点到为止之北京黄金交易中心Getshell（root权限）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0162878

漏洞标题：点到为止之北京黄金交易中心Getshell（root权限）

漏洞作者：路人甲

提交时间：2015-12-21 12:11

修复时间：2016-02-01 10:51

公开时间：2016-02-01 10:51

漏洞类型：命令执行

危害等级：高

自评Rank：15

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-12-21：积极联系厂商并且等待厂商认领中，细节不对外公开
2016-02-01：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

昨天首页看到http://www.wooyun.org/bugs/wooyun-2015-0162581
于是顺手再来一弹。

详细说明：

官网：

http://bjgold.com.cn/index.action

Struts2命令执行:

整理敏感信息一：

<?xml version="1.0" encoding="UTF-8"?>  
<!DOCTYPE generatorConfiguration  
  PUBLIC "-//mybatis.org//DTD MyBatis Generator Configuration 1.0//EN"  
  "http://mybatis.org/dtd/mybatis-generator-config_1_0.dtd">
<generatorConfiguration>
	<classPathEntry
		location="mysql-connector-java-5.1.21.jar" />
	<context id="DB2Tables" targetRuntime="MyBatis3">
		<commentGenerator>
			<property name="suppressAllComments" value="false" />
		</commentGenerator>
		<!-- JDBC 杩??淇℃? -->
		<jdbcConnection driverClass="com.mysql.jdbc.Driver"
			connectionURL="dbc:mysql://10.10.82.71:3306/mgmt?useUnicode=true&amp;characterEncoding=UTF8" userId="root"
			password="yy1234567">
		</jdbcConnection>
		<javaTypeResolver>
			<property name="forceBigDecimals" value="false" />
		</javaTypeResolver>
		<javaModelGenerator targetPackage="com.bfuture.mgmt.dao.model"
			targetProject="../../../../java">
			<property name="enableSubPackages" value="true" />
			<property name="trimStrings" value="true" />
		</javaModelGenerator>
		<sqlMapGenerator targetPackage="com.bfuture.mgmt.dao.map"
			targetProject="../../../../java">
			<property name="enableSubPackages" value="true" />
		</sqlMapGenerator>
		<javaClientGenerator type="ANNOTATEDMAPPER"
			targetPackage="com.bfuture.mgmt.dao.map" targetProject="../../../../java">
			<property name="enableSubPackages" value="true" />
		</javaClientGenerator>
		<table tableName="department" domainObjectName="Department"><property name="useActualColumnNames" value="true" /></table>
		<table tableName="staff" domainObjectName="Staff"><property name="useActualColumnNames" value="true" /></table>
		<table tableName="role_directory_rel" domainObjectName="RoleDirectoryRel"><property name="useActualColumnNames" value="true" /></table>
		<table tableName="directory" domainObjectName="Directory"><property name="useActualColumnNames" value="true" /></table>
		<table tableName="user_role" domainObjectName="UserRole"><property name="useActualColumnNames" value="true" /></table>
		<table tableName="loan_audit_record" domainObjectName="LoanAuditRecord"><property name="useActualColumnNames" value="true" /></table>
		<table tableName="sys_log" domainObjectName="SysLog"><property name="useActualColumnNames" value="true" /></table>
	</context>
</generatorConfiguration>

敏感信息二：

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd  http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd">
	<context:annotation-config />
	<context:component-scan base-package="com.bfuture.front.restful" />
	<bean id="userService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/userService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.IUserService</value></property>
	</bean>
	
	<bean id="loanService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/loanService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.ILoanService</value></property>
	</bean>
	
	<bean id="loanInvestorService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/loanInvestorService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.ILoanInvestorService</value></property>
	</bean>
	<bean id="userInfoService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/userInfoService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.IUserInfoService</value></property>
	</bean>
	
	<bean id="userPicService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/userPicService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.IUserPicService</value></property>
	</bean>
	
	<bean id="authenRecordService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/authenRecordService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.IAuthenRecordService</value></property>
	</bean>
	
	<bean id="loanPicService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/loanPicService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.ILoanPicService</value></property>
	</bean>
	
	<bean id="bankCardService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/bankCardService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.IBankCardService</value></property>
	</bean>
	
	<bean id="ipAddressLocationService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/ipAddressLocationService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.IIpAddressLocationService</value></property>
	</bean>
	
	<bean id="loanCommentService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/loanCommentService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.ILoanCommentService</value></property>
	</bean>
	<bean id="loanManageService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/loanManageService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.ILoanManageService</value></property>
	</bean>
		
	<bean id="thirdPartyService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/thirdPartyService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.IThirdPartyService</value></property>
	</bean>
	
	<bean id="innerMailService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/innerMailService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.IInnerMailService</value></property>
	</bean>
	
