易汇金某系统命令执行/涉及311个项目源码/root权限/

2017年4月15日08:48:17评论290 views字数 240阅读0分48秒阅读模式

摘要

2016-04-03：细节已通知厂商并且等待厂商处理中
2016-04-03：厂商已经确认，细节仅向厂商公开
2016-04-13：细节向核心白帽子及相关领域专家公开
2016-04-23：细节向普通白帽子公开
2016-05-03：细节向实习白帽子公开
2016-05-07：厂商已经修复漏洞并主动公开，细节向公众公开

漏洞概要关注数(14) 关注此漏洞

缺陷编号： WooYun-2016-192133

漏洞标题：易汇金某系统命令执行/涉及311个项目源码/root权限/

漏洞作者： j14n

提交时间： 2016-04-03 16:44

修复时间： 2016-05-07 11:40

公开时间： 2016-05-07 11:40

漏洞类型：命令执行

危害等级：高

自评Rank： 15

漏洞状态：厂商已经修复

漏洞来源：www.wooyun.org ，如有疑问或需要帮助请联系

Tags标签：远程命令执行补丁不及时

2人收藏

漏洞详情

披露状态：

简要描述：

详细说明：

mask 区域

1.http://**.**.**/loginfrom=%2F_
 *****列化*****
 **********
 *****c7abda936e85d84ed9ba.png&qu*****
 *****c/ho*****
 *****f3270a1497c14938f982.png&qu*****
 *****af64c5fe90ec8145d1f1.png&qu*****
 **********
 *****kins/u*****
 **********
 *****38828b95a860585b97e7.png&qu*****
 **********
 *****s//zhiqiang.*****
 **********
 *****6f67e9dec8a95eda9a41.png&qu*****
 *****enkins*****
 *****jo*****
 *****;qa_eh*****
 *****-insp*****
 *****-kapt*****
 *****tcha-we*****
 *****-keyc*****
 *****ng-k*****
 *****gateway-*****
 *****-kpos*****
 *****pos-we*****
 *****-list*****
 *****istpri*****
 *****ng-m*****
 *****all-we*****
 *****ng-m*****
 *****ber-cas*****
 *****ber-cas*****
 *****-memb*****
 *****ber-web*****
 *****-memb*****
 *****erchan*****
 *****-moni*****
 *****ng-n*****
 *****-noti*****
 *****-octo*****
 *****-open*****
 *****nmall-w*****
 *****perati*****
 *****-pom-*****
 *****ng-p*****
 *****os-web*****
 *****ng-p*****
 *****repayc*****
 *****repayg*****
 *****ateway-we*****
 *****-prep*****
 *****pay-web*****
 *****repayw*****
 *****-publ*****
 *****ng-q*****
 *****-quar*****
 *****uickre*****
 *****ng-r*****
 *****ng-r*****
 *****ng-r*****
 *****ng-r*****
 *****kin*****
 *****ng-s*****
 *****-sett*****
 *****tings-w*****
 *****etting*****
 *****ng-s*****
 *****-sett*****
 *****-spli*****
 *****-stat*****
 *****-tran*****
 *****ng-w*****
 *****let-web*****
 *****-wech*****
 *****-wech*****
 *****ithhol*****
 *****pl*****
 *****-bankch*****
 *****-bankch*****
 *****ng-bil*****
 *****ng-bil*****
 *****ng-bos*****
 *****ng-bos*****
 *****ng-cas*****
 *****ng-cas*****
 *****king-*****
 *****hangesett*****
 *****oreignex*****
 *****-fundac*****
 *****ng-gat*****
 *****ng-gat*****
 *****ng-kpo*****
 *****-listpr*****
 *****ember-ca*****
 *****ng-mem*****
 *****ng-mem*****
 *****ng-mon*****
 *****ng-not*****
 *****ng-pre*****
 *****-prepay*****
 *****ng-qua*****
 *****king-*****
 *****king-*****
 *****king-*****
 *****ng-set*****
 *****ng-set*****
 *****ng-wec*****
 *****ng-wec*****
 *****</co*****
 **********
 *****ecae16ef8a5b0aa2c78c.png&qu*****
 **********
 *****Ethernet  HWaddr *****
 *****.1  Bcast:0.0.0*****
 *****484:7aff:fefe:9*****
 *****G MULTICAST  MT*****
 *****rrors:0 dropped:*****
 *****ors:0 dropped:0 o*****
 *****ons:0 txq*****
 *****6 GiB)  TX bytes:*****
 **********
 *****et  HWaddr 00:*****
 *****cast:124.193.180.71*****
 *****26:b9ff:fe62:11*****
 *****G MULTICAST  MT*****
 *****rors:0 dropped:0*****
 *****rors:0 dropped:0*****
 *****s:0 txqueu*****
 *****.9 MiB)  TX bytes*****
 **********
 *****et  HWaddr 00:*****
 *****Bcast:172.19.27.25*****
 *****26:b9ff:fe62:11*****
 *****G MULTICAST  MT*****
 *****rors:0 dropped:19*****
 *****rors:0 dropped:0 *****
 *****s:0 txqueu*****
 ***** GiB)  TX bytes:100*****
 **********
 *****et  HWaddr 00:*****
 *****TICAST  MTU:*****
 *****:0 dropped:0 ov*****
 *****:0 dropped:0 ov*****
 *****s:0 txqueu*****
 *****.0 b)  TX by*****
 **********
 *****et  HWaddr 00:*****
 *****TICAST  MTU:*****
 *****:0 dropped:0 ov*****
 *****:0 dropped:0 ov*****
 *****s:0 txqueu*****
 *****.0 b)  TX by*****
 **********
 *****cap:Local*****
 *****27.0.0.1  M*****
 *****r: ::1/128*****
 *****UNNING  MTU:*****
 *****errors:0 dropped*****
 *****rors:0 dropped:0 *****
 *****ons:0 txq*****
 *****4 GiB)  TX bytes:46*****
 **********
 *****rnet  HWaddr 1*****
 *****8db:61ff:feb3:b*****
 *****G MULTICAST  MT*****
 *****:0 dropped:0 ov*****
 *****rs:0 dropped:0 o*****
 *****ons:0 txq*****
 ***** b)  TX bytes:2*****
 **********
 *****rnet  HWaddr 4*****
 *****02d:f3ff:feaa:b*****
 *****G MULTICAST  MT*****
 *****ors:0 dropped:0 *****
 *****ors:0 dropped:0 *****
 *****ons:0 txq*****
 *****.3 MiB)  TX byte*****
 **********
 *****rnet  HWaddr 8*****
 *****0cb:60ff:fe15:6*****
 *****G MULTICAST  MT*****
 *****rors:0 dropped:0*****
 *****rors:0 dropped:0*****
 *****ons:0 txq*****
 *****.7 MiB)  TX bytes*****
 **********
 *****rnet  HWaddr C*****
 *****cc5:a8ff:feee:8*****
 *****G MULTICAST  MT*****
 *****rors:0 dropped:0*****
 *****rors:0 dropped:0*****
 *****ons:0 txq*****
 *****.2 MiB)  TX bytes*****
 **********
 *****rnet  HWaddr D*****
 *****86c:f2ff:fed3:9*****
 *****G MULTICAST  MT*****
 *****ors:0 dropped:0 *****
 *****ors:0 dropped:0 *****
 *****ons:0 txq*****
 *****.7 MiB)  TX byte*****
 **********
 *****rnet  HWaddr C*****
 *****42f:27ff:feb0:9*****
 *****G MULTICAST  MT*****
 *****rors:0 dropped:0*****
 *****rors:0 dropped:0*****
 *****ons:0 txq*****
 *****0 GiB)  TX bytes:*****
 **********
 *****rnet  HWaddr 3*****
 *****c5b:e1ff:fe40:e*****
 *****G MULTICAST  MT*****
 *****rrors:0 dropped:*****
 *****ors:0 dropped:0 o*****
 *****ons:0 txq*****
 *****0 GiB)  TX bytes:*****
 **********
 *****de&g*****
 *****c/pa*****
 *****0:root:/roo*****
 *****bin:/sbi*****
 *****:/sbin:/sb*****
 *****r/adm:/sb*****
 *****ool/lpd:/s*****
 *****:/sbin:/*****
 *****wn:/sbin:/s*****
 *****:/sbin:/*****
 *****/spool/mail*****
 *****spool/uucp:/*****
 *****tor:/root:/*****
 *****/usr/games:*****
 *****var/gopher:/*****
 *****/var/ftp:/s*****
 *****body:/:/s*****
 *****sage bus:/:/*****
 *****memory owner:/d*****
 *****/var/cache/rpc*****
 *****c/abrt:/sb*****
 ***** User:/var/lib*****
 ***** NFS User:/var/li*****
 ***** daemon:/:/*****
 *****/ntp:/sbi*****
 *****r":/var/empty/*****
 *****pool/postfix*****
 *****d SSH:/var/empty*****
 *****::/:/sbi*****
 *****be used by OProfile:/*****
 *****:/var/www:/*****
 *****/var/cache/ngi*****
 *****/home/guomin*****
 *****home/wen.x*****
 *****home/luwei.p*****
 *****ver:/var/lib*****
 *****home/jingcha*****
 *****/home/junjun*****
 *****/store-home/qa*****
 *****/home/yanwu*****
 *****r:/var/lib/red*****
 *****b:/home/gi*****
 *****home/liang.z*****
 *****data/store-hom*****
 *****/var/lib/lda*****
 *****rt/dist/uplo*****
 *****port/YBZF:*****
 *****/merchant-sftp/q*****
 *****erchant-sftp/dev/*****
 *****erchant-sftp/dev/*****
 *****/merchant-sftp/q*****
 *****/merchant-sftp/q*****
 *****/merchant-sftp/q*****
 *****ser:/var/lib/bean*****
 *****/merchant-sftp/q*****
 *****/home/db2in*****
 *****home/cbp:*****
 *****/home/ftpsite*****
 *****:/home/ftpsi*****
 *****home/ftpsite*****
 *****ome/ftpsite*****
 *****/www/doc/yan.ga*****
 *****/ftpsite:/*****
 *****ser:/var/lib/do*****
 *****e/data/merchantrep*****
 *****/data/merchantrepo*****
 *****merchant-sftp/dev*****
 *****merchant-sftp/qa/*****
 *****cod*****

