2015-03-20: 细节已通知厂商并且等待厂商处理中
2015-03-25: 厂商已经主动忽略漏洞,细节向公众公开
中国石化某站文件下载数据库连接信息泄露
中国石化某站存在可直接下载的压缩包,其中的配置文件泄露了数据库连接信息。地址:http://218.58.78.123:8080/web.rar
数据库信息:
泄露的配置文件内容如下(含数据库连接字符串):
<?xml version="1.0"?>
<!--
  ASP.NET application configuration (web.config layout: configSections,
  appSettings, connectionStrings, system.web, system.webServer). The handler
  and provider type names reference an application called SlnPortal.

  Comments originally written in Chinese are translated to English below.
  Lines marked NOTE(review) are reviewer annotations on security-relevant
  settings; every element and attribute value is unchanged.
-->
<!--2008-09-24 portal-->
<configuration>
  <!--AJAX begin-->
  <!-- Registers the System.Web.Extensions 1.0.61025.0 (ASP.NET AJAX) configuration sections. -->
  <configSections>
    <sectionGroup name="system.web.extensions" type="System.Web.Configuration.SystemWebExtensionsSectionGroup, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <sectionGroup name="scripting" type="System.Web.Configuration.ScriptingSectionGroup, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <section name="scriptResourceHandler" type="System.Web.Configuration.ScriptingScriptResourceHandlerSection, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="false" allowDefinition="MachineToApplication"/>
        <sectionGroup name="webServices" type="System.Web.Configuration.ScriptingWebServicesSectionGroup, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
          <section name="jsonSerialization" type="System.Web.Configuration.ScriptingJsonSerializationSection, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="false" allowDefinition="Everywhere"/>
          <section name="profileService" type="System.Web.Configuration.ScriptingProfileServiceSection, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="false" allowDefinition="MachineToApplication"/>
          <section name="authenticationService" type="System.Web.Configuration.ScriptingAuthenticationServiceSection, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="false" allowDefinition="MachineToApplication"/>
        </sectionGroup>
      </sectionGroup>
    </sectionGroup>
  </configSections>
  <!--AJAX end-->
  <appSettings>
    <add key="ConnCountInPool" value="5"/>
    <!-- NOTE(review): database credentials are stored in clear text here, and the
         password is identical to the user ID. appSettings is readable by anyone
         who obtains this file, so the account should be treated as exposed:
         rotate the password, use a non-guessable value, and protect the section
         (for example ASP.NET Protected Configuration via aspnet_regiis -pe) or
         move the secret out of the deployable tree. -->
    <add key="ConnectionString" value="Data Source=orcl;User ID=hsejwbx;Password=hsejwbx;"/>
    <!-- NOTE(review): FCKeditor is a legacy editor component; confirm that its
         server-side file connectors are disabled or restricted to authenticated
         users, and that the UserFilesPath directory cannot execute scripts. -->
    <add key="FCKeditor:BasePath" value="~/fckEditor/"/>
    <add key="FCKeditor:UserFilesPath" value="/SlnPortal/KnowledgeArt/xkziArticle/UserFiles"/>
    <add key="IsRoleLoadAll" value="0"/>
    <!-- Whether the menu collapses sibling nodes -->
    <add key="IsMenuCollapseBrothers" value="1"/>
    <!-- When the menu path is empty, whether the main frame shows its child menu page -->
    <add key="IsDisplayChildMenu" value="1"/>
    <!-- Whether this is the Sinopec upgrade system -->
    <!--<add key="IsPtscts" value="1"/>-->
    <!-- Whether role delegation is enabled -->
    <add key="IsUserDelegate" value="0"/>
    <add key="EncryptMode" value="1"/>
    <!-- NOTE(review): the keys below whose names start with two hyphens look like
         settings disabled by renaming; confirm against the application code that
         they are not read. If the validation expression is in use, it pins
         passwords to exactly six characters, which is a weak policy. -->
    <add key="--ValidationExpression" value="(?!^[0-9]*$)(?!^[\Wa-zA-Z]*$)^([\W0-9A-Za-z]{6,6})$"/>
    <add key="--ErrorMessage" value="密码格式不正确!"/>
    <add key="--EnableImport" value="1"/>
    <!-- Password expiry period, in months -->
    <add key="--ExpiryDate" value="3"/>
    <!-- Set to 1 for password reset: the password must be set again at login -->
    <add key="--LoginReset" value="1"/>
    <!-- Size of the images shown for desktop shortcuts -->
    <add key="QuickLinkWidth" value="128"/>
    <add key="QuickLinkHeight" value="95"/>
    <add key="TopMenuCount" value="20"/><!-- Number of first-level items shown in the horizontal top header menu -->
    <add key="IsDomainUserLogin" value="2"/><!-- 0 = ordinary login; 1 = domain-user login; 2 = both domain-user and ordinary login allowed -->
    <!-- NOTE(review): internal addressing (domain server IP, SSO endpoint) is
         disclosed along with the rest of the file; the SSO URL uses plain http. -->
    <add key="DomainServerIP" value="192.168.100.1"/>
    <!-- Using salien.com requires the web server to be in the domain too; using an IP address does not. -->
    <add key="WebSeriveSSO" value="http://localhost:14338/SSOService2/OThinkerSSO.asmx"/>
    <!-- Common password -->
    <!-- NOTE(review): a shared default password in configuration; if any account
         was ever provisioned with it, force a change. Presumably disabled by the
         two-hyphen key prefix; verify. -->
    <add key="--CommonPassword" value="111"/>
    <!-- Whether to bind to IP -->
