
Vulnerability summary

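Bug ID: wooyun-2015-0111687

Title: B卷网 getshell & database connectable

Vendor: B卷网

Author: 路人甲

Submitted: 2015-05-21 16:34

Fixed: 2015-07-05 16:36

Disclosed: 2015-07-05 16:36

Vulnerability type: Command execution

Severity: Medium

Self-assessed rank: 10

Status: Vendor could not be contacted, or the vendor actively ignored the report

Source: http://www.wooyun.org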



Vulnerability details

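Disclosure status:

2015-05-21: Actively contacting the vendor and waiting for the vendor to claim the report; details are not public
2015-07-05: The vendor has actively ignored the vulnerability; details are disclosed to the public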

Brief description:

B卷网 getshell & database connectable

Detailed description:

http://www.bjuan.cn/front/login/resetPassword.action
The site has a Struts2 command execution vulnerability that leads to getshell.

Proof of vulnerability:

#values are "system-env" or "this";
#if value is "this" , using the paoding.dic.home as dicHome if configed!
#paoding.dic.home.config-fisrt=system-env
#dictionary home (directory)
#"classpath:xxx" means dictionary home is in classpath.
#e.g "classpath:dic" means dictionaries are in "classes/dic" directory or any other classpath directory
paoding.dic.home=classpath:dic
paoding.dic.detector.interval=60
#seconds for dic modification detection
#paoding.dic.detector.interval=60


#------------ MySQL ------------
jdbc.driver=com.mysql.jdbc.Driver
#jdbc.url=jdbc\:mysql\://127.0.0.1\:3306/zxjy?useUnicode\=true&autoReconnect\=true&characterEncoding\=UTF-8&zeroDateTimeBehavior\=convertToNull
jdbc.url=jdbc\:mysql\://localhost\:3306/zxjy?useUnicode\=true&autoReconnect\=true&characterEncoding\=UTF-8&zeroDateTimeBehavior\=convertToNull
jdbc.username=zxjy
jdbc.password=saiya13072014
#jdbc.username=root
#jdbc.password=root
#Set the database dialect
hibernate.dialect=org.hibernate.dialect.MySQLDialect
#Whether to show SQL
hibernate.show_sql=fasle
#Format the SQL statements written to the console
hibernate.format_sql=false
#Hibernate database connection timeout setting
hibernate.autoReconnect=true
#Specifies when Hibernate releases the JDBC connection. By default, the JDBC connection is not released until the Session is explicitly closed or disconnected
hibernate.connection.release_mode=auto
#connection.useUnicode: whether to use Unicode encoding when connecting to the database
Connection.useUnicode=true
#connection.characterEncoding: character set encoding used to transfer data when connecting to the database; UTF-8 is recommended
connection.characterEncoding=UTF-8
#Automatically create|update|validate the database table structure
#hibernate.hbm2ddl.auto=update
#Enable the second-level cache
hibernate.cache.use_second_level_cache=false
#Cache provider to use -- alternative cache provider: org.hibernate.cache.EhCacheProvider
hibernate.cache.provider_class=org.hibernate.cache.OSCacheProvider
#Enable the query cache of the second-level cache
hibernate.cache.use_query_cache=false
#Database batch fetch size
hibernate.jdbc.fetch_size=50
#Database batch update size
hibernate.jdbc.batch_size=30

Remediation:

Patch + configuration

Copyright notice: when reposting, credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Unable to contact the vendor, or the vendor actively declined