漏洞证明：

http://124.193.180.70/login?from=%2F

jenkins java反序列化命令执行

root权限

cat /etc/hosts

/root//.jenkins/users/

cat /root/.jenkins/users//zhiqiang.gao/config.xml

ls /root/.jenkins/jobs

311个job

code 区域

qa_ehking-hg
 qa_ehking-inspect
 qa_ehking-kaptcha
 qa_ehking-kaptcha-web-deploy
 qa_ehking-keycenter
 qa_ehking-kpos
 qa_ehking-kpos-gateway-web-deploy
 qa-ehking-kpossdk
 qa_ehking-kpos-web-deploy
 qa_ehking-listprice
 qa-ehking-listprice-ws
 qa_ehking-mall
 qa_ehking-mall-web-deploy
 qa_ehking-member
 qa_ehking-member-cas-server
 qa-ehking-member-cas-server
 qa-ehking-member-web
 qa_ehking-member-web-deploy
 qa-ehking-member-ws
 qa_ehking-merchantreport
 qa-ehking-monitor
 qa_ehking-notice
 qa-ehking-notice-ws
 qa_ehking-octopus
 qa_ehking-openmall
 qa_ehking-openmall-web-deploy
 qa_ehking-operationlog
 qa_ehking-pom-parent
 qa_ehking-pos
 qa_ehking-pos-web-deploy
 qa_ehking-prepay
 qa_ehking-prepaycashier
 qa_ehking-prepaygateway
 qa_ehking-prepaygateway-web-deploy
 qa-ehking-prepaysdk
 qa_ehking-prepay-web-deploy
 qa-ehking-prepaywebsite
 qa_ehking-publish
 qa_ehking-quartz
 qa-ehking-quartz-ws
 qa_ehking-quickrecharge
 qa_ehking-remit
 qa-ehking-res
 qa-ehking-rmb
 qa_ehking-route
 qa_ehking-rz
 qa-ehking-sdk
 qa_ehking-settings
 qa_ehking-settings-web-deploy
 qa-ehking-settings-ws
 qa_ehking-settle
 qa-ehking-settle-ws
 qa_ehking-splitbill
 qa_ehking-statistics
 qa_ehking-transfer
 qa_ehking-wallet
 qa_ehking-wallet-web-deploy
 qa-ehking-wechat-web
 qa-ehking-wechat-ws
 qa_ehking-withholding
 sample
 upload-ehking-bankchannel-web
 upload-ehking-bankchannel-ws
 upload-ehking-billing-ws
 upload-ehking-bill-ws
 upload-ehking-boss-web
 upload-ehking-boss-ws
 upload-ehking-cashier-web
 upload-ehking-cashier-ws
 upload-ehking-ehkpay
 upload-ehking-exchangesettlement-ws
 upload-ehking-foreignexchange-ws
 upload-ehking-fundaccount-ws
 upload-ehking-gateway-web
 upload-ehking-gateway-ws
 upload-ehking-kpossdk
 upload-ehking-listprice-ws
 upload-ehking-member-cas-server
 upload-ehking-member-web
 upload-ehking-member-ws
 upload-ehking-monitor
 upload-ehking-notice-ws
 upload-ehking-prepaysdk
 upload-ehking-prepaywebsite
 upload-ehking-quartz-ws
 upload-ehking-res
 upload-ehking-rmb
 upload-ehking-sdk
 upload-ehking-settings-ws
 upload-ehking-settle-ws
 upload-ehking-wechat-web
 upload-ehking-wechat-ws
 upload-zl-p2p

code 区域

docker0   Link encap:Ethernet  HWaddr 56:84:7A:FE:97:99  
           inet addr:172.17.42.1  Bcast:0.0.0.0  Mask:255.255.0.0
           inet6 addr: fe80::5484:7aff:fefe:9799/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:13110170 errors:0 dropped:0 overruns:0 frame:0
           TX packets:14830097 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0 
           RX bytes:6056157394 (5.6 GiB)  TX bytes:5294182536 (4.9 GiB)
 
 em1       Link encap:Ethernet  HWaddr 00:26:B9:62:11:0D  
           inet addr:124.193.180.70  Bcast:124.193.180.71  Mask:255.255.255.248
           inet6 addr: fe80::226:b9ff:fe62:110d/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:3300757 errors:0 dropped:0 overruns:0 frame:0
           TX packets:4012131 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000 
           RX bytes:984519475 (938.9 MiB)  TX bytes:3340009506 (3.1 GiB)
 
 em2       Link encap:Ethernet  HWaddr 00:26:B9:62:11:0F  
           inet addr:172.19.27.252  Bcast:172.19.27.255  Mask:255.255.255.0
           inet6 addr: fe80::226:b9ff:fe62:110f/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:535974142 errors:0 dropped:193 overruns:0 frame:0
           TX packets:965799870 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000 
           RX bytes:105685119466 (98.4 GiB)  TX bytes:1007707021894 (938.5 GiB)
 
 em3       Link encap:Ethernet  HWaddr 00:26:B9:62:11:11  
           BROADCAST MULTICAST  MTU:1500  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000 
           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
 
