当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0190973

漏洞标题:全友家私某系统漏洞(涉及上千万订单信息/涉及大量的个人详细身份证件地址订单信息/涉及十几库Sa权限)

相关厂商:全友家私

漏洞作者: 路人甲

提交时间:2016-03-31 12:00

修复时间:2016-05-19 22:40

公开时间:2016-05-19 22:40

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-03-31: 细节已通知厂商并且等待厂商处理中
2016-04-04: 厂商已经确认,细节仅向厂商公开
2016-04-14: 细节向核心白帽子及相关领域专家公开
2016-04-24: 细节向普通白帽子公开
2016-05-04: 细节向实习白帽子公开
2016-05-19: 细节向公众公开

简要描述:

详细说明:

http://**.**.**.** 存在jboss反序列命令执行,只能用jspx或者写shell 到jmx-console里,策略禁止在default下执行jsp脚本。
通过查找配置数据库发现大量数据,
近千万的订单详情,以及几百万的个人详细的身份证信息以及收货地址信息,危害极大
数据库涉及内网多台主机。
截取部分数据已证明危害,

漏洞证明:

shell.png

db.png

tables.png

user.png

xinxi.png

xinxi1.png

xinxi2.png

xinxi3.png

xinxi4.png

xinxi5.png

xinxi6.png

xinxi7.png

xinxi8.png

xinxi9.png

xinxi10.png

xinxi11.png

xinxi12.png

xinxi13.png

<local-tx-datasource>
		<jndi-name>TBMPKDataSource</jndi-name>
		<connection-url>jdbc:sqlserver**.**.**.**:1433;DatabaseName=cop_tbm;SelectMethod=Cursor</connection-url>
		<driver-class>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver-class>
		<connection-property name="user">tbmsql</connection-property>
		<connection-property name="password">tbm123</connection-property>
		<min-pool-size>1</min-pool-size>
		<max-pool-size>10</max-pool-size>
	</local-tx-datasource>
</datasources>
	<local-tx-datasource>
		<jndi-name>TOSADDataSource</jndi-name>
		<connection-url>jdbc:sqlserver**.**.**.**:1433;DatabaseName=QuanYou-DB;SelectMethod=Cursor</connection-url>
		<driver-class>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver-class>
		<connection-property name="user">sa</connection-property>
		<connection-property name="password">P@ssw0rd!123</connection-property>
		<min-pool-size>5</min-pool-size>
		<max-pool-size>100</max-pool-size>
	</local-tx-datasource>

