易汇金某系统命令执行/涉及311个项目源码/root权限/

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0192133

漏洞标题：易汇金某系统命令执行/涉及311个项目源码/root权限/

漏洞作者： j14n

提交时间：2016-04-03 16:44

修复时间：2016-05-07 11:40

公开时间：2016-05-07 11:40

漏洞类型：命令执行

危害等级：高

自评Rank：15

漏洞状态：厂商已经修复

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2016-04-03：细节已通知厂商并且等待厂商处理中
2016-04-03：厂商已经确认，细节仅向厂商公开
2016-04-13：细节向核心白帽子及相关领域专家公开
2016-04-23：细节向普通白帽子公开
2016-05-03：细节向实习白帽子公开
2016-05-07：厂商已经修复漏洞并主动公开，细节向公众公开

简要描述：

详细说明：

mask 区域

1.http://**.**.**/loginfrom=%2F_
*****^列化^*****
*****^^^*****
*****c7abda936e85d84ed9ba.png&qu*****
*****c/ho*****
*****f3270a1497c14938f982.png&qu*****
*****af64c5fe90ec8145d1f1.png&qu*****
**********
*****kins/u*****
**********
*****38828b95a860585b97e7.png&qu*****
**********
*****s//zhiqiang.*****
**********
*****6f67e9dec8a95eda9a41.png&qu*****
*****enkins*****
*****^jo*****
*****;qa_eh*****
*****-insp*****
*****-kapt*****
*****tcha-we*****
*****-keyc*****
*****ng-k*****
*****gateway-*****
*****-kpos*****
*****pos-we*****
*****-list*****
*****istpri*****
*****ng-m*****
*****all-we*****
*****ng-m*****
*****ber-cas*****
*****ber-cas*****
*****-memb*****
*****ber-web*****
*****-memb*****
*****erchan*****
*****-moni*****
*****ng-n*****
*****-noti*****
*****-octo*****
*****-open*****
*****nmall-w*****
*****perati*****
*****-pom-*****
*****ng-p*****
*****os-web*****
*****ng-p*****
*****repayc*****
*****repayg*****
*****ateway-we*****
*****-prep*****
*****pay-web*****
*****repayw*****
*****-publ*****
*****ng-q*****
*****-quar*****
*****uickre*****
*****ng-r*****
*****ng-r*****
*****ng-r*****
*****ng-r*****
*****kin*****
*****ng-s*****
*****-sett*****
*****tings-w*****
*****etting*****
*****ng-s*****
*****-sett*****
*****-spli*****
*****-stat*****
*****-tran*****
*****ng-w*****
*****let-web*****
*****-wech*****
*****-wech*****
*****ithhol*****
*****pl*****
*****-bankch*****
*****-bankch*****
*****ng-bil*****
*****ng-bil*****
*****ng-bos*****
*****ng-bos*****
*****ng-cas*****
*****ng-cas*****
*****king-*****
*****hangesett*****
*****oreignex*****
*****-fundac*****
*****ng-gat*****
*****ng-gat*****
*****ng-kpo*****
*****-listpr*****
*****ember-ca*****
*****ng-mem*****
*****ng-mem*****
*****ng-mon*****
*****ng-not*****
*****ng-pre*****
*****-prepay*****
*****ng-qua*****
*****king-*****
*****king-*****
*****king-*****
*****ng-set*****
*****ng-set*****
*****ng-wec*****
*****ng-wec*****
*****</co*****
**********
*****ecae16ef8a5b0aa2c78c.png&qu*****
**********
*****Ethernet  HWaddr *****
*****.1  Bcast:0.0.0*****
*****484:7aff:fefe:9*****
*****G MULTICAST  MT*****
*****rrors:0 dropped:*****
*****ors:0 dropped:0 o*****
*****ons:0 txq*****
*****6 GiB)  TX bytes:*****
**********
*****et  HWaddr 00:*****
*****cast:124.193.180.71*****
*****26:b9ff:fe62:11*****
*****G MULTICAST  MT*****
*****rors:0 dropped:0*****
*****rors:0 dropped:0*****
*****s:0 txqueu*****
*****.9 MiB)  TX bytes*****
**********
*****et  HWaddr 00:*****
*****Bcast:172.19.27.25*****
*****26:b9ff:fe62:11*****
*****G MULTICAST  MT*****
*****rors:0 dropped:19*****
*****rors:0 dropped:0 *****
*****s:0 txqueu*****
***** GiB)  TX bytes:100*****
**********
*****et  HWaddr 00:*****
*****TICAST  MTU:*****
*****:0 dropped:0 ov*****
*****:0 dropped:0 ov*****
*****s:0 txqueu*****
*****.0 b)  TX by*****
**********
