当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2016-0167075
漏洞标题:
复旦大学某站命令执行getshell
相关厂商:
复旦大学
漏洞作者:
j0k3r
提交时间:
2016-01-04 13:49
修复时间:
2016-01-10 09:00
公开时间:
2016-01-10 09:00
漏洞类型:
命令执行
危害等级:
自评Rank:
13
漏洞状态:
漏洞已经通知厂商但是厂商忽略漏洞
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2016-01-04: 细节已通知厂商并且等待厂商处理中
2016-01-10: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

rt

详细说明:

目标:http://chenxi.fudan.edu.cn/admin/login.action
同服有三个站,数学学院和医学院

6.png


8.png


如下,

2.png


root权限

1.png


/etc/passwd中,

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
mysql:x:102:106:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
postfix:x:104:111::/var/spool/postfix:/bin/false
dovecot:x:105:113:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:106:114:Dovecot login user,,,:/nonexistent:/bin/false
landscape:x:107:115::/var/lib/landscape:/bin/false
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
tomcat7:x:109:116::/usr/share/tomcat7:/bin/false
wxbcx:x:1000:1000:wxbcx,,,:/home/wxbcx:/bin/bash
redis:x:110:119:redis server,,,:/var/lib/redis:/bin/false
git:x:999:999::/var/opt/gitlab:/bin/sh
gitlab-www:x:998:998::/var/opt/gitlab/nginx:/bin/false
gitlab-redis:x:997:997::/var/opt/gitlab/redis:/bin/nologin
gitlab-psql:x:996:996::/var/opt/gitlab/postgresql:/bin/sh
snort:x:111:120:Snort IDS:/var/log/snort:/bin/false


站点目录,

/home/wxbcx/dream/software/tomcat/webapps/web/web/


拿到shell

3.png


4.png


5.png


漏洞证明:

2.png


3.png


5.png


/etc/passwd

/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
mysql:x:102:106:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
postfix:x:104:111::/var/spool/postfix:/bin/false
dovecot:x:105:113:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:106:114:Dovecot login user,,,:/nonexistent:/bin/false
landscape:x:107:115::/var/lib/landscape:/bin/false
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
tomcat7:x:109:116::/usr/share/tomcat7:/bin/false
wxbcx:x:1000:1000:wxbcx,,,:/home/wxbcx:/bin/bash
redis:x:110:119:redis server,,,:/var/lib/redis:/bin/false
git:x:999:999::/var/opt/gitlab:/bin/sh
gitlab-www:x:998:998::/var/opt/gitlab/nginx:/bin/false
gitlab-redis:x:997:997::/var/opt/gitlab/redis:/bin/nologin
gitlab-psql:x:996:996::/var/opt/gitlab/postgresql:/bin/sh
snort:x:111:120:Snort IDS:/var/log/snort:/bin/false

修复方案:

后门地址:http://chenxi.fudan.edu.cn/web/1.jsp 密码joker
请自行删除

版权声明:转载请注明来源 j0k3r@乌云

>

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2016-01-10 09:00

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无