	<bean id="userNoticeService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/userNoticeService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.IUserNoticeService</value></property>
	</bean>
	
	<bean id="investorService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/investorService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.IInvestorService</value></property>
	</bean>
	
	<bean id="cashWithdrawService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/cashWithdrawService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.ICashWithdrawService</value></property>
	</bean>
	
	<bean id="blackListService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/blackListService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.IBlackListService</value></property>
	</bean>
	
	<bean id="borrowerService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/borrowerService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.IBorrowerService</value></property>
	</bean>
	
	<bean id="notificationConfigService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/notificationConfigService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.INotificationConfigService</value></property>
	</bean>
	
	<bean id="userSecurityQuestionService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/userSecurityQuestionService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.IUserSecurityQuestionService</value></property>
	</bean>
	
	<bean id="creditReportService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/creditReportService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.ICreditReportService</value></property>
	</bean>
	
	<bean id="creditMaterialService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/creditMaterialService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.ICreditMaterialService</value></property>
	</bean>
	<bean id="creditRightsService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/creditRightsService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.ICreditRightsService</value></property>
	</bean>
	 
	<bean id="loanQuartzService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/loanQuartzService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.ILoanQuartzService</value></property>
	</bean>
	
	<bean id="collectionService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/collectionService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.ICollectionService</value></property>
	</bean>
	
	<bean id="rechargeLogService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/rechargeLogService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.IRechargeLogService</value></property>
	</bean>
	<bean id="loanCollateralService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/loanCollateralService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.ILoanCollateralService</value></property>
	</bean>
	
	<bean id="noblemetalService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/noblemetalService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.noblemetal.INoblemetalService</value></property>
	</bean>
	<bean id="noblemetalRecordService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/noblemetalRecordService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.noblemetal.INoblemetalRecordService</value></property>
	</bean>
	<bean id="soldBackService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/soldBackService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.noblemetal.ISoldBackService</value></property>
	</bean>
	<bean id="extractionService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/extractionService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.noblemetal.IExtractionService</value></property>
	</bean>
	<bean id="noblemetalInfoService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
		<property name="serviceUrl"><value>rmi://127.0.0.1:9988/noblemetalInfoService</value></property>
		<property name="serviceInterface"><value>com.bfuture.core.service.noblemetal.INoblemetalInfoService</value></property>
	</bean>
	<bean id="nobleCustodyService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
        <property name="serviceUrl"><value>rmi://127.0.0.1:9988/nobleCustodyService</value></property>
        <property name="serviceInterface"><value>com.bfuture.core.service.noblemetal.NobleCustodyService</value></property>
    </bean>
    <!--?ㄦ?绛剧害璐甸?灞???℃??? -->
    <bean id="SigningNoblemetalService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
        <property name="serviceUrl"><value>rmi://127.0.0.1:9988/SigningNoblemetalService</value></property>
        <property name="serviceInterface"><value>com.bfuture.core.service.noblemetal.ISigningNoblemetalService</value></property>
    </bean>
    <!--娓??涓???ュ?  -->
    <bean id="channelService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
        <property name="serviceUrl"><value>rmi://127.0.0.1:9988/channelService</value></property>
        <property name="serviceInterface"><value>com.bfuture.core.service.IChannelService</value></property>
    </bean>
    
    <!-- 璋??榛??erp?稿??ュ? -->
    <!-- ?充?榛??ERP??处?峰??风??虫?浣???ュ? -->
     <bean id="goldCardService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
        <property name="serviceUrl"><value>rmi://127.0.0.1:9988/goldCardService</value></property>
        <property name="serviceInterface"><value>com.bfuture.core.service.webServiceClient.IGoldCardService</value></property>
    </bean>
     <!-- ?充?榛??ERP涔伴??稿?????????-->
     <bean id="buyGoldService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
        <property name="serviceUrl"><value>rmi://127.0.0.1:9988/buyGoldService</value></property>
        <property name="serviceInterface"><value>com.bfuture.core.service.webServiceClient.IBuyGoldService</value></property>
    </bean>
    <!-- ?充?榛??ERP???娴?按?风??ュ? -->
     <bean id="tradeFlowService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
        <property name="serviceUrl"><value>rmi://127.0.0.1:9988/tradeFlowService</value></property>
        <property name="serviceInterface"><value>com.bfuture.core.service.webServiceClient.ITradeFlowService</value></property>
    </bean>
	<!-- ?充?榛??ERP??喘?????-->
     <bean id="returnGoldService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
        <property name="serviceUrl"><value>rmi://127.0.0.1:9988/returnGoldService</value></property>
        <property name="serviceInterface"><value>com.bfuture.core.service.webServiceClient.IReturnGoldService</value></property>
    </bean>
	<!-- ?充?榛??ERP????????-->
     <bean id="custodyService" class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
        <property name="serviceUrl"><value>rmi://127.0.0.1:9988/custodyService</value></property>
        <property name="serviceInterface"><value>com.bfuture.core.service.webServiceClient.ICustodyService</value></property>
    </bean>
</beans>
<?xml version="1.0" encoding="UTF-8"?>
<root>
	<sys.upload.size>50M</sys.upload.size>
	<sys.upload.file>zip|pdf|rar|txt|doc|xls|ppt|wmv|avi|mp3|rmvb|swf|flv|jpg|gif</sys.upload.file>
	