数据库配置

Query#0 : select rows,OBJECT_NAME(id) as TABLENAME from sysindexes where indid=0
rows
int	TABLENAME
nvarchar
2	sysfiles1
90	T_TBM_SALE_TASK
553033	T_TBM_CHECK_DETAIL_A201506
0	F_STOCK_APPLY
12	temp_1
559465	T_MDM_CHAN_DIS_SERIES_INFO
17894	T_TBM_SIGN_IN_A201506
0	T_TBM_PRICE_PROGRAM
356	T_TBM_STOCK_ADJUST_DETAIL_PRICE_20160122
38208	T_TBM_STAFF
173	T_TBM_SALE_TASK_DETAIL
877126	T_TBM_SIGN_IN_DETAIL_A201506
4	CAP_USER_20150611
5889333	T_TBM_SHOP_PRICE_SAD
7592	T_MDM_CHAN_DIS_STORE
1504117	T_TBM_STOCK_TERM_STATISTICS_A201506
0	T_TBM_PRICE_PROGRAM_DETAIL
1	T_TEMP_ACCOUNT_IMP
3244130	T_MDM_PRO_REL_PRO_SALE_ORG
5530807	T_TBM_MY_PRODUCT_SAD
10592442	T_TBM_STOCK_OUTIN_DETAIL
29	T_MDM_CHAN_OFFICE_INFO
1070627	T_TBM_STOCK_TERM_STATISTICS_A201505
0	T_TBM_STOCK_BATCH_A201505
418	tmp_dis_info
3868975	T_TBM_PURBILL_DETAIL
7301	T_TBM_PATCH_PIC_20150808_BAK
0	T_MDM_CHAN_SHOP_DECORATION
97	tmp_shop_info
1891850	T_TBM_STOCK_BATCH_A201506
9827	T_TBM_SP_REDACT_20150724_BAK
421	T_TBM_STOCK_ADJUST_DETAIL_CAL_IN_20160122
1327	tmp_store_info
825824	T_TBM_STOCK_OUTIN
3617	T_MDM_CHAN_SHOP_INFO
1509690	T_TBM_STOCK_TERM_STATISTICS_B201506
167115	T_TBM_CHECK_DETAIL_PRICE_OUT_20160122
66390	T_TBM_SAMPLE_UP_DETAIL
102682	T_TBM_PATCH_PLATE_20150807_bak
0	FV_INFO_STRUCT
919749	T_TBM_STOCK_TERM_STATISTICS_B201505
532	T_TBM_CHECK_DETAIL_PRICE_CAL_OUT_20160122
1160	T_TBM_CHECK_DETAIL_CAL_OUT_20160122
356	T_TBM_STOCK_ADJUST_DETAIL_PRICE_CAL_OUT_20160122
1600497	T_TBM_PICK_DETAIL
11279	CAP_USER_20150815_BAK
47557	T_MDM_ORG_ADMIN_REGION
2127	T_TBM_SIGN_IN_DETAIL_CAL_IN_20160122
45438	T_TBM_PATCH_SIGN_DETAIL_20150810_BAK
5	T_MDM_ORG_CHANNEL_DISTR
1160	TEMP_2016
37395	cust_bak
1160	T_TBM_CHECK_DETAIL_CAL_IN_20160122
17	T_MDM_ORG_SALE_DEPT
42021	T_TBM_SP_REDACT_CUSTOM
0	T_TBM_SALE_BILL_DETAIL_PACK_PRICE_20160122
559710	T_TBM_PICK
10996018	T_TBM_STOCK_HIS
308	T_MDM_ORG_SALE_GROUP
131	T_TBM_STOCK_BATCH_TOTAL_FEE_OFFICE_1001
5831456	T_TBM_STOCK_BATCH_HIS
560	T_TBM_SP_REDACT_NUM
44046	T_TBM_SALE_BILL_DETAIL_QUANTITY_OUT_20160123
96409	T_TBM_STOCK_OUTIN_RECORD_HIS
33	T_MDM_ORG_SALE_ORG
44046	T_TBM_SALE_BILL_DETAIL_RETURN_20160123
45	T_TBM_FEEDBACK
557332	T_TBM_STOCK_OUTIN_HIS
41289	T_TBM_SP_REDACT_OLD_PRODUCT
74	T_TBM_STOCK_ALLOT
1648476	T_TBM_STOCK_OUTIN_DETAIL_HIS
68410	T_TBM_SIGN_IN_20150904
1748	T_TBM_STOCK_TERM_STATISTICS_HIS
1353	T_TBM_STOCK_ALLOT_DETAIL
11284	cap_user_20150811_bak
80341	customer_bak_6_19
809	T_TBM_OPTION_INFO
771735	T_TBM_SALE_BILL_DETAIL_SEND_PACK_20160123
