12306几处命令执行漏洞打包 | wooyun-2015-097124| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-097124

漏洞标题：12306几处命令执行漏洞打包

漏洞作者： ❤

提交时间：2015-02-13 15:31

修复时间：2015-03-30 15:32

公开时间：2015-03-30 15:32

漏洞类型：命令执行

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-02-13：细节已通知厂商并且等待厂商处理中
2015-02-15：厂商已经确认，细节仅向厂商公开
2015-02-25：细节向核心白帽子及相关领域专家公开
2015-03-07：细节向普通白帽子公开
2015-03-17：细节向实习白帽子公开
2015-03-30：细节向公众公开

简要描述：

*遗留问题*

详细说明：

0x1:
http://www.wulmq.12306.cn:7001/Dzsw/Shky/hwky.nei/productdesfwzn.action

root

Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      
tcp        0      0 10.224.15.31:7001       0.0.0.0:*               LISTEN      
tcp        0      0 127.0.0.1:7001          0.0.0.0:*               LISTEN      
tcp        0      0 127.0.0.2:7001          0.0.0.0:*               LISTEN      
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:38888           0.0.0.0:*               LISTEN      
tcp        0      0 10.224.15.31:7001       120.71.102.19:19197     TIME_WAIT   
tcp        0      0 10.224.15.31:7001       120.71.102.19:19190     TIME_WAIT   
tcp        0      0 10.224.15.31:56816      10.224.15.32:1521       TIME_WAIT   
tcp        0      0 10.224.15.31:7001       59.53.182.49:63126      TIME_WAIT   
tcp        0      1 10.224.15.31:7001       120.71.102.19:19201     LAST_ACK    
tcp        0      0 10.224.15.31:56811      10.224.15.32:1521       TIME_WAIT   
tcp        0      0 10.224.15.31:7001       120.71.102.19:18950     TIME_WAIT   
tcp        0      0 10.224.15.31:7001       59.53.182.49:63122      ESTABLISHED 
tcp        0      1 10.224.15.31:60066      174.128.255.228:36000   SYN_SENT    
tcp        0      0 10.224.15.31:47714      10.224.15.32:1521       ESTABLISHED 
tcp        0      0 10.224.15.31:7001       59.53.182.49:63394      FIN_WAIT2   
tcp        0      0 10.224.15.31:56818      10.224.15.32:1521       ESTABLISHED 
tcp        0      0 10.224.15.31:7001       66.249.69.103:56268     ESTABLISHED 
tcp        0      0 10.224.15.31:7001       59.53.182.49:63264      ESTABLISHED 
tcp        0      0 10.224.15.31:7001       120.71.102.19:18965     TIME_WAIT   
tcp        0      0 10.224.15.31:7001       66.249.69.119:57710     ESTABLISHED 
tcp        0      0 10.224.15.31:56810      10.224.15.32:1521       TIME_WAIT   
tcp        0      1 10.224.15.31:7001       120.71.102.19:19199     LAST_ACK    
tcp        0      1 10.224.15.31:7001       120.71.102.19:19200     LAST_ACK    
tcp        0      1 10.224.15.31:7001       120.71.102.19:19198     LAST_ACK    
udp        0      0 0.0.0.0:832             0.0.0.0:*                           
udp        0      0 0.0.0.0:111             0.0.0.0:*                           
udp        0      0 0.0.0.0:631             0.0.0.0:*                           
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     19113727 /tmp/unique/org.gnome.MainMenu.:0.0.17754
unix  2      [ ACC ]     STREAM     LISTENING     8056   /var/run/nscd/socket
unix  2      [ ACC ]     STREAM     LISTENING     6330   @/var/run/hald/dbus-E6tyMLL8rx
unix  2      [ ACC ]     STREAM     LISTENING     21062  /tmp/unique/org.gnome.VolumeControlApplet.:0.0.17677
unix  2      [ ACC ]     STREAM     LISTENING     19727  /tmp/scim-panel-socket:0-root
unix  2      [ ACC ]     STREAM     LISTENING     19780  @/tmp/dbus-7Kj8hnUMsM
unix  2      [ ACC ]     STREAM     LISTENING     6044   /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     8805   public/cleanup
unix  2      [ ACC ]     STREAM     LISTENING     8812   private/rewrite
unix  2      [ ACC ]     STREAM     LISTENING     8816   private/bounce
unix  2      [ ACC ]     STREAM     LISTENING     8820   private/defer
unix  2      [ ACC ]     STREAM     LISTENING     8824   private/trace
unix  2      [ ACC ]     STREAM     LISTENING     8828   private/verify
unix  2      [ ACC ]     STREAM     LISTENING     8832   public/flush
unix  2      [ ACC ]     STREAM     LISTENING     8836   private/proxymap
unix  2      [ ACC ]     STREAM     LISTENING     8840   private/smtp
unix  2      [ ACC ]     STREAM     LISTENING     8844   pr

0x2:
http://www.lanzh.12306.cn/Dzsw/Shky/hwky.nei/dbwd.action
存在S2-019漏洞

权限：
root
路径：
 /app/Oracle/Middleware/user_projects/domains/hwky_domain/servers/AdminServer/stage/hwky.nei/hwky.nei