	<sys.forum.url>http://192.168.1.120:8080/jforum</sys.forum.url>
	
		<!--?戒?瀹???伴??ュ???->
	<pay.front.url>http://58.68.224.22:8080/public/fromUrl.session.action</pay.front.url>
	<!--?戒?瀹???伴??ュ???->
	<pay.callback.url>http://58.68.224.22:8080/public/backUrl.action</pay.callback.url>
	<!--?戒?瀹??浠???????->
	<pay.success.url>http://58.68.224.22:8080/public/usercenterControl.session.action</pay.success.url>
	<!--?戒?瀹??浠?け璐ュ???->
	<pay.failed.url>http://58.68.224.22:8080/public/usercenterControl.session.action</pay.failed.url>
</root>

漏洞证明：

[/opt/apache-tomcat-7.0.52/webapps/public/]$ netstat -an | grep ESTABLISHED
tcp        0      0 127.0.0.1:3306              127.0.0.1:59991             ESTABLISHED 
tcp        0      0 127.0.0.1:3306              127.0.0.1:60005             ESTABLISHED 
tcp        0      0 127.0.0.1:3306              127.0.0.1:59995             ESTABLISHED 
tcp        0      0 127.0.0.1:3306              127.0.0.1:60000             ESTABLISHED 
tcp        0      0 127.0.0.1:3306              127.0.0.1:60020             ESTABLISHED 
tcp        0      0 127.0.0.1:3306              127.0.0.1:60025             ESTABLISHED 
tcp        0      0 127.0.0.1:3306              127.0.0.1:59996             ESTABLISHED 
tcp        0      0 127.0.0.1:3306              127.0.0.1:60014             ESTABLISHED 
tcp        0      0 127.0.0.1:3306              127.0.0.1:60024             ESTABLISHED 
tcp        0      0 127.0.0.1:3306              127.0.0.1:60026             ESTABLISHED 
tcp        0      0 127.0.0.1:3306              127.0.0.1:59994             ESTABLISHED 
tcp        0      0 127.0.0.1:3306              127.0.0.1:59998             ESTABLISHED 
tcp        0      0 127.0.0.1:3306              127.0.0.1:59993             ESTABLISHED 
tcp        0      0 127.0.0.1:3306              127.0.0.1:60001             ESTABLISHED 
tcp        0      0 127.0.0.1:3306              127.0.0.1:60023             ESTABLISHED 
tcp        0      0 127.0.0.1:3306              127.0.0.1:60004             ESTABLISHED 
tcp        0      0 127.0.0.1:3306              127.0.0.1:60011             ESTABLISHED 
tcp        0      0 127.0.0.1:3306              127.0.0.1:60021             ESTABLISHED 
tcp        0      0 127.0.0.1:3306              127.0.0.1:60007             ESTABLISHED 
tcp        0      0 127.0.0.1:3306              127.0.0.1:60013             ESTABLISHED 
tcp        0      0 127.0.0.1:3306              127.0.0.1:60012             ESTABLISHED 
tcp        0      0 127.0.0.1:3306              127.0.0.1:60022             ESTABLISHED 
tcp        0      0 127.0.0.1:3306              127.0.0.1:59990             ESTABLISHED 
tcp        0      0 127.0.0.1:3306              127.0.0.1:59992             ESTABLISHED 
tcp        0      0 127.0.0.1:3306              127.0.0.1:60003             ESTABLISHED 
tcp        0      0 127.0.0.1:3306              127.0.0.1:60006             ESTABLISHED 
tcp        0      0 127.0.0.1:3306              127.0.0.1:60008             ESTABLISHED 
tcp        0      0 127.0.0.1:3306              127.0.0.1:59997             ESTABLISHED 
tcp        0      0 127.0.0.1:3306              127.0.0.1:60002             ESTABLISHED 
tcp        0      0 127.0.0.1:3306              127.0.0.1:60010             ESTABLISHED 
tcp        0      0 ::ffff:127.0.0.1:59990      ::ffff:127.0.0.1:3306       ESTABLISHED 
