
Vulnerability summary

Defect ID: wooyun-2016-0167872

Title: Carrier security: China Telecom's 189 mail system can be getshelled (it holds multiple databases, leading to large-scale leakage of sensitive intranet information)

Vendor: 中国电信 (China Telecom)

Author: 李旭敏

Submitted: 2016-01-07 12:56

Fixed: 2016-02-22 16:48

Published: 2016-02-22 16:48

Vulnerability type: system/service patches not applied in time

Severity: High

Self-assessed Rank: 12

Status: handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-01-07: Details reported to the vendor; awaiting vendor handling
2016-01-11: Vendor confirmed; details disclosed to the vendor only
2016-01-21: Details disclosed to core white hats and domain experts
2016-01-31: Details disclosed to regular white hats
2016-02-10: Details disclosed to intern white hats

Brief description:

Can leak a large number of user names, contact details and addresses, plus a large amount of sensitive intranet information.

Details:

http://**.**.**.**:4180/login/login.do is vulnerable to Struts2 command execution.
The web root is /opt/hermes/billManager/resin_billmanager/webapps/bill/

[screenshot: 3.png]

[screenshot: 4.png]

It contains a large amount of user information.

[screenshot: 5.jpg]

There are too many databases to connect to each one individually. What is certain is that this is absolutely, absolutely not a test system!

Proof of vulnerability:

<!-- database reference names -->
<hermes>
<user>{IDEA}raC3qKC2</user>
<password>{IDEA}raC3qKC2</password>
<database>HERMES</database>
<server>ORADB</server>
<driver>oracle</driver>
</hermes>
<aimc-test-229>
<user>{IDEA}pKywsKg=</user>
<password>{IDEA}W1Gm6xJC3Fer</password>
<database>AIMC-TEST-229</database>
<server>AIMC-TEST-229</server>
<driver>oracle</driver>
</aimc-test-229>
<hermes-db-240>
<user>{IDEA}raC3qKC2</user>
<password>{IDEA}raC3qKC2</password>
<database>HERMES</database>
<server>HERMES</server>
<driver>oracle</driver>
</hermes-db-240>
<integ-db-240>
<user>{IDEA}jIuRgII=</user>
<password>{IDEA}jIuRgII=</password>
<database>INTEG</database>
<server>INTEG</server>
<driver>oracle</driver>
</integ-db-240>
<ms1-index-db>
<user>{IDEA}t6qqsQ==</user>
<password>{IDEA}9PT09PT0</password>
<database>test</database>
<server>**.**.**.**</server>
<driver>mysql</driver>


com.mysql.jdbc.Driver
jdbc:mysql**.**.**.**:3306/Bill189DB?user=root&password=bI11i89db

[screenshot: 1.png]

One table segment holds over a hundred million rows; MySQL queries on it simply hang, and the administrator has not created any indexes.

[screenshot: 2.png]


<project basedir="." default="mysql189bill" name="189bill">
<path id="mySqlDriver.classpath">
<pathelement location="../lib/mysql-connector-java-5.1.18-bin.jar"/>
</path>
<path id="oracleDriver.classpath">
<pathelement location="../lib/classes12.jar"/>
</path>
<target name="db_189bill" description="sql for 189bill">
<sql driver="oracle.jdbc.driver.OracleDriver"
url="jdbc:oracle:thin:ehome_bill/ehomebill090512@**.**.**.**:1521:prtdb"
userid="ehome_bill" password="ehomebill090512"
onerror="continue" print="yes"
src="oracle.sql"
classpathref="oracleDriver.classpath"
/>
</target>
<target description="Executes an SQL Script" name="mysql189bill">
<sql classpathref="mySqlDriver.classpath"
driver="com.mysql.jdbc.Driver"
src="${sqlfile}" print="yes"
url="jdbc:mysql://localhost:3306/Bill189DB?autoReconnect=true&amp;useUnicode=true&amp;characterEncoding=gbk"
userid="root"
password="123456"/>
</target>

<!-- ?????欢 -->
<property name="serv.user" value="hermes" />
<property name="serv.password-scp" value="!@#$&amp;*()@" />
<property name="serv.port" value="22" />
<property name="serv.knownhosts" value="/opt/hermes/.ssh/known_hosts" />
<!-- scp ?版??″?; -->
<target name="scp2server">


<forward_alias_domain>**.**.**.**</forward_alias_domain>
<ldap_url>ldap**.**.**.**:8889</ldap_url>
<ldap_authtype>simple</ldap_authtype>
<ldap_username>admin</ldap_username>


<V_NEW_USER_URL>http://**.**.**.**/webmail/activeUser.jsp?action=0#toUserID=%s#ip=%s</V_NEW_USER_URL>
<V_COMMEND_USER_URL>http://**.**.**.**/webmail/activeUser.jsp?action=1#toUserID=%s#recommendUserID=%s#ip=%s</V_COMMEND_USER_URL>
<MT_URL>**.**.**.**:8082/uwpp/request/mt.jsp?sp_code=21CN#cp_code=21CNEMAIL#cp_id=21cnemail#cp_pwd=myemail137#service_id=DXZCYJ#fee=%s#des=%s#src=2100#content=%s#fmt=GBK#msg_type=3#link_id=%s#region=%s</MT_URL>
<CORP_MT_URL>**.**.**.**:8082/uwpp/request/corp.jsp?cp_code=21CNEMAIL#cp_id=21cnemail#cp_pwd=myemail137#des=%s#content=%s#sp_code=21CN</CORP_MT_URL>


<server_ip> hermes_appdog_host</server_ip>
<server_port>110</server_port>
<server_conn_timeout>5</server_conn_timeout>
<server_transport_timeout>5</server_transport_timeout>
<test_account>hermesmon@1</test_account>
<test_account_pwd>hermesmon</test_account_pwd>
<smon_server_ip>**.**.**.**</smon_server_ip>
<smon_server_port>8000</smon_server_port>


<server_name>guid-svr1</server_name>
<sap_name>guid-svc-sock-sap</sap_name>
<test_account>hermesmon@**.**.**.**</test_account>
<test_account_pwd>hermesmon</test_account_pwd>
<client_group_name>guid</client_group_name>
<server_group_id>0</server_group_id>
<check_interval>2</check_interval>
</watch_object>
<watch_object id="2">
<name>UD</name>
<enable>yes</enable>
<!--modify by liyang-->
<server_name>ud-svr1</server_name>
<sap_name>ud-svc-sock-sap</sap_name>
<server_conn_timeout>5</server_conn_timeout>
<server_transport_timeout>5</server_transport_timeout>
<test_account>hermesmon@1</test_account>
<test_account_pwd>hermesmon</test_account_pwd>
<client_group_name>lmtp</client_group_name>
<server_group_id>1</server_group_id>
<check_interval>2</check_interval>
<restart_retry_times>3</restart_retry_times>
</watch_object>
<watch_object id="3">
<name>ms</name>
<enable>yes</enable>
<!--modify by liyang-->
<server_name>ms-svr1</server_name>
<sap_name>ms-svc-sock-sap</sap_name>
<test_account>zas@testmail.**.**.**.**</test_account>
<test_account_pwd>111111</test_account_pwd>
<client_group_name>lmtp</client_group_name>
<server_group_id>1</server_group_id>
<check_interval>2</check_interval>
<restart_retry_times>3</restart_retry_times>
</watch_object>
<watch_object id="4">
<name>session</name>
<enable>yes</enable>
<!--modify by liyang-->
<server_name>session-svr1</server_name>
<sap_name>session-svc-sock-sap</sap_name>
<server_conn_timeout>5</server_conn_timeout>
<server_transport_timeout>5</server_transport_timeout>
<test_account>hermesmon@1</test_account>
<test_account_pwd>hermesmon</test_account_pwd>
<client_group_name>session</client_group_name>
<server_group_id>1</server_group_id>
<check_interval>2</check_interval>
</watch_object>
<watch_object id="5">
<name>pop3</name>
<enable>yes</enable>
<!--modify by liyang-->
<server_name>pop3-svr1</server_name>
<sap_name>pop3-svc-sock-sap</sap_name>
<server_conn_timeout>5</server_conn_timeout>
<server_transport_timeout>5</server_transport_timeout>
<test_account>hermesmon@1</test_account>
<test_account_pwd>hermesmon</test_account_pwd>
<client_group_name>lmtp</client_group_name>
<server_group_id>1</server_group_id>
<check_interval>2</check_interval>
</watch_object>
<watch_object id="6">
<name>lmtp</name>
<enable>yes</enable>
<!--modify by liyang-->
<server_name>lmtp-svr1</server_name>
<sap_name>lmtp-svc-sock-sap</sap_name>
<server_conn_timeout>5</server_conn_timeout>
<server_transport_timeout>5</server_transport_timeout>
<test_account>hermesmon@1</test_account>
<test_account_pwd>hermesmon</test_account_pwd>
<client_group_name>lmtp</client_group_name>
<server_group_id>1</server_group_id>
<check_interval>2</check_interval>
</watch_object>
<watch_object id="7">
<name>imap</name>
<enable>yes</enable>
<!--modify by liyang-->
<server_name>imap-svr1</server_name>
<sap_name>imap-svc-sock-sap</sap_name>
<server_conn_timeout>5</server_conn_timeout>
<server_transport_timeout>5</server_transport_timeout>
<test_account>hermesmon@1</test_account>
<test_account_pwd>hermesmon</test_account_pwd>
<client_group_name>lmtp</client_group_name>
<server_group_id>1</server_group_id>
<check_interval>2</check_interval>
</watch_object>
<watch_object id="8">
<name>eop</name>
<enable>yes</enable>
<!--modify by liyang-->
<server_name>eop-svr1</server_name>
<sap_name>eop-svc-sock-sap</sap_name>
<server_conn_timeout>5</server_conn_timeout>
<server_transport_timeout>5</server_transport_timeout>
<test_account>zas@1</test_account>
<test_account_pwd>111111</test_account_pwd>
<client_group_name>eop</client_group_name>
<server_group_id>1</server_group_id>
<check_interval>2</check_interval>
</watch_object>
</app_client_conf>
<ip_allow_list>
<ip1>**.**.**.**</ip1>
<ip2>**.**.**.**</ip2>
<ip2>**.**.**.**</ip2>


<user>{IDEA}raC3qKC2</user>
<password>{IDEA}raC3qKC2</password>
<database>189TEST</database>
<server>189TEST</server>
<driver>oracle</driver>
<charset>AMERICAN_AMERICA.WE8ISO8859P1</charset>
</hermes>
<aimc>
<user>{IDEA}qay8pKui</user>
<password>{IDEA}e2CSP5MYy+Kropr09/bx</password>
<database>AIMC-LIYANG</database>
<server>AIMC-LIYANG</server>
<driver>oracle</driver>
<charset>AMERICAN_AMERICA.US7ASCII</charset>
</aimc>
<hermes_test>
<user>{IDEA}QJmV9bejPbU=</user>
<password>{IDEA}QJmV9bejPbU=</password>
<database>mailads</database>
<server>MAILADS</server>
<driver>oracle</driver>
</hermes_test>
<ms-index-db>
<user>{IDEA}raC3qKC2</user>
<password>{IDEA}UjWzQr6BCwu8jQ==</password>
<database>hermes</database>
<server>ms_index_host</server>
<driver>mysql</driver>
</ms-index-db>
<pub-temp-db>
<user>{IDEA}t6qqsQ==</user>
<password>{IDEA}9Pf28fDz</password>
<database>public</database>
<server>localhost</server>
<driver>mysql</driver>
</pub-temp-db>
<public-db>
<user>{IDEA}t6qjqrexrw==</user>
<password>{IDEA}t6qjqrexrw==</password>
<database>DB3</database>
<server>PUBLIC_DB</server>
<driver>oracle</driver>

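As an added defender-side example (not part of the original report), the following Python script scans configuration text for the kinds of embedded credentials the dumps above show: Ant build.xml `<sql>` tasks with `password=` attributes, JDBC URLs carrying `password=` in the query string or `user/pass@` in an Oracle thin URL, `<password>` elements in connection blocks, and `<property>` values whose name contains "password". The sample input and every value in it are constructed placeholders; a `{IDEA}` prefix is treated as the report's reversible-encryption marker and is still flagged, since the application has to decrypt it to connect.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the report's fragments (Ant <sql> task, JDBC
# URL with inline credentials, XML connection block, scp password property).
SAMPLE_CONFIG = """
<sql driver="oracle.jdbc.driver.OracleDriver"
     url="jdbc:oracle:thin:app_user/Secret123@db.example.internal:1521:prtdb"
     userid="app_user" password="Secret123" />
jdbc:mysql://db.example.internal:3306/BillDB?user=root&password=Secret456
<hermes>
<user>{IDEA}AAAAexample==</user>
<password>{IDEA}AAAAexample==</password>
</hermes>
<property name="serv.password-scp" value="PlaceholderPw!" />
"""

# Each pattern's last capture group is the secret value.
PATTERNS = {
    # password="..." attributes, as in Ant <sql userid=... password=...>
    "xml_attr_password": re.compile(r'\bpassword\s*=\s*["\']([^"\']+)["\']', re.I),
    # <password>...</password> elements in connection blocks
    "xml_elem_password": re.compile(r"<password>([^<]+)</password>", re.I),
    # JDBC URLs carrying password= in the query string
    "jdbc_query_password": re.compile(r"jdbc:[^\s\"']*[?&]password=([^&\s\"']+)", re.I),
    # Oracle thin URLs of the form jdbc:oracle:thin:user/pass@host:port:sid
    "oracle_thin_inline": re.compile(r"jdbc:oracle:thin:([^/\s\"']+)/([^@\s\"']+)@", re.I),
    # <property name="...password..."> values (also passwd/secret)
    "property_secret_name": re.compile(
        r'<property\s+name="[^"]*(?:password|passwd|secret)[^"]*"\s+value="([^"]+)"', re.I),
}


def find_secrets(text: str) -> List[Dict[str, object]]:
    """One finding per embedded credential. A {IDEA}-prefixed value is
    reversibly encrypted (the app must decrypt it to connect), so it is
    still reported, just not counted as plaintext."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(m.lastindex)
                findings.append({"line": lineno, "kind": kind, "value": value,
                                 "plaintext": not value.startswith("{IDEA}")})
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count all findings and those stored in plaintext."""
    return {"total": len(findings),
            "plaintext": sum(1 for f in findings if f["plaintext"])}
```

Run it against a checked-out build tree or deployed webapps directory to find the same class of secrets before an attacker with file read does; anything it reports belongs in a secrets store, not in a world-readable config.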

Remediation:

[screenshot: 6.png]

[screenshot: 8.png]

Are you using this as a social-engineering database?

Copyright notice: when reposting, please credit the source: 李旭敏@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2016-01-11 15:42

Vendor reply:

CNVD has confirmed the reported situation and forwarded it via CNCERT to 中国电信集团公司 (China Telecom Group), which will coordinate handling with the site's management department.

Latest status:

None yet

Vulnerability comments:

Comments

  1. 2016-01-07 13:08 | whynot ( regular white hat | Rank:553 vulns:100 | I'd thaw the glacier for you; why not give up the world for you)

    Marking my spot up front. Hoping an expert can show me the Struts2 getshell technique.

  2. 2016-01-07 14:00 | 小红猪 ( regular white hat | Rank:285 vulns:49 | little red pig!)

    Holy crap!

  3. 2016-01-07 14:44 | 牛 小 帅 ( regular white hat | Rank:1071 vulns:248 | 1. the most handsome man on WooYun ...)

    @李旭敏 please show me how you getshelled those two admin backends

  4. 2016-01-07 17:04 | 蓝天 ( regular white hat | Rank:414 vulns:101 | a fat guy scavenging junk on the internet)

    Awesome 666666666666, Sister Li, I want to have your babies

  5. 2016-01-07 18:44 | Can ( intern white hat | Rank:73 vulns:22 | Heaven and earth are not benevolent; they treat all things as straw dogs)

    .........why am I still a passer-by at 40 rank

  6. 2016-01-07 21:49 | 坏男孩-A_A ( passer-by | Rank:28 vulns:12 | worshipping and learning)

    Awesome