18	TMP005
3518245	T_TBM_STOCK
28531	T_TBM_ECBILL_DETAIL_BAK
1	T_ACCOUNT_IMP
336	T_TBM_QUESTION_INFO
0	T_ACCOUNT_IMP_BAK
4780	T_TBM_SALE_BILL_DETAIL_SEND_20160123
11	T_TBM_QUESTION_BANK
291288	T_TBM_STOCK_ADJUST_DETAIL
81	T_MDM_PRO_CATEGORY
27317	T_TBM_SALE_BILL_DETAIL_ERROR_PACK_20160123
219590	T_TBM_SIGN_IN                                     20W+车辆信息
10816	CAP_USER_20150714_BAK
34360	T_TBM_SALE_BILL_M1_20160123
1	ANHUIBAN
734	T_MDM_PRO_COLOR_NUM
34360	T_TBM_SALE_BILL_OUT_M1_20160123
0	F_HANDSET_GET_PACK
86559	customer_bak_6_22
62097	T_MDM_PRO_PRODUCT_MODEL
0	T_TBM_HANDLE_LOG
464	tmp3
1698	T_MDM_PRO_REL_MATERIAL_MATCH
197513	T_TBM_STOCK_OCCUPY
208	T_MDM_PRO_PRODUCT_SERIES
247	tmp31
0	T_TBM_SYS_LOGIN_LOG
18	tmp32
157274	T_TBM_SALE_BILL_BAK_20150727
11752326	T_TBM_SIGN_IN_DETAIL
95	T_TBM_SALE_BILL_DETAIL_20160104
357666	T_MDM_PRO_PRODUCT_INFO_20150814_BAK
9	T_MDM_PRO_PRODUCT_STYLE
4	T_TBM_EC_LOGISTIC20160106
0	T_MDM_PRI_NO_SALES_PRICE_TOTAL_BAK
295	T_TBM_PURBILL_1000695
853527	T_TBM_POLICY_PUR
2206	T_MDM_PRI_SALES_PRICE_TOTAL_BAK
13082943	T_TBM_STOCK_OUTIN_RECORD
9547	T_TBM_SAMPLE_DOWN
0	T_MDM_PRO_REL_PRO_GROUP_SALE_ORG
4534	T_TBM_PURBILL_DETAIL_1000695
446	T_TBM_SIGN_IN_20150707
441429	T_TBM_SYNC_NO_SALES_PRICE_TOTAL
23	T_TBM_SP_REDACT_1000695
0	T_TBM_SURVEY
7123	T_TBM_PATCH_PIC_20150814_BAK
102	T_MDM_PRO_SALE_SERIES
2457	T_TBM_STOCK_1000695
775	T_TBM_STOCK_OUTIN_1000695
46651	tmp2
20	T_MDM_ZONE_SALE_COMM
8378	T_TBM_STOCK_OUTIN_DETAIL_1000695
1508071	T_MDM_PRI_NO_SALES_PRICE_TOTAL_151012
63	T_TBM_SIGN_IN_20150613
174	T_TBM_PATCH_RESTRICT_BAK
731	T_TBM_DELIVERY_1000695
487	T_TBM_STORE_PACKAGE
36	T_MDM_ZONE_SALE_AREA
19729	T_TBM_SEQUENCE_bak20150728
15182	T_TBM_SIGN_IN_20150613_ALL
695	T_TBM_PICK_1000695
1	T_TBM_PURBILL20160112
710	T_TBM_PICK_DETAIL_1000695
149	TMP_SIGN
38399	T_TBM_IMP_EXCEL
1652537	tmp1                                 160W+ 家私订单
1329	T_TBM_STORE_PACKAGE_DETAIL
1055	T_TBM_STOCK_WARN
36	T_MDM_ZONE_SALE_MARKET
41224	T_TBM_SP_REDACT
2	T_TBM_CHECK_1000695
40269	T_TBM_STOCK_ADJUST
4313	T_TBM_PATCH_BILL_20150729_BAK
106	T_MDM_PRO_FACTORY_INFO
2	T_MDM_ZONE_SALE_RANGE
0	T_TBM_IMP_RESULT
0	T_TBM_ECBILL20160113
5	T_MDM_ZONE_SALE_REGION
11	T_TBM_SIGN_IN_TMP
0	T_TBM_SIGN_IN_DETAIL_20150707
0	T_TBM_ECBILL_DETAIL20160113
2063	ypr_test_01
0	T_TBM_CHECK_DETAIL_TEMP
20	T_MDM_ZONE_SALE_ZONE
260310	T_TBM_PATCH_PLATE_STRUCT_20150816_BAK
2748363	tmp_sale_price
2950	T_TBM_PATCH_BILL_20160114_BAK
2569187	tmp_sale_price_bak
