当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0167036

漏洞标题:华夏基金某站命令执行可Getshell涉及多台内网主机/敏感信息泄露

相关厂商:华夏基金

漏洞作者: k0_pwn

提交时间:2016-01-03 19:40

修复时间:2016-02-12 18:49

公开时间:2016-02-12 18:49

漏洞类型:命令执行

危害等级:高

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-01-03: 细节已通知厂商并且等待厂商处理中
2016-01-03: 厂商已经确认,细节仅向厂商公开
2016-01-13: 细节向核心白帽子及相关领域专家公开
2016-01-23: 细节向普通白帽子公开
2016-02-02: 细节向实习白帽子公开
2016-02-12: 细节向公众公开

简要描述:

rt,听说有小礼物:)

详细说明:

虽然81端口无法访问内容了,但weblogic中间件还在,导致weblogic的java反序列化仍然存在
地址

http://218.247.188.69:81


查看ipconfig

屏幕快照 2016-01-03 下午3.03.22.png


涉及多台内网主机,看名字,有app的,有服务器,有ftp的

屏幕快照 2016-01-03 下午3.09.39.png


可以上传文件,添加用户,3389已开,添加了一个test用户(已删除)

屏幕快照 2016-01-03 下午3.32.35.png


屏幕快照 2016-01-03 下午4.17.14.png


3389已开

屏幕快照 2016-01-03 下午5.45.25.png


各种敏感文件任意读取,这里用config.xml举例,其中涉及到和内网的数据库连接,地址192.168.2.202 1521端口

<?xml version="1.0" encoding="UTF-8"?>
<Domain AdministrationPortEnabled="true" ConfigurationVersion="8.1.6.0" Name="chinaamcdomain">
    <Server ListenAddress="" ListenPort="8001" Name="myserver"
        NativeIOEnabled="true" ReliableDeliveryPolicy="RMDefaultPolicy" ServerVersion="8.1.6.0">
        <SSL Enabled="false" HostnameVerificationIgnored="false"
            IdentityAndTrustLocations="KeyStores" Name="myserver"/>
        <Log FileName=".\logs\myserver.log" Name="myserver" NumberOfFilesLimited="true"/>
        <WebServer LogFileLimitEnabled="true"
            LogFileName=".\logs\access.log" Name="myserver"/>
        <ExecuteQueue Name="NewQueue" ThreadCount="40"/>
        <ExecuteQueue Name="weblogic.kernel.Default" ThreadCount="70"/>
    </Server>
    <JMSFileStore Directory="rmfilestore" Name="FileStore"/>
    <WSReliableDeliveryPolicy DefaultRetryCount="10"
        DefaultTimeToLive="60000" Name="RMDefaultPolicy" Store="FileStore"/>
    <Security Name="chinaamcdomain"
        PasswordPolicy="wl_default_password_policy"
        Realm="wl_default_realm" RealmSetup="true"/>
    <EmbeddedLDAP
        CredentialEncrypted="{3DES}s6Z983eQ3F/tXrf7XLkC6NTfwiVesL8YlAT01mOHudA=" Name="chinaamcdomain"/>
    <SecurityConfiguration
        CredentialEncrypted="{3DES}THOnOB8v5r+PbRU6JH6shyoEaOFhknNcWyJApcf+EyjsdsKQDIAelwxWtfwk26HzfulR4Ten+xiGTUiFCZ/kvapRo0jVRSe4"
        Name="chinaamcdomain" RealmBootStrapVersion="1"/>
    <Realm FileRealm="wl_default_file_realm" Name="wl_default_realm"/>
    <FileRealm Name="wl_default_file_realm"/>
    <PasswordPolicy Name="wl_default_password_policy"/>
    <JMSServer Name="WSStoreForwardInternalJMSServermyserver"
        Store="FileStore" Targets="myserver">
        <JMSQueue CreationTime="1212056018062"
            JNDIName="jms.internal.queue.WSStoreForwardQueue"
            JNDINameReplicated="false" Name="WSInternaljms.internal.queue.WSStoreForwardQueuemyserver"/>
        <JMSQueue CreationTime="1212056018281"
            JNDIName="jms.internal.queue.WSDupsEliminationHistoryQueue"
            JNDINameReplicated="false" Name="WSInternaljms.internal.queue.WSDupsEliminationHistoryQueuemyserver"/>
    </JMSServer>
    <Application Name="portal"
        Path="D:\bea813\chinaamcdomain\applications"
        StagingMode="nostage" TwoPhase="true">
        <WebAppComponent Name="portal" Targets="myserver" URI="portal.war"/>
    </Application>