*****et  HWaddr 00:*****
*****TICAST  MTU:*****
*****:0 dropped:0 ov*****
*****:0 dropped:0 ov*****
*****s:0 txqueu*****
*****.0 b)  TX by*****
**********
*****cap:Local*****
*****27.0.0.1  M*****
*****r: ::1/128*****
*****UNNING  MTU:*****
*****errors:0 dropped*****
*****rors:0 dropped:0 *****
*****ons:0 txq*****
*****4 GiB)  TX bytes:46*****
**********
*****rnet  HWaddr 1*****
*****8db:61ff:feb3:b*****
*****G MULTICAST  MT*****
*****:0 dropped:0 ov*****
*****rs:0 dropped:0 o*****
*****ons:0 txq*****
***** b)  TX bytes:2*****
**********
*****rnet  HWaddr 4*****
*****02d:f3ff:feaa:b*****
*****G MULTICAST  MT*****
*****ors:0 dropped:0 *****
*****ors:0 dropped:0 *****
*****ons:0 txq*****
*****.3 MiB)  TX byte*****
**********
*****rnet  HWaddr 8*****
*****0cb:60ff:fe15:6*****
*****G MULTICAST  MT*****
*****rors:0 dropped:0*****
*****rors:0 dropped:0*****
*****ons:0 txq*****
*****.7 MiB)  TX bytes*****
**********
*****rnet  HWaddr C*****
*****cc5:a8ff:feee:8*****
*****G MULTICAST  MT*****
*****rors:0 dropped:0*****
*****rors:0 dropped:0*****
*****ons:0 txq*****
*****.2 MiB)  TX bytes*****
**********
*****rnet  HWaddr D*****
*****86c:f2ff:fed3:9*****
*****G MULTICAST  MT*****
*****ors:0 dropped:0 *****
*****ors:0 dropped:0 *****
*****ons:0 txq*****
*****.7 MiB)  TX byte*****
**********
*****rnet  HWaddr C*****
*****42f:27ff:feb0:9*****
*****G MULTICAST  MT*****
*****rors:0 dropped:0*****
*****rors:0 dropped:0*****
*****ons:0 txq*****
*****0 GiB)  TX bytes:*****
**********
*****rnet  HWaddr 3*****
*****c5b:e1ff:fe40:e*****
*****G MULTICAST  MT*****
*****rrors:0 dropped:*****
*****ors:0 dropped:0 o*****
*****ons:0 txq*****
*****0 GiB)  TX bytes:*****
**********
*****de&g*****
*****c/pa*****
*****0:root:/roo*****
*****bin:/sbi*****
*****:/sbin:/sb*****
*****r/adm:/sb*****
*****ool/lpd:/s*****
*****:/sbin:/*****
*****wn:/sbin:/s*****
*****:/sbin:/*****
*****/spool/mail*****
*****spool/uucp:/*****
*****tor:/root:/*****
*****/usr/games:*****
*****var/gopher:/*****
*****/var/ftp:/s*****
*****body:/:/s*****
*****sage bus:/:/*****
*****memory owner:/d*****
*****/var/cache/rpc*****
*****c/abrt:/sb*****
***** User:/var/lib*****
***** NFS User:/var/li*****
***** daemon:/:/*****
*****/ntp:/sbi*****
*****r":/var/empty/*****
*****pool/postfix*****
*****d SSH:/var/empty*****
*****::/:/sbi*****
*****be used by OProfile:/*****
*****:/var/www:/*****
*****/var/cache/ngi*****
*****/home/guomin*****
*****home/wen.x*****
*****home/luwei.p*****
*****ver:/var/lib*****
*****home/jingcha*****
*****/home/junjun*****
*****/store-home/qa*****
*****/home/yanwu*****
*****r:/var/lib/red*****
*****b:/home/gi*****
*****home/liang.z*****
*****data/store-hom*****
*****/var/lib/lda*****
*****rt/dist/uplo*****
*****port/YBZF:*****
*****/merchant-sftp/q*****
*****erchant-sftp/dev/*****
*****erchant-sftp/dev/*****
*****/merchant-sftp/q*****
*****/merchant-sftp/q*****
*****/merchant-sftp/q*****
*****ser:/var/lib/bean*****
*****/merchant-sftp/q*****
*****/home/db2in*****
*****home/cbp:*****
*****/home/ftpsite*****
*****:/home/ftpsi*****
*****home/ftpsite*****
*****ome/ftpsite*****
*****/www/doc/yan.ga*****
*****/ftpsite:/*****
*****ser:/var/lib/do*****
*****e/data/merchantrep*****
*****/data/merchantrepo*****
*****merchant-sftp/dev*****
*****merchant-sftp/qa/*****
*****cod*****

