当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0120177

漏洞标题:链家地产某站getshell/root用户/可内网渗透

相关厂商:homelink.com.cn

漏洞作者: BMa

提交时间:2015-06-13 10:21

修复时间:2015-07-29 22:50

公开时间:2015-07-29 22:50

漏洞类型:成功的入侵事件

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-13: 细节已通知厂商并且等待厂商处理中
2015-06-14: 厂商已经确认,细节仅向厂商公开
2015-06-24: 细节向核心白帽子及相关领域专家公开
2015-07-04: 细节向普通白帽子公开
2015-07-14: 细节向实习白帽子公开
2015-07-29: 细节向公众公开

简要描述:

链家地产某站getshell/root用户/可内网渗透

详细说明:

struts2
http://www.homelinkhr.com/view_initIndexPageForCustomer.action
getshell

0.jpg


看看数据库,有不少内容,贴一些无关紧要的

1.jpg


root用户

2.jpg


数据库中找到某个邮箱

3.jpg


邮箱中的某些敏感信息 域名管理 其实还有银行卡信息

4.jpg


5.jpg


漏洞证明:

rpm -q kernel-delve
rpm -q kernel-delvel
rpm -qa |grep kernel
rpm -q kernel-devel
chown -R mysql.mysql /zhaopin/
stat /etc/my.cnf 
ls -l /
chmod -R 740 /zhaopin/
ls /
ls -l /
cp -R /zhaopin/ /mnt/resource/
vim /mnt/resource/DATALOSS_WARNING_README.txt 
df 
df -h
service iptables stop
getenforce 
vim /etc/selinux/
vim /etc/selinux/config 
setenforce 0
getenforce 
netstat -antlp
ulimit -n
vim /etc/security/limits.
vim /etc/security/limits.conf 		111111
ls
pwd
vim /etc/passwd
cat /etc/shadow
service iptables status
ulimit
ulimit -a
df -h
fdisk -lh
fdisk -l
ifconfig 
chown azureuser /usr/local/src/
ls
ls /usr/local/src/
cd /usr/local/src/
vim /etc/sysctl.conf 
cp /etc/sysctl.conf /etc/sysctl.conf.old
vim /etc/sysctl.conf
sed -i 's/^..//g' /etc/sysctl.conf
vim /etc/sysctl.conf
source /etc/sysctl.conf
sysctl -p
vim /etc/sysctl.conf
sysctl -p
vim /etc/sysctl.conf
sysctl -p
vim /etc/security/limits.conf 
useradd mysql
tar zxf * -C /
tar zxf ngnix.tar.gz -C /
tar zxf tomcat7.tar.gz  -C /
tar zxf mysql.tar.gz  -C /
rpm -qa | wc -l
yum repolist
vim rpm.txt
tail rpm.txt 
yum -y install libreport-2.0.9-19.el6.centos.x86_64
yum -y install libreport
mkdir /root/admin_scripts
sed -i 's/-[0-9].*$//g' rpm.txt 
vim rpm.txt 
for i in $(cat rpm.txt); do  yum -y install $i; done
for i in $(cat rpm.txt); do rpm -q $i; done
for i in $(cat rpm.txt); do rpm -q $i; done| grep not
wget http://download.oracle.com/otn-pub/java/jdk/8-b132/jdk-8-linux-x64.rpm
ls
ll
rm -f jdk-8-linux-x64.rpm 
wget http://download.oracle.com/otn-pub/java/jdk/8u31-b13/jdk-8u20-linux-x64.rpm?AuthParam=1423476742_f8bb7498b90b70b6e2a94ccf24c4e67e
wget http://download.oracle.com/otn-pub/java/jdk/8u31-b13/jdk-8u31-linux-x64.rpm?AuthParam=1423476742_f8bb7498b90b70b6e2a94ccf24c4e67e
ls
yum -y localinstall jdk-8u31-linux-x64.rpm\?AuthParam\=1423476742_f8bb7498b90b70b6e2a94ccf24c4e67e 
l
mv jdk-8u31-linux-x64.rpm\?AuthParam\=1423476742_f8bb7498b90b70b6e2a94ccf24c4e67e  jdk-8u31-linux-x64.rpm
yum -y localinstall jdk-8u31-linux-x64.rpm
for i in $(cat rpm.txt); do rpm -q $i; done| grep not
chkconfig --add mysql
chkconfig mysql on
service mysql start
/usr/local/tomcat7/bin/catalina.sh start
elinks --dump 127.0.0.1:8080
vim /usr/local/tomcat7/conf/server.xml 
/usr/local/tomcat7/bin/catalina.sh stop
/usr/local/tomcat7/bin/catalina.sh start
elinks --dump 127.0.0.1
elinks --dump 42.159.27.54
ifconfig 
elinks --dump 10.20.6.7
#1423477998
ulimit -n
#1423478002
ulimit -a