    <Log FileName=".\logs\chinaamcdomain.log" Name="chinaamcdomain" NumberOfFilesLimited="true"/>
    <JDBCConnectionPool ConnProfilingEnabled="true"
        DriverName="oracle.jdbc.OracleDriver" Name="chatodspool"
        PasswordEncrypted="{3DES}QihGOCtObwI="
        Properties="user=weblinkods"
        RemoveInfectedConnectionsEnabled="false" Targets="myserver"
        TestConnectionsOnRelease="true" TestConnectionsOnReserve="true"
        TestTableName="SQL SELECT 1 FROM DUAL" URL="jdbc:oracle:thin:@(DESCRIPTION =(LOAD_BALANCE = yes)(ADDRESS = (PROTOCOL = TCP)(HOST = 180.1.2.198)(PORT = 1521))(ADDRESS = (PROTOCOL = TCP)(HOST = 180.1.2.199)(PORT = 1521))(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = RAC)(FAILOVER_MODE =(TYPE = SELECT)(METHOD = BASIC)(RETRIES = 180)(DELAY = 5))))"/>
    <JDBCTxDataSource JNDIName="jdbc/chatods" Name="chatodsDS"
        PoolName="chatodspool" Targets="myserver"/>
    <JDBCConnectionPool ConnProfilingEnabled="true"
        ConnectionReserveTimeoutSeconds="60"
        DriverName="oracle.jdbc.OracleDriver" InitialCapacity="5"
        Name="dev/sa" PasswordEncrypted="{3DES}pzzwAKAfT4K4SrbQebRpFg=="
        Properties="user=dev" RemoveInfectedConnectionsEnabled="false"
        Targets="myserver" TestConnectionsOnCreate="true"
        TestConnectionsOnRelease="true" TestConnectionsOnReserve="true"
        TestFrequencySeconds="60" TestTableName="SQL SELECT 1 FROM DUAL"
        URL="jdbc:oracle:thin:@192.168.1.202:1521:astprd" XAPasswordEncrypted=""/>
    <JDBCConnectionPool ConnProfilingEnabled="true"
        ConnectionReserveTimeoutSeconds="60"
        DriverName="oracle.jdbc.OracleDriver" InitialCapacity="5"
        Name="hxuser/sa"
        PasswordEncrypted="{3DES}ZTpWRQY77RFZG11lETScvw=="
        Properties="user=chinaamc"
        RemoveInfectedConnectionsEnabled="false" Targets="myserver"
        TestConnectionsOnCreate="true" TestConnectionsOnRelease="true"
        TestConnectionsOnReserve="true" TestFrequencySeconds="60"
        TestTableName="SQL SELECT 1 FROM DUAL"
        URL="jdbc:oracle:thin:@(DESCRIPTION=(FAILOVER = on)(LOAD_BALANCE = off)(ADDRESS=(PROTOCOL = TCP)(HOST = webdb1_vip)(PORT = 1521)) (ADDRESS=(PROTOCOL = TCP)(HOST = webdb2_vip)(PORT = 1521))(CONNECT_DATA=(SERVER = DEDICATED)(SERVICE_NAME = webdb_TAF)))" XAPasswordEncrypted=""/>
    <JDBCTxDataSource JNDIName="hxuser/sa" Name="hxuser/sa"
        PoolName="hxuser/sa" Targets="myserver"/>
    <JDBCTxDataSource JNDIName="dev/sa" Name="dev/sa" PoolName="dev/sa" Targets="myserver"/>
    <Application Name="hxjj"
        Path="D:\bea813\chinaamcdomain\applications"
        StagingMode="nostage" TwoPhase="true">
        <WebAppComponent Name="hxjj" Targets="myserver" URI="hxjj"/>
    </Application>
    <Application Name="etrading"
        Path="D:\bea813\chinaamcdomain\applications"
        StagingMode="nostage" TwoPhase="true">
        <WebAppComponent Name="etrading" Targets="myserver" URI="etrading"/>
    </Application>
    <Application Name="product"
        Path="D:\bea813\chinaamcdomain\applications"
        StagingMode="nostage" TwoPhase="true">
        <WebAppComponent Name="product" Targets="myserver" URI="product"/>
    </Application>
</Domain>


这里我们可以获得serializedsystemini.dat,通过java解密3des加密,这种加密相对老一些,比aes要弱一些

屏幕快照 2016-01-03 下午5.51.57.png


漏洞证明:

