当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0171577

漏洞标题:上汽通用某站漏洞(涉及海量信息/大量顾客信息记录泄露/大量员工内部信息)

相关厂商:上汽通用

漏洞作者: 路人甲

提交时间:2016-01-22 11:25

修复时间:2016-03-08 21:29

公开时间:2016-03-08 21:29

漏洞类型:命令执行

危害等级:高

自评Rank:18

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-01-22: 细节已通知厂商并且等待厂商处理中
2016-01-26: 厂商已经确认,细节仅向厂商公开
2016-02-05: 细节向核心白帽子及相关领域专家公开
2016-02-15: 细节向普通白帽子公开
2016-02-25: 细节向实习白帽子公开
2016-03-08: 细节向公众公开

简要描述:

详细说明:

**.**.**.**:9080/DMSFrameworkWeb/ 首先发现这样一个站点,判断不出,经过转发进入内网。找到目录,写了shell,期间ipconfig了下,发现dns是 **.**.**.**,访问了下主域名发现是上汽通用主站,配置了数据库,发现也是车辆以及车辆维修更换信息,经判断应该是上汽某工作站,域也有好几个。泄露了大量工单信息以及员工内部工作信息,
数据过大,截取部分。
不知道上汽通用和上汽大众是不是属于一个厂商,如果是请审核调整下,

漏洞证明:

1111.png

yu.png

ipconfig.png

db.png

db1.png

xinxi.png

xinxi1.png

xinxi2.png

xinxi3.png

xinxi4.png

xinxi5.png

xinxi6.png

xinxi7.png

xinxi8.png

xinxi9.png

xinxi10.png

xinxi11.png

xinxi12.png

xinxi13.png

xinxi14.png

<name>jdbc/dsASMSSDE</name>
  <jdbc-driver-params>
    <url>jdbc:oracle:thin:@localhost:1521:dmsasc</url>
    <driver-name>oracle.jdbc.xa.client.OracleXADataSource</driver-name>
    <properties>
      <property>
        <name>user</name>
        <value>owdmsasc</value>
      </property>
    </properties>
    <password-encrypted>{AES}BPAYZgiSrVAc9IUov2OQQ+f3OHQH8s5F7jF+KSHyxbU=</password-encrypted> sgm_ap0m58_user
  <name>jdbc/dsEWS</name>
  <jdbc-driver-params>
    <url>jdbc:oracle:thin:@localhost:1521:dmsasc</url>
    <driver-name>oracle.jdbc.xa.client.OracleXADataSource</driver-name>
    <properties>
      <property>
        <name>user</name>
        <value>eservice</value>
      </property>
    </properties>
    <password-encrypted>{AES}+6rCjolg3gQOg3Ov4v550de9pgaxHhGL8yAFGJpVu48=</password-encrypted> sgm_ap0m58_user

