Theol integrated network teaching platform: WebShell upload and privilege escalation vulnerability, and its repair

Source: Internet
Author: User

What is Theol integrated network teaching platform?

The Theol network teaching platform is an integrated teaching system developed by the Institute of Educational Technology at Tsinghua University. It has powerful resource sharing and integration functions and is widely used by major universities in China. I personally infer that the platform is sold as a complete appliance, with the system pre-installed on the hard disk of the server that ships with it.

The composition of Theol network teaching integrated platform:

Server brand: generally Dell PowerEdge

Operating System: Redhat 5.0 stable release

Script Language: Jsp (Tomcat)

Database: Oracle

Permission configuration: the www user starts the Tomcat service, root is used for system administration, and the Oracle database is started with root privileges by default. The www user is permitted to execute gcc.

Enough chatter, let's get to work!

Required tools: WinRAR, JSP Trojan horse

Objectives:


Click "Instructors" and enter % as the search term to list all instructors:

Find the teaching resource library and log in with a username from the instructor list (note: the password here comes from your own weak-password social engineering).

Select "Upload resource" at the top. Locally, create a folder, put the JSP Trojan in it under the name index.jsp, compress the folder into a zip package and upload it.

Click "Catalogue" next to the file, enter the home page path, then fill in the remaining fields and pick a category until the "upload succeeded" dialog appears. Next choose "Personal tools" > "Personal resources" > "Unreviewed" and click the URL. Enter the nested folder path in the browser and the lovely WebShell appears:

After logging in to the WebShell, either of the following methods works:

Method 1: Read the Oracle database user password, connect to the database, and compile Java code through it to escalate privileges.

Method 2: After logging in, check the system version:

The recently popular Linux kernel overflow exploits can be used directly: drop one on the box and compile it with gcc. A reverse (bounce-back) shell is more convenient anyway ~

Vulnerability principle:

I have to admit that Theol is written with both security and efficiency in mind, and uploads are restricted to some extent. However, its upload function is powerful: it automatically unpacks the archive and so releases the JSP Trojan file. Because Tomcat serves index.jsp as the default page of its directory, the .jsp filename never appears in the URL. This bypasses the system's check and redirection on the URL suffix of the uploaded folder, and we get our lovely WebShell.

Hazards:

The Theol platform is usually deployed in the same class C subnet as the university's Academic Affairs Office, and final exams are coming soon. Running a sniffer on that Linux box would be quite something for everyone ~

As a result, every kind of host in the same subnet is exposed.

Vulnerability repair:

Because Tomcat cannot by itself be told to treat the upload directory as non-executable (it will run any JSP it finds there), put nginx or Apache in front and serve the upload directory as static files only, with no execution permission. Also prohibit the www user from invoking gcc.
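A second layer for the same repair is to refuse the archive before it is ever unpacked. The check below is an added example, not code from the original post or from the Theol platform; it assumes the upload handler can see the archive bytes before extraction, and the list of JSP suffixes is an assumption.

```python
import io
import posixpath
import zipfile

# Suffixes Tomcat hands to the JSP engine; entries with one of these are
# treated as executable content. The list is an assumption, not from the post.
EXECUTABLE_SUFFIXES = (".jsp", ".jspx", ".jspf")


def make_zip(entries):
    """Build an in-memory zip from {path: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, payload in entries.items():
            zf.writestr(path, payload)
    return buf.getvalue()


def check_archive(data):
    """Return the reasons to reject an uploaded archive; [] means it may be unpacked.

    The bypass in the post is a JSP inside a nested folder of the resource pack:
    the URL shows only the folder, so a suffix check on the URL never sees ".jsp".
    Checking every entry name before extraction, at any depth and regardless of
    case, closes that gap. Entries that would land outside the upload directory
    (zip-slip) are rejected too.
    """
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            # After normpath, any surviving ".." can only be the first component.
            first = posixpath.normpath(name).split("/")[0]
            if name.startswith("/") or first == "..":
                problems.append("path traversal: " + name)
                continue
            if info.is_dir():
                continue
            if posixpath.basename(name).lower().endswith(EXECUTABLE_SUFFIXES):
                problems.append("executable content: " + name)
    return problems


def sample_upload():
    """Constructed sample mirroring the post: harmless notes plus a nested index.jsp."""
    return make_zip({
        "lecture/notes.pdf": b"%PDF-1.4 constructed sample",
        "lecture/tools/index.jsp": b"constructed placeholder, no real content",
    })
```

An empty result means the pack contains only static resources and can be unpacked; anything else should be logged and the upload rejected.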

Reflection on vulnerabilities:

As programmers we tend to think that the more powerful and convenient a system is, the better. But the more functions a system carries, the more redundant ones it has, and those can lead to security problems for the whole system and to its compromise. When writing in a scripting language you must understand the server software it runs on well enough, not only for compatibility, but for the security of the system as a whole!

Do not do anything bad. Reposted from [S.Y. C] Rdpclip's original.
