当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0131786

漏洞标题:民安保险某核心系统弱口令导致shell

相关厂商:民安保险

漏洞作者: 路人甲

提交时间:2015-08-05 11:57

修复时间:2015-08-10 11:58

公开时间:2015-08-10 11:58

漏洞类型:文件上传导致任意代码执行

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-05: 细节已通知厂商并且等待厂商处理中
2015-08-10: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

民安保险某核心系统弱口令导致shell

详细说明:

http://218.17.200.230/

1.png


weblogic弱口令

2.png


3.jpg


#
# hosts         This file describes a number of hostname-to-address
#               mappings for the TCP/IP subsystem.  It is mostly
#               used at boot time, when no name servers are running.
#               On small systems, this file can be used instead of a
#               "named" name server.
# Syntax:
#    
# IP-Address  Full-Qualified-Hostname  Short-Hostname
#
127.0.0.1       localhost
# special IPv6 addresses
::1             localhost ipv6-localhost ipv6-loopback
fe00::0         ipv6-localnet
ff00::0         ipv6-mcastprefix
ff02::1         ipv6-allnodes
ff02::2         ipv6-allrouters
ff02::3         ipv6-allhosts
172.10.2.70     svsrv1.site svsrv1
172.10.5.200 N6270A
172.10.5.201 N6270B
172.10.5.210 FAS3220A
172.10.5.211 FAS3220B
172.10.2.70 svsrv1
172.10.2.71 svsrv2
172.10.2.72 svsrv3
172.10.2.73 svsrv4
172.10.2.74 svsrv5
172.10.2.75 svsrv6


root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
games:x:12:100:Games account:/var/games:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
messagebus:x:100:101:User for D-BUS:/var/run/dbus:/bin/false
haldaemon:x:101:102:User for haldaemon:/var/run/hal:/bin/false
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
news:x:9:13:News system:/etc/news:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
ntp:x:74:103:NTP daemon:/var/lib/ntp:/bin/false
gdm:x:50:104:Gnome Display Manager daemon:/var/lib/gdm:/bin/false
suse-ncc:x:102:105:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
wlgma:x:1000:1000::/home/wlgma:/bin/bash

漏洞证明:

http://218.17.200.230/

1.png


weblogic弱口令

2.png


3.jpg


#
# hosts         This file describes a number of hostname-to-address
#               mappings for the TCP/IP subsystem.  It is mostly
#               used at boot time, when no name servers are running.
#               On small systems, this file can be used instead of a
#               "named" name server.
# Syntax:
#    
# IP-Address  Full-Qualified-Hostname  Short-Hostname
#
127.0.0.1       localhost
# special IPv6 addresses
::1             localhost ipv6-localhost ipv6-loopback
fe00::0         ipv6-localnet
ff00::0         ipv6-mcastprefix
ff02::1         ipv6-allnodes
ff02::2         ipv6-allrouters
ff02::3         ipv6-allhosts
172.10.2.70     svsrv1.site svsrv1
172.10.5.200 N6270A
172.10.5.201 N6270B
172.10.5.210 FAS3220A
172.10.5.211 FAS3220B
172.10.2.70 svsrv1
172.10.2.71 svsrv2
172.10.2.72 svsrv3
172.10.2.73 svsrv4
172.10.2.74 svsrv5
172.10.2.75 svsrv6


root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
games:x:12:100:Games account:/var/games:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
messagebus:x:100:101:User for D-BUS:/var/run/dbus:/bin/false
haldaemon:x:101:102:User for haldaemon:/var/run/hal:/bin/false
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
news:x:9:13:News system:/etc/news:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
ntp:x:74:103:NTP daemon:/var/lib/ntp:/bin/false
gdm:x:50:104:Gnome Display Manager daemon:/var/lib/gdm:/bin/false
suse-ncc:x:102:105:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
wlgma:x:1000:1000::/home/wlgma:/bin/bash

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-08-10 11:58

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无

漏洞评价:

评论

  1. 2015-08-10 15:35 | 暮夕水寒 ( 普通白帽子 | Rank:106 漏洞数:35 | 专注低水平)

    不好意思,这个漏洞因为没有在民安财产有限公司的漏洞目录下,所以我以为没有人提交。刚刚才在最新公开里看到你已经提交过了。是我重复提交了,抱歉,路人甲。我不知道应该怎么解决。。。