漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0149785
漏洞标题:运营商安全之中国电信某命令执行导致可内网漫游
相关厂商:中国电信
漏洞作者: 路人甲
提交时间:2015-10-27 15:27
修复时间:2015-12-14 15:12
公开时间:2015-12-14 15:12
漏洞类型:命令执行
危害等级:高
自评Rank:15
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-10-27: 细节已通知厂商并且等待厂商处理中
2015-10-30: 厂商已经确认,细节仅向厂商公开
2015-11-09: 细节向核心白帽子及相关领域专家公开
2015-11-19: 细节向普通白帽子公开
2015-11-29: 细节向实习白帽子公开
2015-12-14: 细节向公众公开
简要描述:
运营商安全之中国电信某命令执行导致可内网漫游
详细说明:
**.**.**.**/admin/AdminAction_AdminLogin.action
**.**.**.**/cmd.jsp
一句话
jdbc_url=jdbc:mysql**.**.**.**:3306/aqx
jdbc_username=root
jdbc_password=1234
**.**.**.**/resource/doc/aqx.sql
备份文件
安全侠。(安全侠智能科技有限公司是国内首家解决儿童安全的科技公司,以守护中国家庭幸福为使命,致力于全方位防护儿童安全成长,专注解决儿童成长中遇到的各种安全问题。)
AQXSMS_USERNAME=anquanxia
AQXSMS_PASSWORD=As1212
http://**.**.**.**/api/json/sms.action
看起来不像是电信啊,会不会是搞偏了。
搞了个代理到内网看看。
惊喜大大的
电信内网,可漫游。
**.**.**.**/nei.jsp?**.**.**.**:80
**.**.**.**/nei.jsp?**.**.**.**:80
**.**.**.**/nei.jsp?**.**.**.**:80
**.**.**.**/nei.jsp?**.**.**.**:80
**.**.**.**/nei.jsp?**.**.**.**:80
**.**.**.**/nei.jsp?**.**.**.**:80
**.**.**.**/nei.jsp?**.**.**.**:80
INSERT INTO `tb_user` VALUES ('40288a434c21f6e0014c22190c110002', '18079108252', '1', '澶у?姘存?', null, 'resourcehttps://wooyun-img.oss-cn-beijing.aliyuncs.com/upload/userheadicon/A6B5ACB7D14D4875A76BC310D59F2AB8.jpg', null, '1', '2015-03-25 09:04:29');
INSERT INTO `tb_user` VALUES ('40288a434c21f6e0014c221cbaff000b', '17770050676', '123456', '?跺?', null, 'resourcehttps://wooyun-img.oss-cn-beijing.aliyuncs.com/upload/userheadicon/68416A01E74A426DA207B27E52A98D27.jpg', null, '1', '2015-03-25 09:04:30');
INSERT INTO `tb_user` VALUES ('40288a434c222564014c222c3d650005', '18679827379', '111111', '??ご寮?, null, 'resourcehttps://wooyun-img.oss-cn-beijing.aliyuncs.com/upload/userheadicon/6EFDA59164994ACCAEB7D78DB0AE44AC.jpg', null, '1', '2015-03-25 09:04:30');
INSERT INTO `tb_user` VALUES ('40288a434c25a260014c267e72bb0003', '18970096713', '1', '189****6713', null, null, null, '1', '2015-03-25 09:04:31');
INSERT INTO `tb_user` VALUES ('40288a434c268fae014c269e7c820002', '18970096712', '123456', '189****6712', null, null, null, '1', '2015-03-25 09:04:31');
INSERT INTO `tb_user` VALUES ('40288a434c268fae014c26a9174b0007', '18970096715', '1', '189****6715', null, null, null, '1', '2015-03-25 09:04:32');
INSERT INTO `tb_user` VALUES ('40288a434c268fae014c26add9ad000a', '18970096716', '1', '189****6716', null, null, null, '1', '2015-03-25 09:04:32');
INSERT INTO `tb_user` VALUES ('40288a434c268fae014c26b0d7ca000c', '18970096718', '1', '189****6718', null, null, null, '1', '2015-03-25 09:04:33');
INSERT INTO `tb_user` VALUES ('40288a434c268fae014c26b25d80000e', '18970096719', '1', '189****6719', null, null, null, '1', '2015-03-25 09:04:33');
INSERT INTO `tb_user` VALUES ('40288a434c268fae014c26b58b090010', '18970096721', '1', '189****6721', null, null, null, '1', '2015-03-25 09:04:34');
INSERT INTO `tb_user` VALUES ('40288a434c268fae014c26c0c2120016', '18970096725', '1', '189****6725', null, null, null, '1', '2015-03-25 09:04:35');
INSERT INTO `tb_user` VALUES ('40288a434c268fae014c26c2cdc00018', '18970096729', '1', '189****6729', null, null, null, '1', '2015-03-25 09:04:35');
INSERT INTO `tb_user` VALUES ('40288a434c26d16e014c26db47400001', '13713197097', '07550755', '137****7097', null, null, null, '1', '2015-03-25 09:04:36');