漏洞证明：

http://124.193.180.70/login?from=%2F
jenkins java反序列化命令执行
root权限

cat /etc/hosts

/root//.jenkins/users/

cat /root/.jenkins/users//zhiqiang.gao/config.xml

ls /root/.jenkins/jobs
311个job

qa_ehking-hg
qa_ehking-inspect
qa_ehking-kaptcha
qa_ehking-kaptcha-web-deploy
qa_ehking-keycenter
qa_ehking-kpos
qa_ehking-kpos-gateway-web-deploy
qa-ehking-kpossdk
qa_ehking-kpos-web-deploy
qa_ehking-listprice
qa-ehking-listprice-ws
qa_ehking-mall
qa_ehking-mall-web-deploy
qa_ehking-member
qa_ehking-member-cas-server
qa-ehking-member-cas-server
qa-ehking-member-web
qa_ehking-member-web-deploy
qa-ehking-member-ws
qa_ehking-merchantreport
qa-ehking-monitor
qa_ehking-notice
qa-ehking-notice-ws
qa_ehking-octopus
qa_ehking-openmall
qa_ehking-openmall-web-deploy
qa_ehking-operationlog
qa_ehking-pom-parent
qa_ehking-pos
qa_ehking-pos-web-deploy
qa_ehking-prepay
qa_ehking-prepaycashier
qa_ehking-prepaygateway
qa_ehking-prepaygateway-web-deploy
qa-ehking-prepaysdk
qa_ehking-prepay-web-deploy
qa-ehking-prepaywebsite
qa_ehking-publish
qa_ehking-quartz
qa-ehking-quartz-ws
qa_ehking-quickrecharge
qa_ehking-remit
qa-ehking-res
qa-ehking-rmb
qa_ehking-route
qa_ehking-rz
qa-ehking-sdk
qa_ehking-settings
qa_ehking-settings-web-deploy
qa-ehking-settings-ws
qa_ehking-settle
qa-ehking-settle-ws
qa_ehking-splitbill
qa_ehking-statistics
qa_ehking-transfer
qa_ehking-wallet
qa_ehking-wallet-web-deploy
qa-ehking-wechat-web
qa-ehking-wechat-ws
qa_ehking-withholding
sample
upload-ehking-bankchannel-web
upload-ehking-bankchannel-ws
upload-ehking-billing-ws
upload-ehking-bill-ws
upload-ehking-boss-web
upload-ehking-boss-ws
upload-ehking-cashier-web
upload-ehking-cashier-ws
upload-ehking-ehkpay
upload-ehking-exchangesettlement-ws
upload-ehking-foreignexchange-ws
upload-ehking-fundaccount-ws
upload-ehking-gateway-web
upload-ehking-gateway-ws
upload-ehking-kpossdk
upload-ehking-listprice-ws
upload-ehking-member-cas-server
upload-ehking-member-web
upload-ehking-member-ws
upload-ehking-monitor
upload-ehking-notice-ws
upload-ehking-prepaysdk
upload-ehking-prepaywebsite
upload-ehking-quartz-ws
upload-ehking-res
upload-ehking-rmb
upload-ehking-sdk
upload-ehking-settings-ws
upload-ehking-settle-ws
upload-ehking-wechat-web
upload-ehking-wechat-ws
upload-zl-p2p