 em4       Link encap:Ethernet  HWaddr 00:26:B9:62:11:13  
           BROADCAST MULTICAST  MTU:1500  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000 
           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
 
 lo        Link encap:Local Loopback  
           inet addr:127.0.0.1  Mask:255.0.0.0
           inet6 addr: ::1/128 Scope:Host
           UP LOOPBACK RUNNING  MTU:65536  Metric:1
           RX packets:185128254 errors:0 dropped:0 overruns:0 frame:0
           TX packets:185128254 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0 
           RX bytes:462172414582 (430.4 GiB)  TX bytes:462172414582 (430.4 GiB)
 
 veth4f2a1d0 Link encap:Ethernet  HWaddr 1A:DB:61:B3:B6:EA  
           inet6 addr: fe80::18db:61ff:feb3:b6ea/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:7 errors:0 dropped:0 overruns:0 frame:0
           TX packets:48231 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0 
           RX bytes:558 (558.0 b)  TX bytes:2025950 (1.9 MiB)
 
 veth5c6ef6c Link encap:Ethernet  HWaddr 42:2D:F3:AA:B8:D1  
           inet6 addr: fe80::402d:f3ff:feaa:b8d1/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:205756 errors:0 dropped:0 overruns:0 frame:0
           TX packets:219737 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0 
           RX bytes:20256215 (19.3 MiB)  TX bytes:31567155 (30.1 MiB)
 
 veth60c6078 Link encap:Ethernet  HWaddr 82:CB:60:15:6E:3B  
           inet6 addr: fe80::80cb:60ff:fe15:6e3b/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:1107124 errors:0 dropped:0 overruns:0 frame:0
           TX packets:1095082 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0 
           RX bytes:279743582 (266.7 MiB)  TX bytes:271955164 (259.3 MiB)
 
 veth6c7d6ee Link encap:Ethernet  HWaddr CE:C5:A8:EE:87:13  
           inet6 addr: fe80::ccc5:a8ff:feee:8713/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:5363824 errors:0 dropped:0 overruns:0 frame:0
           TX packets:4874106 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0 
           RX bytes:806656141 (769.2 MiB)  TX bytes:4574274512 (4.2 GiB)
 
 veth6e3d32d Link encap:Ethernet  HWaddr DA:6C:F2:D3:9E:39  
           inet6 addr: fe80::d86c:f2ff:fed3:9e39/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:199417 errors:0 dropped:0 overruns:0 frame:0
           TX packets:323838 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0 
           RX bytes:31147342 (29.7 MiB)  TX bytes:24046322 (22.9 MiB)
 
 veth960aa8f Link encap:Ethernet  HWaddr C6:2F:27:B0:9E:FC  
           inet6 addr: fe80::c42f:27ff:feb0:9efc/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:2396618 errors:0 dropped:0 overruns:0 frame:0
           TX packets:1465283 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0 
           RX bytes:3278821675 (3.0 GiB)  TX bytes:209524682 (199.8 MiB)
 
 veth9708318 Link encap:Ethernet  HWaddr 3E:5B:E1:40:E4:01  
           inet6 addr: fe80::3c5b:e1ff:fe40:e401/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:11137379 errors:0 dropped:0 overruns:0 frame:0
           TX packets:14392649 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0 
           RX bytes:3264771643 (3.0 GiB)  TX bytes:1634578699 (1.5 GiB)