屏幕快照 2016-01-03 下午3.03.22.png


屏幕快照 2016-01-03 下午3.09.39.png


屏幕快照 2016-01-03 下午3.32.35.png


屏幕快照 2016-01-03 下午4.17.14.png


屏幕快照 2016-01-03 下午5.45.25.png


<?xml version="1.0" encoding="UTF-8"?>
<Domain AdministrationPortEnabled="true" ConfigurationVersion="8.1.6.0" Name="chinaamcdomain">
    <Server ListenAddress="" ListenPort="8001" Name="myserver"
        NativeIOEnabled="true" ReliableDeliveryPolicy="RMDefaultPolicy" ServerVersion="8.1.6.0">
        <SSL Enabled="false" HostnameVerificationIgnored="false"
            IdentityAndTrustLocations="KeyStores" Name="myserver"/>
        <Log FileName=".\logs\myserver.log" Name="myserver" NumberOfFilesLimited="true"/>
        <WebServer LogFileLimitEnabled="true"
            LogFileName=".\logs\access.log" Name="myserver"/>
        <ExecuteQueue Name="NewQueue" ThreadCount="40"/>
        <ExecuteQueue Name="weblogic.kernel.Default" ThreadCount="70"/>
    </Server>
    <JMSFileStore Directory="rmfilestore" Name="FileStore"/>
    <WSReliableDeliveryPolicy DefaultRetryCount="10"
        DefaultTimeToLive="60000" Name="RMDefaultPolicy" Store="FileStore"/>
    <Security Name="chinaamcdomain"
        PasswordPolicy="wl_default_password_policy"
        Realm="wl_default_realm" RealmSetup="true"/>
    <EmbeddedLDAP
        CredentialEncrypted="{3DES}s6Z983eQ3F/tXrf7XLkC6NTfwiVesL8YlAT01mOHudA=" Name="chinaamcdomain"/>
    <SecurityConfiguration
        CredentialEncrypted="{3DES}THOnOB8v5r+PbRU6JH6shyoEaOFhknNcWyJApcf+EyjsdsKQDIAelwxWtfwk26HzfulR4Ten+xiGTUiFCZ/kvapRo0jVRSe4"
        Name="chinaamcdomain" RealmBootStrapVersion="1"/>
    <Realm FileRealm="wl_default_file_realm" Name="wl_default_realm"/>
    <FileRealm Name="wl_default_file_realm"/>
    <PasswordPolicy Name="wl_default_password_policy"/>
    <JMSServer Name="WSStoreForwardInternalJMSServermyserver"
        Store="FileStore" Targets="myserver">
        <JMSQueue CreationTime="1212056018062"
            JNDIName="jms.internal.queue.WSStoreForwardQueue"
            JNDINameReplicated="false" Name="WSInternaljms.internal.queue.WSStoreForwardQueuemyserver"/>
        <JMSQueue CreationTime="1212056018281"
            JNDIName="jms.internal.queue.WSDupsEliminationHistoryQueue"
            JNDINameReplicated="false" Name="WSInternaljms.internal.queue.WSDupsEliminationHistoryQueuemyserver"/>
    </JMSServer>
    <Application Name="portal"
        Path="D:\bea813\chinaamcdomain\applications"
        StagingMode="nostage" TwoPhase="true">
        <WebAppComponent Name="portal" Targets="myserver" URI="portal.war"/>
    </Application>
    <Log FileName=".\logs\chinaamcdomain.log" Name="chinaamcdomain" NumberOfFilesLimited="true"/>
    <JDBCConnectionPool ConnProfilingEnabled="true"
        DriverName="oracle.jdbc.OracleDriver" Name="chatodspool"
        PasswordEncrypted="{3DES}QihGOCtObwI="
        Properties="user=weblinkods"
        RemoveInfectedConnectionsEnabled="false" Targets="myserver"
        TestConnectionsOnRelease="true" TestConnectionsOnReserve="true"
        TestTableName="SQL SELECT 1 FROM DUAL" URL="jdbc:oracle:thin:@(DESCRIPTION =(LOAD_BALANCE = yes)(ADDRESS = (PROTOCOL = TCP)(HOST = 180.1.2.198)(PORT = 1521))(ADDRESS = (PROTOCOL = TCP)(HOST = 180.1.2.199)(PORT = 1521))(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = RAC)(FAILOVER_MODE =(TYPE = SELECT)(METHOD = BASIC)(RETRIES = 180)(DELAY = 5))))"/>
    <JDBCTxDataSource JNDIName="jdbc/chatods" Name="chatodsDS"
        PoolName="chatodspool" Targets="myserver"/>
    <JDBCConnectionPool ConnProfilingEnabled="true"
        ConnectionReserveTimeoutSeconds="60"
        DriverName="oracle.jdbc.OracleDriver" InitialCapacity="5"
        Name="dev/sa" PasswordEncrypted="{3DES}pzzwAKAfT4K4SrbQebRpFg=="
        Properties="user=dev" RemoveInfectedConnectionsEnabled="false"
        Targets="myserver" TestConnectionsOnCreate="true"
        TestConnectionsOnRelease="true" TestConnectionsOnReserve="true"
        TestFrequencySeconds="60" TestTableName="SQL SELECT 1 FROM DUAL"
        URL="jdbc:oracle:thin:@192.168.1.202:1521:astprd" XAPasswordEncrypted=""/>
    <JDBCConnectionPool ConnProfilingEnabled="true"
        ConnectionReserveTimeoutSeconds="60"
        DriverName="oracle.jdbc.OracleDriver" InitialCapacity="5"
        Name="hxuser/sa"
        PasswordEncrypted="{3DES}ZTpWRQY77RFZG11lETScvw=="
        Properties="user=chinaamc"
        RemoveInfectedConnectionsEnabled="false" Targets="myserver"
        TestConnectionsOnCreate="true" TestConnectionsOnRelease="true"
        TestConnectionsOnReserve="true" TestFrequencySeconds="60"
        TestTableName="SQL SELECT 1 FROM DUAL"
        URL="jdbc:oracle:thin:@(DESCRIPTION=(FAILOVER = on)(LOAD_BALANCE = off)(ADDRESS=(PROTOCOL = TCP)(HOST = webdb1_vip)(PORT = 1521)) (ADDRESS=(PROTOCOL = TCP)(HOST = webdb2_vip)(PORT = 1521))(CONNECT_DATA=(SERVER = DEDICATED)(SERVICE_NAME = webdb_TAF)))" XAPasswordEncrypted=""/>
    <JDBCTxDataSource JNDIName="hxuser/sa" Name="hxuser/sa"
        PoolName="hxuser/sa" Targets="myserver"/>
    <JDBCTxDataSource JNDIName="dev/sa" Name="dev/sa" PoolName="dev/sa" Targets="myserver"/>
    <Application Name="hxjj"
        Path="D:\bea813\chinaamcdomain\applications"
        StagingMode="nostage" TwoPhase="true">
        <WebAppComponent Name="hxjj" Targets="myserver" URI="hxjj"/>
    </Application>
    <Application Name="etrading"
        Path="D:\bea813\chinaamcdomain\applications"
        StagingMode="nostage" TwoPhase="true">
        <WebAppComponent Name="etrading" Targets="myserver" URI="etrading"/>
    </Application>
    <Application Name="product"
        Path="D:\bea813\chinaamcdomain\applications"
        StagingMode="nostage" TwoPhase="true">
        <WebAppComponent Name="product" Targets="myserver" URI="product"/>
    </Application>
</Domain>


