
Vulnerability summary

Defect ID: wooyun-2016-0187038

Title: Another AXA Tianping (安盛天平) system can be getshelled, exposing large amounts of sensitive user information (owner name / ID number / phone / address / licence plate / engine number / make and model / policy number, etc.)

Vendor: 安盛天平财产保险股份有限公司 (AXA Tianping Property & Casualty Insurance Co., Ltd.)

Author: 路人甲

Submitted: 2016-03-21 07:51

Fix time: 2016-03-26 08:00

Published: 2016-03-26 08:00

Vulnerability type: Command execution

Severity: High

Self-assessed Rank: 20

Status: Vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2016-03-21: Details sent to the vendor, awaiting the vendor's handling
2016-03-26: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Accidentally found another one.

Detailed description:

I previously submitted WooYun: "AXA Tianping car insurance system getshell can leak large amounts of car owner information (owner name / phone / licence plate / engine number / make and model / VIN / policy number ...)"; following on from that one, here is another.
http://180.168.192.19:80/
The system 180.168.192.19 on the same subnet also has a JBoss deserialization vulnerability. The previous system exposed policy information for 2014~2016; the 180.168.192.19 system exposes all users' policy information for 2012~2013.

Proof of vulnerability:

System IP address: 180.168.192.19

[screenshot: 20.png]


Once again a deserialization vulnerability:

[screenshot: 21.png]


root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
jboss:x:500:500::/home/jboss:/bin/bash
zhuxuehua:x:539:500::/home/zhuxuehua:/bin/bash
fengpeng:x:540:502::/home/fengpeng:/bin/bash
chengxm:x:541:502::/home/chengxm:/bin/bash
chenshijing:x:542:502::/home/chenshijing:/bin/bash
shijh:x:543:500::/home/shijh:/bin/bash
juan1.jiang:x:544:500::/home/juan1.jiang:/bin/bash
oujun:x:545:502::/home/oujun:/bin/bash
meiping.wu:x:546:500::/home/meiping.wu:/bin/bash
jinqiu.xu:x:547:502::/home/jinqiu.xu:/bin/bash
pengyk:x:548:502::/home/pengyk:/bin/bash
hui.teng:x:549:500::/home/hui.teng:/bin/bash
kunyan.ye:x:550:500::/home/kunyan.ye:/bin/bash


The next step would be uploading a shell, but from the previous system's vulnerability I already knew the policy information lives under the reportFile directory (absolute path /opt/tpapp/ecsale/server/ecsale/reportFile),
so I went straight to that directory.

[screenshot: 22.png]


Opening a file at random: the XML files inside are all detailed car-insurance policy information of users.

[screenshot: 23.png]


A closer look at one as an illustration:
policy number, owner name, policy period

[screenshot: 24.png]


Licence plate, vehicle model information

[screenshot: 25.png]


Owner ID number, phone, email, full address..

[screenshot: 27.png]


A few more I picked out:
Owner: 童文华

<?xml version="1.0" encoding="UTF-8"?>
<TXTpaic>
<TXTpaicRequest>
<userId />
<password />
<rCode />
<statusCode />
<message />
</TXTpaicRequest>
<body>
<tempBase>
<cityCode>310100</cityCode>
<planDefine>3</planDefine>
<ecInsureId>10800513041001440988</ecInsureId>
<departmentCode>5</departmentCode>
<insuranceBeginTime>2013-04-30</insuranceBeginTime>
<insuranceEndTime>2014-04-29</insuranceEndTime>
<insuranceBeginTime_105>2013-04-30</insuranceBeginTime_105>
<insuranceEndTime_105>2014-04-29</insuranceEndTime_105>
<checkInsuranceTime>1</checkInsuranceTime>
<currencyCode>01</currencyCode>
<businessPremium>3833.61</businessPremium>
<forcePremium>665</forcePremium>
<premium>5218.61</premium>
<registeredName>童文华</registeredName>
<applyPolicyNo>1000108000079792484,1000105000079792485</applyPolicyNo>
<policyNo />
<applyPolicyStatus>5</applyPolicyStatus>
<orderNo />
<tpf>1</tpf>
<lateFeeAmount>0</lateFeeAmount>
<vehicleTaxAmount>720</vehicleTaxAmount>
<vehicleTax>02</vehicleTax>
<personCert>111111197101011111</personCert>
<payNo>纳税</payNo>
<certDepartmentCode />
<certDepartmentName />
<boroughAndCounty />
<steerCardVehicleType>K04</steerCardVehicleType>
<vehicleLossInsuredValue>232100</vehicleLossInsuredValue>
<rbCode>FTABKD0025</rbCode>
<vehicle>
<licenceTypeCode>2</licenceTypeCode>
<transferDate />
<checkRuncardCertificateDate>0</checkRuncardCertificateDate>
<autoModelCode>40288099111fb32601112a105c94037a</autoModelCode>
<engineNo>C159818</engineNo>
<firstRegisterDate>2007-04-12</firstRegisterDate>
<newVehicleFlag>0</newVehicleFlag>
<fuelType>0</fuelType>
<remark>轿车,手自一体 2.5S 特别天窗版</remark>
<vehicleFrameNo>LFMBE22D070072104</vehicleFrameNo>
<vehicleLicenceCode>浙JFJ723</vehicleLicenceCode>
<licenseNo1>浙J</licenseNo1>
<licenseNo>FJ723</licenseNo>
<power>1</power>
<vehicleDBFlag>1</vehicleDBFlag>
<brandChnName>天津一汽丰田</brandChnName>
<exhaustCapability>2.497</exhaustCapability>
<vehicleBrand>丰田TV7250S3SP轿车 - 手自一体 2.5S 特别天窗版(2006)</vehicleBrand>
<vehicleInsuredValue>232100</vehicleInsuredValue>
<vehicleLossInsuredValue>232100</vehicleLossInsuredValue>
<vehicleSeats>5</vehicleSeats>
<vehicleStyle>K33</vehicleStyle>
<vehicleType>1</vehicleType>
<weigth>1.54</weigth>
<tonnages>0</tonnages>
<companyName>天津一汽丰田</companyName>
<gearBoxType>手自一体</gearBoxType>
<autoModelChnName>丰田TV7250S3SP轿车</autoModelChnName>
</vehicle>
<insured>
<personnelName>童文华</personnelName>
<insuredEmail>zhangzq@95550.cn</insuredEmail>
<insuredMobilePhone>13916031890</insuredMobilePhone>
<certificateNo>332623196412011658</certificateNo>
<payType>3</payType>
</insured>
<tempDistribution>
<receiveName>童文华</receiveName>
<invoice>童文华</invoice>
<receiveMobile>13916031890</receiveMobile>
<receivePhone />
<receiveAddress>上海市嘉定区宝安公路4435号国际机电五金城方德路200弄 56号店面</receiveAddress>
<receivePostcode>200000</receivePostcode>
<provinceCode />
<cityCode />
<townCode />
<provinceName />
<cityName />
<townName />
<sendDate>Thu Apr 11 00:00:00 CST 2013</sendDate>
<sendTime />
</tempDistribution>
<amountTHEFT />
<allAmount>232100</allAmount>
<insuredAmount105>122000</insuredAmount105>
<coverageList>
<coverage>
<dutyCode>FEDPC</dutyCode>
<dutyName />
<amout>0</amout>
<totalActualPremium>-79.56</totalActualPremium>
<seats>0</seats>
</coverage>
<coverage>
<dutyCode>GLASS</dutyCode>
<dutyName />
<amout>0</amout>
<totalActualPremium>199.14</totalActualPremium>
<seats>1</seats>
</coverage>
<coverage>
<dutyCode>NDNE</dutyCode>
<dutyName />
<amout>0</amout>
<totalActualPremium>-307.76</totalActualPremium>
<seats>0</seats>
</coverage>
<coverage>
<dutyCode>OD</dutyCode>
<dutyName />
<amout>232100</amout>
<totalActualPremium>2865.05</totalActualPremium>
<seats>0</seats>
</coverage>
<coverage>
<dutyCode>TP</dutyCode>
<dutyName />
<amout>500000</amout>
<totalActualPremium>1156.74</totalActualPremium>
<seats>0</seats>
</coverage>
<coverage>
<dutyCode>TPF</dutyCode>
<dutyName />
<amout>122000</amout>
<totalActualPremium>665</totalActualPremium>
<seats>0</seats>
</coverage>
</coverageList>
<tempPring>
<useType />
<vehicleCode>FTABKD0025</vehicleCode>
<usageAttributeCode>1</usageAttributeCode>
</tempPring>
</tempBase>
</body>
</TXTpaic>

Owner: 阮梦婕

<?xml version="1.0" encoding="UTF-8"?>
<TXTpaic>
<TXTpaicRequest>
<userId />
<password />
<rCode />
<statusCode />
<message />
</TXTpaicRequest>
<body>
<tempBase>
<cityCode>310100</cityCode>
<planDefine>3</planDefine>
<ecInsureId>10800513041001439895</ecInsureId>
<departmentCode>5</departmentCode>
<insuranceBeginTime>2013-05-07</insuranceBeginTime>
<insuranceEndTime>2014-05-06</insuranceEndTime>
<insuranceBeginTime_105>2013-05-07</insuranceBeginTime_105>
<insuranceEndTime_105>2014-05-06</insuranceEndTime_105>
<checkInsuranceTime>1</checkInsuranceTime>
<currencyCode>01</currencyCode>
<businessPremium>2715.16</businessPremium>
<forcePremium>665</forcePremium>
<premium>3830.16</premium>
<registeredName>阮梦婕</registeredName>
<applyPolicyNo>1000108000079789171,1000105000079789172</applyPolicyNo>
<policyNo />
<applyPolicyStatus>5</applyPolicyStatus>
<orderNo />
<tpf>1</tpf>
<lateFeeAmount>0</lateFeeAmount>
<vehicleTaxAmount>450</vehicleTaxAmount>
<vehicleTax>02</vehicleTax>
<personCert>111111197101011111</personCert>
<payNo>纳税</payNo>
<certDepartmentCode />
<certDepartmentName />
<boroughAndCounty />
<steerCardVehicleType>K03</steerCardVehicleType>
<vehicleLossInsuredValue>169200</vehicleLossInsuredValue>
<rbCode>SKAAFD0005</rbCode>
<vehicle>
<licenceTypeCode>2</licenceTypeCode>
<transferDate />
<checkRuncardCertificateDate>0</checkRuncardCertificateDate>
<autoModelCode>40288099111fb32601112bbd187f058f</autoModelCode>
<engineNo>026643</engineNo>
<firstRegisterDate>2009-05-07</firstRegisterDate>
<newVehicleFlag>0</newVehicleFlag>
<fuelType>0</fuelType>
<remark>轿车,手自一体 逸仕版 增压 国Ⅲ不带OBD(原非国Ⅲ 200712)</remark>
<vehicleFrameNo>LSVAG21Z772340928</vehicleFrameNo>
<vehicleLicenceCode>沪H92237</vehicleLicenceCode>
<licenseNo1>沪H</licenseNo1>
<licenseNo>92237</licenseNo>
<power>1</power>
<vehicleDBFlag>1</vehicleDBFlag>
<brandChnName>上海大众斯柯达</brandChnName>
<exhaustCapability>1.798</exhaustCapability>
<vehicleBrand>明锐SVW7186AJi轿车 - 手自一体 逸仕版 增压 国Ⅲ不带OBD(原非国Ⅲ 200712)(200706)</vehicleBrand>
<vehicleInsuredValue>169200</vehicleInsuredValue>
<vehicleLossInsuredValue>169200</vehicleLossInsuredValue>
<vehicleSeats>5</vehicleSeats>
<vehicleStyle>K33</vehicleStyle>
<vehicleType>1</vehicleType>
<weigth>1.42</weigth>
<tonnages>0</tonnages>
<companyName>上海大众斯柯达</companyName>
<gearBoxType>手自一体</gearBoxType>
<autoModelChnName>明锐SVW7186AJI轿车</autoModelChnName>
</vehicle>
<insured>
<personnelName>阮梦婕</personnelName>
<insuredEmail>1003171387@qq.com</insuredEmail>
<insuredMobilePhone>13671540346</insuredMobilePhone>
<certificateNo>310109198011031622</certificateNo>
<payType>3</payType>
</insured>
<tempDistribution>
<receiveName>阮梦婕</receiveName>
<invoice>阮梦婕</invoice>
<receiveMobile>13671540346</receiveMobile>
<receivePhone />
<receiveAddress>上海市徐汇区常熟路239号</receiveAddress>
<receivePostcode>200000</receivePostcode>
<provinceCode />
<cityCode />
<townCode />
<provinceName />
<cityName />
<townName />
<sendDate>Thu Apr 11 00:00:00 CST 2013</sendDate>
<sendTime />
</tempDistribution>
<amountTHEFT />
<allAmount>169200</allAmount>
<insuredAmount105>122000</insuredAmount105>
<coverageList>
<coverage>
<dutyCode>FEDPC</dutyCode>
<dutyName />
<amout>0</amout>
<totalActualPremium>-71.4</totalActualPremium>
<seats>0</seats>
</coverage>
<coverage>
<dutyCode>NDNE</dutyCode>
<dutyName />
<amout>0</amout>
<totalActualPremium>-201.35</totalActualPremium>
<seats>0</seats>
</coverage>
<coverage>
<dutyCode>OD</dutyCode>
<dutyName />
<amout>169200</amout>
<totalActualPremium>1949.81</totalActualPremium>
<seats>0</seats>
</coverage>
<coverage>
<dutyCode>TP</dutyCode>
<dutyName />
<amout>500000</amout>
<totalActualPremium>1038.1</totalActualPremium>
<seats>0</seats>
</coverage>
<coverage>
<dutyCode>TPF</dutyCode>
<dutyName />
<amout>122000</amout>
<totalActualPremium>665</totalActualPremium>
<seats>0</seats>
</coverage>
</coverageList>
<tempPring>
<useType />
<vehicleCode>SKAAFD0005</vehicleCode>
<usageAttributeCode>1</usageAttributeCode>
</tempPring>
</tempBase>
</body>
</TXTpaic>


Owner: 李国勇

<?xml version="1.0" encoding="UTF-8"?>
<TXTpaic>
<TXTpaicRequest>
<userId />
<password />
<rCode />
<statusCode />
<message />
</TXTpaicRequest>
<body>
<tempBase>
<cityCode>330100</cityCode>
<planDefine>3</planDefine>
<ecInsureId>10801013041001439593</ecInsureId>
<departmentCode>10</departmentCode>
<insuranceBeginTime>2013-04-30</insuranceBeginTime>
<insuranceEndTime>2014-04-29</insuranceEndTime>
<insuranceBeginTime_105>2013-04-30</insuranceBeginTime_105>
<insuranceEndTime_105>2014-04-29</insuranceEndTime_105>
<checkInsuranceTime>1</checkInsuranceTime>
<currencyCode>01</currencyCode>
<businessPremium>3439.42</businessPremium>
<forcePremium>1045</forcePremium>
<premium>5144.42</premium>
<registeredName>李国勇</registeredName>
<applyPolicyNo>1000108000079787909,1000105000079787910</applyPolicyNo>
<policyNo />
<applyPolicyStatus>5</applyPolicyStatus>
<orderNo />
<tpf>1</tpf>
<lateFeeAmount>0</lateFeeAmount>
<vehicleTaxAmount>660</vehicleTaxAmount>
<vehicleTax />
<personCert>330106196409043813</personCert>
<payNo />
<certDepartmentCode />
<certDepartmentName />
<boroughAndCounty />
<steerCardVehicleType>300</steerCardVehicleType>
<vehicleLossInsuredValue>215800</vehicleLossInsuredValue>
<rbCode>BTAALD0010</rbCode>
<vehicle>
<licenceTypeCode>2</licenceTypeCode>
<transferDate />
<checkRuncardCertificateDate>0</checkRuncardCertificateDate>
<autoModelCode>I0000000000000000240000000000737</autoModelCode>
<engineNo>K24A42501996</engineNo>
<firstRegisterDate>2005-04-01</firstRegisterDate>
<newVehicleFlag>0</newVehicleFlag>
<fuelType>0</fuelType>
<remark>类比价,轿车,自动档 标准型</remark>
<vehicleFrameNo>LHGCM566452002006</vehicleFrameNo>
<vehicleLicenceCode>浙A9Y869</vehicleLicenceCode>
<licenseNo1>浙A</licenseNo1>
<licenseNo>9Y869</licenseNo>
<power>1</power>
<vehicleDBFlag>1</vehicleDBFlag>
<brandChnName>广汽本田</brandChnName>
<exhaustCapability>2.354</exhaustCapability>
<vehicleBrand>雅阁HG7240轿车 - 自动档 标准型(2005)</vehicleBrand>
<vehicleInsuredValue>215800</vehicleInsuredValue>
<vehicleLossInsuredValue>215800</vehicleLossInsuredValue>
<vehicleSeats>5</vehicleSeats>
<vehicleStyle>K33</vehicleStyle>
<vehicleType>1</vehicleType>
<weigth>1.465</weigth>
<tonnages>0</tonnages>
<companyName>广汽本田</companyName>
<gearBoxType>自动档</gearBoxType>
<autoModelChnName>雅阁HG7240</autoModelChnName>
</vehicle>
<insured>
<personnelName>李国勇</personnelName>
<insuredEmail>676567346@qq.com</insuredEmail>
<insuredMobilePhone>18058816175</insuredMobilePhone>
<certificateNo>330106196409043813</certificateNo>
<payType>1</payType>
</insured>
<tempDistribution>
<receiveName>李国勇</receiveName>
<invoice>李国勇</invoice>
<receiveMobile>18058816175</receiveMobile>
<receivePhone />
<receiveAddress>杭州市嘉泰馨庭2-2-1302</receiveAddress>
<receivePostcode>310000</receivePostcode>
<provinceCode />
<cityCode />
<townCode />
<provinceName />
<cityName />
<townName />
<sendDate>Sat Apr 13 00:00:00 CST 2013</sendDate>
<sendTime>1</sendTime>
</tempDistribution>
<amountTHEFT />
<allAmount>215800</allAmount>
<insuredAmount105>122000</insuredAmount105>
<coverageList>
<coverage>
<dutyCode>DL</dutyCode>
<dutyName />
<amout>10000</amout>
<totalActualPremium>19.71</totalActualPremium>
<seats>1</seats>
</coverage>
<coverage>
<dutyCode>NDNE</dutyCode>
<dutyName />
<amout>0</amout>
<totalActualPremium>-267.81</totalActualPremium>
<seats>0</seats>
</coverage>
<coverage>
<dutyCode>OD</dutyCode>
<dutyName />
<amout>215800</amout>
<totalActualPremium>2444.33</totalActualPremium>
<seats>0</seats>
</coverage>
<coverage>
<dutyCode>PL</dutyCode>
<dutyName />
<amout>10000</amout>
<totalActualPremium>78.84</totalActualPremium>
<seats>4</seats>
</coverage>
<coverage>
<dutyCode>TP</dutyCode>
<dutyName />
<amout>500000</amout>
<totalActualPremium>1164.35</totalActualPremium>
<seats>0</seats>
</coverage>
<coverage>
<dutyCode>TPF</dutyCode>
<dutyName />
<amout>122000</amout>
<totalActualPremium>1045</totalActualPremium>
<seats>0</seats>
</coverage>
</coverageList>
<tempPring>
<useType />
<vehicleCode>BTAALD0010</vehicleCode>
<usageAttributeCode>1</usageAttributeCode>
</tempPring>
</tempBase>
</body>
</TXTpaic>


That's about it; I won't look at the rest!

Fix recommendation:

Give me 20 rank, thanks!
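As an added, defender-side example under this section (not from the report's author, from WooYun, or from the vendor): a small Python tool for the TXTpaic policy files shown above. It counts which personal-data elements each file carries, masks them, and sweeps the raw text for any 18-digit ID numbers or 11-digit mobile numbers left in clear. The element names are the ones that appear in the report's XML; the masking rules, the function names, the `scan_directory` helper and the sample document with its fake values are constructed assumptions.

```python
"""Inventory and mask personal data in TXTpaic policy XML files.

Added example, not part of the original WooYun report and not the vendor's
own code. Element names come from the XML shown in the report; masking rules,
helper names and the sample document are constructed.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Element names observed in the report's TXTpaic documents, grouped by the
# kind of personal data they carry.
PII_TAGS = {
    "name": {"registeredName", "personnelName", "receiveName", "invoice"},
    "id_number": {"personCert", "certificateNo"},
    "phone": {"insuredMobilePhone", "receiveMobile", "receivePhone"},
    "email": {"insuredEmail"},
    "address": {"receiveAddress"},
    "vehicle": {"vehicleLicenceCode", "licenseNo", "engineNo", "vehicleFrameNo"},
}
TAG_TO_CATEGORY = {tag: cat for cat, tags in PII_TAGS.items() for tag in tags}

# Raw-text sweeps that do not depend on knowing the element names: an 18-digit
# PRC resident ID (last digit may be X) and an 11-digit mainland mobile number.
ID_NUMBER_RE = re.compile(r"\b\d{17}[\dXx]\b")
MOBILE_RE = re.compile(r"\b1\d{10}\b")

# Constructed sample in the report's layout; every value is fake.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<TXTpaic>
<body>
<tempBase>
<ecInsureId>10800513041001440000</ecInsureId>
<registeredName>张三</registeredName>
<personCert>110101199001011234</personCert>
<vehicle>
<engineNo>TEST12345</engineNo>
<vehicleFrameNo>LTESTVIN000000001</vehicleFrameNo>
<vehicleLicenceCode>京A00000</vehicleLicenceCode>
</vehicle>
<insured>
<personnelName>张三</personnelName>
<insuredEmail>owner@example.invalid</insuredEmail>
<insuredMobilePhone>13800000000</insuredMobilePhone>
<certificateNo>110101199001011234</certificateNo>
</insured>
<tempDistribution>
<receiveName>张三</receiveName>
<receiveMobile>13800000000</receiveMobile>
<receiveAddress>北京市某区某路1号</receiveAddress>
</tempDistribution>
</tempBase>
</body>
</TXTpaic>
"""


def _parse(xml_text):
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    return ET.fromstring(data)


def inventory(xml_text):
    """Count populated personal-data elements per category in one document."""
    counts = {}
    for el in _parse(xml_text).iter():
        cat = TAG_TO_CATEGORY.get(el.tag)
        if cat and el.text and el.text.strip():
            counts[cat] = counts.get(cat, 0) + 1
    return counts


def _keep_ends(value, head, tail):
    """Keep the first `head` and last `tail` characters, star out the middle."""
    if len(value) <= head + tail:
        return "*" * len(value)
    return value[:head] + "*" * (len(value) - head - tail) + value[len(value) - tail:]


def mask_value(category, value):
    """Mask one value, keeping just enough to correlate records (constructed rules)."""
    if category == "name":
        return _keep_ends(value, 1, 0)
    if category == "id_number":   # keep region prefix and last four digits
        return _keep_ends(value, 6, 4)
    if category == "phone":       # keep carrier prefix and last four digits
        return _keep_ends(value, 3, 4)
    if category == "email":
        local, sep, domain = value.partition("@")
        return local[:1] + "***" + sep + domain
    if category == "address":     # keep roughly the city/district prefix
        return value[:6] + "***"
    return _keep_ends(value, 0, 4)  # vehicle identifiers: last four only


def redact(xml_text):
    """Return the document with every known personal-data element masked."""
    root = _parse(xml_text)
    for el in root.iter():
        cat = TAG_TO_CATEGORY.get(el.tag)
        if cat and el.text and el.text.strip():
            el.text = mask_value(cat, el.text.strip())
    return ET.tostring(root, encoding="unicode")


def plaintext_identifiers(xml_text):
    """Regex sweep of the raw text for unmasked ID and mobile numbers.

    Works on the text rather than the tree so values in elements missing from
    PII_TAGS, or in files that do not parse, are still caught.
    """
    if isinstance(xml_text, bytes):
        xml_text = xml_text.decode("utf-8", "replace")
    return sorted(set(ID_NUMBER_RE.findall(xml_text)) | set(MOBILE_RE.findall(xml_text)))


def scan_directory(directory):
    """Per-file inventory for a directory of policy XML files (hypothetical layout)."""
    results = {}
    for path in sorted(Path(directory).glob("*.xml")):
        try:
            results[path.name] = inventory(path.read_bytes())
        except ET.ParseError as exc:
            results[path.name] = {"error": str(exc)}
    return results


if __name__ == "__main__":
    print("inventory:", inventory(SAMPLE_XML))
    print("plaintext identifiers before:", plaintext_identifiers(SAMPLE_XML))
    masked = redact(SAMPLE_XML)
    print("plaintext identifiers after:", plaintext_identifiers(masked))
    print(masked)
```

Run against a copy of the report directory, `scan_directory` gives the per-file count of exposed fields that a breach assessment needs; `redact` produces a copy safe to hand to support staff, and `plaintext_identifiers` on the redacted output is the check that nothing in an unlisted element slipped through.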

Copyright notice: when reposting, credit the source 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2016-03-26 08:00

Vendor reply:

Vulnerability Rank: 15 (WooYun assessment)

Latest status:

None


Comments:

  1. 2016-03-21 20:04 | 暴走 ( Regular white hat | Rank:567 Vulnerabilities:101 | Earning Rank on WooYun is like climbing the Dota ladder, if anything more so...)

    @安盛天平, can't you give the poster a high score and make him happy!