    <add key="--IsBandIP" value="1"/>
    <!-- Number of shifts -->
    <add key="--ShiftCount" value="3"/>
    <!-- Shift time points -->
    <add key="--Shift_TIME_0" value="06:00:00"/>
    <add key="--Shift_TIME_1" value="14:00:00"/>
    <add key="--Shift_TIME_2" value="22:00:00"/>
    <add key="ChartHttpHandler" value="Storage=memory;Timeout=180;Url=~/temp/;"/>
    <!-- Whether the menu is encrypted -->
    <add key="IsMenuEncrypt" value="0"/>
    <!-- Drop-down display style: 1 old version, 2 new version -->
    <!--<add key="DropDownListVersion" value ="2"/>-->
    <!-- add zxm 090508: error display mode for queries ("Off" detailed errors; "On" simple error message) -->
    <add key="customErrors" value="On"/>
    <!--<add key="PrintPagePath" value ="../../report/generates/printpage.aspx"/>-->
    <!-- add zxm 0906 (true: show the print dialog; false: do not show it) -->
    <!--<add key="DirectPrint" value ="true"/>-->
    <!-- add 090616 (approval: 1 old version; 2 new version; default 2) -->
    <add key="WorkFlowVersion" value="2"/>
    <!-- add 090619 (print registration: 1 script; 2 cookie; default 1) -->
    <add key="PrintRegister" value="2"/>
    <add key="afc" value="../../masterkey/slnmesflowchart2.html"/>
    <!-- Whether projects are categorised; gas: not categorised, Zhenhai: categorised -->
    <add key="isPrjSort" value="true"/>
    <!-- Whether attribute groups exist -->
    <add key="isGroupP" value="false"/>
  </appSettings>
  <!--Web Parts Connection-->
  <connectionStrings>
    <clear/>
    <!-- Integrated (trusted) connection to the local aspnetdb database: no secret stored. -->
    <add name="LocalSQLServer" connectionString="Server=.;Database=aspnetdb;trusted_connection=yes"/>
    <!-- NOTE(review): second clear-text Oracle credential, again with the password
         equal to the user ID. Same remediation as the appSettings connection
         string: rotate, strengthen, and encrypt or externalise the section. -->
    <add name="OraAspNetConString" connectionString="Data Source=221;User ID=ptsb_zh;Password=ptsb_zh;"/>
  </connectionStrings>
  <system.web>
    <!-- NOTE(review): enableEventValidation="false" and validateRequest="false" turn
         off two built-in ASP.NET input checks site-wide. With both disabled, every
         page must validate postback data and encode output itself. -->
    <pages enableEventValidation="false" enableSessionState="true" validateRequest="false"><!--theme="Blue"-->
      <controls>
        <add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
      </controls>
    </pages>
    <httpHandlers>
      <add path="ChartAxd.axd" verb="*" type="Dundas.Charting.WebControl.ChartHttpHandler" validate="false"/>
      <!-- All .aspx requests are routed through the application's own handler factory. -->
      <add path="*.aspx" verb="*" type="SlnPortal.Utility.MyHandlerFactory"/>
      <!--AJAX begin-->
      <remove verb="*" path="*.asmx"/>
      <add verb="*" path="*.asmx" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
      <add verb="*" path="*_AppService.axd" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
      <add verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" validate="false"/>
    </httpHandlers>
    <httpModules>
      <add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
    </httpModules>
    <!--AJAX end-->
    <!-- NOTE(review): maxRequestLength is expressed in kilobytes, so 1048576 permits
         request bodies of about 1 GB; executionTimeout is in seconds (one hour
         here) and is only enforced when compilation debug is false. Together
         these leave the site open to resource exhaustion by oversized or slow
         requests; size them to the largest legitimate upload. -->
    <httpRuntime maxRequestLength="1048576" executionTimeout="3600"/>
    <!-- NOTE(review): debug="true" should not be deployed: it disables request
         timeouts and emits debug builds. Set it to false in production. -->
    <compilation debug="true">
      <assemblies>
        <add assembly="System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
        <add assembly="System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
        <add assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
        <add assembly="System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
        <add assembly="System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
        <add assembly="System.Xml, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
        <add assembly="System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
        <add assembly="System.Web.Services, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
        <add assembly="System.DirectoryServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
        <add assembly="System.DirectoryServices.Protocols, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
        <add assembly="System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
        <add assembly="System.Design, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
        <add assembly="System.ServiceProcess, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
        <add assembly="System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
        <add assembly="System.Web.RegularExpressions, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/></assemblies>
    </compilation>
    <!-- NOTE(review): mode="Off" returns full ASP.NET error detail (stack traces,
         source excerpts) to remote clients. Use RemoteOnly or On in production.