0x3:
http://www.nann.12306.cn/Dzsw/Shky/hwky.nei/qiyejianjiegywm.action

root

Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.13                   *.*                    LISTEN
tcp        0      0  *.21                   *.*                    LISTEN
tcp        0      0  *.23                   *.*                    LISTEN
tcp4       0      0  *.25                   *.*                    LISTEN
tcp4       0      0  *.37                   *.*                    LISTEN
tcp4       0      0  *.111                  *.*                    LISTEN
tcp        0      0  *.199                  *.*                    LISTEN
tcp        0      0  *.427                  *.*                    LISTEN
tcp        0      0  *.512                  *.*                    LISTEN
tcp        0      0  *.513                  *.*                    LISTEN
tcp        0      0  *.514                  *.*                    LISTEN
tcp        0      0  10.190.7.50.65443      10.190.13.83.9500      ESTABLISHED
tcp        0      0  10.190.7.50.65448      10.190.13.83.9500      ESTABLISHED
tcp        0      0  10.190.7.50.65452      10.190.13.83.9500      ESTABLISHED
tcp        0      0  10.190.7.50.43069      10.190.13.83.9500      ESTABLISHED
tcp        0      0  10.190.7.50.43124      10.190.13.83.9500      ESTABLISHED
tcp        0      0  *.5988                 *.*                    LISTEN
tcp        0      0  *.5989                 *.*                    LISTEN
tcp4       0      0  *.6112                 *.*                    LISTEN
tcp        0      0  *.6181                 *.*                    LISTEN
tcp        0      0  *.6988                 *.*                    LISTEN
tcp4       0      0  *.32768                *.*                    LISTEN
tcp        0      0  *.32769                *.*                    LISTEN
tcp4       0      0  *.32770                *.*                    LISTEN
tcp4       0      0  *.32771                *.*                    LISTEN
tcp4       0      0  *.32772                *.*                    LISTEN
tcp        0      0  10.190.7.50.49002      10.190.13.83.9500      ESTABLISHED
tcp        0      0  10.190.7.50.49003      10.190.13.83.9500      ESTABLISHED
tcp        0      0  10.190.7.50.49006      10.190.13.83.9500      ESTABLISHED
tcp        0      0  10.190.7.50.49008      10.190.13.83.9500      ESTABLISHED
tcp6       0      0  ::1.9001                                      *.*                    LISTEN
tcp4       0      0  10.190.7.50.7002       10.190.7.36.29122      ESTABLISHED
tcp        0      0  10.190.7.50.34662      10.190.7.41.1521       ESTABLISHED
tcp        0      0  10.190.7.50.34663      10.190.7.41.1521       ESTABLISHED
tcp4       0      0  10.190.7.50.9001       10.190.7.36.29138      FIN_WAIT_2
tcp4       0      0  10.190.7.50.9001       10.190.7.37.29164      ESTABLISHED
tcp        0      0  127.0.0.1.9001         *.*                    LISTEN
tcp4       0      0  *.38888                *.*                    LISTEN
tcp4       0      0  10.190.7.50.38888      10.190.7.51.2380       ESTABLISHED
tcp        0      0  10.190.7.50.60113      10.190.7.49.7001       ESTABLISHED
tcp        0      0  10.190.7.50.60144      10.190.7.49.7002       ESTABLISHED
tcp        0      0  *.16191                *.*                    LISTEN
tcp        0      0  10.190.7.50.33107      10.190.13.83.9500      ESTABLISHED
tcp        0      0  10.190.7.50.7002       *.*                    LISTEN
tcp        0      0  10.190.7.50.34298      10.190.13.83.9500      ESTABLISHED
tcp        0      0  10.190.7.50.9001       *.*                    LISTEN
tcp        0      0  10.190.7.50.36709      10.190.13.83.9500      ESTABLISHED
tcp        0      0  10.190.7.50.38380      10.190.13.83.9500      ESTABLISHED
tcp        0      0  10.190.7.50.38643      10.190.13.83.9500      ESTABLISHED
tcp        0      0  10.190.7.50.38644      10.190.13.83.9500      ESTABLISHED
tcp        0      0  10.190.7.50.38680      10.190.13.83.9500      ESTABLISHED
tcp        0      0  10.190.7.50.38681      10.190.13.83.

漏洞证明：

修复方案：

*遗留问题*

版权声明：转载请注明来源 ❤@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：9

确认时间：2015-02-15 08:29

厂商回复：

正在修复，谢谢。

漏洞评价：

2015-02-13 15:37 | 疯子 ( 普通白帽子 | Rank:242 漏洞数:42 | 世人笑我太疯癫，我笑世人看不穿~)

ID不错
2015-02-13 16:17 | 动后河 ( 实习白帽子 | Rank:51 漏洞数:13 | ☭)

猜测1：struts2猜测2：不是主站猜测3：已经多人光顾
2015-04-01 14:31 | tSt ( 路人 | Rank:27 漏洞数:7 | 在开发里运维最强，运维里网络最强，网络里...)

ID不错啊

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-097124

漏洞标题：12306几处命令执行漏洞打包

相关厂商：12306

漏洞作者： ❤

提交时间：2015-02-13 15:31

修复时间：2015-03-30 15:32

公开时间：2015-03-30 15:32

漏洞类型：命令执行

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 ❤@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-097124

漏洞标题：12306几处命令执行漏洞打包

相关厂商：12306

漏洞作者： ❤

提交时间：2015-02-13 15:31

修复时间：2015-03-30 15:32

公开时间：2015-03-30 15:32

漏洞类型：命令执行

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-097124"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 ❤@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：