数据库配置

Query#0 : select t.TABLE_NAME,t.NUM_ROWS from user_tables t order by NUM_ROWS desc
TABLE_NAME
VARCHAR2	NUM_ROWS
NUMBER
TT_DELETE_LOG_HISTORY	20076255
TM_WR_CAMPAIGN_VINLIST	17978639
TT_CAMPAIGN_VEHICLE	6234208
WORKITEMHISTORY	5009645
TT_PART_MONTH_REPORT	2061597
TT_PART_PERIOD_REPORT	2061597
TT_PART_FLOW	1854111
TT_BALANCE_REPAIR_PARTS	1753173
TT_BALANCE_UNION_PARTS	1481317
TT_OPERATE_LOG	1373097
TT_REPAIR_ORDER_LINK	1243373
TT_BALANCE_LABOUR	1168300
TA_SMAP_CUST_CLASS_STAT	1079657
TT_CAMPAIGN_COMPLETEVEHICLE	1007851
TT_RO_ASSIGN	887731
TT_ESTIMATE_REPAIR_PARTS	530731
DE_DEMESSAGEIDMAP	485852
TT_PRODUCTIVE_VALUE	438404
TT_RO_BALANCED	375679
TT_BALANCE_ACCOUNTS	375679
TT_RO_CLAIM_MAPPING	375338
TA_SMAP_VEHICLE_BALANCE_DAILY	352946
TA_SMAP_VEHICLE_REPAIR_MONTH	335454
TT_DELETE_LOG	305575
TT_RECEIVE_MONEY	292362
TA_SMAP_VEHICLE_INFO	276797
TM_SGM_UPCFNA_PARTCODE	269298
TT_TRACING_TASK	254044
TT_ESTIMATE_LABOUR	245759
TT_PART_WAITORDER_LIST_DETAIL	225230
TT_DO_RECEIVE_ITEM	205947
TT_PART_SPQ_SHOW_DETAIL	204888
TT_PART_BUY_ITEM	199611
TT_TOOL_FLOW	196431
TT_ORDER_ITEM_RESULT	186091
TT_PART_ORDER_ITEM	184127
TT_BILLING_ITEM	177892
TT_NO_REPORT_ORDER_ITEM	177517
TT_GWM_STATUS	174275
TM_GWM_PRE_WRT_VINLIST	171151
TM_MAIN_PART	160668
DE_ASCRECEIVELOG	158116
TM_CLAIM_LABOUR_HOUR_DATA	132465
DE_ASCSENDSUBLOG	111241
DE_ASCSENDLOG	108752
TT_TOOL_RETURN_ITEM	97614
TT_TOOL_BORROW_ITEM	97599
TT_CLAIM_ORDER	91573
TT_TOOL_BORROW	81741
TT_TOOL_RETURN	80482
TT_CLAIM_PART	73659
TT_CHARGE_DERATE	70075
TM_SPECIAL_SP_LOG	68695
TT_SGM_WR_APPPAYMENT	55735
TA_SMAP_SERVICE_ANALYSIS	54720
TT_ESTIMATE_ORDER	52866
TT_CLAIM_RO_ITEM_MAPPING	51179
TM_OWNER	50247
TM_VEHICLE	46683
TM_PLANT_VEHICLE	45485
TM_REPAIR_ITEM	41082
TT_GWM_RESULT	39529
TM_SGM_UPCFNA_LABOR	39277
TT_SGM_RETURN	35667
TM_SGM_UPCFNA_INFO	35377
TT_PART_PERIOD_REPORT_TMP	35012
TM_VEHICLE_SGM	32444
TM_GWM_WARRANTYCLASS_BY_LABOR	31959
TT_PART_INNER_ITEM	30424
TT_BOOKING_ORDER_ITEM	28250
TM_PART_STOCK	27143
TT_ALLOCATE_OUT_ITEM	26468
TT_BALANCE_REPAIR_PARTS_3R	24598
TT_INSURANCE_FLOW	22974
TT_TERMLY_MAINTAIN	22641
TT_PART_FLOW_3R	22640
TT_NEW_IN_CAR	22572
TT_PART_BUY	22131
TT_CLAIM_MONTH_REPORT	21453
TT_BALANCE_UNION_PARTS_3R	21254
TM_CLAIM_LABOUR	20722
TT_SPQ_EXCEPTION_MESSAGE	20695
TT_BALANCE_LABOUR_3R	19075
TT_GWM_STATUS_3R	18772
TT_INVOICE	18269
TT_PART_PERIOD_REPORT_BAK	17495
TT_CLAIM_OTHER_CHARGE	17471
