getParameter("path")
            + "&name=" + java.net.URLEncoder.encode(name, "UTF-8")
            + "&FileName=" + FileName);
    return;
}
download_old.jsp, however, has no authentication at all: it can be accessed freely, and it also contains an arbitrary file download.
<%
request.setCharacterEncoding("UTF-8");
try {
    // Get the file name and path
    String filepath = "";
    HttpServletRequest HSR = (HttpServletRequest) pageContext.getRequest();
    String path = request.getParameter("path");
    filepath = HSR.getRealPath("/upload/") + "/" + path + "/";
    String filename = request.getParameter("FileName");
    String name = request.getParameter("name");
    //name = new String(name.getBytes("GBK"), "iso-8859-1");
    UploadFile upFile = new UploadFile();
    String encrypt = upFile.getFileEncrypt(filename);

    //-------------------- UTF-8 encoding: the encoded length must not exceed 150, otherwise the file name is garbled ----- start
    String fileNameTemp = java.net.URLEncoder.encode(name, "UTF-8");
    if (fileNameTemp.length() > 112) {
        int dotIndex = name.lastIndexOf("."); // position of the '.' before the file extension
        int endIndex = 12;                    // truncation length
        if (dotIndex <= endIndex) {
            endIndex = dotIndex - 1;
        }
        //name = name.substring(0, endIndex) + name.substring(dotIndex);
        //fileNameTemp = java.net.URLEncoder.encode(name, "UTF-8");
    }
    fileNameTemp = java.net.URLEncoder.encode(name, "GBK");
    fileNameTemp = java.net.URLDecoder.decode(fileNameTemp, "ISO8859_1");
    //-------------------- UTF-8 encoding: the encoded length must not exceed 150, otherwise the file name is garbled ----- end

    String datePath = filename.substring(0, 6);
    java.io.File newfile = new java.io.File(filepath + datePath + "/" + filename);
    java.io.File file = new java.io.File(filepath + filename);
    if (file.exists() || newfile.exists()) {
        // Set the response headers and the file name to save the download as
        response.setContentType("application/x-msdownload");
        response.setHeader("Content-Disposition", "attachment; filename=\"" + fileNameTemp + "\"");

        // Open a stream on the specified file
        //java.io.FileInputStream fileInputStream = new java.io.FileInputStream(filepath + filename);
        //out.clearBuffer();
        // Write out the stream
        //int i;
        //while ((i = fileInputStream.read()) != -1) {
        //    out.write(i);
        //}
        //fileInputStream.close();
        //out.close();

        String pathTemp = "";
        if (newfile.exists()) {
            pathTemp = datePath + "/";
        }
        out.clearBuffer();
        if ("1".equals(encrypt)) {
            upFile.decryptFile(filepath + pathTemp + filename, response.getOutputStream(), true);
        } else {
            java.io.FileInputStream fileInputStream = new java.io.FileInputStream(filepath + pathTemp + filename);
            //out.clearBuffer();
            java.io.BufferedInputStream bis = new java.io.BufferedInputStream(fileInputStream);
            byte[] buffer = new byte[1024];
            java.io.OutputStream os = response.getOutputStream();
            while (bis.read(buffer) > 0) {
                os.write(buffer);
            }
            fileInputStream.close();
            os.close();
        }
        out.close();
Crafting the path and FileName parameters directly is enough to download arbitrary files.
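The handler above concatenates the unvalidated path and FileName parameters onto the upload directory and serves whatever File.exists() finds, and nothing on the route checks the session that download.jsp does. As an added defensive example, not code from Wanhu OA or from the report, the servlet-style handler below shows the two missing controls: the same "userName" session check download.jsp performs, and canonical-path containment so that the resolved file can never leave the upload root, whether via "..", an absolute path, or a symlink. The class name SafeDownload, the uploadRoot argument and the use of javax.servlet are assumptions for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical hardened replacement for the download_old.jsp logic (assumed names: SafeDownload, uploadRoot).
public class SafeDownload {

    private final Path uploadRoot;

    public SafeDownload(Path uploadRoot) throws IOException {
        // Canonicalise the root once so that later startsWith() comparisons are meaningful.
        this.uploadRoot = uploadRoot.toRealPath();
    }

    /**
     * Resolve path + fileName strictly inside the upload root, or return null.
     * Rejects absolute paths, ".." segments, separators inside FileName and
     * symlinks whose target lies outside the root.
     */
    public Path resolveInsideRoot(String path, String fileName) throws IOException {
        if (path == null || fileName == null) {
            return null;
        }
        // FileName is expected to be a bare name; any separator or traversal token is rejected outright.
        if (fileName.contains("/") || fileName.contains("\\") || fileName.contains("..")) {
            return null;
        }
        // resolve() of an absolute "path" discards the root, so the containment check below catches it.
        Path candidate = uploadRoot.resolve(path).resolve(fileName).normalize();
        if (!candidate.startsWith(uploadRoot)) {
            return null;                       // lexical containment failed (e.g. "../../WEB-INF")
        }
        if (!Files.isRegularFile(candidate)) {
            return null;                       // directories, devices and missing files are not served
        }
        Path real = candidate.toRealPath();    // follows symlinks
        if (!real.startsWith(uploadRoot)) {
            return null;                       // physical containment failed (symlink escaping the root)
        }
        return real;
    }

    public void handle(HttpServletRequest request, HttpServletResponse response) throws IOException {
        // The check download.jsp performs but download_old.jsp omits.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("userName") == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        Path file = resolveInsideRoot(request.getParameter("path"), request.getParameter("FileName"));
        if (file == null) {
            // Same response for "outside root" and "not found" so the handler is not a path oracle.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        response.setContentType("application/octet-stream");
        // Build the header from the resolved file's own name rather than the raw "name" parameter,
        // so request-controlled quotes or CR/LF never reach the header.
        String safeName = file.getFileName().toString().replace("\"", "");
        response.setHeader("Content-Disposition", "attachment; filename=\"" + safeName + "\"");
        Files.copy(file, response.getOutputStream());
    }
}
```

Two of the design choices matter in practice: containment is checked twice, once lexically after normalize() and once physically after toRealPath(), because a normalised path that looks inside the root can still point outside it through a symlink; and the error responses are deliberately identical, so a caller cannot distinguish a file that is outside the root from one that does not exist.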
Wanhu OA also ships the eWebEditor editor, whose password is hardcoded in the source, at the file path
defaultroot\public\edit\jsp\config.jsp
Crafting the parameters to download and read the editor's username and password is enough to log into the editor and getshell.
The password is in most cases admin or qwertyuiop123.
Severity: High
Vulnerability Rank: 11
Confirmed: 2014-06-11 16:42
None