docker0   Link encap:Ethernet  HWaddr 56:84:7A:FE:97:99  
          inet addr:172.17.42.1  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::5484:7aff:fefe:9799/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13110170 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14830097 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:6056157394 (5.6 GiB)  TX bytes:5294182536 (4.9 GiB)
em1       Link encap:Ethernet  HWaddr 00:26:B9:62:11:0D  
          inet addr:124.193.180.70  Bcast:124.193.180.71  Mask:255.255.255.248
          inet6 addr: fe80::226:b9ff:fe62:110d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3300757 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4012131 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:984519475 (938.9 MiB)  TX bytes:3340009506 (3.1 GiB)
em2       Link encap:Ethernet  HWaddr 00:26:B9:62:11:0F  
          inet addr:172.19.27.252  Bcast:172.19.27.255  Mask:255.255.255.0
          inet6 addr: fe80::226:b9ff:fe62:110f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:535974142 errors:0 dropped:193 overruns:0 frame:0
          TX packets:965799870 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:105685119466 (98.4 GiB)  TX bytes:1007707021894 (938.5 GiB)
em3       Link encap:Ethernet  HWaddr 00:26:B9:62:11:11  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
em4       Link encap:Ethernet  HWaddr 00:26:B9:62:11:13  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:185128254 errors:0 dropped:0 overruns:0 frame:0
          TX packets:185128254 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:462172414582 (430.4 GiB)  TX bytes:462172414582 (430.4 GiB)
veth4f2a1d0 Link encap:Ethernet  HWaddr 1A:DB:61:B3:B6:EA  
          inet6 addr: fe80::18db:61ff:feb3:b6ea/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7 errors:0 dropped:0 overruns:0 frame:0
          TX packets:48231 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:558 (558.0 b)  TX bytes:2025950 (1.9 MiB)
veth5c6ef6c Link encap:Ethernet  HWaddr 42:2D:F3:AA:B8:D1  
          inet6 addr: fe80::402d:f3ff:feaa:b8d1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:205756 errors:0 dropped:0 overruns:0 frame:0
          TX packets:219737 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:20256215 (19.3 MiB)  TX bytes:31567155 (30.1 MiB)
veth60c6078 Link encap:Ethernet  HWaddr 82:CB:60:15:6E:3B  
          inet6 addr: fe80::80cb:60ff:fe15:6e3b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1107124 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1095082 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:279743582 (266.7 MiB)  TX bytes:271955164 (259.3 MiB)
veth6c7d6ee Link encap:Ethernet  HWaddr CE:C5:A8:EE:87:13  
          inet6 addr: fe80::ccc5:a8ff:feee:8713/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5363824 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4874106 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:806656141 (769.2 MiB)  TX bytes:4574274512 (4.2 GiB)
veth6e3d32d Link encap:Ethernet  HWaddr DA:6C:F2:D3:9E:39  
          inet6 addr: fe80::d86c:f2ff:fed3:9e39/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:199417 errors:0 dropped:0 overruns:0 frame:0
          TX packets:323838 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:31147342 (29.7 MiB)  TX bytes:24046322 (22.9 MiB)
veth960aa8f Link encap:Ethernet  HWaddr C6:2F:27:B0:9E:FC  
          inet6 addr: fe80::c42f:27ff:feb0:9efc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2396618 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1465283 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:3278821675 (3.0 GiB)  TX bytes:209524682 (199.8 MiB)
veth9708318 Link encap:Ethernet  HWaddr 3E:5B:E1:40:E4:01  
          inet6 addr: fe80::3c5b:e1ff:fe40:e401/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11137379 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14392649 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:3264771643 (3.0 GiB)  TX bytes:1634578699 (1.5 GiB)