#1423478021
free -m
#1423478043
vim /usr/local/tomcat7/bin/catalina.sh 
#1423478081
/usr/local/tomcat7/bin/catalina.sh stop
#1423478085
free -m
#1423478091
/usr/local/tomcat7/bin/catalina.sh start
#1423478096
free -m
#1423478113
vim /etc/profile
#1423478165
source /etc/profile
#1423478169
history 
#1423478564
id
#1423478568
passwd
#1423709807
rz -E
#1423709811
sh ae_scan_linux_\(2\).sh 
#1425090770
history 
#1425090898
ps -elf| grep mysql
#1425090913
pmap -d 15796
#1425090921
pmap  15796
#1425090947
pmap  -d 15796
#1425091037
ps -elf| grep tomcat
#1425091047
pmap 16447
#1425091066
strace 16447
#1425091072
strace
#1425091097
strace -p 16447
#1425091123
ps -elf| grep tomcat
#1425091140
strace -p 16447 -f
#1425091154
strace -p 16447 -ff
#1425091161
strace
#1425091189
strace -p 16447 -F
#1425091242
top
#1425091270
pmap 16447
#1425091304
pmap 16447 -h
#1425091323
pmap 16447 -m
#1425091336
pmap -d 16447
#1425091352
pmap 16447
#1425091357
pmap -d 16447
#1425091418
elinks --dump localhost
#1425091427
yum -y install elinks
#1425091452
elinks --dump http://localhost
#1425091477
cat /etc/sysctl.conf
#1425091489
ulimit -n
#1425091494
ulimit -a
#1425091504
vim /etc/profile
#1425091752
service iptables status
#1425091758
getenforce 
#1425970318
ls
#1425970358
getenforce 
#1425970371
setenforce 0
#1425968109
cd /usr/local/tomcat7/
#1425968109
ls
#1425968120
./bin/catalina.sh version
#1425968184
cd /usr/local/src/
#1425968184
ls
#1425968186
rz 
#1425968211
ls
#1425968218
tar zxf apache-tomcat-8.0.5.tar.gz /usr/local/tomcat8
#1425968222
#1425968230
tar zxf apache-tomcat-8.0.5.tar.gz -C /usr/local/tomcat8
#1425968236
tar zxf apache-tomcat-8.0.5.tar.gz -C /usr/local/
#1425968239
cd /usr/local/
#1425968240
ls
#1425968252
mv apache-tomcat-8.0.5/ tomcat8
#1425968284
ls tomcat7/webapps/
#1425968288
ls tomcat8/webapps/
#1425968315
cp tomcat7/webapps/homelink.war tomcat8/webapps/
#1425968336
la
#1425968338
ls
#1425968341
cd tomcat8
#1425968350
netstat -antlp | grep LIS
#1425968366
netstat -antlp | grep LISTEN
#1425968391
vim conf/server.xml 
#1425968439
./bin/catalina.sh start
#1425968448
ls webapps/
#1425968457
hostname 
#1425968644
elinks --dump 127.0.0.1:6080
#1425968662
elinks --dump http://hl-az-hrrecrup.chinacloudapp.cn:6080/view_initIndexPageForCustomer.action
#1425968732
netstat -antlp | grep LISTEN
#1425968744
cat logs/catalina.out 
#1425968813
cd webapps/
#1425968814
ls
#1425968858
\cp -rf ../../tomcat7/webapps/homelink
#1425968873
\cp -rfp ../../tomcat7/webapps/homelink .
#1425968945
nslookup baidu.com
#1425968983
nslookup java.sun.com
#1425969007
../bin/catalina.sh stop
#1425969011
../bin/catalina.sh start
#1425969056
cd ../logs/
#1425969057
lsa
#1425969058
ls
#1425969062
cat *
#1425969179
cd /usr/local/src/
#1425969180
ls
#1425969184
wget http://mirror.bit.edu.cn/apache/tomcat/tomcat-7/v7.0.59/bin/apache-tomcat-7.0.59.tar.gz
#1425969187
ls
#1425969201
/usr/local/tomcat8/bin/catalina.sh stop
#1425969211
rm -rf /usr/local/tomcat8
#1425969220
tar zxf apache-tomcat-7.0.59.tar.gz 
#1425969222
ls
#1425969229
mv apache-tomcat-7.0.59 ../
#1425969231
cd ..
#1425969231
ls
