### Summary:

getshell in a government information disclosure system. The way the shell is obtained is different from the one I posted a couple of days ago.

### Details:

The authorization bypass is in setup/opr_setting.jsp. The shell is obtained through the JSP that uploads the license file, setup/opr_licenceinfo.jsp.

### Proof of vulnerability:

```jsp
<%
String strRealPath = application.getRealPath("");
strRealPath = strRealPath.replace('\\','/');
if(strRealPath.endsWith("/")) strRealPath = strRealPath.substring(0, strRealPath.length() - 1); // system path
jcms.sys.Install install = new jcms.sys.Install( strRealPath );
install.setMerpHome( );
String servername = Convert.getParameter( request,"servername");
servername = servername.toLowerCase();
String jndi = Convert.getParameter( request,"jndi");
String adminpwd = Convert.getParameter( request,"adminpwd");
String dbtypename = Convert.getParameter( request,"dbtypename");
dbtypename = dbtypename.toLowerCase();
// write the merpserver.ini configuration file
String iniPath = strRealPath + "/WEB-INF/ini/merpserver.ini";
boolean bl = false;
String strMsg = "";
IniFile ini = new IniFile( iniPath );
………………
```

There is no permission check at all.

Directly accessing http://xxgk.yzcity.gov.cn/govdiropen/setup/opr_setting.jsp can wipe the setup backend's configuration data.

![image001.png](https://images.seebug.org/upload/201403/0323502313f92a412def481cf8155cfe2e389a1b.png)

At this point the setup login password has already been cleared. (This is risky, please don't try it casually; don't repeat my mistake...)

When submitting the data, leave the password empty and the login succeeds.

![image002.png](https://images.seebug.org/upload/201403/032350491567f745ccbf670be2346bb5147a9878.png)

![image004.png](https://images.seebug.org/upload/201403/03235107e2c6ff76362a12112fb243696cea492d.png)

Here there is an option to upload a licence file. Upload a jsp.licence, then modify the request and change the file name to "jsp.jsp".

![image006.png](https://images.seebug.org/upload/201403/03235125bd6733212caf1d02e8249067fc3954ff.png)

![image008.png](https://images.seebug.org/upload/201403/0323513845635d469fa363582d9ae934ec42bbb5.png)

Success, connect to it.

![image009.png](https://images.seebug.org/upload/201403/03235157b87f7351f00b8b41c96d953c5a60a0b4.png)
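Both findings above come down to the same two missing server-side checks: nothing verifies a setup login before opr_setting.jsp rewrites the configuration, and the licence upload trusts the client-supplied file name. As an added example (not code from the report or from the JCMS product), here is how a Java servlet filter mapped to `/setup/*` plus a server-side name check for the licence upload would close both gaps; the filter mapping, the `setupAdmin` session attribute and the `safeLicenceName` helper are assumptions.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter, mapped to /setup/* in web.xml, so that every setup page
// (opr_setting.jsp, opr_licenceinfo.jsp, ...) is reached only with a live
// setup session. The "setupAdmin" attribute name is an assumption.
public class SetupAuthFilter implements Filter {
    @Override
    public void init(FilterConfig cfg) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false);   // never create a session here
        boolean loggedIn = session != null
                && Boolean.TRUE.equals(session.getAttribute("setupAdmin"));
        if (!loggedIn) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;                                     // stop before the JSP runs
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {}

    // Server-side check for the licence upload (hypothetical helper): the
    // client-supplied name is reduced to its base name and must end in
    // ".licence"; the name actually stored on disk is generated by the server,
    // so a multipart field renamed to "jsp.jsp" is rejected and never written.
    public static String safeLicenceName(String clientName) {
        if (clientName == null) return null;
        String base = clientName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1).toLowerCase(Locale.ROOT);
        if (base.indexOf('\0') >= 0 || !base.endsWith(".licence")) {
            return null;                                // wrong extension or embedded NUL
        }
        return "licence-" + System.currentTimeMillis() + ".licence";
    }
}
```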