         The appSettings key named customErrors is a separate, application-level
         switch and does not change this behaviour. -->
    <customErrors mode="Off"/>
    <authentication mode="Forms">
      <!-- NOTE(review): protection="Encryption" encrypts the forms-authentication
           ticket but does not validate it against tampering; protection="All" is
           the recommended value. No requireSSL attribute is set, so the cookie is
           not restricted to HTTPS. -->
      <forms name="SlnPortalUserCookie" loginUrl="Login.aspx" defaultUrl="default.aspx" protection="Encryption" path="/"><!--Login_NJ.aspx-menutop_NJ.aspx-menutop_zhy.aspx-->
      </forms>
    </authentication>
    <webParts enableExport="true">
      <personalization defaultProvider="CustomOraclePersonalizationProvider">
        <providers>
          <add connectionStringName="OraAspNetConString" applicationName="PortalTest" name="CustomOraclePersonalizationProvider" type="SlnPortal.Utility.Personalization.SlnOraclePersonalizationProvider,SlnPortal, Version=3.0.0.3, Culture=neutral"/>
        </providers>
        <!-- NOTE(review): users="*" grants every user the enterSharedScope verb, i.e.
             the right to change Web Parts personalization that is shared by all
             users. Restrict enterSharedScope to an administrative role. -->
        <authorization>
          <allow users="*" verbs="enterSharedScope"/>
          <allow users="*" verbs="modifyState"/>
        </authorization>
      </personalization>
    </webParts>
    <!-- A load-balanced environment needs machineKey to be set -->
    <!-- NOTE(review): the commented-out machineKey below still discloses key
         material. If these values were ever deployed on any server, replace them,
         since machineKey protects view state and authentication tickets. -->
    <!--<machineKey validationKey="90CBB9B2FAD04C6F869A58D6A42AED0D13F3440227CD725F6008BC4835B7C0BFBEFFAE214DC81DAE3CD7E395A70B0D6C492EFB8C8BE69F9E86D006D2320FE524"decryptionKey="69A5A438452FCB3C031FEA245DEF770191A16609E9E4A62F" validation="SHA1" decryption="3DES" />-->
    <!-- StateServer: Session can not invalidation, InProc; timeout is in minutes -->
    <!-- Session state is held in the local ASP.NET state service (127.0.0.1:42424) with a 240-minute timeout. -->
    <sessionState mode="StateServer" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="240"/>
    <globalization requestEncoding="gb2312" responseEncoding="gb2312"/><!--utf-8-->
    <xhtmlConformance mode="Legacy"/>
  </system.web>
  <!--AJAX begin-->
  <!-- IIS integrated-pipeline equivalents of the httpModules/httpHandlers registrations above. -->
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false"/>
    <modules>
      <add name="ScriptModule" preCondition="integratedMode" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
    </modules>
    <handlers>
      <remove name="WebServiceHandlerFactory-Integrated"/>
      <add name="ScriptHandlerFactory" verb="*" path="*.asmx" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
      <add name="ScriptHandlerFactoryAppServices" verb="*" path="*_AppService.axd" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
      <add name="ScriptResource" preCondition="integratedMode" verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
    </handlers>
  </system.webServer>
  <!--AJAX end-->
</configuration>
。。。
危害等级:无影响(厂商忽略)
忽略时间:2015-03-25 09:42
2015-03-25:谢谢
呵呵,忽略了再说谢谢,
@独孤求败 未超时的情况下点击了确认,但乌云认为超时了。这两天多次联系乌云要修改状态,未果。不好意思。但还是要谢谢您。