当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0193269

漏洞标题:绿地集团全球会员(绿地会)某系统存在命令执行漏洞/root权限/涉及多个项目源码/可探测内网

相关厂商:绿地集团

漏洞作者: 路人甲

提交时间:2016-04-06 20:59

修复时间:2016-05-21 21:00

公开时间:2016-05-21 21:00

漏洞类型:命令执行

危害等级:中

自评Rank:10

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-04-06: 积极联系厂商并且等待厂商认领中,细节不对外公开
2016-05-21: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

rt

详细说明:

mask 区域 
1.http://**.**.**/loginfrom=%2f_
*****^列化^*****
*****ers/admin/*****
*****erProperty plugin=&q*****
*****[email protected]&l*****
*****r_-UserPropert*****
*****d9e6d027386b5d630181.png&qu*****
*****^^^*****
*****4ec1d14a0afea3ba9645.png&qu*****
**********
*****个^*****
**********
*****1f745568a0986619cd5f.png&qu*****
*****restartQATom*****
*****1ffb1af51cb0a91504b9.png&qu*****
**********
*****er plugin="m*****
*****[email protected]*****
*****se</dontNotifyEveryU*****
**********
*****14fc7408c71b787f5463.png&qu*****
**********
*****istory ^*****
**********
*****;cd /j*****
*****s*****
*****..*****
*****/
*****
*****ebup_admi*****
*****orkspace/gr*****
*****s*****
*****ebup_*****
*****s*****
*****sr*****
*****s*****
*****tab*****
*****s*****
*****-l*****
*****w*****
*****ebup_dao/src/database/*.* *****
*****webup_dao/src/database/*.******
*****lyway-3.*****
*****s*****
*****e./flywa*****
*****s*****
*****de&g*****
**********
*****^^*****
**********
***** -*****
**********
*****at 00:2a:6a:e6:4*****
*****6:3e:01:00:04*****
*****a:6a:e6:4c:bc*****
*****16:3e:01:00:d*****
*****6:3e:01:02:88*****
*****6:3e:01:00:aa*****
*****0:0c:9f:f2:bc*****
*****6:3e:01:02:51*****
*****:3e:01:00:dc *****
*****a:6a:e6:4b:7c*****
*****2a:6a:e6:4c:b*****
*****6:3e:01:00:77*****
*****00:0c:9f:f3:2*****
*****16:3e:01:00:e*****
*****:3e:01:00:30 *****
*****3e:01:02:51 [*****
*****de&g*****
**********
*****fig*****
**********
*****BROADCAST,RUNNING,*****
***** 255.255.248.0  br*****
*****ec  txqueuelen *****
*****6  bytes 56323*****
*****opped 0  ove*****
*****1  bytes 7158*****
*****overruns 0  carr*****
**********
*****AST,RUNNING,MUL*****
***** 255.255.252.0  br*****
*****6e  txqueuelen *****
*****07  bytes 8068*****
*****opped 0  ove*****
***** bytes 1231981*****
*****overruns 0  carr*****
**********
*****BACK,RUNNING*****
*****0.1  netma*****
*****len 0  (Loc*****
*****6  bytes 8095*****
*****opped 0  ove*****
*****6  bytes 8095*****
*****overruns 0  carr*****
**********
*****de&g*****
**********
*****c/pa*****
**********
*****0:root:/roo*****
*****bin:/sbi*****
*****:/sbin:/sb*****
*****r/adm:/sb*****
*****ool/lpd:/s*****
*****:/sbin:/*****
*****wn:/sbin:/s*****
*****:/sbin:/*****
*****/spool/mail*****
*****tor:/root:/*****
*****/usr/games:*****
*****/var/ftp:/s*****
*****body:/:/s*****
*****sage bus:/:/*****
*****for polkitd:*****
*****ck:/var/run/avahi-*****
*****Stack:/var/lib/avah*****
***** for libstoragemgmt:*****
*****/ntp:/sbi*****
*****c/abrt:/sb*****
*****pool/postfix*****
*****d SSH:/var/empty*****
*****lib/chrony:/*****
*****aemon:/:/s*****
*****::/:/sbi*****
*****tegration Server:/va*****
*****cod*****