TT_PRE_RECEIVE_MONEY	17222
TT_CLAIM_PART_PRINT	15753
TT_GWM_RESULT_DSP_REASON	15261
TM_CLAIM_ADD_LABOUR_HOUR	15136
TA_SMAP_BUICK_CUST_STAT	13680
TA_SMAP_LOST_CUST_ANALYSIS	13680
TT_RO_ASSIGN_3R	13598
TT_BALANCE_ADD_ITEM	13438
TA_SMAP_BUICK_CUST_STATOEM	13260
TT_SHORT_PART	12970
TT_PART_INNER	12945
TT_TRACING_TASK_QUESTION	11648
TT_CLAIM_PART_RTN_ITEM	11503
TT_BOOKING_ORDER	10741
TT_PRODUCTIVE_VALUE_3R	10498
TT_RESERVED_CHANGE	10414
TT_BILLING	9563
TT_DO_RECEIVE	9554
TM_ASC_PT_SP_PART_LIST	9369
TT_PART_INVENTORY_ITEM	8861
TT_INSURANCE_EXPIRE	7816
TT_CAMPAIGN_FINISH_VEHICLE	7801
TT_BOOKING_PROMPT	7619
TT_MONITOR_VEHICLE	7229
TT_CLAIM_ORDER_3R	7222
TT_PART_ALLOCATE_OUT	6902
TT_BOOKING_ORDER_REMIND	6682
TT_VEHICLE_BLOCK	6603
TL_CLAP_BPOINT_CHANGE_LOG	6459
TT_RO_BALANCED_3R	6120
TT_BALANCE_ACCOUNTS_3R	6120
TT_BALANCE_ACCOUNTS_EXT	6034
TA_ASC_MONTHLY_REPORT_MODEL	5554
TI_PART_STOCK	5413
TT_SGM_WR_LABOROP_MAP_FVS	5130
TI_OWNER_VEHICLE	5057
TT_PART_ALLOCATE_ITEM	4923
TT_ORDER_RESULT	4914
TT_CLAIM_PART_3R	4892
TT_PART_ORDER	4383
TM_REPAIR_ITEM_MAIN	4365
TT_ASC_STAGNANT_INVENTORY	4065
TT_DS_ASC_SCANNERLOG	4012
TT_GWM_RESULT_3R	3981
TT_TRACING_DAY	3894
TT_USER_FUNCTION	3861
TT_NO_REPORT_ORDER	3614
TM_WR_CAMPAIGN_VINRULE	3602
TT_REMIND_PLAN	3551
TT_PART_SUGGEST_PART_DETAIL	3426
TM_CLAIM_NO_RETURN	3183
TT_SGM_RETURN_3R	3052
TA_SMAP_INCOME_ANALYSIS	2950
TA_SMAP_MONTH_RPT_SERIES	2904
TA_SMAP_CUST_INSTORE_ANALYSIS	2904
TM_CLAP_MEMBER_CONTACTOR	2900
TA_SMAP_STAT_SERIES	2882
TM_CLAP_MEMBER_VEHICLE	2862
TM_CLAP_MEMBER_CARD	2855
TM_CLAP_VEHICLE_OWNER	2855
TM_CLAP_MEMBER	2855
DE_MESSAGE_LOG	2753
TT_SGM_WR_CLAIMCORRECT	2732
TT_PART_ALLOCATE_IN	2606
TT_REJECT_HISTORY	2440
TT_BILL_NO	2363
TT_SGM_WR_WITHOUTREF	2337
TT_ESTIMATE_ADD_ITEM	2204
TT_PART_AB_TYPE	2010
TT_PART_TRACE_FLOW_ITEM	1962
TT_SGM_WR_WCCREFRECORD	1951
TM_MAIN_PART_INTERFACE	1938
TM_OTHER_LABOUR_HOUR	1935
TT_PART_PROFIT_ITEM	1843
TT_PART_TRACE_FLOW	1831
TT_BALANCE_SALE_PART	1752
TT_PART_MOVE_ITEM	1639
TT_WAITORDER_PART_DRAFT	1549
TM_PART_MONITOR	1443
TT_BALANCE_ADD_ITEM_3R	1435
TT_RO_REPAIR_PARTS	1380
TT_SGM_WR_3R_BASE	1271
TM_COMMON_DATA	1233
TM_GWM_3C_RELATION	1232
TM_PART_TIME	1196
TT_PART_BILL_NO	1180
TT_PART_LOSS_ITEM	1173
TM_ORDERDATE_SET	1153
TM_TOOL_STOCK	1152
TT_REPORT_ORDER_COUNT	1150
TT_TOOL_BUY_ITEM	1135
TT_CLAIM_PART_RTN_ITEM_3R	1078
DE_TASKSCHEDULERULETARGET	1016
TT_CLAIM_OTHER_CHARGE_3R	861
