One Community APP and multiple Website Security Vulnerabilities (GetShell)

One Community APP and multiple Website Security Vulnerabilities (GetShell)

Community APP and website No. 1 have multiple high-risk security vulnerabilities and have obtained all website and server permissions.

Detailed description:

Community APP and website No. 1 stored in SQL injection, weak background passwords, order traversal, struts2 command execution, and many other high-risk security vulnerabilities

Proof of vulnerability:

1. An injection point exists in an APP interface and runs as root. All database information can be viewed.

Http://eshop.yihao01.com/basedata/api/getUnitListByCity? CityCode = 610900 & sign = 50E09B39C916C1C3A06506EBDBBC0427 & v = 2.4.0 & pageNumber = 0 & pageSize = 10 & ttid = 1

Injection Parameters: cityCode, pageNumber, and pageSize

Registered User and password:

Admin background user and password:

2. The management background verification code function is ineffective, which can cause brute force cracking. Some accounts have weak passwords. The customer service account can instantly view the SMS Verification Code received by mobile users, this function allows you to send verification codes and reset any user password. (In fact, through the above injection vulnerability, we can see that there are 32-bit backend user passwords, the modified 30-bit and 31-bit md5 values, but most of them are not cracked ......)

Http://eshop.yihao01.com/gl/admin/

Kefu: 123456

Kmh: kmh666

3. The APP has an arbitrary order viewing vulnerability. By modifying the value of the orderId parameter, you can view the order of another person beyond the authority and traverse all order information, resulting in leakage of customer sensitive information.

Problematic requests:

View the order information of another person, for example:

Traverse order information:

4. I thought I could not get the website permission. Later I found another website in the company and found a struts2 framework vulnerability in the management background website. I run it as root and can execute any command. After successfully obtaining webshell, I uploaded a one-sentence Trojan and found that all the websites were placed on the same server.

Http://www.0easy.com/login_login.do

Solution:

The solutions for fixing these vulnerabilities are as follows ......

1. filter out special characters and do not connect to the database as the root user;

2. Change the background management account to a complex password and modify the verification code mechanism to make it take effect;

3. Verify user permissions and view only your order information;

4. Update the struts2 framework to the latest version. Do not run the struts2 framework with the root permission;

It took a lot of time to dig for vulnerabilities and write them out. Can the vendor give me a gift.