当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-073391

漏洞标题:太仓市委组织部365体系综合平台getshell+数据信息

相关厂商:cncert国家互联网应急中心

漏洞作者: CoffeeSafe

提交时间:2014-08-22 11:11

修复时间:2014-10-06 11:12

公开时间:2014-10-06 11:12

漏洞类型:命令执行

危害等级:中

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-08-22: 细节已通知厂商并且等待厂商处理中
2014-08-27: 厂商已经确认,细节仅向厂商公开
2014-09-06: 细节向核心白帽子及相关领域专家公开
2014-09-16: 细节向普通白帽子公开
2014-09-26: 细节向实习白帽子公开
2014-10-06: 细节向公众公开

简要描述:

太仓市委组织部365体系综合平台getshell+数据信息

详细说明:

太仓市委组织部365体系综合平台getshell+数据信息
地址:http://zzb.taicang.gov.cn/
存在struts2漏洞-导致直接getshell
0x01:

1.jpg


1.jpg


url:http://zzb.taicang.gov.cn/test.txt
0x02:

<config>
	<enabled>true</enabled>
	<baseDir></baseDir>
	<baseURL>http://192.168.1.102:8080/365SERVICE/userfiles/</baseURL>
	<licenseKey></licenseKey>
	<licenseName></licenseName>
	<imgWidth>1600</imgWidth>
	<imgHeight>1200</imgHeight>
	<imgQuality>80</imgQuality>
	<uriEncoding>UTF-8</uriEncoding>
	<forceASCII>false</forceASCII>
	<userRoleSessionVar>CKFinder_UserRole</userRoleSessionVar>
	<checkDoubleExtension>true</checkDoubleExtension>
	<checkSizeAfterScaling>true</checkSizeAfterScaling>
	<secureImageUploads>true</secureImageUploads>
	<htmlExtensions>html,htm,xml,js</htmlExtensions>
	<hideFolders>
		<folder>.svn</folder>
		<folder>CVS</folder>
	</hideFolders>
	<hideFiles>
		<file>.*</file>
	</hideFiles>
	<defaultResourceTypes></defaultResourceTypes>
	<types>
		<type name="Files">
			<url>%BASE_URL%files/</url>
			<directory>%BASE_DIR%files</directory>
			<maxSize>0</maxSize>
			<allowedExtensions>7z,aiff,asf,avi,bmp,csv,doc,docx,fla,flv,gif,gz,gzip,jpeg,jpg,mid,mov,mp3,mp4,mpc,mpeg,mpg,ods,odt,pdf,png,ppt,pptx,pxd,qt,ram,rar,rm,rmi,rmvb,rtf,sdc,sitd,swf,sxc,sxw,tar,tgz,tif,tiff,txt,vsd,wav,wma,wmv,xls,xlsx,zip
			</allowedExtensions>
			<deniedExtensions></deniedExtensions>
		</type>
		<type name="Images">
			<url>%BASE_URL%images/</url>
			<directory>%BASE_DIR%images</directory>
			<maxSize>0</maxSize>
			<allowedExtensions>bmp,gif,jpeg,jpg,png</allowedExtensions>
			<deniedExtensions></deniedExtensions>
		</type>
		<type name="Flash">
			<url>%BASE_URL%flash/</url>
			<directory>%BASE_DIR%flash</directory>
			<maxSize>0</maxSize>
			<allowedExtensions>swf,flv</allowedExtensions>
			<deniedExtensions></deniedExtensions>
		</type>
	</types>
	<accessControls>
		<accessControl>
			<role>*</role>
			<resourceType>*</resourceType>
			<folder>/</folder>
			<folderView>true</folderView>
			<folderCreate>true</folderCreate>
			<folderRename>true</folderRename>
			<folderDelete>true</folderDelete>
			<fileView>true</fileView>
			<fileUpload>true</fileUpload>
			<fileRename>true</fileRename>
			<fileDelete>true</fileDelete>
		</accessControl>
	</accessControls>
	<thumbs>
		<enabled>true</enabled>
		<url>%BASE_URL%_thumbs/</url>
		<directory>%BASE_DIR%_thumbs</directory>
		<directAccess>false</directAccess>
		<maxHeight>100</maxHeight>
		<maxWidth>100</maxWidth>
		<quality>80</quality>
	</thumbs>
	<plugins>
		<plugin>
			<name>imageresize</name>
			<class>com.ckfinder.connector.plugins.ImageResize</class>
			<params>
				<param name="smallThumb" value="90x90"></param>
				<param name="mediumThumb" value="120x120"></param>
				<param name="largeThumb" value="180x180"></param>
			</params>
		</plugin>
		<plugin>
			<name>fileeditor</name>
			<class>com.ckfinder.connector.plugins.FileEditor</class>
			<params></params>
		</plugin>
	</plugins>
	<basePathBuilderImpl>com.ckfinder.connector.configuration.ConfigurationPathBuilder</basePathBuilderImpl>
</config>


<session-factory>
		<!-- 杩???诲? -->
		<property name="connection.driver_class">oracle.jdbc.driver.OracleDriver</property>
		<property name="connection.url">jdbc:oracle:thin:@127.0.0.1:1521:ORCL</property>
		<property name="connection.username">service365</property>
		<property name="connection.password">service365</property>
		<property name="dialect">org.hibernate.dialect.OracleDialect</property>
		<property name="hibernate.show_sql">true</property>		
		<property name="hibernate.current_session_context_class">org.springframework.orm.hibernate3.SpringSessionContext</property>		
		<property name="hibernate.connection.provider_class">org.hibernate.connection.C3P0ConnectionProvider</property>
		 <!-- ??ぇ杩????-->

漏洞证明:

gov 的站点何况是太仓市委组织部!被利用,后果也是挺大的。

修复方案:

升级+配置!

版权声明:转载请注明来源 CoffeeSafe@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2014-08-27 10:08

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给江苏分中心处置。

最新状态:

暂无

漏洞评价:

评论