
Vulnerability summary (followers: 24)

Defect ID: wooyun-2013-025713

Title: Information leak in a Baidu system, arbitrary command execution

Vendor: 百度 (Baidu)

Author: 啦绯哥

Submitted: 2013-06-12 17:32

Fixed: 2013-07-27 17:33

Disclosed: 2013-07-27 17:33

Vulnerability type: command execution

Severity: medium

Self-assessed Rank: 10

Status: vendor has confirmed

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:

Bookmarks: 4


Vulnerability details

Disclosure status:

2013-06-12: Details sent to the vendor, awaiting vendor handling
2013-06-13: Vendor has confirmed; details disclosed to the vendor only
2013-06-23: Details disclosed to core white hats and experts in related fields
2013-07-03: Details disclosed to regular white hats
2013-07-13: Details disclosed to intern white hats
2013-07-27: Details disclosed to the public

Brief description:

As the title says.

Detailed description:

https://sfapitest.baidu.com/wgsandbox/apitestPage.action
Site physical path: /home/work/apache-tomcat-6.0.35/webapps/wgsandbox
java.home: /home/work/local/jdk1.6.0_27_x64/jre
java.version: 1.6.0_27
os.name: Linux
os.arch: amd64
os.version: 2.6.32_1-9-0-0
user.name: work
user.home: /home/work
user.dir: /home/work/apache-tomcat-6.0.35/bin
java.class.version: 50.0
Linux st01-sfapi-test00.st01.baidu.com 2.6.32_1-9-0-0 #1 SMP Thu Jan 10 17:22:16 CST 2013 x86_64 x86_64 x86_64 GNU/Linux
eth1 Link encap:Ethernet HWaddr 40:F2:E9:08:8C:7B
inet addr:10.52.143.58 Bcast:10.52.143.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3999977533 errors:0 dropped:40130 overruns:40130 frame:0
TX packets:4414261032 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4061007711953 (3.6 TiB) TX bytes:4711497562580 (4.2 TiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:27760746 errors:0 dropped:0 overruns:0 frame:0
TX packets:27760746 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4885150739 (4.5 GiB) TX bytes:4885150739 (4.5 GiB)
LSB Version: :core-3.0-amd64:core-3.0-noarch:graphics-3.0-amd64:graphics-3.0-noarch
Distributor ID: RedHatEnterpriseAS
Description: Red Hat Enterprise Linux AS release 4 (Nahant Update 3)
Release: 4
Codename: NahantUpdate3
/home/work/apache-tomcat-6.0.35/bin
Filesystem Size Used Avail Use% Mounted on
/dev/sda2 8.2G 4.1G 4.1G 51% /
/dev/sda3 1.4T 23G 1.3T 2% /home
zcache.file_dir=/home/zhaomin02/ui/app/ecom/weigou/ui/mt_test/tools/zctool/data/
zcache.file_name=req.txt.templete
zcache.machine_host=db-testing-ecom6206.db01.baidu.com
zcache.usename=zhaomin02
zcache.password=123456
zcache.createOrder_url=http://10.237.42.67:8038/weigou-api/api/order/create.do?user_id=sandboxTest_mobile&addressee=sandboxTest_Addressee&address=sandboxTest_Address&province=sandboxTest_Province&city=sandboxTest_City&district=sandboxTest_District&district_id=4567&town=&merchant_id=sandboxTest_merchant_id&merchant=sandboxTest_merchant_name&sid=6&device=pc&time=77275&user_ip=127.0.0.1&data={"merchant_id":sandboxTest_merchant_id,"fare":"sandboxTest_fare","totalPrice":"sandboxTest_totalPrice","items":[{"id":"sandboxTest_product_id","name":"sandboxTest_product_name","count":1}]}&access_token=ac31d3a4723d4dd1eeeb37a9b2f8d763
jdbc.driverClassName=com.mysql.jdbc.Driver
jdbc.url=jdbc:mysql://cq01-rdqa-pool160.cq01.baidu.com:8306/wg_sandbox?autoReconnect=true&autoReconnectForPools=true&useUnicode=true&characterEncoding=utf8&zeroDateTimeBehavior=convertToNull&noAccessToProcedureBodies=true
jdbc.username=crm
jdbc.password=123456
jdbc.maxPoolSize=18
jdbc.minPoolSize=3
jdbc.initialPoolSize=3
jdbc.idleConnectionTestPeriod=1800
jdbc.maxIdleTime=3600
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
pegasus:x:100:500:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
work:x:500:502::/home/work:/bin/bash
infidle:x:501:503::/home/infidle:/bin/bash
tcp 0 0 10.52.143.58:55525 10.216.125.12:36888 ESTABLISHED
tcp 1 0 10.52.143.58:26338 10.52.143.58:8922 CLOSE_WAIT
tcp 0 0 127.0.0.1:59099 127.0.0.1:15425 ESTABLISHED
tcp 1 0 10.52.143.58:51108 10.23.37.46:8910 CLOSE_WAIT
tcp 1 0 10.52.143.58:57208 10.50.111.42:8000 CLOSE_WAIT
tcp 0 0 10.52.143.58:12049 10.36.88.246:6601 ESTABLISHED
tcp 0 0 10.52.143.58:38015 10.36.88.246:6600 ESTABLISHED
tcp 0 0 10.52.143.58:28102 10.232.43.25:55310 TIME_WAIT
tcp 0 0 10.52.143.58:23911 10.36.88.246:6601 ESTABLISHED
tcp 0 0 10.52.143.58:34075 10.36.88.246:6602 ESTABLISHED
tcp 0 0 127.0.0.1:15425 127.0.0.1:59099 ESTABLISHED
tcp 0 0 10.52.143.58:8922 10.65.43.96:46095 FIN_WAIT2
tcp 0 0 10.52.143.58:19460 10.216.125.13:6379 ESTABLISHED
tcp 0 0 10.52.143.58:29987 10.36.88.246:6602 ESTABLISHED
tcp 0 0 10.52.143.58:40276 10.36.88.246:6602 ESTABLISHED
tcp 0 0 10.52.143.58:27086 10.232.90.56:50010 ESTABLISHED
tcp 0 0 10.52.143.58:19259 10.36.88.246:6602 ESTABLISHED
tcp 0 0 10.52.143.58:42143 10.232.57.24:54310 TIME_WAIT
tcp 0 0 10.52.143.58:25549 10.232.32.31:55310 TIME_WAIT
tcp 0 0 10.52.143.58:56763 10.36.7.238:8001 ESTABLISHED
tcp 0 0 10.52.143.58:59644 10.65.19.181:8004 ESTABLISHED
tcp 0 0 10.52.143.58:50616 10.50.85.19:6379 ESTABLISHED
tcp 0 0 10.52.143.58:8922 10.52.143.58:26338 FIN_WAIT2
tcp 0 0 10.52.143.58:28105 10.232.43.25:55310 TIME_WAIT
tcp 0 0 127.0.0.1:56308 127.0.0.1:51256 ESTABLISHED
tcp 0 0 10.52.143.58:55510 10.216.125.12:36888 ESTABLISHED
tcp 0 0 10.52.143.58:14519 10.36.88.246:6602 ESTABLISHED
tcp 0 0 10.52.143.58:26019 10.50.15.33:45344 ESTABLISHED
tcp 0 0 10.52.143.58:40462 10.65.19.181:8001 ESTABLISHED
tcp 0 0 10.52.143.58:8922 10.65.43.96:46100 ESTABLISHED
tcp 2116648 0 10.52.143.58:11959 10.232.87.56:50010 ESTABLISHED
tcp 0 0 10.52.143.58:25709 10.65.19.181:8002 ESTABLISHED
tcp 0 0 10.52.143.58:15902 10.226.104.66:58238 ESTABLISHED
tcp 0 0 10.52.143.58:10265 10.65.19.181:8003 ESTABLISHED
tcp 0 0 10.52.143.58:10409 10.224.111.65:57424 ESTABLISHED
tcp 1 0 10.52.143.58:55129 10.50.112.62:8010 CLOSE_WAIT
tcp 0 0 10.52.143.58:39571 10.232.12.21:50010 ESTABLISHED
tcp 0 0 10.52.143.58:39321 10.36.88.246:6600 ESTABLISHED
tcp 0 0 10.52.143.58:25547 10.232.32.31:55310 TIME_WAIT
tcp 1 0 10.52.143.58:31828 10.50.110.62:8010 CLOSE_WAIT
tcp 0 0 10.52.143.58:40499 10.216.125.13:6379 ESTABLISHED
tcp 1 0 10.52.143.58:22857 10.50.111.42:8010 CLOSE_WAIT
tcp 2297166 0 10.52.143.58:33766 10.232.12.33:50010 ESTABLISHED
tcp 0 0 10.52.143.58:58158 10.50.85.19:6379 ESTABLISHED
tcp 0 0 10.52.143.58:56292 10.232.43.12:54310 TIME_WAIT
tcp 0 0 127.0.0.1:51256 127.0.0.1:56308 ESTABLISHED
tcp 1 0 10.52.143.58:56406 10.26.222.17:8910 CLOSE_WAIT
tcp 1 0 10.52.143.58:47373 10.23.36.47:8910 CLOSE_WAIT
tcp 0 0 10.52.143.58:35124 10.42.7.33:9802 ESTABLISHED
tcp 0 0 10.52.143.58:15686 10.216.125.12:22346 ESTABLISHED
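The configuration dumped above is the part of this report a defender should act on first: it carries plaintext database and service credentials (`jdbc.password`, `zcache.password`, both set to a trivially weak value) and an `access_token` embedded in a URL-valued property, so anyone who can read the file, or run a command as the `work` user, gets them. The following Python scanner is an added example and is not code from the report or from Baidu. It parses Java `.properties`-style text and flags credential-bearing keys, weak values, and tokens carried inside URL properties; the sample input, the weak-value list, and the key patterns are all constructed for the illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Keys whose values are credentials, matched case-insensitively on the last
# dotted segment of the key (e.g. "jdbc.password" -> "password").
SECRET_KEY_RE = re.compile(r"(password|passwd|pwd|secret|token|api_?key)$", re.IGNORECASE)

# Query parameters that carry credentials when they appear inside a URL-valued property.
SECRET_PARAMS = {"access_token", "token", "password", "secret", "api_key"}

# Constructed, deliberately small weak-value list; a real scanner would use a proper wordlist.
WEAK_VALUES = {"123456", "password", "admin", "root", "test", "changeme", ""}


def parse_properties(text):
    """Parse Java .properties-style text into a list of (key, value) pairs.

    Skips blank lines and '#'/'!' comments, accepts '=' or ':' as separator, and
    keeps everything after the first separator as the value so URLs containing
    '=' or ':' (like a JDBC URL) survive intact.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if not m:
            continue
        pairs.append((m.group(1), m.group(2)))
    return pairs


def scan_properties(text):
    """Return a list of (key, finding) tuples for credential exposure in the text."""
    findings = []
    for key, value in parse_properties(text):
        last_segment = key.rsplit(".", 1)[-1]
        if SECRET_KEY_RE.search(last_segment):
            kind = "weak-plaintext-credential" if value in WEAK_VALUES else "plaintext-credential"
            findings.append((key, kind))
        # Credentials hidden inside URL-valued properties (e.g. an access token in the query).
        if "://" in value:
            try:
                params = parse_qs(urlparse(value).query, keep_blank_values=True)
            except ValueError:
                continue
            for param in params:
                if param.lower() in SECRET_PARAMS:
                    findings.append((key, f"credential-in-url:{param}"))
    return findings


# Constructed sample in the style of a leaked properties file; hosts, users and
# values are placeholders, not the report's data.
SAMPLE = """\
# constructed sample, not real configuration
zcache.machine_host=db-example.internal
zcache.usename=svc_user
zcache.password=123456
zcache.createOrder_url=http://10.0.0.1:8038/api/order/create.do?user_id=u&access_token=EXAMPLE_TOKEN
jdbc.driverClassName=com.mysql.jdbc.Driver
jdbc.url=jdbc:mysql://db-example.internal:8306/app?useUnicode=true&characterEncoding=utf8
jdbc.username=crm
jdbc.password=S3cure!Long_Passphrase
jdbc.maxPoolSize=18
"""

if __name__ == "__main__":
    for key, finding in scan_properties(SAMPLE):
        print(f"{finding:32} {key}")
```

Run against a real deployment, the scanner would walk `webapps/*/WEB-INF/classes` under the Tomcat root; the findings it reports are the values to rotate, and the long-term fix is to move them out of the web application's classpath into a secrets store or environment injected at deploy time, so that a command-execution bug in one application does not hand over the database.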

Proof of vulnerability:


Remediation:

Copyright notice: when republishing, please credit the source 啦绯哥@乌云


Vulnerability response

Vendor response:

Severity: high

Vulnerability Rank: 20

Confirmed: 2013-06-13 11:10

Vendor reply:

Thanks for the submission, we have followed up.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2013-06-13 12:02 | 噬魂 ( Regular white hat | Rank:141 Vulns:37 | 08安全团队)

    Nani. Where is this... I can't see where the leak is.

  2. 2013-06-15 12:55 | dtc ( Passerby | Rank:10 Vulns:1 | Amateur tech enthusiast, here at WooYun to learn.)

    20...

  3. 2013-06-25 06:50 | 银冥币 ( Intern white hat | Rank:35 Vulns:21 | "/upload/avatar/avatar_251_b.jpg" />)

    mark..

  4. 2013-07-13 13:45 | 西毒 ( Regular white hat | Rank:221 Vulns:33 | Only by staying humble can one keep surpassing oneself)

    Into the intranet, huh.

  5. 2013-07-28 15:28 | IXY ( Passerby | Rank:19 Vulns:3 | A newbie here to learn)

    Really curious how these sites were found