当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0112757

漏洞标题:蓝港某站命令执行getshell直入内网(一)

相关厂商:linekong.com

漏洞作者: fuckadmin

提交时间:2015-05-08 09:25

修复时间:2015-05-12 11:17

公开时间:2015-05-12 11:17

漏洞类型:系统/服务补丁不及时

危害等级:高

自评Rank:13

漏洞状态:厂商已经修复

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-05-08: 细节已通知厂商并且等待厂商处理中
2015-05-08: 厂商已经确认,细节仅向厂商公开
2015-05-12: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

蓝港上市了,赶紧回来大乌云吧。

详细说明:

1.基本信息
URL:adm.linekong.com
站点名称:LineKong ADs
2.存在的问题
配置不当存在invoker/JMXInvokerServlet,可远程部署war来getshell。

1.jpg


3.可深入内网
/etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 a1-39-146.linekong.com a1-39-146 localhost.localdomain localhost
::1		localhost6.localdomain6 localhost6
115.182.54.238 img.linekong.com
172.16.1.80     HBASE1
172.16.1.81     HBASE2
172.16.1.82     HBASE3
172.16.1.83     HBASE4


线上环境重要配置文件:linekong-config.xml

<?xml version="1.0" encoding="UTF-8"?>
<linekong>
		
        <project name="epassportmid">
                <property name="url">http://passportm.linekong.com/epassport_mid/xmlRpcServerServlet</property>
                <property name="key">linekongline</property>
        </project>
		<project name="eUnite">
				<property name="filePath">/home/eunite/eadmfile</property>
				<property name="gilrSign">/</property>
				<property name="emailIP">59.151.39.156</property>
				<property name="sendEmailYeWu">qiyunxiao@linekong.com</property>
				<property name="sendEmailChengXu">liujiacheng@linekong.com</property>
		
                <property name="debug">true</property>
        </project>	
		 <project name="eADUnion">
		<!-- 游戏名称和ID -->
		<property name="product">
			倚天@1,问鼎@2,神兽@3,西游记@4,东邪西毒@7,佣兵天下体验区@508,佣兵天下@8,六脉神剑@99,倚天2@10,西游记仙尊@749,凡人修真@750,魔神无双体验区@513,热血西游@11,铁血丹心@15,魔神无双@13,开心大陆@509,魔神传@774
		</property>			
		<property name="webgame">						
			热血西游@11,火影世界@16 
		</property>
		<!--计费类型-->
		<property name="chargeType">CPA@1,CPS@2</property>
		<!--广告分流页地址-->
		<property name="adCount">http://yt.linekong.com/adCount.php?mid=@1,http://hero.linekong.com/adCount.php?mid=@2,http://ss.linekong.com/adCount.php?mid=@3,http://xy.linekong.com/adCount.php?mid=@4,http://dxxd.linekong.com/adCount.php?mid=@7,http://yb.linekong.com/adCount.php?mid=@508,http://yb.linekong.com/adCount.php?mid=@8,http://yt2.linekong.com/adCount.php?mid=@10,http://xz.028yx.com/adCount.php?mid=@749,http://fr.linekong.com/adCount.php?mid=@750,http://ms.linekong.com/adCount.php?mid=@513,http://rx.linekong.com/adCount.php?mid=@11,http://ms.linekong.com/adCount.php?mid=@13,http://tx.028yx.com/adCount.php?mid=@15,http://kx.linekong.com/adCount.php?mid=@509,http://www.huoying.com/adCount.php?mid=@16,http://msz.028yx.com/adCount.php?mid=@774  </property>
	   <!-- 文件上传路径 -->
		<property name="uploadPath">/home/eunite/eadmfile/</property>
		<!-- 露出统计代码 -->
		<property name="showStatCode">
		http://www.linekong.com/adCount/show.php?mid=@1,http://www.linekong.com/adCount/show.php?mid=@2,
		http://www.linekong.com/adCount/show.php?mid=@3,http://www.linekong.com/adCount/show.php?mid=@4
		</property>
		<property name="newsPath">/home/eunite/eadmfile/news/</property>
		<property name="mediaPath">/home/eunite/eadmfile/media/</property>
                <property name="weburl">http://59.151.39.186/common/interface/xmlrpc.php</property>
	</project>
	<!-- 邮件配置 -->
	<project name="eAdMailUserOrder">
		<property name="username">eadmonitor</property>
		<property name="password">eadmonitor@</property>
		<property name="from">eadmonitor@linekong.com</property>		
	</project>
	<project name="EMail">
		<property name="host">
			218.240.145.18
		</property>	
		<property name="auth">true</property>	
	</project>
        