277327	T_TBM_PATCH_PLATE_STRUCT_20160115_BAK
36	T_SAP_OFFICE_TO_CUSCODE
260	T_TBM_CARPOOL
150	T_TBM_SIGN_IN_20151014
7607	T_TBM_PATCH_PIC_20160115_BAK
53638	tmp_sale_price_no
108006	T_TBM_PATCH_PLATE_20160115_BAK
530	T_TBM_CARPOOL_DETAIL
5889333	T_TBM_SHOP_PRICE_SAD_BAK
10742	CAP_USER_20150707
0	T_IMP_PLATE
10832	cap_user_bak_20150717
2633	T_IMP_PLATE_STR
2	t_notice
0	T_IMP_PIC
21122	T_TBM_PATCH_BILL_20150819_BAK
2896752	T_TBM_CHECK_DETAIL
28	CAP_ROLE_20150707_BAK
0	F_STOCK_SALE_HEAD
7123732	T_MDM_PRI_NO_SALES_PRICE_TOTAL_tmp
49	T_TBM_COMPLAINT
294335	tmp_zlfl
7659508	T_MDM_PRI_SALES_PRICE_TOTAL_tmp                 700W家私订单
0	T_TBM_STOCK_OUTIN_RECORD_201505
47	T_TBM_CUSCHEST_DEMAND_BAK
967366	T_TBM_STOCK_OUTIN_RECORD_B201505
6856	T_MDM_PRI_SALES_PRICE_TOTAL_tmp01
1005	T_TBM_CUSCHEST_DEMAND
0	F_STOCK_INSEND
24742	T_TBM_STOCK_OUTIN_B201505
0	T_TBM_PUR_CHECK
910619	T_TBM_STOCK_OUTIN_DETAIL_B201505
0	T_TBM_CHECK_PACK_DETAIL_REPEAT
0	F_STOCK_INWAY
12150	T_TBM_PICK_B201505
0	T_TBM_CHECK_PACK_DETAIL
1241310	tmp_STOCK_BATCH
33709	T_TBM_PICK_DETAIL_B201505
7	T_TBM_PURBILL_20150908
6859	T_MDM_PRI_SALES_PRICE_TOTAL_tmp02
853790	T_TBM_DELIVERY
311	T_TBM_SAMPLE_UP_B201505
7	T_TBM_PURBILL_DETAIL_20150908
1267	T_TBM_SAMPLE_UP_DETAIL_B201505
120	app_menu20160117
0	T_TBM_DISTRIBUTOR_ACCOUNT
259	T_TBM_SAMPLE_DOWN_B201505
622	CAP_RESAUTH_20160117_BAK
1939	T_TBM_SAMPLE_DOWN_DETAIL_B201505
3	T_TBM_STOCK_ALLOT_B201505
1228	CAP_USER20160223
33	T_TBM_INFO
19912	T_TBM_STAFF_BAK
2187	T_TBM_CUSCHEST_DEMAND_DETAIL
45570	T_TEMP_DIS_SERIES_IMP
6724	T_MDM_CHAN_DIS_STORE_151126
591	tmp001
11	T_TBM_STOCK_ALLOT_DETAIL_B201505
2	app_menu_bak
167	tmp_mgr_error
9965	T_TBM_CHECK_B201505
39262	T_TBM_PUR_DRAFT_TMP
770777	T_TBM_CUSTOMER
937780	T_TBM_CHECK_DETAIL_B201505
150	tmp_mgr_error_2
39262	T_TBM_PUR_DRAFT_TMP2
704	T_TBM_SIGN_IN_B201505
150	tmp_mgr_error_3
39262	T_TBM_PUR_DRAFT_TMP3
57268	T_TBM_SIGN_IN_DETAIL_B201505
10577	CAP_USER_BAK_20150601
243	TEMP1
967366	T_TBM_STOCK_OUTIN_RECORD_A201505
586034	T_TBM_REFUND
1574982	tmp_STOCK_BATCH_TYPE1
25933	T_TBM_STOCK_OUTIN_A201505
129513	tmp_STOCK_BATCH_TYPE2
919955	T_TBM_STOCK_OUTIN_DETAIL_A201505
17114	T_TBM_CACHE_PUR_PRO
277326	T_TBM_PATCH_PLATE_STRUCT_151130
622	tmp002
13255249	T_TBM_STOCK_TERM_STATISTICS
1249	T_TBM_INFO_HISTORY
13156	T_TBM_PICK_A201505
255	STOCK_SAMPLE_DOWN_TEMP
46577	T_TBM_PATCH_PLATE_STRUCT_BAK_151130
37523	T_TBM_PICK_DETAIL_A201505
10	T_MDM_CHAN_DISTRIBUTOR_INFO_20150602
622	签收单物料编码异常信息表
323518	tmp_STOCK_BATCH_TYPE3
