当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0183359

漏洞标题:中银保险某重要系统命令执行可Getshell

相关厂商:中银保险有限公司

漏洞作者: 暴走

提交时间:2016-03-11 16:48

修复时间:2016-03-16 11:25

公开时间:2016-03-16 11:25

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:厂商已经修复

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-03-11: 细节已通知厂商并且等待厂商处理中
2016-03-11: 厂商已经确认,细节仅向厂商公开
2016-03-16: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

给个高分可否,小礼物真的会送吗。

详细说明:

中银保险参数管理平台(http://111.205.37.193:7001/BOCIParamManager/)
之前有白帽子提交过webloigc后台弱口令导致getshell,这个漏洞是修补了,可是反序列化没修补。

2.png

漏洞证明:

测试结果:

3.png


内网IP地址

4.png


开放了3389、21等N多端口

活动连接
协议 本地地址 外部地址 状态
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 0.0.0.0:6100 0.0.0.0:0 LISTENING
TCP 0.0.0.0:6200 0.0.0.0:0 LISTENING
TCP 0.0.0.0:30005 0.0.0.0:0 LISTENING
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49174 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49175 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49184 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49198 0.0.0.0:0 LISTENING
TCP 21.8.143.113:139 0.0.0.0:0 LISTENING
TCP 21.8.143.113:445 21.8.143.114:50996 ESTABLISHED
TCP 21.8.143.113:7001 0.0.0.0:0 LISTENING
TCP 21.8.143.113:7001 21.8.143.24:30349 TIME_WAIT
TCP 21.8.143.113:7001 21.8.143.24:33745 TIME_WAIT
TCP 21.8.143.113:7001 21.8.143.24:39151 TIME_WAIT
TCP 21.8.143.113:7001 21.8.143.24:51216 TIME_WAIT
TCP 21.8.143.113:7001 21.8.143.24:52160 TIME_WAIT
TCP 21.8.143.113:7001 21.8.143.24:63610 TIME_WAIT
TCP 21.8.143.113:7001 21.8.143.50:3961 ESTABLISHED
TCP 21.8.143.113:7001 21.8.143.50:24606 ESTABLISHED
TCP 21.8.143.113:7001 21.8.143.50:58333 TIME_WAIT
TCP 21.8.143.113:7001 22.8.142.51:52412 ESTABLISHED
TCP 21.8.143.113:7001 22.8.142.53:47623 ESTABLISHED
TCP 21.8.143.113:7001 22.8.142.53:49399 TIME_WAIT
TCP 21.8.143.113:7001 22.8.142.53:60535 TIME_WAIT
TCP 21.8.143.113:9005 0.0.0.0:0 LISTENING
TCP 21.8.143.113:49963 21.8.143.202:1521 ESTABLISHED
TCP 21.8.143.113:53403 21.8.143.202:1521 ESTABLISHED
TCP 21.8.143.113:53694 21.8.143.202:1521 ESTABLISHED
TCP 21.8.143.113:53790 21.8.143.113:30005 TIME_WAIT
TCP 21.8.143.113:53793 21.8.143.113:30005 TIME_WAIT
TCP 21.8.143.113:53794 21.8.143.113:30005 TIME_WAIT
TCP 21.8.143.113:53796 21.8.143.113:30005 TIME_WAIT
TCP 21.8.143.113:53798 21.8.143.113:30005 TIME_WAIT
TCP 21.8.143.113:53799 21.8.143.113:30005 TIME_WAIT
