Greenland Group (绿地集团) Global Membership (绿地会): a system has a command execution vulnerability / root privileges / source code of multiple projects exposed / internal network can be probed

admin, 2017-04-19 23:33:28
Summary

2016-04-06: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed
2016-05-21: The vendor has actively ignored the vulnerability; details disclosed to the public

Vulnerability overview

Defect ID: WooYun-2016-193269

Title: Greenland Group (绿地集团) Global Membership (绿地会): a system has a command execution vulnerability / root privileges / source code of multiple projects exposed / internal network can be probed

Vendor: Greenland Group (绿地集团)

Author: 路人甲

Submitted: 2016-04-06 20:59

Published: 2016-05-21 21:00

Type: command execution

Severity: Medium

Self-assessed Rank: 10

Status: vendor could not be contacted, or vendor actively ignored the report

Source: www.wooyun.org

Tags: remote command execution, untimely patching


Vulnerability details


Brief description:

As the title says.

Detailed description:

[Masked region: on the original page the detailed description is redacted with asterisks; the same material (login URL, Jenkins user and job config.xml excerpts, root bash history, arp/ifconfig output and /etc/passwd) appears unmasked under "Proof of vulnerability" below.]

Proof of vulnerability:

http://121.41.122.20:8080/login?from=%2f

Jenkins Java deserialization command execution

/var/lib/jenkins/users/admin/config.xml

Code:
<hudson.tasks.Mailer_-UserProperty plugin="">
<emailAddress></emailAddress>
</hudson.tasks.Mailer_-UserProperty>

[Screenshot]

Root privileges

[Screenshot]

Source code of multiple projects involved

[Screenshot]

/var/lib/jenkins/jobs//restartQATomcat/config.xml

[Screenshot]

Code:
<hudson.tasks.Mailer plugin="">
<recipients></recipients>
<dontNotifyEveryUnstableBuild>false</dontNotifyEveryUnstableBuild>

[Screenshot]

Partial contents of cat /root/.bash_history

Code:
cd /jenkins
ls
cd ..
cd /
find -name kpluswebup_admin_webapp
cd /var/lib/jenkins/workspace/greenlandB2B2C/
ls
cd kpluswebup_dao/
ls
cd src
ls
cd database/
ls
ll -l
pwd
cp /var/lib/jenkins/workspace/greenlandB2B2C/kpluswebup_dao/src/database/*.* /usr/local/flyway-3.2.1-prod/sql/
cp /var/lib/jenkins/workspace/greenlandB2B2C/kpluswebup_dao/src/database/*.* /usr/local/flyway-3.2.1-prod/sql/
cd /usr/local/flyway-3.2.1-dev/
ls
./flyway migrate./flyway migrate
ls

Internal network environment

arp -a

Code:
? (121.43.107.248) at 00:2a:6a:e6:4b:7c [ether] on eth1
? (10.117.29.174) at 00:16:3e:01:00:04 [ether] on eth0
? (10.117.31.249) at 00:2a:6a:e6:4c:bc [ether] on eth0
? (121.43.104.132) at 00:16:3e:01:00:dc [ether] on eth1
? (10.117.29.148) at 00:16:3e:01:02:88 [ether] on eth0
? (121.43.105.36) at 00:16:3e:01:00:aa [ether] on eth1
? (10.117.31.247) at 00:00:0c:9f:f2:bc [ether] on eth0
? (121.43.104.59) at 00:16:3e:01:02:51 [ether] on eth1
? (10.117.29.46) at 00:16:3e:01:00:dc [ether] on eth0
? (10.117.31.248) at 00:2a:6a:e6:4b:7c [ether] on eth0
? (121.43.107.249) at 00:2a:6a:e6:4c:bc [ether] on eth1
? (121.43.104.78) at 00:16:3e:01:00:77 [ether] on eth1
? (121.43.107.247) at 00:00:0c:9f:f3:20 [ether] on eth1
? (121.43.106.225) at 00:16:3e:01:00:ee [ether] on eth1
? (10.117.29.41) at 00:16:3e:01:00:30 [ether] on eth0
? (10.117.28.2) at 00:16:3e:01:02:51 [ether] on eth0

ifconfig -a

Code:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
inet 10.117.29.228 netmask 255.255.248.0 broadcast 10.117.31.255
ether 00:16:3e:00:2c:ec txqueuelen 1000 (Ethernet)
RX packets 132128846 bytes 5632328121 (5.2 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1381751 bytes 7158778617 (6.6 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 121.43.104.51 netmask 255.255.252.0 broadcast 121.43.107.255
ether 00:16:3e:00:30:6e txqueuelen 1000 (Ethernet)
RX packets 1907762507 bytes 80680399263 (75.1 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6381535 bytes 12319814865 (11.4 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 0 (Local Loopback)
RX packets 2410396 bytes 809594596 (772.0 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2410396 bytes 809594596 (772.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
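The `arp -a` and `ifconfig -a` output above is what makes the "internal network can be probed" part of the title concrete: the same host holds a public address on eth1 (121.43.104.51/22) and an internal one on eth0 (10.117.29.228/21), so a remote code execution in the internet-facing Jenkins lands directly on the intranet. The script below is an added example, not part of the original report, that parses this kind of output into an exposure summary a defender can run across a fleet of CI hosts to spot dual-homed machines. The sample lines are copied from the report's output; the function names, the scope classification and the finding texts are this example's own.

```python
import ipaddress
import re

# Constructed sample input: a few lines copied from the report's `arp -a`
# and `ifconfig -a` output. A real audit would feed the live command output.
ARP_SAMPLE = """\
? (121.43.107.248) at 00:2a:6a:e6:4b:7c [ether] on eth1
? (10.117.29.174) at 00:16:3e:01:00:04 [ether] on eth0
? (10.117.31.249) at 00:2a:6a:e6:4c:bc [ether] on eth0
? (121.43.104.132) at 00:16:3e:01:00:dc [ether] on eth1
? (10.117.29.148) at 00:16:3e:01:02:88 [ether] on eth0
"""

IFCONFIG_SAMPLE = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.117.29.228  netmask 255.255.248.0  broadcast 10.117.31.255
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 121.43.104.51  netmask 255.255.252.0  broadcast 121.43.107.255
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
"""

ARP_RE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>[0-9a-f:]{17}) \[ether\] on (?P<dev>\S+)"
)
IFACE_RE = re.compile(r"^(?P<dev>[\w.-]+): flags=")
INET_RE = re.compile(
    r"^\s*inet (?P<ip>\d+\.\d+\.\d+\.\d+)\s+netmask (?P<mask>\d+\.\d+\.\d+\.\d+)"
)


def scope_of(ip):
    """Classify an IPv4 address as loopback, private (RFC 1918 etc.) or public."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"
    return "private" if addr.is_private else "public"


def parse_interfaces(text):
    """Map interface name -> IPv4Interface from `ifconfig -a` style output."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group("dev")
            continue
        m = INET_RE.match(line)
        if m and current:
            ifaces[current] = ipaddress.IPv4Interface(f"{m.group('ip')}/{m.group('mask')}")
    return ifaces


def parse_arp(text):
    """Return (ip, mac, dev) tuples from `arp -a` output, skipping unparseable lines."""
    return [m.group("ip", "mac", "dev") for m in map(ARP_RE.search, text.splitlines()) if m]


def exposure_report(ifconfig_text, arp_text):
    """Summarise which networks the host straddles and what it can already reach on each."""
    ifaces = parse_interfaces(ifconfig_text)
    neighbours = parse_arp(arp_text)
    report = {"interfaces": {}, "findings": []}
    for dev, iface in ifaces.items():
        report["interfaces"][dev] = {
            "address": str(iface.ip),
            "network": str(iface.network),
            "scope": scope_of(str(iface.ip)),
            "neighbours": sum(1 for _, _, d in neighbours if d == dev),
        }
    scopes = {v["scope"] for v in report["interfaces"].values()}
    # Dual-homed: a public and a private interface on the same box means an
    # internet-facing compromise becomes an intranet foothold with no pivot needed.
    report["dual_homed"] = {"public", "private"} <= scopes
    if report["dual_homed"]:
        pub = [d for d, v in report["interfaces"].items() if v["scope"] == "public"]
        priv = [d for d, v in report["interfaces"].items() if v["scope"] == "private"]
        report["findings"].append(
            f"dual-homed: public {pub} and internal {priv} on one host; "
            "a compromise of an internet-facing service here gives direct intranet reach"
        )
    for dev, v in report["interfaces"].items():
        if v["scope"] == "private" and v["neighbours"]:
            report["findings"].append(
                f"{dev}: {v['neighbours']} internal neighbours already in the ARP cache"
            )
    return report


if __name__ == "__main__":
    rep = exposure_report(IFCONFIG_SAMPLE, ARP_SAMPLE)
    for dev, v in rep["interfaces"].items():
        print(f"{dev:5} {v['address']:16} {v['scope']:8} neighbours={v['neighbours']}")
    for finding in rep["findings"]:
        print("FINDING:", finding)
```

Run it as-is to see the two findings for the sample; on a real host, pipe the output of `ifconfig -a` and `arp -a` into the two functions. The design point is that `ipaddress.is_private` does the scope decision, so the check also covers hosts with 172.16/12 or 192.168/16 addresses, not only the 10/8 range seen in the report; a build server that comes back `dual_homed` is the one to move behind a bastion or a separate management interface before any Jenkins-level fix is even considered.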

cat /etc/passwd

Code:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
libstoragemgmt:x:998:997:daemon account for libstoragemgmt:/var/run/lsm:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
chrony:x:997:996::/var/lib/chrony:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
jenkins:x:996:995:Jenkins Continuous Integration Server:/var/lib/jenkins:/bin/false

Fix recommendation:

Copyright notice: when reposting, please credit the source: 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively refused the report

Vulnerability Rank: 8 (WooYun rating)

