当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0169339

漏洞标题:江苏有线支付平台(泄露大量内部信息/ROOT权限涉及多个库/涉及大量密钥银行接口以及服务配置)

相关厂商:江苏有线

漏洞作者: 路人甲

提交时间:2016-01-12 14:00

修复时间:2016-02-22 16:48

公开时间:2016-02-22 16:48

漏洞类型:命令执行

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-01-12: 细节已通知厂商并且等待厂商处理中
2016-01-12: 厂商已经确认,细节仅向厂商公开
2016-01-22: 细节向核心白帽子及相关领域专家公开
2016-02-01: 细节向普通白帽子公开
2016-02-11: 细节向实习白帽子公开
2016-02-22: 细节向公众公开

简要描述:

详细说明:

http://122.96.58.36/merchant 存在命令执行,写shell,看了下配置,大量的内部配置以及民生银行接口,顺手探测了下内网。

漏洞证明:

1111.png

xinxi1.png

xinxi2.png

xinxi3.png

xinxi4.png

xinxi5.png

xinxi6.png

xinxi7.png

xinxi8.png

xinxi9.png

cspay.jdbc.driver=oracle.jdbc.driver.OracleDriver
cspay.jdbc.url = jdbc:oracle:thin:@172.31.184.15:1521:pay1
cspay.jdbc.username = cspay
cspay.jdbc.password = cspay
#jdbc settings
#system.jdbc.driver = oracle.jdbc.driver.OracleDriver
#system.jdbc.url = jdbc:oracle:thin:@10.95.136.243:1521:pay5
#system.jdbc.username = manager
#system.jdbc.password = ma123
#dbcp settings
#system.dbcp.initialSize=1
#system.dbcp.maxIdle=5
#system.dbcp.maxActive=40
#jdbc settings
#report.jdbc.driver = oracle.jdbc.driver.OracleDriver
#report.jdbc.url = jdbc:oracle:thin:@10.95.136.243:1521:pay5
#report.jdbc.username = combine
#report.jdbc.password = zaq12wsx
#dbcp settings
#report.dbcp.initialSize=1
#report.dbcp.maxIdle=2
#report.dbcp.maxActive=2
#jdbc settings
system.jdbc.driver = oracle.jdbc.driver.OracleDriver
system.jdbc.url = jdbc:oracle:thin:@172.31.184.15:1521:pay1
system.jdbc.username = manager
system.jdbc.password = ma123
#dbcp settings
system.dbcp.initialSize=1
system.dbcp.maxIdle=5
system.dbcp.maxActive=40
#jdbc settings
report.jdbc.driver = oracle.jdbc.driver.OracleDriver
report.jdbc.url = jdbc:oracle:thin:@172.31.184.15:1521:pay1
report.jdbc.username = combine
report.jdbc.password = zaq12wsx
<?xml version="1.0" encoding="UTF-8"?>
<ftp>
	<ftpurl>172.31.184.75</ftpurl>
	<ftppath>logs</ftppath>
	<user>ftptest</user>
	<pwd>ftptest</pwd>
	<filename>test1</filename>
	<localpath>/weblogic/user_projects/domains/tvpay/logs</localpath>
	<onoff>off</onoff>
</ftp>
#民生银行
cmbc.web.SellerEmail=277478578@qq.com  
cmbc.web.MerchantCode=1002201401142561
cmbc.web.payUrl=https://epay.cmbc.com.cn/ipad/service.html
cmbc.web.certFile=epay.sm2
cmbc.web.certPwd=cmbc_epay1234

http://122.96.58.36/hdcspay/1.jspx 9635789

172.31.184.1:80 >>> Open
172.31.184.1:443 >>> Open
172.31.184.11:3306 >>> Open
172.31.184.11:8080 >>> Open
172.31.184.14:3306 >>> Open
172.31.184.15:80 >>> Open
172.31.184.15:1521 >>> Open
172.31.184.15:3306 >>> Open
172.31.184.16:135 >>> Open
172.31.184.16:3389 >>> Open
172.31.184.65:80 >>> Open
172.31.184.65:443 >>> Open
172.31.184.72:21 >>> Open
172.31.184.72:80 >>> Open
172.31.184.74:80 >>> Open
172.31.184.75:21 >>> Open
172.31.184.75:80 >>> Open
172.31.184.75:8080 >>> Open
172.31.184.76:80 >>> Open
172.31.184.77:80 >>> Open
172.31.184.78:80 >>> Open
172.31.184.71:80 >>> Open
172.31.184.73:80 >>> Open
172.31.184.141:80 >>> Open
172.31.184.141:3306 >>> Open
172.31.184.142:80 >>> Open
172.31.184.144:80 >>> Open
172.31.184.148:80 >>> Open
172.31.184.148:443 >>> Open
172.31.184.149:443 >>> Open
172.31.184.149:80 >>> Open
172.31.184.150:80 >>> Open
172.31.184.150:443 >>> Open
172.31.184.151:80 >>> Open
172.31.184.151:443 >>> Open
172.31.184.152:80 >>> Open
172.31.184.152:443 >>> Open
172.31.184.153:80 >>> Open
172.31.184.153:443 >>> Open
172.31.184.155:80 >>> Open
172.31.184.155:443 >>> Open
172.31.184.156:80 >>> Open
172.31.184.156:443 >>> Open
172.31.184.157:80 >>> Open
172.31.184.157:443 >>> Open
172.31.184.158:135 >>> Open
172.31.184.158:80 >>> Open
172.31.184.158:443 >>> Open
172.31.184.158:21 >>> Open
172.31.184.158:3389 >>> Open
172.31.184.193:80 >>> Open
172.31.184.193:443 >>> Open
172.31.184.194:80 >>> Open
172.31.184.254:80 >>> Open
172.31.184.254:443 >>> Open

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2016-01-12 17:29

厂商回复:

非常感谢,我们尽快修复该漏洞!

最新状态:

暂无

漏洞评价:

评价

  1. 2016-01-12 14:11 | 子非海绵宝宝 认证白帽子 ( 核心白帽子 | Rank:1296 漏洞数:131 | 发扬海绵宝宝的精神!你不是海绵宝宝,你怎...)

    我擦

  2. 2016-01-12 14:19 | loli 认证白帽子 ( 普通白帽子 | Rank:649 漏洞数:59 | 每个男人心中都住着一个叫小红的88号技师。)

    心疼宝宝

  3. 2016-01-12 14:48 | 坏男孩-A_A ( 路人 | Rank:28 漏洞数:12 | 膜拜学习中)

    ....

  4. 2016-01-12 14:56 | 进击的zjx ( 普通白帽子 | Rank:1465 漏洞数:179 | 1000rank目标达成!撒花……)

    @子非海绵宝宝 宝宝心里苦,但宝宝不说 2333