         	
</linekong>


5.发现某黑阔入侵痕迹

2.jpg


仅是对系统进行检测,相关配置文件和截图测试完后会进行删除处理。

漏洞证明:

1.基本信息
URL:adm.linekong.com
站点名称:LineKong ADs
2.存在的问题
配置不当存在invoker/JMXInvokerServlet,可远程部署war来getshell。

1.jpg


3.可深入内网
/etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 a1-39-146.linekong.com a1-39-146 localhost.localdomain localhost
::1		localhost6.localdomain6 localhost6
115.182.54.238 img.linekong.com
172.16.1.80     HBASE1
172.16.1.81     HBASE2
172.16.1.82     HBASE3
172.16.1.83     HBASE4


线上环境重要配置文件:linekong-config.xml

<?xml version="1.0" encoding="UTF-8"?>
<linekong>
		
        <project name="epassportmid">
                <property name="url">http://passportm.linekong.com/epassport_mid/xmlRpcServerServlet</property>
                <property name="key">linekongline</property>
        </project>
		<project name="eUnite">
				<property name="filePath">/home/eunite/eadmfile</property>
				<property name="gilrSign">/</property>
				<property name="emailIP">59.151.39.156</property>
				<property name="sendEmailYeWu">qiyunxiao@linekong.com</property>
				<property name="sendEmailChengXu">liujiacheng@linekong.com</property>
		
                <property name="debug">true</property>
        </project>	
		 <project name="eADUnion">
		<!-- 游戏名称和ID -->
		<property name="product">
			倚天@1,问鼎@2,神兽@3,西游记@4,东邪西毒@7,佣兵天下体验区@508,佣兵天下@8,六脉神剑@99,倚天2@10,西游记仙尊@749,凡人修真@750,魔神无双体验区@513,热血西游@11,铁血丹心@15,魔神无双@13,开心大陆@509,魔神传@774
		</property>			
		<property name="webgame">						
			热血西游@11,火影世界@16 
		</property>
		<!--计费类型-->
		<property name="chargeType">CPA@1,CPS@2</property>
		<!--广告分流页地址-->
		<property name="adCount">http://yt.linekong.com/adCount.php?mid=@1,http://hero.linekong.com/adCount.php?mid=@2,http://ss.linekong.com/adCount.php?mid=@3,http://xy.linekong.com/adCount.php?mid=@4,http://dxxd.linekong.com/adCount.php?mid=@7,http://yb.linekong.com/adCount.php?mid=@508,http://yb.linekong.com/adCount.php?mid=@8,http://yt2.linekong.com/adCount.php?mid=@10,http://xz.028yx.com/adCount.php?mid=@749,http://fr.linekong.com/adCount.php?mid=@750,http://ms.linekong.com/adCount.php?mid=@513,http://rx.linekong.com/adCount.php?mid=@11,http://ms.linekong.com/adCount.php?mid=@13,http://tx.028yx.com/adCount.php?mid=@15,http://kx.linekong.com/adCount.php?mid=@509,http://www.huoying.com/adCount.php?mid=@16,http://msz.028yx.com/adCount.php?mid=@774  </property>
	   <!-- 文件上传路径 -->
		<property name="uploadPath">/home/eunite/eadmfile/</property>
		<!-- 露出统计代码 -->
		<property name="showStatCode">
		http://www.linekong.com/adCount/show.php?mid=@1,http://www.linekong.com/adCount/show.php?mid=@2,
		http://www.linekong.com/adCount/show.php?mid=@3,http://www.linekong.com/adCount/show.php?mid=@4
		</property>
		<property name="newsPath">/home/eunite/eadmfile/news/</property>
		<property name="mediaPath">/home/eunite/eadmfile/media/</property>
                <property name="weburl">http://59.151.39.186/common/interface/xmlrpc.php</property>
	</project>
	<!-- 邮件配置 -->
	<project name="eAdMailUserOrder">
		<property name="username">eadmonitor</property>
		<property name="password">eadmonitor@</property>
		<property name="from">eadmonitor@linekong.com</property>		
	</project>
	<project name="EMail">
		<property name="host">
			218.240.145.18
		</property>	
		<property name="auth">true</property>	
	</project>
        
         	
</linekong>


5.发现某黑阔入侵痕迹

2.jpg


仅是对系统进行检测,相关配置文件和截图测试完后会进行删除处理。

修复方案:

1.删除接口
2.限制访问
3.仔细检查其他站点是否存在类似问题
4.仔细检查站点是否存在其他后门

版权声明:转载请注明来源 fuckadmin@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-05-08 14:22

厂商回复:

感谢作者提出的问题,我们对线上所有服务,检查了一遍。。

最新状态:

2015-05-12:已修复

2015-05-12:已修复