漏洞证明:

http://121.41.122.20:8080/login?from=%2f
jenkins java反序列化命令执行
/var/lib/jenkins/users/admin/config.xml

<hudson.tasks.Mailer_-UserProperty plugin="[email protected]">
      <emailAddress>[email protected]</emailAddress>
    </hudson.tasks.Mailer_-UserProperty>


111.png


root权限

111.png


涉及多个源码

111.png


/var/lib/jenkins/jobs//restartQATomcat/config.xml

111.png


<hudson.tasks.Mailer plugin="[email protected]">
      <recipients>[email protected]</recipients>
      <dontNotifyEveryUnstableBuild>false</dontNotifyEveryUnstableBuild>


111.png


cat /root/.bash_history 部分内容

cd /jenkins
ls
cd ..
cd /
find -name kpluswebup_admin_webapp
cd /var/lib/jenkins/workspace/greenlandB2B2C/
ls
cd kpluswebup_dao/
ls
cd src
ls
cd database/
ls
ll -l
pwd
cp /var/lib/jenkins/workspace/greenlandB2B2C/kpluswebup_dao/src/database/*.* /usr/local/flyway-3.2.1-prod/sql/
 cp /var/lib/jenkins/workspace/greenlandB2B2C/kpluswebup_dao/src/database/*.* /usr/local/flyway-3.2.1-prod/sql/
cd /usr/local/flyway-3.2.1-dev/
ls
./flyway migrate./flyway migrate
ls


内网环境
arp -a

? (121.43.107.248) at 00:2a:6a:e6:4b:7c [ether] on eth1
? (10.117.29.174) at 00:16:3e:01:00:04 [ether] on eth0
? (10.117.31.249) at 00:2a:6a:e6:4c:bc [ether] on eth0
? (121.43.104.132) at 00:16:3e:01:00:dc [ether] on eth1
? (10.117.29.148) at 00:16:3e:01:02:88 [ether] on eth0
? (121.43.105.36) at 00:16:3e:01:00:aa [ether] on eth1
? (10.117.31.247) at 00:00:0c:9f:f2:bc [ether] on eth0
? (121.43.104.59) at 00:16:3e:01:02:51 [ether] on eth1
? (10.117.29.46) at 00:16:3e:01:00:dc [ether] on eth0
? (10.117.31.248) at 00:2a:6a:e6:4b:7c [ether] on eth0
? (121.43.107.249) at 00:2a:6a:e6:4c:bc [ether] on eth1
? (121.43.104.78) at 00:16:3e:01:00:77 [ether] on eth1
? (121.43.107.247) at 00:00:0c:9f:f3:20 [ether] on eth1
? (121.43.106.225) at 00:16:3e:01:00:ee [ether] on eth1
? (10.117.29.41) at 00:16:3e:01:00:30 [ether] on eth0
? (10.117.28.2) at 00:16:3e:01:02:51 [ether] on eth0


ifconfig -a

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.117.29.228  netmask 255.255.248.0  broadcast 10.117.31.255
        ether 00:16:3e:00:2c:ec  txqueuelen 1000  (Ethernet)
        RX packets 132128846  bytes 5632328121 (5.2 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1381751  bytes 7158778617 (6.6 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 121.43.104.51  netmask 255.255.252.0  broadcast 121.43.107.255
        ether 00:16:3e:00:30:6e  txqueuelen 1000  (Ethernet)
        RX packets 1907762507  bytes 80680399263 (75.1 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6381535  bytes 12319814865 (11.4 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 0  (Local Loopback)
        RX packets 2410396  bytes 809594596 (772.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2410396  bytes 809594596 (772.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


cat /etc/passwd

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
libstoragemgmt:x:998:997:daemon account for libstoragemgmt:/var/run/lsm:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
chrony:x:997:996::/var/lib/chrony:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
jenkins:x:996:995:Jenkins Continuous Integration Server:/var/lib/jenkins:/bin/false


修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:8 (WooYun评价)