cat /etc/passwd

code 区域

root:x:0:0:root:/root:/bin/bash
 bin:x:1:1:bin:/bin:/sbin/nologin
 daemon:x:2:2:daemon:/sbin:/sbin/nologin
 adm:x:3:4:adm:/var/adm:/sbin/nologin
 lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
 sync:x:5:0:sync:/sbin:/bin/sync
 shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
 halt:x:7:0:halt:/sbin:/sbin/halt
 mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
 uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
 operator:x:11:0:operator:/root:/sbin/nologin
 games:x:12:100:games:/usr/games:/sbin/nologin
 gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
 ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
 nobody:x:99:99:Nobody:/:/sbin/nologin
 dbus:x:81:81:System message bus:/:/sbin/nologin
 vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
 rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
 abrt:x:173:173::/etc/abrt:/sbin/nologin
 rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
 nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
 haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
 ntp:x:38:38::/etc/ntp:/sbin/nologin
 saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
 postfix:x:89:89::/var/spool/postfix:/sbin/nologin
 sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
 tcpdump:x:72:72::/:/sbin/nologin
 oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
 apache:x:48:48:Apache:/var/www:/sbin/nologin
 nginx:x:498:498:nginx user:/var/cache/nginx:/sbin/nologin
 guoming.qin:x:500:500::/home/guoming.qin:/bin/bash
 wen.xu:x:501:500::/home/wen.xu:/bin/bash
 luwei.peng:x:503:500::/home/luwei.peng:/bin/bash
 mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
 jinchao.ma:x:502:500::/home/jingchao.ma:/bin/bash
 junjun.xia:x:1002:500::/home/junjun.xia:/bin/bash
 store:x:505:501::/home/data/store-home/qa/:/sbin/nologin
 yanwu.shi:x:506:500::/home/yanwu.shi:/bin/bash
 redis:x:497:497:Redis Server:/var/lib/redis:/sbin/nologin
 git:x:496:496:GitLab:/home/git/:/bin/bash
 liang.zhou:x:507:507::/home/liang.zhou:/bin/bash
 dev-store:x:508:501::/home/data/store-home/dev/:/bin/bash
 ldap:x:55:55:LDAP User:/var/lib/ldap:/sbin/nologin
 upload:x:509:501::/export/dist/upload:/bin/bash
 YBZF:x:510:510::/export/YBZF:/sbin/nologin
 120140188:x:511:501::/home/data/merchant-sftp/qa/120140188:/bin/bash
 120140141:x:512:501::/home/data/merchant-sftp/dev/120140141:/bin/bash
 120140158:x:513:501::/home/data/merchant-sftp/dev/120140158:/bin/bash
 120140175:x:514:501::/home/data/merchant-sftp/qa/120140175:/bin/bash
 120140176:x:515:501::/home/data/merchant-sftp/qa/120140176:/bin/bash
 120140177:x:516:501::/home/data/merchant-sftp/qa/120140177:/bin/bash
 beanstalkd:x:495:495:beanstalkd user:/var/lib/beanstalkd:/sbin/nologin
 120140234:x:517:501::/home/data/merchant-sftp/qa/120140234:/bin/bash
 db2inst1:x:518:2000::/home/db2inst1:/bin/bash
 cbp:x:519:2000::/home/cbp:/bin/bash
 dongdong.wang:x:520:520::/home/ftpsite:/sbin/nologin
 haoran.jiang:x:521:521::/home/ftpsite:/sbin/nologin
 yuan.zhang:x:522:522::/home/ftpsite:/sbin/nologin
 lin.cai:x:523:523::/home/ftpsite:/sbin/nologin
 yan.gao:x:524:524::/home/data/www/doc/yan.gao/:/sbin/nologin
 op:x:525:525::/home/ftpsite:/sbin/nologin
 dockerroot:x:494:494:Docker User:/var/lib/docker:/sbin/nologin
 dev-merchantreport:x:1004:501::/home/data/merchantreport/dev:/sbin/nologin
 qa-merchantreport:x:1005:501::/home/data/merchantreport/qa/:/sbin/nologin
 120140343:x:1006:501::/home/data/merchant-sftp/dev/120140343:/bin/bash
 120140447:x:1007:501::/home/data/merchant-sftp/qa/120140447:/bin/bash