#1425969245
mv apache-tomcat-7.0.59/ tomcat7.59
#1425969257
vim tomcat7.59/conf/server.xml 
#1425969317
cp tomcat7/webapps/homelink.war tomcat7.59/webapps/
#1425969344
#1425969417
netstat -antlp | grep LISTEN
#1425969436
ps -elf | grep tomcat
#1425969446
./tomcat7.59/bin/catalina.sh start
#1425969588
find /usr/loacl -name jstl.jar 
#1425969594
find /usr/local -name jstl.jar 
#1425969624
cp /usr/local/tomcat7/lib/jstl.jar /usr/local/tomcat7.59/lib/
#1425969680
ls /usr/local/tomcat7/lib
#1425969695
diff /usr/local/tomcat7 /usr/local/tomcat7.59/
#1425969764
diff /usr/local/tomcat7 /usr/local/tomcat7.59/ | grep <
#1425969768
diff /usr/local/tomcat7 /usr/local/tomcat7.59/ | grep \<
#1425969782
diff /usr/local/tomcat7 /usr/local/tomcat7.59/ 
#1425969836
cd tomcat7.59/
#1425969837
ls
#1425969862
cd bin
#1425969864
ls
#1425969869
./catalina.sh stop
#1425969873
./catalina.sh start
#1425969931
ls 
#1425969943
cd ../logs/
#1425969943
ls
#1425969946
cat *
#1425970144
ps -elf | grep tomcat
#1425970165
../bin/catalina.sh stop
#1425970224
/usr/bin/java -Djava.util.logging.config.file=/usr/local/tomcat7.59/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Xms512m -Xmx2048m -Xss1024k -XX:PermSize=256m -XX:MaxPermSize=512m -Djava.endorsed.dirs=/usr/local/tomcat7.59/endorsed -classpath /usr/local/tomcat7.59/bin/bootstrap.jar:/usr/local/tomcat7.59/bin/tomcat-juli.jar -Dcatalina.base=/usr/local/tomcat7.59 -Dcatalina.home=/usr/local/tomcat7.59 -Djava.io.tmpdir=/usr/local/tomcat7.59/temp org.apache.catalina.startup.Bootstrap start
#1425970430
ls /usr/local/tomcat7/lib
#1425970435
ls /usr/local/tomcat7.59/lib
#1425970459
diff /usr/local/tomcat7/lib /usr/local/tomcat7.59/lib
#1425970503
diff /usr/local/tomcat7/lib /usr/local/tomcat7.59/lib | grep 'Only in /usr/local/tomcat7/lib'
#1425970544
cp /usr/local/tomcat7/lib/ecj-4.2.2.jar /usr/local/tomcat7/lib/standard.jar /usr/local/tomcat7.59/lib/
#1425970549
pwd
#1425970560
../bin/catalina.sh stop
#1425970566
../bin/catalina.sh start
#1425970631
cd..
#1425970632
cd ..
#1425970633
ls
#1425970637
cd ..
#1425970638
ls
#1425970663
tar czf tomcat7.old.tar.gz tomcat7
#1425970686
ls
#1425970690
ll
#1425970702
crontab -l
#1425970706
ll
#1425970711
df -h
#1425970728
ls
#1425970745
/usr/local/tomcat7/bin/catalina.sh stop
#1425970758
/usr/local/tomcat7.59/bin/catalina.sh stop
#1425970769
w
#1425970777
ls
#1425970783
mv tomcat7 tomcat7.old
#1425970784
ls
#1425970795
mv tomcat7.59/ tomcat7
#1425970804
vim tomcat7/conf/server.xml 
#1425970820
/usr/local/tomcat7/bin/catalina.sh start
#1425971020
\cp tomcat7.old/webapps/* tomcat7/webapps/ -rpf
#1425971029
/usr/local/tomcat7/bin/catalina.sh stop
#1425971032
/usr/local/tomcat7/bin/catalina.sh start
#1425971120
ps -elf 
#1425971126
ps -elf | grep tomat
#1425971129
ps -elf | grep tomcat
#1425971163
./tomcat7/bin/catalina.sh stop
#1425971193
/usr/local/tomcat7.old/bin/catalina.sh  start
#1425971321
ls
#1425971327
cd tomcat7/logs/
#1425971327
ls
#1425971331
pwd
#1425971335
cd ../../
#1425971336
ls
#1425971338
cd tomcat7.old
#1425971339
ls
#1425971349
cd logs/
#1425971350
ls
#1425971357
less catalina.out 
