当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2012-011248

漏洞标题:土豆网某后台命令执行漏洞

相关厂商:土豆网

漏洞作者: 可乐超人

提交时间:2012-08-23 20:41

修复时间:2012-10-07 20:42

公开时间:2012-10-07 20:42

漏洞类型:命令执行

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2012-08-23: 细节已通知厂商并且等待厂商处理中
2012-08-25: 厂商已经确认,细节仅向厂商公开
2012-09-04: 细节向核心白帽子及相关领域专家公开
2012-09-14: 细节向普通白帽子公开
2012-09-24: 细节向实习白帽子公开
2012-10-07: 细节向公众公开

简要描述:

土豆网某后台Struts2漏洞补丁不及时,导致远程命令执行,进一步可能导致服务器沦陷以及用户数据丢失

详细说明:

http://editor.tudou.com/examinate/system/login.do
土豆网某后台Struts2漏洞补丁不及时,导致远程命令执行,进一步可能导致服务器沦陷以及用户数据丢失

漏洞证明:

网站物理路径: /home/security/apache-tomcat-6.0.18/webapps/ROOT
java.home: /usr/java/jdk1.6.0_11/jre
java.version: 1.6.0_11
os.name: Linux
os.arch: i386
os.version: 2.6.18-194.3.1.el5
user.name: security
user.home: /home/security
user.dir: /home/security/apache-tomcat-6.0.18/bin
java.class.version: 50.0
java.class.path: :/home/security/apache-tomcat-6.0.18/bin/bootstrap.jar
java.library.path: /usr/java/jdk1.6.0_11/jre/lib/i386/server:/usr/java/jdk1.6.0_11/jre/lib/i386:/usr/java/jdk1.6.0_11/jre/../lib/i386:/usr/java/packages/lib/i386:/lib:/usr/lib
file.separator: /
path.separator: :
java.vendor: Sun Microsystems Inc.
java.vendor.url: http://java.sun.com/
java.vm.specification.version: 1.0
java.vm.specification.vendor: Sun Microsystems Inc.
java.vm.specification.name: Java Virtual Machine Specification
java.vm.version: 11.0-b16
java.vm.vendor: Sun Microsystems Inc.
java.vm.name: Java HotSpot(TM) Server VM
java.specification.version: 1.6
java.specification.vender:
java.specification.name: Java Platform API Specification
java.io.tmpdir: /home/security/apache-tomcat-6.0.18/temp
hibernate信息
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
avahi-autoipd:x:100:104:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
nagios:x:500:500::/usr/local/nagios:/sbin/nologin
control:x:501:501::/home/control:/bin/bash
sc_admin:x:502:502::/home/sc_admin:/bin/bash
sc_fulltext:x:503:503::/home/sc_fulltext:/bin/bash
security:x:504:504::/home/security:/bin/bash
dplayer:x:505:505::/home/dplayer:/bin/bash
total 716
-rw-r--r-- 1 security security 17519 May 22 2010 bootstrap.jar
-rw-r--r-- 1 security security 9915 May 22 2010 catalina.bat
-rwxr-xr-x 1 security security 12957 May 22 2010 catalina.sh
-rw-r--r-- 1 security security 2374 May 22 2010 catalina-tasks.xml
-rw-r--r-- 1 security security 9341 May 22 2010 commons-daemon.jar
-rw-r--r-- 1 security security 1342 May 22 2010 cpappend.bat
-rw-r--r-- 1 security security 2104 May 22 2010 digest.bat
-rwxr-xr-x 1 security security 1624 May 22 2010 digest.sh
-rw-r--r-- 1 security security 74398 May 22 2010 jsvc.tar.gz
-rw-r--r-- 1 security security 4947 May 22 2010 service.bat
-rw-r--r-- 1 security security 3307 May 22 2010 setclasspath.bat
-rwxr-xr-x 1 security security 4447 May 22 2010 setclasspath.sh
-rw-r--r-- 1 security security 2096 May 22 2010 shutdown.bat
-rwxr-xr-x 1 security security 1563 May 22 2010 shutdown.sh
-rw-r--r-- 1 security security 2097 May 22 2010 startup.bat
-rwxr-xr-x 1 security security 1956 May 22 2010 startup.sh
-rw-r--r-- 1 security security 57344 May 22 2010 tomcat6.exe
-rw-r--r-- 1 security security 98304 May 22 2010 tomcat6w.exe
-rw-r--r-- 1 security security 18984 May 22 2010 tomcat-juli.jar
-rw-r--r-- 1 security security 189757 May 22 2010 tomcat-native.tar.gz
-rw-r--r-- 1 security security 3189 May 22 2010 tool-wrapper.bat
-rwxr-xr-x 1 security security 3291 May 22 2010 tool-wrapper.sh
-rw-rw-r-- 1 security security 29071 Aug 23 20:20 velocity.log
-rw-rw-r-- 1 security security 100112 Aug 23 20:13 velocity.log.1
-rw-r--r-- 1 security security 2101 May 22 2010 version.bat
-rwxr-xr-x 1 security security 1567 May 22 2010 version.sh


修复方案:

你懂得。。。

版权声明:转载请注明来源 可乐超人@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2012-08-25 10:28

厂商回复:

添加对漏洞的补充说明以及做出评价的理由

最新状态:

暂无