2016-04-06: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly. 2016-05-21: The vendor has actively ignored the vulnerability; details disclosed to the public.
As in the title.
http://121.41.122.20:8080/login?from=%2fjenkins: Java deserialization command execution
/var/lib/jenkins/users/admin/config.xml
<hudson.tasks.Mailer_-UserProperty plugin="[email protected]"> <emailAddress>[email protected]</emailAddress> </hudson.tasks.Mailer_-UserProperty>
Root privileges
Multiple source-code repositories are involved
/var/lib/jenkins/jobs//restartQATomcat/config.xml
<hudson.tasks.Mailer plugin="[email protected]"> <recipients>[email protected]</recipients> <dontNotifyEveryUnstableBuild>false</dontNotifyEveryUnstableBuild>
cat /root/.bash_history (partial contents)
cd /jenkins
ls
cd ..
cd /
find -name kpluswebup_admin_webapp
cd /var/lib/jenkins/workspace/greenlandB2B2C/
ls
cd kpluswebup_dao/
ls
cd src
ls
cd database/
ls
ll -l
pwd
cp /var/lib/jenkins/workspace/greenlandB2B2C/kpluswebup_dao/src/database/*.* /usr/local/flyway-3.2.1-prod/sql/
cp /var/lib/jenkins/workspace/greenlandB2B2C/kpluswebup_dao/src/database/*.* /usr/local/flyway-3.2.1-prod/sql/
cd /usr/local/flyway-3.2.1-dev/
ls
./flyway migrate
./flyway migrate
ls
Internal network environment: arp -a
? (121.43.107.248) at 00:2a:6a:e6:4b:7c [ether] on eth1
? (10.117.29.174) at 00:16:3e:01:00:04 [ether] on eth0
? (10.117.31.249) at 00:2a:6a:e6:4c:bc [ether] on eth0
? (121.43.104.132) at 00:16:3e:01:00:dc [ether] on eth1
? (10.117.29.148) at 00:16:3e:01:02:88 [ether] on eth0
? (121.43.105.36) at 00:16:3e:01:00:aa [ether] on eth1
? (10.117.31.247) at 00:00:0c:9f:f2:bc [ether] on eth0
? (121.43.104.59) at 00:16:3e:01:02:51 [ether] on eth1
? (10.117.29.46) at 00:16:3e:01:00:dc [ether] on eth0
? (10.117.31.248) at 00:2a:6a:e6:4b:7c [ether] on eth0
? (121.43.107.249) at 00:2a:6a:e6:4c:bc [ether] on eth1
? (121.43.104.78) at 00:16:3e:01:00:77 [ether] on eth1
? (121.43.107.247) at 00:00:0c:9f:f3:20 [ether] on eth1
? (121.43.106.225) at 00:16:3e:01:00:ee [ether] on eth1
? (10.117.29.41) at 00:16:3e:01:00:30 [ether] on eth0
? (10.117.28.2) at 00:16:3e:01:02:51 [ether] on eth0
ifconfig -a
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
 inet 10.117.29.228 netmask 255.255.248.0 broadcast 10.117.31.255
 ether 00:16:3e:00:2c:ec txqueuelen 1000 (Ethernet)
 RX packets 132128846 bytes 5632328121 (5.2 GiB)
 RX errors 0 dropped 0 overruns 0 frame 0
 TX packets 1381751 bytes 7158778617 (6.6 GiB)
 TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
 inet 121.43.104.51 netmask 255.255.252.0 broadcast 121.43.107.255
 ether 00:16:3e:00:30:6e txqueuelen 1000 (Ethernet)
 RX packets 1907762507 bytes 80680399263 (75.1 GiB)
 RX errors 0 dropped 0 overruns 0 frame 0
 TX packets 6381535 bytes 12319814865 (11.4 GiB)
 TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
 inet 127.0.0.1 netmask 255.0.0.0
 loop txqueuelen 0 (Local Loopback)
 RX packets 2410396 bytes 809594596 (772.0 MiB)
 RX errors 0 dropped 0 overruns 0 frame 0
 TX packets 2410396 bytes 809594596 (772.0 MiB)
 TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
libstoragemgmt:x:998:997:daemon account for libstoragemgmt:/var/run/lsm:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
chrony:x:997:996::/var/lib/chrony:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
jenkins:x:996:995:Jenkins Continuous Integration Server:/var/lib/jenkins:/bin/false
Could not reach the vendor, or the vendor actively refused.
Vulnerability Rank: 8 (WooYun rating)