当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0142866

漏洞标题:中国电信某处弱口令导致getshell影响计费系统/策略管理等多个系统可内网

相关厂商:中国电信

漏洞作者: 路人甲

提交时间:2015-09-24 22:18

修复时间:2015-11-12 19:18

公开时间:2015-11-12 19:18

漏洞类型:服务弱口令

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-09-24: 细节已通知厂商并且等待厂商处理中
2015-09-28: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开
2015-10-08: 细节向核心白帽子及相关领域专家公开
2015-10-18: 细节向普通白帽子公开
2015-10-28: 细节向实习白帽子公开
2015-11-12: 细节向公众公开

简要描述:

getshell,影响计费系统/策略管理等多个系统可内网

详细说明:

涉及到多个电信系统
**.**.**.**:7001/P_MANAGE/

1.jpg


**.**.**.**:7001/petri/

2.jpg


**.**.**.**:7001/ocs/

3.jpg


**.**.**.**:7001/cfgMgr/

4.jpg


好了言归正传
问题出在中间件
**.**.**.**:7001/console/login/LoginForm.jsp
weblogic/weblogic
上传war 拿到shell
/home/bea/bea10/weblogic/user_projects/domains/ygkdomain/config/jdbc/JDBC_Data_Source-1-3408-jdbc.xml

<url>jdbc:oracle:thin:@**.**.**.**:1521:fzjf1</url>
<driver-name>oracle.jdbc.OracleDriver</driver-name>
<properties>
<property>
<name>user</name>
<value>ZHJS_EXCH</value>