INSERT INTO `tb_user` VALUES ('40288a434c27016d014c271df997000d', '18523091661', '13713197097', '185****1661', null, null, null, '1', '2015-03-25 09:04:38');
漏洞证明:
**.**.**.**/admin/AdminAction_AdminLogin.action
**.**.**.**/cmd.jsp
一句话
jdbc_url=jdbc:mysql**.**.**.**:3306/aqx
jdbc_username=root
jdbc_password=1234
**.**.**.**/resource/doc/aqx.sql
备份文件
安全侠。(安全侠智能科技有限公司是国内首家解决儿童安全的科技公司,以守护中国家庭幸福为使命,致力于全方位防护儿童安全成长,专注解决儿童成长中遇到的各种安全问题。)
AQXSMS_USERNAME=anquanxia
AQXSMS_PASSWORD=As1212
http://**.**.**.**/api/json/sms.action
看起来不像是电信啊,会不会是搞偏了。
搞了个代理到内网看看。
惊喜大大的
电信内网,可漫游。
**.**.**.**/nei.jsp?**.**.**.**:80
**.**.**.**/nei.jsp?**.**.**.**:80
**.**.**.**/nei.jsp?**.**.**.**:80
**.**.**.**/nei.jsp?**.**.**.**:80
**.**.**.**/nei.jsp?**.**.**.**:80
**.**.**.**/nei.jsp?**.**.**.**:80
**.**.**.**/nei.jsp?**.**.**.**:80
INSERT INTO `tb_user` VALUES ('40288a434c21f6e0014c22190c110002', '18079108252', '1', '澶у?姘存?', null, 'resourcehttps://wooyun-img.oss-cn-beijing.aliyuncs.com/upload/userheadicon/A6B5ACB7D14D4875A76BC310D59F2AB8.jpg', null, '1', '2015-03-25 09:04:29');
INSERT INTO `tb_user` VALUES ('40288a434c21f6e0014c221cbaff000b', '17770050676', '123456', '?跺?', null, 'resourcehttps://wooyun-img.oss-cn-beijing.aliyuncs.com/upload/userheadicon/68416A01E74A426DA207B27E52A98D27.jpg', null, '1', '2015-03-25 09:04:30');
INSERT INTO `tb_user` VALUES ('40288a434c222564014c222c3d650005', '18679827379', '111111', '??ご寮?, null, 'resourcehttps://wooyun-img.oss-cn-beijing.aliyuncs.com/upload/userheadicon/6EFDA59164994ACCAEB7D78DB0AE44AC.jpg', null, '1', '2015-03-25 09:04:30');
INSERT INTO `tb_user` VALUES ('40288a434c25a260014c267e72bb0003', '18970096713', '1', '189****6713', null, null, null, '1', '2015-03-25 09:04:31');
INSERT INTO `tb_user` VALUES ('40288a434c268fae014c269e7c820002', '18970096712', '123456', '189****6712', null, null, null, '1', '2015-03-25 09:04:31');
INSERT INTO `tb_user` VALUES ('40288a434c268fae014c26a9174b0007', '18970096715', '1', '189****6715', null, null, null, '1', '2015-03-25 09:04:32');
INSERT INTO `tb_user` VALUES ('40288a434c268fae014c26add9ad000a', '18970096716', '1', '189****6716', null, null, null, '1', '2015-03-25 09:04:32');
INSERT INTO `tb_user` VALUES ('40288a434c268fae014c26b0d7ca000c', '18970096718', '1', '189****6718', null, null, null, '1', '2015-03-25 09:04:33');
INSERT INTO `tb_user` VALUES ('40288a434c268fae014c26b25d80000e', '18970096719', '1', '189****6719', null, null, null, '1', '2015-03-25 09:04:33');
INSERT INTO `tb_user` VALUES ('40288a434c268fae014c26b58b090010', '18970096721', '1', '189****6721', null, null, null, '1', '2015-03-25 09:04:34');
INSERT INTO `tb_user` VALUES ('40288a434c268fae014c26c0c2120016', '18970096725', '1', '189****6725', null, null, null, '1', '2015-03-25 09:04:35');
INSERT INTO `tb_user` VALUES ('40288a434c268fae014c26c2cdc00018', '18970096729', '1', '189****6729', null, null, null, '1', '2015-03-25 09:04:35');
INSERT INTO `tb_user` VALUES ('40288a434c26d16e014c26db47400001', '13713197097', '07550755', '137****7097', null, null, null, '1', '2015-03-25 09:04:36');
INSERT INTO `tb_user` VALUES ('40288a434c27016d014c271df997000d', '18523091661', '13713197097', '185****1661', null, null, null, '1', '2015-03-25 09:04:38');
修复方案:
版权声明:转载请注明来源 路人甲@乌云
漏洞回应
厂商回应:
危害等级:高
漏洞Rank:13
确认时间:2015-10-30 15:10
厂商回复:
CNVD确认并复现所述情况,已经转由CNCERT向中国电信集团公司通报,由其后续协调网站管理部门处置.
最新状态:
暂无