
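Vulnerability summary

Bug ID: wooyun-2015-0132949

Title: From one small server vulnerability to access to the health records of every resident of Minhang District, Shanghai

Vendor: Shanghai Education Bureau

Author: 卖C4的小男孩

Submitted: 2015-08-10 10:27

Fixed: 2015-09-26 14:22

Published: 2015-09-26 14:22

Vulnerability type: Weak passwords on infrastructure

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]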


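Vulnerability details

Disclosure status:

2015-08-10: Details reported to the vendor; awaiting vendor handling
2015-08-12: Vendor confirmed; details disclosed to the vendor only
2015-08-22: Details disclosed to core white hats and experts in related fields
2015-09-01: Details disclosed to regular white hats
2015-09-11: Details disclosed to trainee white hats
2015-09-26: Details disclosed to the public

Brief description:

I'm just a beginner, and let me vent a little: how rich do you have to be? I saw three servers with 1 TB of RAM each.
If anything here is described poorly, I'd ask the admins to help edit it; if more material is needed for review, add me on QQ and ask.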

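Detailed description:

There is nothing technical about this vulnerability... experts, please go easy on me! Thanks.
I came across a website by chance:
gonghui.pudong-edu.sh.cn
The domain name tells you it is a government site. After some poking around I got a webshell without trouble.
webshell URL: http://gonghui.pudong-edu.sh.cn/3.aspx, password 123
The server turned out to sit on an internal network, so I connected through an LCX port forward.
Once in, I found it was a Server 2008 machine hosting a single site. What a waste...
As mentioned, this server is on the internal network; its internal IP address is 10.64.13.58.

[Image: 11.png]


Since my skills are limited, I simply scanned widely for port 3389 and brute-forced it. After some more poking around I realized I had stumbled, by sheer accident, into the internal network of the Shanghai Education Bureau.
Through the simplest possible brute force of 3389 I obtained access to 140 servers without trouble... I'm speechless at this level of security awareness.
That was the lead-up; now to the main point.
Over 3389 I connected to a server unlike the rest, with an outrageous configuration:
10.105.158.202@administrator;P@ssw0rd

[Image: 数据库.png]


A 60-core processor (actually 8 cores with threads enabled), and the key point: 1 TB of RAM, more than the hard disk in my laptop. Exploring the server further, I found it is an HIS server holding a 1 TB database. That scared me witless.

[Image: mhsqxt.png]


Could this be the HIS that is legendary in the black market?? Sell this and you'd be rich in minutes!
But I have neither the nerve nor the intention.

[Image: 84万个人资料,.png]

A casual look turned up 840,000 records. Impressive.
I checked this server's network connections and found that it is also connected to three other networks.

[Image: 32.png]


After some study I found that the network containing 10.96.36.40 connects to the Minhang District Health Bureau's network.
Out came the scan-and-brute-force routine again,
which turned up another 20-odd servers. Through these servers I gained direct access to the databases of the entire Minhang District healthcare system.
See the screenshots below.

[Image: 2.png]

[Image: 3.png]

[Image: 333.png]

[Image: 1321.png]

[Image: 3423.png]


The information below confirms what I said above.

[Image: QQ截图20150809213710.png]


This site directly exposes the Health Bureau's entire database architecture, and also confirms my point above that the high-spec server stores Minhang District's health information.
Below is some of the information obtained.
Weak passwords on Shanghai education network servers: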



Below are the weak passwords at the Minhang District Health Bureau:



Below are the addresses, usernames and passwords of important Minhang District Health Bureau databases:
Below is what each of the databases above is used for:



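And that is the whole process!

Proof of vulnerability:


Rough network layout:
From the webshell I entered the Education Bureau's internal network (10.64.13.58, administrator, password admin@123); from inside that network I could connect to the HIS server (10.105.158.202@administrator;P@ssw0rd); and from the HIS server I could connect to the Minhang District Health Bureau's internal network and databases.
Imagine how serious the damage could be if my skills were just a bit better!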

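Remediation:

First, the Education Bureau's LAN is poorly designed: it was far too easy to get in. Second, the weak-password problem is really severe, especially at the Minhang District Health Bureau above.
My skills are weak too; otherwise I would not have dug up only this little.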
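
The weak, account-matching and reused database passwords this report points to can be caught by auditing connection settings before they are deployed. The script below is an added example, not part of the original report: it parses the `db.<alias>.<field>` properties layout used for the report's database settings, and its sample hosts (192.0.2.0/24), accounts, passwords and policy thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: hosts are in the 192.0.2.0/24 documentation range and
# every account and password is invented for this example.
SAMPLE = """\
db.app.driver-url = jdbc:sqlserver://192.0.2.10:1433;DatabaseName=appdb
db.app.user = sa
db.app.password = sa
db.lab.driver-url = jdbc:sqlserver://192.0.2.11:1433;DatabaseName=labdb
db.lab.user = report
db.lab.password = Summer2015
db.his.driver-url = jdbc:sqlserver://192.0.2.12:1433;DatabaseName=hisdb
db.his.user = sa
db.his.password = Summer2015
db.arc.driver-url = jdbc:db2://192.0.2.13:50000/ARCHIVE
db.arc.user = svc_archive
db.arc.password = t7#Lq9!vXw2$Rk8mZp
"""

# Assumed policy values; tune them to the local password standard.
COMMON = {"123456", "12345678", "111111", "password", "p@ssw0rd", "admin"}
PRIVILEGED = {"sa", "root", "administrator"}
MIN_LEN = 12

# Matches "db.<alias>.<field> = <value>", with or without spaces around "=".
LINE = re.compile(r"^db\.([^.\s]+)\.([\w-]+)\s*=\s*(.*)$")


def parse(text):
    """Group db.<alias>.<field> lines into one dict of fields per alias."""
    entries = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            alias, field, value = m.groups()
            entries[alias][field] = value.strip()
    return dict(entries)


def audit(text, min_len=MIN_LEN):
    """Return {alias: [findings]} for each entry with at least one issue."""
    entries = parse(text)
    # Map each password to the aliases using it, to detect reuse across hosts.
    reuse = defaultdict(set)
    for alias, e in entries.items():
        reuse[e.get("password", "")].add(alias)
    report = {}
    for alias, e in entries.items():
        user, pw = e.get("user", ""), e.get("password", "")
        found = []
        if user.lower() in PRIVILEGED:
            found.append("privileged-account")
        if pw.lower() == user.lower():
            found.append("password-equals-user")
        if pw.lower() in COMMON:
            found.append("common-password")
        if len(pw) < min_len:
            found.append("too-short")
        if len(reuse[pw]) > 1:
            found.append("reused:" + ",".join(sorted(reuse[pw] - {alias})))
        if found:
            report[alias] = found
    return report


if __name__ == "__main__":
    for alias, findings in audit(SAMPLE).items():
        print(f"{alias}: {', '.join(findings)}")
```

A clean result only means the passwords pass these checks; the file still stores them in plaintext, so anyone who can read it gets every database at once.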

Copyright notice: when reposting, please credit the source 卖C4的小男孩@乌云


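Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-08-12 14:21

Vendor reply:

CNVD did not directly reproduce the situation described; it has been passed to CNCERT for dispatch to the Shanghai branch center, which will coordinate follow-up handling with the organization that manages the website.

Latest status:

None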


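Vulnerability rating:

Comments

  1. 2015-08-10 10:44 | 牛 小 帅 ( Regular white hat | Rank:363 Vulnerabilities:84 | [code]If the heart has no place to rest, wherever you go you are...)

    666

  2. 2015-08-10 10:54 | 李白 ( Regular white hat | Rank:142 Vulnerabilities:29 )

    Not bad, a district-level server with 1 TB of RAM

  3. 2015-08-10 10:56 | 疯狗 Certified white hat ( Trainee white hat | Rank:44 Vulnerabilities:2 | Having read every vulnerability under heaven, the heart is naturally free of code.)

    Might this possibly affect the healthcare network of all of Shanghai?

  4. 2015-08-10 10:59 | 卖C4的小男孩 ( Trainee white hat | Rank:65 Vulnerabilities:6 | La la la, la la la, I'm a little expert at selling C4!...)

    @疯狗 It really could... but it's a matter of skill... and not just Shanghai's. Inside the internal network I saw an interface to the China Disabled Persons' Federation.

  5. 2015-08-10 11:00 | 牛 小 帅 ( Regular white hat | Rank:363 Vulnerabilities:84 | [code]If the heart has no place to rest, wherever you go you are...)

    @卖C4的小男孩 Expert, let me ride your coattails

  6. 2015-08-10 11:01 | 卖C4的小男孩 ( Trainee white hat | Rank:65 Vulnerabilities:6 | La la la, la la la, I'm a little expert at selling C4!...)

    @疯狗 Because this kind of thing is too sensitive... what if I got locked up... I didn't dare continue.

  7. 2015-08-10 11:09 | zeracker Certified white hat ( Core white hat | Rank:1068 Vulnerabilities:137 | More WooYun, more opportunities! WeChat official account: id:a301zls ...)

    @疯狗 I think so too...

  8. 2015-08-10 11:25 | Ton7BrEak ( Regular white hat | Rank:211 Vulnerabilities:43 | Of hard work and endurance, I only manage the first!)

    Pretty good~ following~

  9. 2015-08-10 11:27 | Ton7BrEak ( Regular white hat | Rank:211 Vulnerabilities:43 | Of hard work and endurance, I only manage the first!)

    Only just noticed it's actually Minhang District in Shanghai... wow.

  10. 2015-08-10 11:45 | 一只猿 ( Regular white hat | Rank:463 Vulnerabilities:89 | Research focus: hardware and wireless communications)

    1 TB of RAM... awesome

  11. 2015-08-10 12:03 | wefgod ( Regular white hat | Rank:1807 Vulnerabilities:179 | The spirit is willing but the strength is lacking)

    Holy crap, 1 TB of RAM?

  12. 2015-08-10 20:23 | 机器猫 ( Regular white hat | Rank:1141 Vulnerabilities:253 | Love life, love Tencent, love the net!)

    @疯狗 I'm from Shanghai myself, holy crap

  13. 2015-08-17 18:38 | Me_Fortune ( Regular white hat | Rank:209 Vulnerabilities:71 | I'm Me_Fortune)

    66666666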