屏幕快照 2016-01-03 下午5.51.57.png

修复方案:

升级weblogic或彻底关闭访问权限,加固

版权声明:转载请注明来源 k0_pwn@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-01-03 20:38

厂商回复:

非常感谢您对我们网站安全的大力支持。

最新状态:

暂无

漏洞评价:

评价

  1. 2016-01-03 20:33 | 少宇 ( 路人 | Rank:14 漏洞数:7 | 多看书,多实践,多泡妹子!!)

    扣屎表哥好厉害,兔子快来约!——i春秋扣屎表哥好厉害,兔子快来约!——i春秋扣屎表哥好厉害,兔子快来约!——i春秋扣屎表哥好厉害,兔子快来约!——i春秋扣屎表哥好厉害,兔子快来约!——i春秋扣屎表哥好厉害,兔子快来约!——i春秋

  2. 2016-01-03 20:36 | 龍 、 ( 普通白帽子 | Rank:432 漏洞数:148 | 你若安好 我就是晴天)

    扣屎表哥好厉害,兔子快来约!

  3. 2016-01-03 20:46 | k0_pwn ( 实习白帽子 | Rank:95 漏洞数:12 | 专注且自由)

    确认的好快。。

  4. 2016-01-03 20:51 | 八戒 ( 路人 | Rank:17 漏洞数:3 | ~~鬼畜之王~~)

    扣屎表哥好厉害,兔子快来约!

  5. 2016-01-03 21:22 | 爱与诚一号 ( 路人 | Rank:2 漏洞数:2 )

    结果礼物呢,??礼物呢,????其实我就想知道礼物呢,?????礼物呢、????????????