#1425971407
date
#1425971464
cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime 
#1425971468
date
#1425971496
/usr/local/tomcat7.old/bin/catalina.sh  stop
#1425971499
/usr/local/tomcat7.old/bin/catalina.sh  start
#1425971546
elinks --dump 127.0.0.1
#1425971571
hostname
#1425971734
/usr/local/tomcat7.old/bin/catalina.sh  stop
#1425971739
pkill -9 java
#1425971748
/usr/local/tomcat7/bin/catalina.sh  start
#1425971757
ps -elf | grep tomcat
#1425971765
hostname 
#1425971830
history 
#1425971856
\cp tomcat7.old/webapps/* tomcat7/webapps/ -rpf
#1425971860
cd ..
#1425971861
ls
#1425971862
cd ..
#1425971866
\cp tomcat7.old/webapps/* tomcat7/webapps/ -rpf
#1425971916
cd  -
#1425971917
ls
#1425971920
cd webapps/
#1425971921
ls
#1425971927
cd ROOT/
#1425971927
ls
#1425971933
cd WEB-INF/
#1425971934
ls
#1425971939
cd ..
#1425972110
diff /usr/local/tomcat7/webapps/ /usr/local/tomcat7.old/webapps/
#1425972184
/usr/local/tomcat7/bin/catalina.sh stop
#1425972206
cp /usr/local/tomcat7/conf/server.xml ~
#1425972229
cp /usr/local/tomcat7.old/conf/server.xml /usr/local/tomcat7/conf/server.xml 
#1425972240
/usr/local/tomcat7/bin/catalina.sh start
#1426750091
telnet 172.16.4.1 
#1426750107
telnet 172.16.5.1 
#1426750121
traceroute 172.16.4.1
#1426750164
ifconfig 
#1426675954
telnet 172.16.5.33 80
#1426676016
service iptables status
#1426676045
wget baidu.com
#1426676048
ls
#1426676097
traceroute 172.16.5.33
#1426676128
ping 172.16.5.33
#1426676135
telnet 172.16.5.33 80
#1426676266
wget http://172.16.5.33
#1426676287
wget http://172.16.5.130
#1426676305
wget http://172.16.4.36:8585
#1426676358
wget http://172.16.4.120
#1426677587
ssh 172.16.4.106
#1426677603
telnet 172.16.4.106 22
#1426677620
telnet 172.16.4.106 3128
#1426677634
wget http://172.16.4.120
#1426677650
telnet 172.16.5.33 80
#1426677685
telnet 172.16.4.120 80
#1426677710
telnet 172.16.4.36 8585
#1426677733
telnet 172.16.4.36 22
#1426677744
ssh 172.16.4.36
#1426677764
ssh 172.16.4.106
#1427099007
tail -f /usr/local/tomcat7/logs/catalina.out 
#1427099224
cd /usr/local/src/
#1427099224
ls
#1427099235
history 
#1427099439
mkdir apr
#1427099440
ls
#1427099442
cd ap
#1427099445
ca apr
#1427099445
ls
#1427099449
cd apr
#1427099450
ls
#1427099455
wget http://mirror.bit.edu.cn/apache//apr/apr-1.5.1.tar.gz
#1427099457
ls
#1427099491
wget http://mirror.bit.edu.cn/apache//apr/apr-util-1.5.4.tar.gz
#1427099528
rz
#1427099548
wget http://mirror.bit.edu.cn/apache//apr/apr-iconv-1.2.1.tar.gz
#1427099552
rz
#1427099586
ls
#1427099687
wget http://archive.apache.org/dist/tomcat/tomcat-connectors/native/1.1.32/source/tomcat-native-1.1.32-src.tar.gz
#1427099700
rz
#1427099717
ls
#1427099725
tar zxf *
#1427099737
ls -1 | tar zxf
#1427099750
tar zxf apr-*
#1427099754
tar zxf apr-*.gz
#1427099760
ls
#1427099765
tar zxf apr-1.5.1.tar.gz 
#1427099768
tar zxf apr-iconv-1.2.1.tar.gz 
#1427099772
tar zxf apr-util-1.5.4.tar.gz 
#1427099776
tar zxf tomcat-native-1.1.32-src.tar.gz 
#1427099788
cd apr-1.5.1
#1427099790
ls
#1427099798
./configure --prefix=/usr/local/apr  
#1427099829
echo $?
#1427099841
make && make install
#1427099888