cat /etc/passwd

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
nginx:x:498:498:nginx user:/var/cache/nginx:/sbin/nologin
guoming.qin:x:500:500::/home/guoming.qin:/bin/bash
wen.xu:x:501:500::/home/wen.xu:/bin/bash
luwei.peng:x:503:500::/home/luwei.peng:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
jinchao.ma:x:502:500::/home/jingchao.ma:/bin/bash
junjun.xia:x:1002:500::/home/junjun.xia:/bin/bash
store:x:505:501::/home/data/store-home/qa/:/sbin/nologin
yanwu.shi:x:506:500::/home/yanwu.shi:/bin/bash
redis:x:497:497:Redis Server:/var/lib/redis:/sbin/nologin
git:x:496:496:GitLab:/home/git/:/bin/bash
liang.zhou:x:507:507::/home/liang.zhou:/bin/bash
dev-store:x:508:501::/home/data/store-home/dev/:/bin/bash
ldap:x:55:55:LDAP User:/var/lib/ldap:/sbin/nologin
upload:x:509:501::/export/dist/upload:/bin/bash
YBZF:x:510:510::/export/YBZF:/sbin/nologin
120140188:x:511:501::/home/data/merchant-sftp/qa/120140188:/bin/bash
120140141:x:512:501::/home/data/merchant-sftp/dev/120140141:/bin/bash
120140158:x:513:501::/home/data/merchant-sftp/dev/120140158:/bin/bash
120140175:x:514:501::/home/data/merchant-sftp/qa/120140175:/bin/bash
120140176:x:515:501::/home/data/merchant-sftp/qa/120140176:/bin/bash
120140177:x:516:501::/home/data/merchant-sftp/qa/120140177:/bin/bash
beanstalkd:x:495:495:beanstalkd user:/var/lib/beanstalkd:/sbin/nologin
120140234:x:517:501::/home/data/merchant-sftp/qa/120140234:/bin/bash
db2inst1:x:518:2000::/home/db2inst1:/bin/bash
cbp:x:519:2000::/home/cbp:/bin/bash
dongdong.wang:x:520:520::/home/ftpsite:/sbin/nologin
haoran.jiang:x:521:521::/home/ftpsite:/sbin/nologin
yuan.zhang:x:522:522::/home/ftpsite:/sbin/nologin
lin.cai:x:523:523::/home/ftpsite:/sbin/nologin
yan.gao:x:524:524::/home/data/www/doc/yan.gao/:/sbin/nologin
op:x:525:525::/home/ftpsite:/sbin/nologin
dockerroot:x:494:494:Docker User:/var/lib/docker:/sbin/nologin
dev-merchantreport:x:1004:501::/home/data/merchantreport/dev:/sbin/nologin
qa-merchantreport:x:1005:501::/home/data/merchantreport/qa/:/sbin/nologin
120140343:x:1006:501::/home/data/merchant-sftp/dev/120140343:/bin/bash
120140447:x:1007:501::/home/data/merchant-sftp/qa/120140447:/bin/bash

修复方案：

jenkins java反序列化命令执行

版权声明：转载请注明来源 j14n@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：5

确认时间：2016-04-03 22:45

厂商回复：

感谢您的提交，该系统非易宝系统，亦不在服务区内，已转交相关公司负责人，由于信息敏感，在此先确认，避免公开泄漏，鹏博士宽带也可以这样玩

漏洞评价：

评价

2016-04-03 16:51 | hkcs ( 实习白帽子 | Rank:56 漏洞数:9 | 只是路过)

311个项目。。。脱了赚翻了
2016-04-03 16:59 | j14n ( 普通白帽子 | Rank:1661 漏洞数:304 | ... . -.-. - . .- --)

好不容易来个首页,就不匿名了。。。。
2016-04-03 17:14 | 坏男孩-A_A ( 实习白帽子 | Rank:81 漏洞数:23 | 膜拜学习中)

@j14n 原来是大牛您啊
2016-04-03 17:22 | j14n ( 普通白帽子 | Rank:1661 漏洞数:304 | ... . -.-. - . .- --)

@坏男孩-A_A 新手。。
2016-04-03 17:25 | 坏男孩-A_A ( 实习白帽子 | Rank:81 漏洞数:23 | 膜拜学习中)

@j14n 看看你的rank。。。你说新手= =！
2016-04-03 23:01 | j14n ( 普通白帽子 | Rank:1661 漏洞数:304 | ... . -.-. - . .- --)

@易宝支付易汇金不是你们的？
2016-04-03 23:26 | 坏男孩-A_A ( 实习白帽子 | Rank:81 漏洞数:23 | 膜拜学习中)

鹏博士宽带也可以这样玩....
2016-04-03 23:45 | j14n ( 普通白帽子 | Rank:1661 漏洞数:304 | ... . -.-. - . .- --)

@坏男孩-A_A 鹏博士的我提交这个的时候已经提交了。。
2016-04-04 20:40 | hecate ( 普通白帽子 | Rank:800 漏洞数:126 | ®高级安全工程师 | WooYun认证√)

豪华大宝剑是啥意思

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0192133

漏洞标题：易汇金某系统命令执行/涉及311个项目源码/root权限/

相关厂商：易宝支付

漏洞作者： j14n

提交时间：2016-04-03 16:44

修复时间：2016-05-07 11:40

公开时间：2016-05-07 11:40

漏洞类型：命令执行

危害等级：高

自评Rank：15

漏洞状态：厂商已经修复

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 j14n@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0192133

漏洞标题：易汇金某系统命令执行/涉及311个项目源码/root权限/

相关厂商：易宝支付

漏洞作者： j14n

提交时间：2016-04-03 16:44

修复时间：2016-05-07 11:40

公开时间：2016-05-07 11:40

漏洞类型：命令执行

危害等级：高

自评Rank：15

漏洞状态：厂商已经修复

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2016-0192133"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 j14n@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：