修复方案：

jenkins java反序列化命令执行

版权声明：转载请注明来源 j14n@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：5

确认时间：2016-04-03 22:45

厂商回复：

感谢您的提交，该系统非易宝系统，亦不在服务区内，已转交相关公司负责人，由于信息敏感，在此先确认，避免公开泄漏，鹏博士宽带也可以这样玩

漏洞评价：

对本漏洞信息进行评价，以更好的反馈信息的价值，包括信息客观性，内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):

登陆后才能进行评分

评价

2016-04-03 16:51 | hkcs ( 实习白帽子 | Rank:56 漏洞数:9 | 只是路过)

1

311个项目。。。脱了赚翻了

1# 回复此人
2016-04-03 16:59 | j14n ( 普通白帽子 | Rank:2226 漏洞数:401 )

1

好不容易来个首页,就不匿名了。。。。

2# 回复此人
2016-04-03 17:14 | 坏男孩-A_A ( 实习白帽子 | Rank:81 漏洞数:23 | 膜拜学习中)

1

@j14n 原来是大牛您啊

3# 回复此人
2016-04-03 17:22 | j14n ( 普通白帽子 | Rank:2226 漏洞数:401 )

1

@坏男孩-A_A 新手。。

4# 回复此人
2016-04-03 17:25 | 坏男孩-A_A ( 实习白帽子 | Rank:81 漏洞数:23 | 膜拜学习中)

1

@j14n 看看你的rank。。。你说新手= =！

5# 回复此人
2016-04-03 23:01 | j14n ( 普通白帽子 | Rank:2226 漏洞数:401 )

1

@易宝支付易汇金不是你们的？

6# 回复此人
2016-04-03 23:26 | 坏男孩-A_A ( 实习白帽子 | Rank:81 漏洞数:23 | 膜拜学习中)

1

鹏博士宽带也可以这样玩....

7# 回复此人
2016-04-03 23:45 | j14n ( 普通白帽子 | Rank:2226 漏洞数:401 )

1

@坏男孩-A_A 鹏博士的我提交这个的时候已经提交了。。

8# 回复此人
2016-04-04 20:40 | hecate ( 普通白帽子 | Rank:823 漏洞数:129 | ®高级安全工程师 | WooYun认证√)

1

豪华大宝剑是啥意思

9# 回复此人
2016-05-07 12:27 | j14n ( 普通白帽子 | Rank:2226 漏洞数:401 )

0

@易宝支付又提交了一个也没见他来领。

10# 回复此人
2016-05-07 13:50 | 欧尼酱 ( 路人 | Rank:15 漏洞数:7 | 技术马马虎虎)

0

鹏博士宽带也可以这样玩...

11# 回复此人
2016-05-15 16:47 | dragon110 ( 路人 | Rank:12 漏洞数:6 | 其实我是龙6)

0

鹏博士宽带也可以这样玩...

12# 回复此人

漏洞概要 关注数(14) 关注此漏洞

缺陷编号： WooYun-2016-192133

漏洞标题： 易汇金某系统命令执行/涉及311个项目源码/root权限/

相关厂商： 易宝支付

漏洞作者： j14n

提交时间： 2016-04-03 16:44

修复时间： 2016-05-07 11:40

公开时间： 2016-05-07 11:40

漏洞类型： 命令执行

危害等级： 高

自评Rank： 15

漏洞状态： 厂商已经修复

漏洞来源：www.wooyun.org ，如有疑问或需要帮助请联系

Tags标签： 远程命令执行 补丁不及时

2人收藏

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 j14n@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

漏洞评价(共0人评价): 登陆后才能进行评分

评价

发表评论

在线咨询

微信

漏洞概要关注数(14) 关注此漏洞

漏洞标题：易汇金某系统命令执行/涉及311个项目源码/root权限/

相关厂商：易宝支付

漏洞类型：命令执行

危害等级：高

漏洞状态：厂商已经修复

Tags标签：远程命令执行补丁不及时

漏洞评价(共0人评价):

登陆后才能进行评分