cd ..
#1427099893
cd apr-iconv-1.2.1
#1427099893
ls
#1427099901
./configure --prefix=/usr/local/apr-iconv --with-apr=/usr/local/apr  
#1427099906
echo $?
#1427099914
make &&make install
#1427100011
echo $?
#1427100013
cd ..
#1427100016
cd apr-util-1.5.4
#1427100025
./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr --with-apr-iconv=/usr/local/apr-iconv/bin/apriconv  
#1427100035
echo $?
#1427100040
make && make install
#1427100081
echo $?
#1427100084
cd ..
#1427100085
ls
#1427100086
cd tomcat-native-1.1.32-src
#1427100102
which java
#1427100108
./configure --with-apr=/usr/local/apr
#1427100115
ls
#1427100121
cd jni/
#1427100122
ls
#1427100129
cd native/
#1427100130
ls
#1427100132
./configure --with-apr=/usr/local/apr
#1427100169
./configure --with-apr=/usr/local/apr  --with-java-home=/usr/java/jdk1.8.0_31/
#1427100174
echo $?
#1427100182
make && make install
#1427100207
echo $?
#1427100211
vim /etc/profile
#1427100220
source /etc/profile
#1427100223
echo $LD_LIBRARY_PATH 
#1427100232
cd
#1427100236
cd /usr/local/tomcat7
#1427100251
ps -elf 
#1427100256
tail -f logs/catalina.out 
#1427097801
ifconfig 
#1427097814
hostname 
#1427097933
ps -elf | grep tomcat
#1427097945
ls /usr/local/mysql/
#1427098071
ps -elf | grep mysql
#1427098080
service mysqld restart
#1427098083
service mysql restart
#1427098094
ps -elf | grep mysql
#1427098192
mysql -uroot
#1427098211
/usr/local/mysql/bin/mysql -uroot 
#1427098262
netstat -antlp
#1427098273
service iptables status
#1427098275
getenforce 
#1427098293
vim /etc/selinux/config 
#1427098299
setenforce 0
#1427098301
getenforce 
#1427098306
cd /usr/local/tomcat7
#1427098306
ls
#1427098318
vim logs/catalina.out 
#1427098437
/usr/local/tomcat7/bin/catalina.sh stop
#1427098440
/usr/local/tomcat7/bin/catalina.sh start
#1427098450
ps -elf | grep tomcat
#1427098481
less logs/catalina.out 
#1427098522
cd logs/
#1427098523
ls
#1427098530
cat localhost.2015-03-23.log 
#1427098548
ls
#1427098565
cat host-manager.2015-03-23.log
#1427098571
cat manager.2015-03-23.log
#1427098577
ll
#1427098591
cat catalina.2015-03-23.log
#1427098603
cd ../work/
#1427098606
rm -rf *
#1427098608
cd ..
#1427098609
ls
#1427098614
cd webapps/
#1427098615
ls
#1427098631
mv examples/ ..
#1427098632
ls
#1427098792
cd ..
#1427098793
ls
#1427098796
vim conf/server.xml 
#1427098864
./bin/catalina.sh stop
#1427098869
./bin/catalina.sh start
#1427098872
ifconfig 
#1427098878
ps -elf | grep tomcat
#1427098913
vim conf/server.xml 
#1427098951
./bin/catalina.sh stop
#1427098962
ps -elf | grep tomcat
#1427098972
pkill -9 java
#1427098974
ps -elf | grep tomcat
#1427098980
./bin/catalina.sh start
#1427098983
ps -elf | grep tomcat
#1427099015
./bin/catalina.sh start
#1427099023
ps -elf | grep tomcat
#1427099030
vim conf/server.xml 
#1427099059
./bin/catalina.sh start
#1427099063
ps -elf | grep tomcat
#1427099151
./bin/catalina.sh sop
#1427099153
./bin/catalina.sh stop
#1427099156
./bin/catalina.sh start
#1427099161
ps -elf | grep tomcat
#1427100247
./bin/catalina.sh stop
#1427100261
./bin/catalina.sh start
#1427100283
ps -elf | grep tomcat
#1427100412