TT_SGM_WR_UNWARRANTYPART	838
TM_PART_PAINT	830
TT_PART_ORDER_CONDITION	813
TA_SMAP_MONTH_RPT_VHCLAGE	792
TT_SGM_WR_CASELABOUR	744
DE_ASCSENDLOGCOUNT	723
TT_PART_SUGGEST_PART	694
TM_SYSTEM_STATUS	677
TT_RO_LABOUR	636
TT_PO_DELAY_CANCEL_ITEM	622
TT_ROLE_FUNCTION_MAPPING	618
TT_USER_OPTION_MAPPING	584
TT_CHARGE_DERATE_3R	570
TT_SGM_WR_REPAIRLOCATION	568
TT_TRACING_WEEK	563
TT_USER_HISTORY	535
TT_PT_BONUS_USED	531
TA_SMAP_MONTH_RPT_REPAIR	528
TA_SMAP_TASK_HISTORY	512
TT_CLAIM_MONTH_REPORT_3R	490
TM_ATTACHMENT_PART	459
WORKITEM	440
TT_DS_ASC_TABLELIST	425
TT_PO_DELAY_CANCEL	400
TT_ORDINARY_CLAIM_COLLECT	399
TT_CAMPAIGN	391
TT_PRE_DEDUCT	380
TM_SPECIAL_SQL	373
TM_SPECIAL_PARTS	367
TM_GWM_PRE_WRT_RULE	353
TM_WR_CAMPAIGN_PART	349
TM_FUNCTION	348
TM_WR_CAMPAIGN	339
TT_PART_FAST_FLOW	332
TL_DA_OPER_LOG	321
TM_PAINT_SUPPLIER_MAPPING	312
TT_BOOKING_ORDER_PARTS	309
TT_RO_PRE_CLAIM	303
TM_PACKAGE_PART	300
TM_SPECIAL_LABORCODE	300
TT_PART_MOVE	290
TT_CLAIM_PART_URGENT_RTN	279
TT_PART_CLAIM_ITEM	276
TT_VEHICLE_ALARM_REMIND	273
TT_PART_CLAIM	272
TA_SMAP_MONTH_RPT_VHCLTYPE	264
TM_CMG_MY_MAPPING	248
TT_PART_COST_ADJUST	243
TM_EMPLOYEE	234
TM_PART_CUSTOMER	233
TT_PART_CLAIM_REPARATIONS	228
TT_PART_CLAIM_RETURN_ITEM	225
TT_PART_RETURN_INFORM	223
TT_PRE_CLAIM_ORDER	220
TM_SPECIAL_TABLES	217
COPY_TM_EMPLOYEE	216
TT_PART_CLAIM_BILLING_ITEM	214
TT_PART_CLAIM_BILLING	211
TM_WR_CAMPAIGN_REPLACE_PART	208
TM_ASC_INFO	204
TT_CLAIM_ADD_LABOUR	202
TT_BILLING_SUB_ITEM	201
TT_ESTIMATE_SALE_PARTS	200
TA_ASC_MONTHLY_FINANCE	192
TT_REPAIR_ORDER	191
TT_CAMPAIGN_ITEM	190
TT_RO_PRE_CLAIM_STATUS	188
TT_ASC_DATASTORE_ERRLOG	176
TM_GWM_AD_REASON_CODES	170
DE_APPTYPE	168
TT_SGM_WR_BACKREFERENCE	150
TT_PART_LEND_RETURN_ITEM	137
TM_ACCOUNTING_CYCLE	136
TT_CAMPAIGN_RECALLCODE	136
TT_PART_LEND_ITEM	136
TM_MODEL	135
TA_SMAP_CUST_INSURANCE_STAT	132
TA_SMAP_BUICK_MONTH_RPT_STAT	132
TA_SMAP_BOOKING_STAT	132
TM_GWM_CAUSE	131
TT_MONTH_CYCLE	131
TM_GWM_PRE_WRT_VINRULE	126
TT_TOOL_BUY	125
TT_SO_PROJECT	123
TT_GWM_RESULT_ADJ_REASON	121
TM_CLAIM_MODEL_SMC	120
TT_SO_PRE_CLAIM_NEW	120
TM_ASC_MONTHLY_REPORT	112
TT_PART_CLAIM_DISCOUNT	112
TA_ASC_NEW_MONTHLY_REPORT	110
TT_PART_WAITORDER_LIST	106
TT_ORDINARY_CLAIM_INVOICE	105

**.**.**.**:9080/DMSFrameworkWeb/jsp/123.jsp carry

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2016-01-26 08:27

厂商回复:

维修站管理的服务器漏洞,已通知并制定修复计划

最新状态:

暂无

漏洞评价:

评价