连接数据库看到大量数据

TABLE_NAME
VARCHAR2
TEMP_CHECK_DETAIL_COUNT
TS_TRANS_SEND_CONTRAST
TEMP_CHILD_STOCK
TEMP_EXCH_CONFIG_INFO
TEMP_GOODS_LOST
TEMP_GOODS_RECV_COUNT
TEMP_GOODS_SEND_COUNT
TEMP_LOG_SR
TEMP_MSG_LOG_DETAIL
TEMP_MSG_TYPE_CHECK
TEMP_SR_LOW_ALERT_INDEX
TEMP_SR_LOW_PERF_INDEX
TEMP_SR_TIME_OUT
TEMP_STOCK_DETAILS
TEMP_STORE_CHECK
TEMP_STORE_DETAILS
TEMP_TRANS_CHECK_COUNT
TEMP_TRANS_CHECK_DETAIL
TEMP_TRANS_DETAILS
TEMP_UPDOWN_DETAILS
TEMP_UP_STOCK_CHECK
TI_EXCH_MSG_LOG
TI_EXCH_STORAGE_LOG
TI_EXCH_TRANS_LOG
TI_LOG_SR
TS_CLEAR_GOODS_CNT
TS_GOODS_STOCK_OVERDUE
TS_IN_STOCK_CNT
TS_OUT_STOCK_CNT
TS_STORAGE_CNT
TS_TRANS_RECV_CONTRAST
TEMP_CHILD_NODE
WEB_EXCH_LOG
TP_EXCH_SPARE_DEF
TP_EXCH_BUSI_ID_DEF
TP_EXCH_GOODS_CYCLE
TP_EXCH_CONFIG_NETBUSI
S_ALERT_CODE_DEF
S_ERROR_DEF
WEB_EXCH_ROLERES
TP_AREA
TP_ONE_SEND_MANY_CONFIG
TP_TABLE_DEF
WEB_EXCH_ELEMENT
TP_EXCH_FILE_BUSI
S_AC_FILE_RULE_DEF
WEB_EXCH_CATALOG
TP_EXCH_BUSI_CLASS_DEF
T_SYS_STATUS_NODIFY_INDEX
T_PARAM_FILE_RULE
TP_FILE_INDEX
TP_EXCH_FILTER_BUSI
TP_EXCH_CONFIG_NET
TP_TRANS_FLOW_MODEL_RELATION
TP_INFO_KPI_INDEX_DEF
SERVICE_CONTEXT_DEF
S_ALERT_CODE_SR
TP_ALERT_SMS_TEXT
SERVER_ROUTE_LIST
TP_EXCH_NET_ID_DEF
TP_PROVINCE_SR
TP_PROVINCE
TP_SCAN_NET_LIMIT
S_EXCH_COMMAND_DEF
S_TRANS_TYPE_DEF
S_MODEL_CODE_DEF
TP_OUTDB_FLAG
TP_NET_MONITOR_DEF
S_LOG_TYPE_DEF
WEB_EXCH_PWDHISTORY
S_TRANS_FLOW_DEF
S_FILE_NAME_RULE_DEF
S_CHECK_NAME_DEF
S_MSG_TYPE_DEF
WF_APPLICATION
WEB_EXCH_USERROLE
WEB_EXCH_USER
TP_EXCH_PROC_SCHEDULE
TP_EXCH_CHANNEL_DEF
TP_EXCH_FILE_BUSI2
S_CYCLE_UNIT_DEF
S_WEB_OPER_TYPE_DEF
S_PRODUCT_TYPE_DEF
S_ALERT_DISPLAY_DEF
TP_BASE
S_ALERT_LEVEL_DEF
S_SCHEDULER_DEF
VALID_AVP_VALUE
WEB_EXCH_ROLE
TP_DR_ID
S_COMPRESS_TYPE_DEF
S_TRANS_PROTOCOL_DEF
S_TRANS_PRIORITY_DEF
S_TIME_UNIT_DEF
S_CLIENT_TYPE_DEF
TP_MIB_INFO_CONFIG
S_TRANS_DIRECTION_DEF
TP_SCAN_ALERT_PATH_DEF
S_WEB_USER_LOCKED_DEF
S_PRODUCER_DEF
S_SPARE_TYPE_DEF
TP_SCAN_LIMIT_DEF
S_MONTH_TABLE_DEF
S_OUTDB_FLAG_DEF
TG_EXCH_ALERT
TP_DISK_QUOTA_DEF
TP_EXCH_LOGIN_INFO
TP_EXCH_GOODS_CLASS_DEF
TP_EXCH_BACK_PATH
TP_SR_AREA
TP_MIB_NET_INFO_DEF
TP_CLEAR_BACK_PATH_DEF
S_ALERT_TIME_LAST
TS_INFO_010
TS_INFO_011
TS_LAST_FILE_INFO_001
TS_LAST_FILE_INFO_002
TS_LAST_FILE_INFO_004
TS_LAST_FILE_INFO_010
TS_LAST_FILE_INFO_011
TS_ROUTE_CONN_TIME
TS_ROUTE_DISCONN_TIME
TS_ROUTE_INFO_CNT
TS_SEND_GOODS_UNIX
TS_SR_HIGH_ALERT_INDEX
TS_SR_HIGH_PERF_INDEX
TS_SR_LOW_ALERT_INDEX
TS_SR_LOW_PERF_INDEX
TS_SYS_HIGHT_ALERT_INDEX
TS_SYS_HIGHT_EVENT_INDEX
TS_SYS_LOW_EVENT_INDEX
TS_TRANS_DATA_DETAIL
T_DAILY_TRANS_LOG
WEB_REPORT_DEF
WF_ALERT_LOG
WF_BILLFLOW
WF_DISTRIBUTE_RULE
WF_HOSTINFO
WF_LOG_PROCESS
WF_MQ_ATTR
WF_MQ_PRO_FLOW
WF_NODECONNECTOR
WF_PROCESS
WF_PROCESS_MQ
