
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0160395

Title: Java deserialization command execution on a Bohai Property Insurance site allows direct access to the internal network

Vendor: Bohai Property Insurance Co., Ltd. (渤海财产保险股份有限公司)

Author: 路人甲

Submitted: 2015-12-11 17:55

Fixed: 2016-01-28 17:10

Published: 2016-01-28 17:10

Type: Command execution

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure timeline:

2015-12-11: Details sent to the vendor; awaiting the vendor's response
2015-12-15: Vendor confirmed; details visible only to the vendor
2015-12-25: Details disclosed to core white hats and domain experts
2016-01-04: Details disclosed to regular white hats
2016-01-14: Details disclosed to intern white hats
2016-01-28: Details disclosed to the public

Summary:

As in the title.

Details:

[Image: 1.png]

Proof of vulnerability:

root privileges

[Image: 2.png]

[Image: 3.png]


.bash_history

df -lh
system-config-network
ntsysv
reboot
ps -ef|grep java
cd /app
ls
ping oarac1_vip
ping oarac1_vip
ls
ping hxrac1_vip
ping **.**.**.**
ping oarac1_vip
ping oarac2_vip
chmod a+x jdk-1_5_0_22-linux-amd64.bin
ls
./jdk-1_5_0_22-linux-amd64.bin
ls
telnet **.**.**.** 8089
ls
cd logs
ls
cd ..
ls
cd license/
ls
ls -s
ls -a
ls -l
cd ..
ls
cd jboss-4.0.5.GA/
cd bin
ls
./run.sh
chmod 777 ./run.sh
ls
./run.sh
./run.sh
./run.sh
nohup ./run.sh &
ps -ef|grep java
telnet **.**.**.** 80
df -lh
lsof -i:80
telnet **.**.**.** 80
cat /etc/hosts
vi /etc/hosts
lsof -i:80
service iptables stop
ntsysv
telnet **.**.**.** 80
telnet **.**.**.** 80
telnet **.**.**.** 80
telnet **.**.**.** 80
telnet **.**.**.** 80
telnet **.**.**.** 80
ifconfig
ls
ps -ef|grep java
cd /app
ls
kill -9 12239
cd jboss-4.0.5.GA/
cd bin/
ls
./run.sh
telnet **.**.**.** 1521
./run.sh
ps -ef|grep java
cd /app
ls
cd jboss-4.0.5.GA/
ls
cd bin/
nohup ./run.sh &
ps -ef|grep java
ps -ef|grep java
ping **.**.**.**
ls
ping **.**.**.**
ifconfig -a
df -lh
cd /home
ll
gunzip VMwareTools-8.6.5-621624.tar.gz
ll
chmod -R 775 VMwareTools-8.6.5-621624.tar
ll
tar -xvf VMwareTools-8.6.5-621624.tar
ll
cd vmware-tools-distrib/
ll
./vmware-install.pl
ll
cd ..
ll
chown -R root:root
chown -R root:root vmware-tools-distrib
ll
chmod -R 775 vmware-tools-distrib/
ll
cd vmware-tools-distrib/
ll
./vmware-install.pl
df -lh
cd /usr
ll
ls -lrt
cd bin
du -sm
cd ..
ll
cd games/
ll
cd ..
ll
df -lh
cd /home
ll
rm -rf VMwareTools-8.6.5-621624.tar
ll
cd vmware-tools-distrib/
ll
./vmware-install.pl
ll
df -lh
system-config-lvm
df -lh
ll
./vmware-install.pl
cd
cd /home
ll
rm -rf vmware-tools-distrib/
df -lh
ifconfig
cd /app
ll
cd jboss-4.0.5.GA/
ll
cd bin
ll
nohup ./run.sh &
ps -ef run.sh
psp -ef |grep run.sh
ps -ef |grep run.sh
ps -ef |grep run.sh
telnet 80
telnet **.**.**.** 80
ls
cd /app
ls
cd logs
ls
ls -l
cat bhwebins_daily_log.log
df -lh
cd /app
ls
cd jboss-4.0.5.GA/
ls
cd server/
ls
cd default/
ls
cd deploy/
ls
ls -ltr
cd bhwebins.war/
ls
cd WEB-INF/
ls
ls -ltr
cd classes/
ls -ltr
netstat -an | grep -i 1521
cd /app
ls
cd jboss-4.0.5.GA/
ls
cd server/
ls
cd default/
ls
cd deploy/
ls
ls -ltr
cat oracle-ds.xml
netstat -an |grep -i 1521
ls -ltr
df -lh
df -lh
ps -ef | grep -i 19417
ps -ef | grep-i 23116
ps -ef | grep -i 23116
ps -ef | grep-i java
ps -ef | grep -i java
ps -ef | grep -i java
crontab -l
netstat -ano | more
netstat -ano | more
netstat -ano | more
nmon
df -lh
cd /app
ls
cd license/
ls
cd ..
ls
cd jboss-4.0.5.GA/
ls
cd server/
ls
cd default/
ls
cd deploy/
ls
ls -ltr
cd jms
ls
cd ..
ls
cd ..
ls
last
dmesg
chkconfig --list
nmon
top
top
ps -ef | grep -i perl
top
lsof | more
lsof -i| more
netstat -an | more
netstat -ano | more
lsof -i 46960
lsof -i:46960
ps -ef | grep -i 19417
cat /etc/passwd
ps -ef | grep -i perl
cd /bin
chmod +x nmon
nmon
ps -ef | grep -i 23116
nmon
kill -9 23116 19417
nmon
cat /etc/passwd
nmon
nmon
df -lh
nmon
nmon
df -lh
cd /app
ls
cd logs/
;s
ls
ls -ltr
du -sm
rm -f bhwebins_daily_log.log.2014-10*
ls -ltr
rm -f bhwebins_daily_log.log.2014-09*
ls
rm -f bhwebins_daily_log.log.2014-08*
ls -ltr
rm -f bhcard_daily_log.log.2014-10*
ls
ls -ltr
rm -f bhcard_daily_log.log.2014-09*
rm -f bhcard_daily_log.log.2014-08*
ls
df -lh
df -lh
cd /app
ls
cd lo
cd logs/
ls -ltr
du -sm
cd ..
ls
ls -ltr
cd jboss-4.0.5.GA/
ls
cd server/
ls
cd default/
ls
cd log/
ls -ltr
du -sm
rm -f server.log.2014-*
df -lh
cd ..
ls
cd work/
ls
cd jboss.web/
ls
cd /app
ls
cd lo
cd logs/
ls -ltr
rm -f bhwebins_daily_log.log.2014*
ls
ls -ltr
df -lh
cd /app
ls -ltr
cd logs
ls -ltr
cd ..
ls
cd jboss-4.0.5.GA/
ls
cd server/
ls
cd default/
ls
cd log
ls -ltr
pwd
cat /etc/hosts
cat /etc/hosts
vi /etc/hosts
cat /etc/hosts
cd /app
ls
cd jboss-4.0.5.GA/
ls
cd server/
ls
cd default/
ls
cd deploy/
ls -ltr
vi oracle-ds.xml
df -lh
cd /app
ls
cd logs/
ls -ltr
du -sm
rm -f bhwebins_daily_log.log.2014-*
df -lh
ls -tlr
pwd
c d..
lsc
cd ..
ls
cd job
cd jboss-4.0.5.GA/
ls
cd server/
ls
cd default/
ls
cd log/
ls -tlr
du -s
du -sg
du -sm
rm -f server.log.2014-12*
df -lh
cd /app
du -m | sort -n
cd jboss-4.0.5.GA/bin
ls
du -sm
ls -ltr
cat /dev/null > nohup.out
ls -ltr
ls -ltr
ls -ltr
df -lh
cat /etc/passwd
cd /app
ls -ltr
df -lh
cd /app
ls
cd job
cd jboss-4.0.5.GA/
ls
cd bin
ls
ps -ef | grep -i java
kill -9 6982
ps -ef | grep -i java
ps -ef | grep -i java
kill -9 23974 24042
ps -ef | grep -i java
ps -ef | grep -i java
ps -ef | grep -i java
set -o vi
nohup ./run.sh &
ps -ef | grep -i java
ps -ef | grep -i java
ps -ef | grep -i java
ps -ef | grep -i java
kill -9 6625 6602
cd /app/jboss-4.0.5.GA/
ls
cd bin
set -o vi
nohup ./run.sh &
ps -ef | grep -i java
ps -ef | grep -i java
hostname
exit
df -lh
cd /app
ls
cd logs
ls -ltr
du -sm
rm -f *
ls
cd ..
ls
cd jboss-4.0.5.GA/
ls
cd server/
ls
cd default/
ls
cd log/
ls
ls -ltr
du -sm
rm -f *
crontab -l
cd /app
ls
cd jboss-4.0.5.GA/
ls
cd server/
ls
cd default/
ls
cd deploy/
ls
cd bhwebins.war/
ls
cd pub/
ls
ls -ltr |grep -i dia
ps -ef |grep -i java
kill -9 18051 18028
ps -ef |grep -i java
cd /app/jboss-4.0.5.GA/bin
ls -ltr
rm -f nohup.out
set -o vi
nohup ./run.sh &
ps -ef |grep -i java
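As an added example (not part of the original report), a small Python audit that scans a recovered shell history like the one above for the operational weaknesses visible in it: the host firewall being switched off, the JBoss launcher made world-writable, the server started from an interactive root shell, and log directories wiped. The sample lines are constructed from the history above, the assumption that the history belongs to root follows from the report's "root privileges" line, and the rule names are my own.

```python
import re

# Constructed sample: a handful of lines in the shape of the recovered
# .bash_history in the report (IPs kept masked as the report masks them).
SAMPLE_HISTORY = """\
ps -ef|grep java
cd /app
chmod 777 ./run.sh
nohup ./run.sh &
service iptables stop
ntsysv
vi /etc/hosts
cat /etc/passwd
rm -f *
rm -f server.log.2014-*
kill -9 12239
telnet **.**.**.** 1521
"""

# Each rule: (name, pattern, why a responder cares). Names are my own labels.
RULES = [
    ("firewall_disabled", re.compile(r"^service\s+iptables\s+stop\b"),
     "host firewall switched off; every listening port is reachable from the network"),
    ("world_writable_launcher", re.compile(r"^chmod\s+(777|a\+w|o\+w)\s"),
     "application launcher made writable by every local account"),
    ("app_started_from_root_shell", re.compile(r"^nohup\s+\./run\.sh\b"),
     "JBoss started from the root shell (assumed), so the JVM runs as root"),
    ("log_wiped", re.compile(r"^rm\s+-r?f\s+(\*|\S*log\S*)"),
     "log files deleted; evidence for an investigation may be gone"),
    ("account_file_read", re.compile(r"^cat\s+/etc/(passwd|shadow)\b"),
     "account database read interactively"),
    ("hosts_edited", re.compile(r"^vi\s+/etc/hosts\b"),
     "name resolution changed by hand; check for redirected backends"),
]


def audit_history(text):
    """Return (line_no, rule_name, command) for every history line matching a rule."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        cmd = line.strip()
        for name, pattern, _why in RULES:
            if pattern.search(cmd):
                findings.append((n, name, cmd))
    return findings


def summarize(findings):
    """Count findings per rule so a reviewer sees the overall picture at a glance."""
    counts = {}
    for _n, name, _cmd in findings:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for n, name, cmd in audit_history(SAMPLE_HISTORY):
        print(f"line {n:>3}: {name:<28} {cmd}")
    print(summarize(audit_history(SAMPLE_HISTORY)))
```

Run it against the full history from the report and the repeated `rm -f` of the JBoss and application logs, the `service iptables stop`, and the `chmod 777 ./run.sh` all surface without reading the dump line by line.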

Suggested fix:

You're the professionals.

Copyright notice: when reposting, credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 9

Confirmed: 2015-12-15 15:13

Vendor reply:

CNVD has confirmed and reproduced the reported issue; it has been forwarded via CNCERT to the insurance industry's IT regulatory authority, which will coordinate remediation with the site's operating organization.

Latest status:

None yet