TCP 21.8.143.113:53802 21.8.143.113:30005 TIME_WAIT
TCP 21.8.143.113:53803 21.8.143.113:30005 TIME_WAIT
TCP 21.8.143.113:53804 21.8.143.113:30005 TIME_WAIT
TCP 21.8.143.113:53807 21.8.143.113:30005 TIME_WAIT
TCP 21.8.143.113:53808 21.8.143.113:30005 TIME_WAIT
TCP 127.0.0.1:6100 127.0.0.1:53791 TIME_WAIT
TCP 127.0.0.1:6100 127.0.0.1:53795 TIME_WAIT
TCP 127.0.0.1:6100 127.0.0.1:53800 TIME_WAIT
TCP 127.0.0.1:6100 127.0.0.1:53805 TIME_WAIT
TCP 127.0.0.1:6200 127.0.0.1:53792 TIME_WAIT
TCP 127.0.0.1:6200 127.0.0.1:53797 TIME_WAIT
TCP 127.0.0.1:6200 127.0.0.1:53801 TIME_WAIT
TCP 127.0.0.1:6200 127.0.0.1:53806 TIME_WAIT
TCP 127.0.0.1:7001 0.0.0.0:0 LISTENING
TCP 127.0.0.1:9005 0.0.0.0:0 LISTENING
TCP 127.0.0.1:49969 127.0.0.1:49970 ESTABLISHED
TCP 127.0.0.1:49970 127.0.0.1:49969 ESTABLISHED
TCP 127.0.0.1:49971 127.0.0.1:49972 ESTABLISHED
TCP 127.0.0.1:49972 127.0.0.1:49971 ESTABLISHED
TCP 127.0.0.1:49973 127.0.0.1:49974 ESTABLISHED
TCP 127.0.0.1:49974 127.0.0.1:49973 ESTABLISHED
TCP 127.0.0.1:49975 127.0.0.1:49976 ESTABLISHED
TCP 127.0.0.1:49976 127.0.0.1:49975 ESTABLISHED
TCP 127.0.0.1:49977 127.0.0.1:49978 ESTABLISHED
TCP 127.0.0.1:49978 127.0.0.1:49977 ESTABLISHED
TCP 127.0.0.1:49979 127.0.0.1:49980 ESTABLISHED
TCP 127.0.0.1:49980 127.0.0.1:49979 ESTABLISHED
TCP [::]:135 [::]:0 LISTENING
TCP [::]:445 [::]:0 LISTENING
TCP [::]:3389 [::]:0 LISTENING
TCP [::]:47001 [::]:0 LISTENING
TCP [::]:49152 [::]:0 LISTENING
TCP [::]:49153 [::]:0 LISTENING
TCP [::]:49174 [::]:0 LISTENING
TCP [::]:49175 [::]:0 LISTENING
TCP [::]:49184 [::]:0 LISTENING
TCP [::]:49198 [::]:0 LISTENING
TCP [::1]:7001 [::]:0 LISTENING
TCP [::1]:9005 [::]:0 LISTENING
TCP [2002:1508:8f71::1508:8f71]:445 [2002:1508:8f71::1508:8f71]:53449 ESTABLISHED
TCP [2002:1508:8f71::1508:8f71]:7001 [::]:0 LISTENING
TCP [2002:1508:8f71::1508:8f71]:9005 [::]:0 LISTENING
TCP [2002:1508:8f71::1508:8f71]:53449 [2002:1508:8f71::1508:8f71]:445 ESTABLISHED
TCP [fe80::200:5efe:21.8.143.113%12]:7001 [::]:0 LISTENING
TCP [fe80::200:5efe:21.8.143.113%12]:9005 [::]:0 LISTENING
UDP 0.0.0.0:123 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:4500 *:*
UDP 0.0.0.0:5355 *:*
UDP 21.8.143.113:137 *:*
UDP 21.8.143.113:138 *:*
UDP 127.0.0.1:53302 *:*
UDP 127.0.0.1:53870 *:*
UDP 127.0.0.1:54748 *:*
UDP 127.0.0.1:60396 *:*
UDP 127.0.0.1:63134 *:*
UDP [::]:123 *:*
UDP [::]:500 *:*
UDP [::]:4500 *:*


