
A Greenland Group global membership (Greenland Club) system has a command execution vulnerability / root privileges / source code of multiple projects involved / intranet reachable

2016-05-22 02:20


Proof of vulnerability:

http://121.41.122.20:8080/login?from=%2f

Jenkins Java deserialization command execution

/var/lib/jenkins/users/admin/config.xml

Code block:
<hudson.tasks.Mailer_-UserProperty plugin="[email protected] ">
<emailAddress>[email protected] </emailAddress>
</hudson.tasks.Mailer_-UserProperty>
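As an added, defender-side example that is not part of the original report: a small Python check that classifies a Jenkins instance from the version and CLI-port headers it sends, against the release line that fixed the 2015 remoting-CLI deserialization issue (SECURITY-218: 1.638 weekly, 1.625.2 LTS). The header names are real Jenkins headers; the sample header sets are constructed, and the fix versions cover only that one issue, so an advertised CLI port on any old instance still deserves review.

```python
import re

# Added example, not from the original report. First releases carrying the
# fix for the 2015 Jenkins remoting-CLI deserialization issue (SECURITY-218).
FIXED_WEEKLY = (1, 638)
FIXED_LTS = (1, 625, 2)


def parse_version(text):
    """'1.625.2' -> (1, 625, 2); None when the string is not a version."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def version_is_vulnerable(version):
    """True if the version predates the fix for its release line, None if
    the string is unparseable. LTS releases have three components (1.625.2),
    weekly releases two (1.642)."""
    v = parse_version(version)
    if v is None:
        return None
    return v < FIXED_LTS if len(v) == 3 else v < FIXED_WEEKLY


def assess(headers):
    """Classify a Jenkins instance from its HTTP response headers.
    Jenkins sends its version in X-Jenkins and, when the remoting CLI
    listener is on, its port in X-Jenkins-CLI-Port (matched case-insensitively).
    Returns 'exposed', 'cli-disabled', 'patched' or 'unknown'."""
    h = {k.lower(): v for k, v in headers.items()}
    vulnerable = version_is_vulnerable(h.get("x-jenkins", ""))
    if vulnerable is None:
        return "unknown"          # not Jenkins, or version header missing
    if not vulnerable:
        return "patched"
    if "x-jenkins-cli-port" not in h:
        return "cli-disabled"     # old version, but no CLI listener advertised
    return "exposed"


# Constructed sample header sets, not captured from any real host.
SAMPLES = {
    "old-weekly": {"X-Jenkins": "1.609", "X-Jenkins-CLI-Port": "50000"},
    "old-lts-no-cli": {"x-jenkins": "1.625.1"},
    "fixed-lts": {"X-Jenkins": "1.625.2", "X-Jenkins-CLI-Port": "50000"},
    "no-header": {"Server": "Jetty"},
}
```

Feed `assess()` the headers of a GET to each Jenkins root URL in your inventory; anything classified `exposed` should be upgraded and have the remoting CLI listener disabled.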



(screenshot omitted)



Root privileges (screenshot omitted)





Source code of multiple projects involved (screenshot omitted)



/var/lib/jenkins/jobs//restartQATomcat/config.xml

(screenshot omitted)





Code block:
<hudson.tasks.Mailer plugin="[email protected] ">
<recipients>[email protected] </recipients>
<dontNotifyEveryUnstableBuild>false</dontNotifyEveryUnstableBuild>





(screenshot omitted)





Partial contents of cat /root/.bash_history



Code block:
cd /jenkins
ls
cd ..
cd /
find -name kpluswebup_admin_webapp
cd /var/lib/jenkins/workspace/greenlandB2B2C/
ls
cd kpluswebup_dao/
ls
cd src
ls
cd database/
ls
ll -l
pwd
cp /var/lib/jenkins/workspace/greenlandB2B2C/kpluswebup_dao/src/database/*.* /usr/local/flyway-3.2.1-prod/sql/
cp /var/lib/jenkins/workspace/greenlandB2B2C/kpluswebup_dao/src/database/*.* /usr/local/flyway-3.2.1-prod/sql/
cd /usr/local/flyway-3.2.1-dev/
ls
./flyway migrate
./flyway migrate
ls





Internal network environment



arp -a



Code block:
? (121.43.107.248) at 00:2a:6a:e6:4b:7c [ether] on eth1
? (10.117.29.174) at 00:16:3e:01:00:04 [ether] on eth0
? (10.117.31.249) at 00:2a:6a:e6:4c:bc [ether] on eth0
? (121.43.104.132) at 00:16:3e:01:00:dc [ether] on eth1
? (10.117.29.148) at 00:16:3e:01:02:88 [ether] on eth0
? (121.43.105.36) at 00:16:3e:01:00:aa [ether] on eth1
? (10.117.31.247) at 00:00:0c:9f:f2:bc [ether] on eth0
? (121.43.104.59) at 00:16:3e:01:02:51 [ether] on eth1
? (10.117.29.46) at 00:16:3e:01:00:dc [ether] on eth0
? (10.117.31.248) at 00:2a:6a:e6:4b:7c [ether] on eth0
? (121.43.107.249) at 00:2a:6a:e6:4c:bc [ether] on eth1
? (121.43.104.78) at 00:16:3e:01:00:77 [ether] on eth1
? (121.43.107.247) at 00:00:0c:9f:f3:20 [ether] on eth1
? (121.43.106.225) at 00:16:3e:01:00:ee [ether] on eth1
? (10.117.29.41) at 00:16:3e:01:00:30 [ether] on eth0
? (10.117.28.2) at 00:16:3e:01:02:51 [ether] on eth0





ifconfig -a



Code block:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 10.117.29.228 netmask 255.255.248.0 broadcast 10.117.31.255
        ether 00:16:3e:00:2c:ec txqueuelen 1000 (Ethernet)
        RX packets 132128846 bytes 5632328121 (5.2 GiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 1381751 bytes 7158778617 (6.6 GiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 121.43.104.51 netmask 255.255.252.0 broadcast 121.43.107.255
        ether 00:16:3e:00:30:6e txqueuelen 1000 (Ethernet)
        RX packets 1907762507 bytes 80680399263 (75.1 GiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 6381535 bytes 12319814865 (11.4 GiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
        inet 127.0.0.1 netmask 255.0.0.0
        loop txqueuelen 0 (Local Loopback)
        RX packets 2410396 bytes 809594596 (772.0 MiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 2410396 bytes 809594596 (772.0 MiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0





cat /etc/passwd



Code block:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
libstoragemgmt:x:998:997:daemon account for libstoragemgmt:/var/run/lsm:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
chrony:x:997:996::/var/lib/chrony:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
jenkins:x:996:995:Jenkins Continuous Integration Server:/var/lib/jenkins:/bin/false





Remediation:

Source: www.wooyun.org/bugs/wooyun-2016-0193269