WF_TIME_PLAN
WF_TIME_RUN_PLAN
TL_EXCH_GOODS_STOCK
TO_FILE_PERF_INDEX_B
TO_FILE_PERF_NMP_A
TO_FILE_PERF_NMP_B
TO_INFO_001_A
TO_INFO_001_B
TO_INFO_002_A
TO_INFO_002_B
TO_INFO_003_A
TO_INFO_003_B
TO_INFO_004_A
TO_INFO_004_B
TO_INFO_007_A
TO_INFO_007_B
TO_INFO_008_A
TO_INFO_008_B
TO_INFO_009_A
TO_INFO_009_B
TO_INFO_010_A
TO_INFO_010_B
TO_INFO_011_A
TO_INFO_011_B
TO_ROAM_UPDOWN_A
TO_ROAM_UPDOWN_B
TO_SMS_SR_DEF
TO_SMS_TEXT_DEF
TO_SR_ALERT_INDEX_A
TO_SR_ALERT_INDEX_B
TO_SR_PERF_INDEX_A
TO_SR_PERF_INDEX_B
TO_SYS_HIGHT_ALERT_INDEX_A
TO_SYS_HIGHT_ALERT_INDEX_B
TO_SYS_HIGHT_EVENT_INDEX_A
TO_SYS_HIGHT_EVENT_INDEX_B
TO_SYS_LOW_EVENT_INDEX_A
TO_SYS_LOW_EVENT_INDEX_B
TP_COLLECT_FILE_SN_DEF
TP_MIB_SR_TRNASCTL_DEF
TP_PARAM_STATUS
TS_AUTO_OVERDUE_CLEAR
TS_CHECK_INDB_UNIX
TS_CHECK_OUTDB_UNIX
TS_CHECK_RECV_UNIX
TS_EVAL_MID_DATA_DETAIL
TS_EXCH_LOG_CHECK_UNIX
TS_EXCH_TRANS_LOG_CNT
TS_EXCH_TRANS_RECV
TS_EXCH_TRANS_SEND
TS_FILE_AUDIT_CONF_INCREMENTAL
TS_FILE_AUDIT_CONF_INDEX
TS_FILE_AUDIT_EVENT_INDEX
TS_FILE_HIGH_ALERT_INDEX
TS_FILE_HIGH_PERF_INDEX
TS_FILE_LOW_ALERT_INDEX
TS_FILE_LOW_PERF_INDEX
TS_FILE_MID_PERF_INDEX
TS_INFO_001
TS_INFO_002
TS_INFO_003
TS_INFO_004
TS_INFO_005
TS_INFO_006
TS_INFO_007
TS_INFO_008
TS_INFO_009
TD_AUTO_OVERDUE_CLEAR
TD_CHECK_INDB_UNIX
TD_CHECK_OUTDB_UNIX
TD_CHECK_RECV_UNIX
TD_CLEAR_CHECK
B_IPC_CFG
DCC_AVP_VALUE
MEM_KEY_CFG
MEM_KEY_PROC_RELA
MIB_EVENT_ATTR_COMP
MIB_INSERT_INTERFACE
MIB_OBJ_TM
MIB_OBJ_INST_TM
MIB_OBJ_ATTR_VALUE
MIB_PEERINFO_CNT
MIB_PRODUCT_TRANS_CNT
MIB_PRODUCT_TRANS_TRAP_CNT
MIB_ROUTE_INFO_CNT
MIB_ROUTE_TRAP_CNT
MIB_SR_CCA_CNT
MIB_SR_CCR_CNT
MIB_TRANS_ALL_PERF_CNT
MIB_TRANS_FAIL_CNT
MIB_TRANS_FAIL_MONITOR
MIB_TRANS_REFUSE_CNT
SNMP_AGENT_LIST
SR_MONITOR
SR_MONITOR_ALERT
STAT_INTERFACE
S_MSG_BUSI_DEF
TD_CONFIG_BACK_PATH
TD_EXCH_LOG_CHECK
TD_GOODS_STOCK_PATH
TD_INDB_CHECK
TD_REPORT_STORE
TD_REPORT_UPDOWN
TD_SEND_GOODS_UNIX
TD_STORAGE_ACCOUNT
TD_STORAGE_ACCOUNT_CHECK
TD_STORE_CHECK
TEMP_1
TG_ALERT_SR
TG_EXCH_ALERT2
TG_LOG_ROUTE_SELECT
TG_LOG_ROUTE_UPDATE
TL_EXCH_ACTION_LOG
TL_SR_LOW_PERF_INDEX
TMP_STAT_INTERFACT
TO_ALERT_SMS
TO_FILE_ALERT_INDEX_A
TO_FILE_ALERT_INDEX_B
TO_FILE_ALERT_LAST
TO_FILE_EVENT_INDEX_A
TO_FILE_EVENT_INDEX_B
TO_FILE_EVENT_LAST
TO_FILE_FAIL_003_A
TO_FILE_FAIL_003_B
TO_FILE_FAIL_INDEX_A
TO_FILE_FAIL_INDEX_B
TO_FILE_FAIL_NMP_A
TO_FILE_FAIL_NMP_B
TO_FILE_OVERSTOCE_INDEX_A
TO_FILE_OVERSTOCE_INDEX_B
TO_FILE_PERF_INDEX_A


然后探测下内网
**.**.**.**:7001/ma/out.jsp

7.jpg


5.jpg


6.jpg

漏洞证明:

7.jpg

修复方案:

修改密码

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-09-28 19:17

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向中国电信集团公司通报,由其后续协调网站管理部门处置.

最新状态:

暂无


漏洞评价:

评论