config.xml

<?xml version='1.0' encoding='UTF-8'?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd">
<name>base_domain</name>
<domain-version>10.3.6.0</domain-version>
<security-configuration>
<name>base_domain</name>
<realm>
<sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:default-identity-asserterType">
<sec:active-type>AuthenticatedUser</sec:active-type>
</sec:authentication-provider>
<sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
<sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
<sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
<sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
<sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
<sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
<sec:name>myrealm</sec:name>
<sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
<sec:name>SystemPasswordValidator</sec:name>
<pas:min-password-length>8</pas:min-password-length>
<pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
</sec:password-validator>
</realm>
<default-realm>myrealm</default-realm>
<credential-encrypted>{AES}35uscvHlIcGYxHP8/cYYvz/HBNTXRuyMdTWJxMviEROzQg71NmNyJnbZWZPSf8vT83QmQ7p4Lw+oi8HFgmNmIC766Qv1IrXtcMFyYgBo5EdD/yq2ltrqUXOL1DWIMH17</credential-encrypted>
<node-manager-username>aNpdpFYxhR</node-manager-username>
<node-manager-password-encrypted>{AES}jVtYKs0BcCaIcIONh9GnkJjfaLex7Ai8USCfJzQeJIQ=</node-manager-password-encrypted>
</security-configuration>
<server>
<name>AdminServer01</name>
<listen-address></listen-address>
</server>
<production-mode-enabled>true</production-mode-enabled>
<embedded-ldap>
<name>base_domain</name>
<credential-encrypted>{AES}FcHxi+7xjZj3VICingEIe/0JViC6wu2jI8URmDK5i0O/U0tCzjWYC+2jsoxx9sXQ</credential-encrypted>
</embedded-ldap>
<administration-port-enabled>true</administration-port-enabled>
<administration-port>9005</administration-port>
<configuration-version>10.3.6.0</configuration-version>
<app-deployment>
<name>BOCIParamManager</name>
<target>AdminServer01</target>
<module-type>war</module-type>
<source-path>D:\鍙傛暟绠$悊杞欢\BOCIParamManager.war</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<app-deployment>
<name>BOCIDispatchService</name>
<target>AdminServer01</target>
<module-type>war</module-type>
<source-path>D:\褰卞儚澶勭悊杞欢\BOCIDispatchService.war</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<admin-server-name>AdminServer01</admin-server-name>
<jdbc-system-resource>
<name>PARA_MANG_DS</name>
<target>AdminServer01</target>
<descriptor-file-name>jdbc/PARA_MANG_DS-2338-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
<jdbc-system-resource>
<name>DispatchServiceDS</name>
<target>AdminServer01</target>
<descriptor-file-name>jdbc/DispatchServiceDS-4602-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
</domain>


数据库配置文件在 D:\Oracle\Middleware\user_projects\domains\base_domain\config\jdbc\PARA_MANG_DS-2338-jdbc.xml

<?xml version='1.0' encoding='UTF-8'?>
<jdbc-data-source xmlns="http://xmlns.oracle.com/weblogic/jdbc-data-source" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/jdbc-data-source http://xmlns.oracle.com/weblogic/jdbc-data-source/1.2/jdbc-data-source.xsd">
<name>PARA_MANG_DS</name>
<jdbc-driver-params>
<url>jdbc:oracle:thin:@(description=(ADDRESS_LIST =(ADDRESS = (PROTOCOL = TCP)(HOST = DBServer1)(PORT = 1521))(ADDRESS = (PROTOCOL = TCP)(HOST = DBServer2)(PORT = 1521))(load_balance=yes)(failover=yes))(connect_data=(service_name=bocicm)(instance_name=bocicm1)(instance_name=bocicm2)))</url>
<driver-name>oracle.jdbc.xa.client.OracleXADataSource</driver-name>
<properties>
<property>
<name>user</name>
<value>appadmin</value>
</property>
</properties>
<password-encrypted>{AES}qEnPROhlP75yK60Zu46b8ekijQCUWsoI5KSLOsoDdK0=</password-encrypted>
</jdbc-driver-params>
<jdbc-connection-pool-params>
<test-table-name>SQL SELECT 1 FROM DUAL</test-table-name>
</jdbc-connection-pool-params>
<jdbc-data-source-params>
<jndi-name>PARA_MANG_DS</jndi-name>
<global-transactions-protocol>TwoPhaseCommit</global-transactions-protocol>
</jdbc-data-source-params>
</jdbc-data-source>


就不上传shell深入了,不是不会哦...

修复方案:

小礼物小礼物.

版权声明:转载请注明来源 暴走@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2016-03-11 17:09

厂商回复:

非常感谢,小礼物准备中......

最新状态:

2016-03-16:已修复


漏洞评价:

评价

  1. 2016-03-11 17:13 | 中银保险有限公司(乌云厂商)

    非常感谢,真的会送。

  2. 2016-03-11 17:16 | 暴走 ( 普通白帽子 | Rank:546 漏洞数:98 | Wooyun的Rank获取如同Dota冲天梯有过之而无...)

    @中银保险有限公司 这么快就确认了,效率真高。