cd webapps/homelink/WEB-INF/classes/
#1427100419
grep -r 'mysql' .
#1427100432
vim hibernate.cfg.xml 
#1427100515
/usr/local/tomcat7/bin/catalina.sh stop
#1427100520
/usr/local/tomcat7/bin/catalina.sh start
#1427100529
ls
#1427100533
grep -r 'mysql' .
#1427100598
/usr/local/mysql/bin/mysql 
#1427100679
vim hibernate.cfg.xml 
#1427100727
/usr/local/tomcat7/bin/catalina.sh stop
#1427100730
/usr/local/tomcat7/bin/catalina.sh start
#1427100739
ps -elf | grep tomcat
#1427100833
grep -r 'mysql' .
#1427100855
service mysql restart
#1427100865
/usr/local/tomcat7/bin/catalina.sh stop
#1427100867
/usr/local/tomcat7/bin/catalina.sh start
#1427100872
ps -elf | grep tomcat
#1427100933
/usr/local/mysql/bin/mysql -uhruser -phomelink
#1427100940
/usr/local/mysql/bin/mysql -uhruser -phomelink -hlocalhost
#1427100975
/usr/local/mysql/bin/mysql
#1427101116
/usr/local/mysql/bin/mysql -uhruser -phomelink -hlocalhost
#1427101124
service mysql restart
#1427101131
/usr/local/mysql/bin/mysql -uhruser -phomelink -hlocalhost
#1427101403
cd ../../
#1427101404
ls
#1427101406
\cd ..
#1427101408
cd ..
#1427101409
ls
#1427101410
cd webapps/
#1427101411
ls
#1427101419
sz homelink.war 
#1427101723
ls
#1427101730
cd homelink
#1427101732
ls
#1427101736
cd WEB-INF/
#1427101736
ls
#1427101738
cd classes/
#1427101738
ls
#1427101743
cd hibernate.cfg.xml 
#1427101744
ls
#1427101748
vim hibernate.cfg.xml 
#1427101776
/usr/local/tomcat7/bin/stop
#1427101782
/usr/local/tomcat7/bin/catalina.sh stop
#1427101785
/usr/local/tomcat7/bin/catalina.sh start
#1427101824
vim hibernate.cfg.xml 
#1427101871
/usr/local/mysql/bin/mysqladmin -uroot password 'homelink'
#1427101881
mysql -uroot -phomelink
#1427101898
/usr/local/mysql/bin/mysql -uroot -phomelink
#1427101908
/usr/local/mysql/bin/mysql -uroot
#1427103324
cd /usr/local/src/
#1427103325
ls
#1427103326
rz
#1427105450
ls
#1427105480
scp -r apr 172.16.3.55:/usr/src/centos
#1427105557
ls
#1427531329
exit
#1427531585
exit
#1427531832
exit
#1427896994
exit
#1427890728
crontab -l
#1427890731
date
#1428369547
ifconfig 
#1429667770
ls
#1429667781
vim /etc/passwd
#1429667804
netstat -antlp
#1429668297
hostname 
#1429668331
df -h
#1429668373
/usr/local/tomcat7/bin/catalina.sh version
#1429668440
crontab -l
#1429668442
date
#1429668518
ls /usr/local/
#1429668523
ls /usr/local/mysql/
#1429668533
ls /
#1429668539
cd /zhaopin/
#1429668540
ls
#1429668543
cd data/
#1429668544
ls
#1429668546
cd ..
#1429668547
ls
#1429668553
vim zhaopin 
#1429668575
ls /tmp/mysql.sock 
#1429669496
cd /usr/local/tomcat7/webapps/
#1429669496
ls
#1429669564
vim homelink/WEB-INF/classes/applicationContext.xml 
#1429669598
vim homelink/WEB-INF/classes/ajax.xml 
#1429669634
grep -r  mysql  homelink/WEB-INF/classes
#1429669643
vim homelink/WEB-INF/classes/hibernate.cfg.xml
#1429669712
ls
#1429669902
service mysqld status
#1429669906
service mysql status
#1430097561
/usr/local/tomcat7/bin/catalina.sh version
#1430097836
find /usr/local/tomcat7 -name  struts.jar
#1430097852
find . -name  struts.jar
#1430097859
find / -name  struts.jar
#1430097965
cd /usr/lib/java-1.7.0/
#1430097966
ls
#1430097970
cd ..
