当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0213360

漏洞标题:新浪微博某系统存在远程命令执行漏洞

相关厂商:新浪微博

漏洞作者: 猪猪侠

提交时间:2016-05-27 10:37

修复时间:2016-07-11 11:30

公开时间:2016-07-11 11:30

漏洞类型:命令执行

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-05-27: 细节已通知厂商并且等待厂商处理中
2016-05-27: 厂商已经确认,细节仅向厂商公开
2016-06-06: 细节向核心白帽子及相关领域专家公开
2016-06-16: 细节向普通白帽子公开
2016-06-26: 细节向实习白帽子公开
2016-07-11: 细节向公众公开

简要描述:

新浪微博某系统存在远程命令执行漏洞

详细说明:

# 网站
http://rap.weibo.cn/account/doLogin.do
# 漏洞描述
CVE-2016-3081 | Apache Struts S2-032

漏洞证明:

/sbin/ifconfig -a
eth0      Link encap:Ethernet  HWaddr 5C:F3:FC:E9:60:18  
          inet addr:123.125.22.107  Bcast:123.125.22.255  Mask:255.255.255.0
          inet6 addr: fe80::5ef3:fcff:fee9:6018/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:322142515 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38594293 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:27978652525 (26.0 GiB)  TX bytes:4331448588 (4.0 GiB)
eth1      Link encap:Ethernet  HWaddr 5C:F3:FC:E9:60:1A  
          inet addr:10.13.3.107  Bcast:10.13.3.255  Mask:255.255.255.0
          inet6 addr: fe80::5ef3:fcff:fee9:601a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3143756252 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2469049790 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1745303941236 (1.5 TiB)  TX bytes:1698391257991 (1.5 TiB)
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:685579793 errors:0 dropped:0 overruns:0 frame:0
          TX packets:685579793 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:178317445321 (166.0 GiB)  TX bytes:178317445321 (166.0 GiB)
usb0      Link encap:Ethernet  HWaddr 5E:F3:FC:E1:60:17  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       localhost.localdomain localhost
172.16.35.215   D11114152.lbs.weibo.cn
10.13.1.34      wapcd01.D12070606.tqt.web.mobile.sina.cn wapcd01
10.13.1.35      wapcd02.D12070607.tqt.web.mobile.sina.cn wapcd02
10.13.1.36      wapcd03.D12070649.tqt.web.mobile.sina.cn wapcd03
10.13.1.37      wapcd04.D12070650.tqt.web.mobile.sina.cn wapcd04
10.13.3.106     wapcd05.mobile.weibo.com wapcd05
10.13.3.107     wapcd06.mobile.weibo.com wapcd06
172.16.181.239  wapcd239.mobile.weibo.com       wapcd239
172.16.181.240  wapcd240.mobile.weibo.com       wapcd240
172.16.181.241  wapcd241.mobile.weibo.com       wapcd241
172.16.181.40  wapcd40.mobile.weibo.com       wapcd40
172.16.181.49  wapcd49.mobile.weibo.com       wapcd49
172.16.181.59  wapcd59.mobile.weibo.com       wapcd59
172.16.181.67  wapcd67.mobile.weibo.com       wapcd67

修复方案:

补丁啊

版权声明:转载请注明来源 猪猪侠@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-05-27 11:21

厂商回复:

感谢关注新浪安全,问题修复中。

最新状态:

暂无