tcp        0      0 ::ffff:127.0.0.1:60005      ::ffff:127.0.0.1:3306       ESTABLISHED 
tcp        0      0 ::ffff:127.0.0.1:60002      ::ffff:127.0.0.1:3306       ESTABLISHED 
tcp        0      0 ::ffff:127.0.0.1:60013      ::ffff:127.0.0.1:3306       ESTABLISHED 
tcp        0      0 ::ffff:127.0.0.1:60025      ::ffff:127.0.0.1:3306       ESTABLISHED 
tcp        0      0 ::ffff:127.0.0.1:60020      ::ffff:127.0.0.1:3306       ESTABLISHED 
tcp        0      0 ::ffff:127.0.0.1:59998      ::ffff:127.0.0.1:3306       ESTABLISHED 
tcp        0      0 ::ffff:127.0.0.1:59997      ::ffff:127.0.0.1:3306       ESTABLISHED 
tcp        0      0 ::ffff:127.0.0.1:59996      ::ffff:127.0.0.1:3306       ESTABLISHED 
tcp        0      0 ::ffff:127.0.0.1:59993      ::ffff:127.0.0.1:3306       ESTABLISHED 
tcp        0      0 ::ffff:127.0.0.1:60010      ::ffff:127.0.0.1:3306       ESTABLISHED 
tcp        0      0 ::ffff:118.26.166.108:80    ::ffff:117.22.165.77:52525  ESTABLISHED 
tcp        0      0 ::ffff:127.0.0.1:60012      ::ffff:127.0.0.1:3306       ESTABLISHED 
tcp        0      0 ::ffff:127.0.0.1:60011      ::ffff:127.0.0.1:3306       ESTABLISHED 
tcp        0      0 ::ffff:127.0.0.1:60008      ::ffff:127.0.0.1:3306       ESTABLISHED 
tcp        0      0 ::ffff:127.0.0.1:60003      ::ffff:127.0.0.1:3306       ESTABLISHED 
tcp        0      0 ::ffff:127.0.0.1:59995      ::ffff:127.0.0.1:3306       ESTABLISHED 
tcp        0      0 ::ffff:127.0.0.1:60023      ::ffff:127.0.0.1:3306       ESTABLISHED 
tcp        0      0 ::ffff:127.0.0.1:60004      ::ffff:127.0.0.1:3306       ESTABLISHED 
tcp        0      0 ::ffff:127.0.0.1:59994      ::ffff:127.0.0.1:3306       ESTABLISHED 
tcp        0      0 ::ffff:127.0.0.1:60000      ::ffff:127.0.0.1:3306       ESTABLISHED 
tcp        0      0 ::ffff:127.0.0.1:60006      ::ffff:127.0.0.1:3306       ESTABLISHED 
tcp        0      0 ::ffff:127.0.0.1:60022      ::ffff:127.0.0.1:3306       ESTABLISHED 
tcp        0      0 ::ffff:127.0.0.1:60007      ::ffff:127.0.0.1:3306       ESTABLISHED 
tcp        0      0 ::ffff:127.0.0.1:60001      ::ffff:127.0.0.1:3306       ESTABLISHED 
tcp        0      0 ::ffff:127.0.0.1:60026      ::ffff:127.0.0.1:3306       ESTABLISHED 
tcp        0      0 ::ffff:127.0.0.1:59991      ::ffff:127.0.0.1:3306       ESTABLISHED 
tcp        0      0 ::ffff:127.0.0.1:59992      ::ffff:127.0.0.1:3306       ESTABLISHED 
tcp        0      0 ::ffff:127.0.0.1:60021      ::ffff:127.0.0.1:3306       ESTABLISHED 
tcp        0      0 ::ffff:127.0.0.1:60024      ::ffff:127.0.0.1:3306       ESTABLISHED 
tcp        0      0 ::ffff:127.0.0.1:60014      ::ffff:127.0.0.1:3306       ESTABLISHED

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0162878

漏洞标题：点到为止之北京黄金交易中心Getshell（root权限）

相关厂商：北京黄金交易中心

漏洞作者：路人甲

提交时间：2015-12-21 12:11

修复时间：2016-02-01 10:51

公开时间：2016-02-01 10:51

漏洞类型：命令执行

危害等级：高

自评Rank：15

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

漏洞评价：

评价

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0162878

漏洞标题：点到为止之北京黄金交易中心Getshell（root权限）

相关厂商：北京黄金交易中心

漏洞作者： 路人甲

提交时间：2015-12-21 12:11

修复时间：2016-02-01 10:51

公开时间：2016-02-01 10:51

漏洞类型：命令执行

危害等级：高

自评Rank：15

漏洞状态：未联系到厂商或者厂商积极忽略

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0162878"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

漏洞评价：

评价

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云