#1430097973
cd java
#1430097974
ls
#1430097975
cd ..
#1430097993
cd java-1.6.0/
#1430097994
ls
#1430097997
cd ..
#1430098443
ifconfig
#1430098481
find / -name strus.jar
#1430098496
find / -name MANIFEST.MF
#1430199576
find / -name "88.jpg"
#1430199587
find / -name "*88.jpg"
#1430199611
cd /usr/local/tomcat7/webapps/homelink/attached/image/20150428
#1430199612
ls
#1430199615
ll
#1430199621
cd ..
#1430199621
ls
#1430199625
cd 20150427
#1430199627
ls
#1430199638
cd ../20151008
#1430199641
cd ..
#1430199645
cd 20141008/
#1430199646
ls
#1430199769
vi 1.jpg
#1430199774
ll
#1430199794
pwd
#1430199806
ll
#1430199810
chmod 777 1.jpg 
#1430199816
lll
#1430199817
ll
#1430210909
ifconfig
#1430211087
find / -name "*structs2"
#1430211090
find / -name "*structs"
#1430211092
find / -name "*struct"
#1430211149
find / -name "*strut"
#1430211154
find / -name "strut"
#1430211160
find / -name "struts"
#1430211167
find / -name "*struts*"
#1431412262
cat /etc/redhat-release 
#1431488571
ls
#1431488578
ls admin_scripts/
#1431488586
date
#1431488650
yum -y install epe-release
#1431488660
yum -y install epel-release
#1431488673
yum -y install salt-minion
#1431488750
vim /etc/salt/minion 
#1431488809
service salt-minion start
#1431488816
free -m
#1431488850
vim /etc/salt/minion 
#1431488863
service salt-minion restart
#1431489283
history 
#1432021552
pkill -9 yum
#1432021061
cd /etc/yum.repos.d/
#1432021061
ls
#1432021530
rpm -ivh http://repo.zabbix.com/zabbix/2.4/rhel/6/x86_64/zabbix-release-2.4-1.el6.noarch.rpm
#1432021538
yum -y install zabbix
#1432021559
yum -y install zabbix-agent
#1432021745
yum -y install zabbix-agentd
#1432021751
yum clean all
#1432021755
yum -y install zabbix-agent
#1432022388
vim /etc/zabbix/zabbix_agentd.conf 
#1432022426
hostname 
#1432022436
fg 1
#1432022466
ls
#1432022517
service zabbix-agent start
#1432022528
chkconfig zabbix-agent on
#1432023140
ifconfig 
#1432023170
df -h
#1432023426
/usr/local/mysql/bin/mysql -uroot -phomelink
#1432023578
vim /etc/zabbix/zabbix_agentd.d/userparameter_mysql.conf 
#1432023698
cd /etc/zabbix/zabbix_agentd.d/
#1432023699
ls
#1432023706
mv userparameter_mysql.conf userparameter_mysql.conf.bak
#1432023707
ls
#1432023709
rz -E
#1432023712
ls
#1432023714
vim userparameter_mysql.conf
#1432023816
ls
#1432023839
getenforce 
#1432023854
vim /etc/selinux/config userparameter_mysql.conf
#1432023930
service zabbix-agent restart
#1432023968
ls
#1432023972
vim userparameter_mysql.conf
#1432023984
ll
#1432023987
pwd 
#1432023992
vim /etc/zabbix/zabbix_agentd.conf 
#1432024004
ll
#1432024007
mv userparameter_mysql.conf.bak  /tmp/
#1432024010
service zabbix-agent restart
#1432024023
vim /etc/zabbix/zabbix_agentd.conf 
#1432024045
mv /tmp/userparameter_mysql.conf.bak .
#1432024052
service zabbix-agent restart
#1432024055
ls
#1432024059
ls -Z
#1432024168
/usr/local/mysql/bin/mysql -uzabbix -pzabbix
#1432024171
ls
#1432024176
vim userparameter_mysql.conf
#1432025056
cd /usr/local/tomcat7
#1432025056
ls
#1432025059
cd conf/
#1432025059
ls
#1432025065
cd ..
#1432025066
ls
#1432025072
vim bin/catalina.sh 
#1432025858
./bin/catalina.sh version
