
Vulnerability Summary (followers: 24)

Defect ID: wooyun-2015-092777

Title: From one vulnerability to compromising the China Unicom Enterprise Information Service Platform again (covering 32 provinces)

Vendor: China Unicom

Author: cuger

Submitted: 2015-01-20 11:59

Fix time: 2015-01-25 12:00

Disclosure time: 2015-01-25 12:00

Type: file upload leading to arbitrary code execution

Severity: High

Self-assessed Rank: 15

Status: handed to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; if you have questions or need help, please contact [email protected]



Vulnerability Details

Disclosure status:

2015-01-20: Details sent to the vendor; awaiting vendor handling
2015-01-25: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

From an ignored vulnerability to compromising the China Unicom Enterprise Information Service Platform again; in a file I found earlier I counted the abbreviations of 32 provinces.

Detailed description:

I say "again" because @s0mun5 had already compromised it once before:

http://wooyun.org/bugs/wooyun-2010-079668


The ignored vulnerability is this one in 良品铺子 (Bestore) (I have already contacted their technical staff via WeChat and had the password changed):

http://wooyun.org/bugs/wooyun-2010-081423


Although I guessed the Bestore admin backend password, my skills are too weak and I did not get a shell from the backend. That system was developed by 广州信景技术有限公司 (Guangzhou Xinjing Technology Co., Ltd.), which has many other successful cases; systems such as COFCO's womai.com and Gome also come from this company. But I digress; back to the topic.

Proof of vulnerability:

Although I did not get a shell from the backend, the backend has SMS and email sending interfaces, as shown below:

sms1.png


But here, neither F12 nor viewing the page source shows the password directly. In the end I captured the SMS interface password through a Burp proxy; I suppose this counts as a design flaw of the system: click the SMS interface, and once Burp intercepts the request, the response returns the plaintext password directly, as shown below:

sms2.jpg


With the SMS interface's username and password in hand, I hurried over to the interface's URL to try it, and logged in successfully:

sms3.png

All sent SMS messages can be viewed.
Sending myself an SMS as a test:

sms4.png


IMG_0095.PNG


The test SMS was sent successfully. Is sending SMS really all there is to it? That would be far too boring....
Material library – file library – upload file: no filtering at all (I thought they would have learned a lesson from last time, ╮(╯▽╰)╭). I uploaded a webshell directly, and the Burp proxy returned the shell path:

shell.jpg


Fire up 菜刀 (China Chopper):

chopper.png


At first I thought hb.ums86.com was only Hubei province's, but later I found it was far more than that:
tj, gx, zj, yn, ss, sh, sd, sc, nx, ln, jx, js, hi, gs, gd, fj, cq, bh, bj.... almost every province in the country is on this IP.
Here is some of the configuration:

<?xml version="1.0" encoding="utf-8"?>
<!-- the proxool configuration can be embedded within your own application's. Anything outside the "proxool" tag is ignored. -->
<something-else-entirely>
  <proxool>
    <alias>db_1</alias>
    <driver-url>jdbc:oracle:thin:@192.168.1.216:1521/dbtest</driver-url>
    <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
    <driver-properties>
      <property name="user" value="im_db1" />
      <property name="password" value="im_db1" />
    </driver-properties>
    <house-keeping-sleep-time>300000</house-keeping-sleep-time>
    <simultaneous-build-throttle>2</simultaneous-build-throttle>
    <prototype-count>2</prototype-count>
    <maximum-connection-count>5</maximum-connection-count>
    <maximum-active-time>3600000</maximum-active-time>
    <minimum-connection-count>2</minimum-connection-count>
    <trace>true</trace>
    <test-before-use>true</test-before-use>
    <test-after-use>true</test-after-use>
    <house-keeping-test-sql>SELECT SYSDATE FROM DUAL</house-keeping-test-sql>
  </proxool>
  <proxool>
    <alias>db_epma</alias>
    <driver-url>jdbc:oracle:thin:@192.168.1.213:1521/dbtest</driver-url>
    <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
    <driver-properties>
      <property name="user" value="epma" />
      <property name="password" value="epma01" />
    </driver-properties>
    <house-keeping-sleep-time>300000</house-keeping-sleep-time>
    <simultaneous-build-throttle>2</simultaneous-build-throttle>
    <prototype-count>2</prototype-count>
    <maximum-connection-count>5</maximum-connection-count>
    <maximum-active-time>3600000</maximum-active-time>
    <minimum-connection-count>2</minimum-connection-count>
    <trace>true</trace>
    <test-before-use>true</test-before-use>
    <test-after-use>true</test-after-use>
    <house-keeping-test-sql>SELECT SYSDATE FROM DUAL</house-keeping-test-sql>
  </proxool>
  <proxool>
    <alias>db_2</alias>
    <driver-url>jdbc:oracle:thin:@192.168.1.216:1521/dbtest</driver-url>
    <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
    <driver-properties>
      <property name="user" value="im_db2" />
      <property name="password" value="im_db2" />
    </driver-properties>
    <house-keeping-sleep-time>300000</house-keeping-sleep-time>
    <simultaneous-build-throttle>2</simultaneous-build-throttle>
    <prototype-count>2</prototype-count>
    <maximum-connection-count>5</maximum-connection-count>
    <maximum-active-time>3600000</maximum-active-time>
    <minimum-connection-count>2</minimum-connection-count>
    <trace>true</trace>
    <!-- whether to test validity before and after a connection is handed out; this is the key to solving this problem -->
    <test-before-use>true</test-before-use>
    <test-after-use>true</test-after-use>
    <house-keeping-test-sql>SELECT SYSDATE FROM DUAL</house-keeping-test-sql>
  </proxool>
  <proxool>
    <alias>db_zx</alias>
    <driver-url>jdbc:oracle:thin:@192.168.1.216:1521/dbtest</driver-url>
    <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
    <driver-properties>
      <property name="user" value="im_zx" />
      <property name="password" value="im_zx" />
    </driver-properties>
    <house-keeping-sleep-time>300000</house-keeping-sleep-time>
    <simultaneous-build-throttle>2</simultaneous-build-throttle>
    <prototype-count>2</prototype-count>
    <maximum-connection-count>5</maximum-connection-count>
    <maximum-active-time>3600000</maximum-active-time>
    <minimum-connection-count>2</minimum-connection-count>
    <trace>true</trace>
    <!-- whether to test validity before and after a connection is handed out; this is the key to solving this problem -->
    <test-before-use>true</test-before-use>
    <test-after-use>true</test-after-use>
    <house-keeping-test-sql>SELECT SYSDATE FROM DUAL</house-keeping-test-sql>
  </proxool>
  <proxool>
    <alias>db_js</alias>
    <driver-url>jdbc:oracle:thin:@192.168.1.216:1521/dbtest</driver-url>
    <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
    <driver-properties>
      <property name="user" value="im_js" />
      <property name="password" value="im_js" />
    </driver-properties>
    <house-keeping-sleep-time>300000</house-keeping-sleep-time>
    <simultaneous-build-throttle>2</simultaneous-build-throttle>
    <prototype-count>2</prototype-count>
    <maximum-connection-count>5</maximum-connection-count>
    <maximum-active-time>3600000</maximum-active-time>
    <minimum-connection-count>2</minimum-connection-count>
    <trace>true</trace>
    <!-- whether to test validity before and after a connection is handed out; this is the key to solving this problem -->
    <test-before-use>true</test-before-use>
    <test-after-use>true</test-after-use>
    <house-keeping-test-sql>SELECT SYSDATE FROM DUAL</house-keeping-test-sql>
  </proxool>
  <proxool>
    <alias>db_jx</alias>
    <driver-url>jdbc:oracle:thin:@192.168.1.216:1521/dbtest</driver-url>
    <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
    <driver-properties>
      <property name="user" value="im_jx" />
      <property name="password" value="im_jx" />
    </driver-properties>
    <house-keeping-sleep-time>300000</house-keeping-sleep-time>
    <simultaneous-build-throttle>2</simultaneous-build-throttle>
    <prototype-count>2</prototype-count>
    <maximum-connection-count>5</maximum-connection-count>
    <maximum-active-time>3600000</maximum-active-time>
    <minimum-connection-count>2</minimum-connection-count>
    <trace>true</trace>
    <!-- whether to test validity before and after a connection is handed out; this is the key to solving this problem -->
    <test-before-use>true</test-before-use>
    <test-after-use>true</test-after-use>
    <house-keeping-test-sql>SELECT SYSDATE FROM DUAL</house-keeping-test-sql>
  </proxool>
  <proxool>
    <alias>db_gd</alias>
    <driver-url>jdbc:oracle:thin:@192.168.1.216:1521/dbtest</driver-url>
    <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
    <driver-properties>
      <property name="user" value="im_gd" />
      <property name="password" value="im_gd" />
    </driver-properties>
    <house-keeping-sleep-time>300000</house-keeping-sleep-time>
    <simultaneous-build-throttle>2</simultaneous-build-throttle>
    <prototype-count>2</prototype-count>
    <maximum-connection-count>5</maximum-connection-count>
    <maximum-active-time>3600000</maximum-active-time>
    <minimum-connection-count>2</minimum-connection-count>
    <trace>true</trace>
    <!-- whether to test validity before and after a connection is handed out; this is the key to solving this problem -->
    <test-before-use>true</test-before-use>
    <test-after-use>true</test-after-use>
    <house-keeping-test-sql>SELECT SYSDATE FROM DUAL</house-keeping-test-sql>
  </proxool>
  <proxool>
    <alias>db_common</alias>
    <driver-url>jdbc:oracle:thin:@192.168.1.216:1521/dbtest</driver-url>
    <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
    <driver-properties>
      <property name="user" value="im_common" />
      <property name="password" value="im_common" />
    </driver-properties>
    <house-keeping-sleep-time>300000</house-keeping-sleep-time>
    <simultaneous-build-throttle>2</simultaneous-build-throttle>
    <prototype-count>2</prototype-count>
    <maximum-connection-count>5</maximum-connection-count>
    <maximum-active-time>3600000</maximum-active-time>
    <minimum-connection-count>2</minimum-connection-count>
    <trace>true</trace>
    <test-before-use>true</test-before-use>
    <test-after-use>true</test-after-use>
    <house-keeping-test-sql>SELECT SYSDATE FROM DUAL</house-keeping-test-sql>
  </proxool>
  <proxool>
    <alias>db_stat</alias>
    <driver-url>jdbc:oracle:thin:@192.168.1.216:1521/dbtest</driver-url>
    <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
    <driver-properties>
      <property name="user" value="im_gd" />
      <property name="password" value="im_gd" />
    </driver-properties>
    <house-keeping-sleep-time>300000</house-keeping-sleep-time>
    <simultaneous-build-throttle>2</simultaneous-build-throttle>
    <prototype-count>2</prototype-count>
    <maximum-connection-count>5</maximum-connection-count>
    <maximum-active-time>3600000</maximum-active-time>
    <minimum-connection-count>2</minimum-connection-count>
    <trace>true</trace>
    <test-before-use>true</test-before-use>
    <test-after-use>true</test-after-use>
    <house-keeping-test-sql>SELECT SYSDATE FROM DUAL</house-keeping-test-sql>
  </proxool>
  <proxool>
    <alias>db_nx</alias>
    <driver-url>jdbc:oracle:thin:@192.168.1.216:1521/dbtest</driver-url>
    <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
    <driver-properties>
      <property name="user" value="im_nx" />
      <property name="password" value="im_nx" />
    </driver-properties>
    <house-keeping-sleep-time>300000</house-keeping-sleep-time>
    <simultaneous-build-throttle>2</simultaneous-build-throttle>
    <prototype-count>2</prototype-count>
    <maximum-connection-count>5</maximum-connection-count>
    <maximum-active-time>3600000</maximum-active-time>
    <minimum-connection-count>2</minimum-connection-count>
    <trace>true</trace>
    <test-before-use>true</test-before-use>
    <test-after-use>true</test-after-use>
    <house-keeping-test-sql>SELECT SYSDATE FROM DUAL</house-keeping-test-sql>
  </proxool>
  <proxool>
    <alias>db_imessage</alias>
    <driver-url>jdbc:oracle:thin:@192.168.1.216:1521/dbtest</driver-url>
    <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
    <driver-properties>
      <property name="user" value="imessage" />
      <property name="password" value="imessage" />
    </driver-properties>
    <house-keeping-sleep-time>300000</house-keeping-sleep-time>
    <simultaneous-build-throttle>2</simultaneous-build-throttle>
    <prototype-count>2</prototype-count>
    <maximum-connection-count>5</maximum-connection-count>
    <maximum-active-time>3600000</maximum-active-time>
    <minimum-connection-count>2</minimum-connection-count>
    <trace>true</trace>
    <test-before-use>true</test-before-use>
    <test-after-use>true</test-after-use>
    <house-keeping-test-sql>SELECT SYSDATE FROM DUAL</house-keeping-test-sql>
  </proxool>
  <proxool>
    <alias>db_3</alias>
    <driver-url>jdbc:oracle:thin:@192.168.1.216:1521/dbtest</driver-url>
    <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
    <driver-properties>
      <property name="user" value="imessage" />
      <property name="password" value="imessage" />
    </driver-properties>
    <house-keeping-sleep-time>300000</house-keeping-sleep-time>
    <simultaneous-build-throttle>2</simultaneous-build-throttle>
    <prototype-count>2</prototype-count>
    <maximum-connection-count>5</maximum-connection-count>
    <maximum-active-time>3600000</maximum-active-time>
    <minimum-connection-count>2</minimum-connection-count>
    <trace>true</trace>
    <test-before-use>true</test-before-use>
    <test-after-use>true</test-after-use>
    <house-keeping-test-sql>SELECT SYSDATE FROM DUAL</house-keeping-test-sql>
  </proxool>
  <proxool>
    <alias>db_union_prov</alias>
    <driver-url>jdbc:oracle:thin:@192.168.2.223:1521/orcl</driver-url>
    <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
    <driver-properties>
      <property name="user" value="im_union_prov" />
      <property name="password" value="ton9y1pl" />
    </driver-properties>
    <house-keeping-sleep-time>300000</house-keeping-sleep-time>
    <simultaneous-build-throttle>100</simultaneous-build-throttle>
    <prototype-count>2</prototype-count>
    <maximum-connection-count>200</maximum-connection-count>
    <maximum-active-time>240000</maximum-active-time>
    <minimum-connection-count>2</minimum-connection-count>
    <trace>true</trace>
    <test-before-use>false</test-before-use>
    <test-after-use>false</test-after-use>
    <house-keeping-test-sql>SELECT SYSDATE FROM DUAL</house-keeping-test-sql>
  </proxool>
</something-else-entirely>


After connecting to the databases, the enterprise sending interfaces for the whole country were all in hand; they could have been assembled into an SMS-bombing fleet, and then there is nothing more to say....
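A defender-side check that the configuration dump above invites, added here as an example and not part of the original report: a small Python audit that parses a proxool file and flags the weaknesses visible in the dump (passwords identical to the user name, trace left on, one database user shared by several aliases). The configuration embedded in the script is constructed for the example, not the real one.

```python
# Added example (not from the original report): audit a proxool XML file for
# the credential weaknesses seen in the dump. SAMPLE_PROXOOL is constructed and
# mirrors the real pattern: password == user, trace on, one user shared twice.
import xml.etree.ElementTree as ET

SAMPLE_PROXOOL = """<something-else-entirely>
  <proxool>
    <alias>db_1</alias>
    <driver-properties>
      <property name="user" value="im_db1" /><property name="password" value="im_db1" />
    </driver-properties>
    <trace>true</trace>
  </proxool>
  <proxool>
    <alias>db_stat</alias>
    <driver-properties>
      <property name="user" value="im_gd" /><property name="password" value="Xk7#pq2v-Lm9z" />
    </driver-properties>
    <trace>false</trace>
  </proxool>
  <proxool>
    <alias>db_gd</alias>
    <driver-properties>
      <property name="user" value="im_gd" /><property name="password" value="Xk7#pq2v-Lm9z" />
    </driver-properties>
    <trace>false</trace>
  </proxool>
</something-else-entirely>"""

def audit_proxool(xml_text):
    """Return (alias, finding) pairs, one per weak setting found."""
    findings = []
    first_alias_for_user = {}
    for pool in ET.fromstring(xml_text).iter("proxool"):
        alias = pool.findtext("alias", "?")
        props = {p.get("name"): p.get("value", "") for p in pool.iter("property")}
        user, password = props.get("user", ""), props.get("password", "")
        if password:  # any literal password belongs in a vault, not in the XML
            findings.append((alias, "plaintext password in config"))
        if password and password.lower() == user.lower():
            findings.append((alias, "password equals user name"))
        if pool.findtext("trace", "false").strip() == "true":
            findings.append((alias, "trace=true logs every SQL statement"))
        if user in first_alias_for_user:
            findings.append((alias, "shares DB user with " + first_alias_for_user[user]))
        first_alias_for_user.setdefault(user, alias)
    return findings
```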

Fix recommendation:

Check the validity of uploaded files; don't just patch wherever someone points.
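One way to put that recommendation into practice, added here as an example that is not the vendor's code: a server-side validator for a material-library upload with a fixed extension allowlist, a magic-byte check, rejection of double extensions and null bytes, and a server-chosen storage name. The upload_dir path is an assumption, and the sample inputs in the test are constructed.

```python
# Added example (not the vendor's code): checks an upload handler should apply
# before storing a file. It refuses script extensions, double extensions, path
# separators and null bytes in the name, and content whose magic bytes disagree
# with the claimed image type; it never reuses the client-supplied file name.
import os
import secrets

# extension allowlist with the magic bytes each type must start with
ALLOWED = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "gif": b"GIF8"}
MAX_BYTES = 5 * 1024 * 1024

def validate_upload(filename, data):
    """Return (True, ext) if every check passes, else (False, reason)."""
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False, "path separator or null byte in file name"
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "expected exactly one extension"  # rejects a.jsp.png
    ext = parts[1]
    if ext not in ALLOWED:
        return False, "extension not allowed: " + ext
    if not data or len(data) > MAX_BYTES:
        return False, "empty or oversized body"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match " + ext
    return True, ext

def storage_name(ext):
    """Server-chosen random name, so the client cannot influence the path."""
    return secrets.token_hex(16) + "." + ext

def handle_upload(filename, data, upload_dir="/var/uploads"):
    """Return the path the file would be stored at, or None if rejected.
    upload_dir (an assumed path) is meant to lie outside the web root and be
    served as static content with script execution disabled."""
    ok, info = validate_upload(filename, data)
    if not ok:
        return None
    return os.path.join(upload_dir, storage_name(info))
```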

Copyright notice: when reposting, please credit the source cuger@WooYun


Vulnerability Response

Vendor response:

Severity: No impact, ignored by vendor

Ignored at: 2015-01-25 12:00

Vendor reply:

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2015-01-21 11:16 | wefgod ( Regular white hat | Rank:1807 Vulns:179 | Out of my depth)

  2. 2015-01-21 12:55 | cuger ( Regular white hat | Rank:200 Vulns:44 | This guy is lazy and left nothing behind)

    @wefgod Long time no see, Gan-ge

  3. 2015-01-22 17:04 | wefgod ( Regular white hat | Rank:1807 Vulns:179 | Out of my depth)

    @cuger You've got the wrong person

  4. 2015-01-22 18:21 | cuger ( Regular white hat | Rank:200 Vulns:44 | This guy is lazy and left nothing behind)

    @wefgod Hahahaha, no way~

  5. 2015-01-23 09:00 | wefgod ( Regular white hat | Rank:1807 Vulns:179 | Out of my depth)

    @cuger Yeah, I'm several people, haha

  6. 2015-01-25 18:37 | cuger ( Regular white hat | Rank:200 Vulns:44 | This guy is lazy and left nothing behind)

    Damn.... why was it ignored?

  7. 2015-01-27 15:30 | 菜鸟甲 ( Passerby | Rank:28 Vulns:14 | A newbie who can't do anything)

    Damn. Even this gets ignored.

  8. 2015-09-16 09:29 | Mark0smith ( Passerby | Rank:12 Vulns:6 | I'm more like a little squirrel)

    This is good, I'll take my time digesting it.