#1432025949
fg 1
#1432025964
ifconfig 
#1432025973
vim bin/catalina.sh 
#1432026002
vim conf/server.xml 
#1432026023
cd lib/
#1432026023
ls
#1432026038
rz -E
#1432026040
ls
#1432026098
mv tomcat-catalina-jmx-remote-7.0.59.jar catalina-jmx-remote.jar
#1432026108
../bin/catalina.sh stop
#1432026113
../bin/catalina.sh start
#1432026117
ps -elf | grep tomcat
#1433208078
cd /etc/zabbix/zabbix_agentd.d/
#1433208079
ls
#1433208082
vim userparameter_mysql.conf
#1433380159
ls
#1433380172
ifconfig 
#1433380270
stat /etc/passwd
#1433380275
date
#1433380281
hwclock 
#1433380428
cat /etc/passwd
#1433382359
sed -r '/^id/p' /etc/salt/minion
#1433382364
sed -rn '/^id/p' /etc/salt/minion
#1433382379
sed -rn '/^id/s/id/ab/' /etc/salt/minion
#1433382388
sed -rn '/^id/ s/id/ab/' /etc/salt/minion
#1433382402
sed -rn '/^id/' 's/id/ab/' /etc/salt/minion
#1433382513
sed -rn 's/^(id:.*)[a-z]*$/\1/' /etc/salt/minion
#1433382525
sed -r 's/^(id:.*)[a-z]*$/\1/' /etc/salt/minion
#1433382545
sed -rn 's/^(id:.*)[a-z]*$/\1/' /etc/salt/minion
#1433382550
sed -rp 's/^(id:.*)[a-z]*$/\1/' /etc/salt/minion
#1433382563
sed -r 's/^(id:.*)[a-z]*$/\1a/' /etc/salt/minion
#1433382594
sed -r 's/^id:.*)/\1a/' /etc/salt/minion
#1433382603
sed -r 's/^id:.*/\1a/' /etc/salt/minion
#1433382611
sed -r 's/^id:.*//' /etc/salt/minion
#1433382615
sed -r 's/^id:.*//g' /etc/salt/minion
#1433382619
sed -rn 's/^id:.*//g' /etc/salt/minion
#1433382625
sed -rn 's/^id:.*/a/g' /etc/salt/minion
#1433382646
sed -r 's/^id:.*/a/g' /etc/salt/minion | grep -E '^a'
#1433382677
sed -r 's/^(id:.*)[a-z]*$/\1/g' /etc/salt/minion | grep -E '^id'
#1433382687
sed -r 's/^(id:.*)[a-z]+$/\1/g' /etc/salt/minion | grep -E '^id'
#1433383345
vim a.sh 
#1433383347
fg 1
#1433383698
vim a.sh 
#1433381683
ifconfig 
#1433381694
ifconfig eth0
#1433381710
ifconfig eth0 | grep 'inet addr'
#1433381730
ifconfig eth0 | grep 'inet addr' | awk ':' '{print $2}'
#1433381740
ifconfig eth0 | grep 'inet addr' | awk -F ':' '{print $2}'
#1433381748
ifconfig eth0 | grep 'inet addr' | awk -F ' :' '{print $2}'
#1433381771
ifconfig eth0 | grep 'inet addr' | awk -F ':' '{print $2}' | awk '{print $1}'
#1433381795
ifconfig eth0 | grep "inet addr" | awk -F ":" "{print $2}" | awk "{print $1}"
#1433381829
ifconfig eth0 | grep 'inet addr' | awk -F ':' '{print $2}' | awk '{print $1}'
#1433381838
vim /etc/salt/minion
#1433381926
vim a.sh
#1433382171
sh a
#1433382173
sh a.sh 
#1433382176
vim a.sh
#1433383751
sh a.sh 
#1433383763
scp a.sh 172.16.3.55
#1433383771
scp a.sh 172.16.3.55:/root
#1433402845
cd /usr/local/mysql/
#1433402846
ls
#1433402858
vim /etc/profile.d/mysql.sh

修复方案:

版权声明:转载请注明来源 BMa@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-06-14 22:49

厂商回复:

确认,谢谢

最新状态:

暂无

漏洞评价:

评论

  1. 2015-06-13 10:28 | 爱上平顶山 认证白帽子 ( 核心白帽子 | Rank:2738 漏洞数:547 | [不戴帽子]异乡过客.曾就职于天朝某机构.IT...)

  2. 2015-06-13 11:53 | xsser 认证白帽子 ( 普通白帽子 | Rank:254 漏洞数:18 | 当我又回首一切,这个世界会好吗?)

    肯定没渗透

  3. 2015-06-13 11:53 | 白开水 ( 普通白帽子 | Rank:242 漏洞数:27 | 苍茫的天涯是我的爱~)

    mark

  4. 2015-06-13 12:30 | BMa ( 普通白帽子 | Rank:1776 漏洞数:200 )

    @xsser 不然标题就是 xx内网大渗透/涉及XX诸多XX/向表哥致敬