421	T_TBM_SAMPLE_UP_A201505
786553	T_TBM_SALE_BILL
51049	T_TBM_RETURN
648	tmp003
85	tmp_STOCK_PROBLEM
1604	T_TBM_SAMPLE_UP_DETAIL_A201505
1	T_TBM_ECBILL_DETAIL20160118
11	tmp004
1574982	T_TBM_STOCK_BATCH_bak
74991	T_TBM_MESSAGE_DETAIL_20150731_BAK
338	T_TBM_SAMPLE_DOWN_A201505
1	T_TBM_ECBILL20160118
169763	T_TBM_SALE_BILL_BAK_20150730
2128	T_TBM_SAMPLE_DOWN_DETAIL_A201505
8752264	T_TBM_MY_PRODUCT
75449	T_TBM_MESSAGE_DETAIL_150731_1530_bak
4	T_TBM_STOCK_ALLOT_A201505
44	T_TBM_ASSIGN_BAK
14	T_TBM_STOCK_ALLOT_DETAIL_A201505
4	T_TBM_PATCH_PLATE_STRUCT_20150825_BAK
10852	T_TBM_CHECK_A201505
1033569	TMP_TBM_SIGN_IN_COPY
1199105	T_TBM_CHECK_DETAIL_A201505
0	F_STOCK_SALE_UNSEND
181727	T_TBM_SYNC_SHOP_PRICE
165380	TMP_TBM_SIGN_IN_COPY_1
7380	T_TBM_SIGN_IN_A201505
11550	T_TBM_CHECK_DETAIL20160302
332198	T_TBM_PURBILL
1354	T_TBM_COMMUNITY_SAD
0	F_PUR_PACK_CHOICE
75320	t_tbm_customer_bak
350387	T_TBM_SIGN_IN_DETAIL_A201505
80	T_TBM_PUR_DRAFT_BAK_001
55	T_TBM_PUR_DRAFT_BAK_002
1428794	T_TBM_STOCK_OUTIN_RECORD_B201506
1	T_TBM_SIGN_IN_20151208
73061	T_TBM_STOCK_OUTIN_B201506
2	T_TBM_SIGN_IN_DETAIL20151208
801882	TMP_TBM_SIGN_IN_COPY_2
1216594	T_TBM_STOCK_OUTIN_DETAIL_B201506
618	TEMP_STOCK2
387973	T_TBM_MESSAGE
825411	T_TBM_PATCH_RECORD_151027
43668	T_TBM_PICK_B201506
0	F_STOCK_NEED
1657	T_TBM_SAMPLE_UP_B201506
15181	T_TBM_SAMPLE_UP
419864	T_TBM_MESSAGE_DETAIL
6479	T_TBM_SAMPLE_UP_DETAIL_B201506
162553	T_TBM_EC_LOGISTIC
13	T_MDM_PRO_PRODUCT_GROUP
532	T_TBM_STOCK_PROBLEM
25215	T_MDM_CHAN_SHOP_DEC_DETAIL
966	T_TBM_SAMPLE_DOWN_B201506
313806	T_TBM_ECBILL
2	CAP_RESAUTH20160119
2840	T_TBM_SAMPLE_DOWN_DETAIL_B201506
745046	T_TBM_ECBILL_DETAIL
1084	T_MDM_PRO_MATERIAL_GROUP
7975	T_TBM_SALE_BILL_20151214
165380	TMP_TBM_SIGN_IN_COPY_3
5	T_TBM_STOCK_ALLOT_B201506
720	T_TBM_SALE_BILL_20151215
2868	T_MDM_CHAN_SHOP_DEC_MAIN
49	T_TBM_STOCK_ALLOT_DETAIL_B201506
40804	T_TBM_WARCARD_bak
5	T_MDM_PRO_SPACE_INFO
0	F_SBILL_SALEORG
1996	T_TBM_PUR_DRAFT
81134	T_TBM_MESSAGE_DETAIL_20150803_bak
9613	T_TBM_CHECK_B201506
9480145	T_TBM_STOCK_BATCH
555014	T_TBM_CHECK_DETAIL_B201506
139900	BASE_PRODUCTINFO_BAK
42200	T_TBM_PUR_DRAFT_DETAIL
11451	T_TBM_SIGN_IN_B201506
35817	T_MDM_PRO_PRODUCT_INFO_chayi
579873	T_TBM_SIGN_IN_DETAIL_B201506
0	T_TBM_CUSTOMER_FILE
1428794	T_TBM_STOCK_OUTIN_RECORD_A201506
2983	T_TBM_DIS_STORE_TEMP
75485	T_TBM_STOCK_OUTIN_A201506
422	T_TBM_DIS_STORE_TEMP1
1222711	T_TBM_STOCK_OUTIN_DETAIL_A201506
45682	T_TBM_PICK_A201506
284	T_TEMP_1
54849	T_TBM_CHECK
96840	T_TBM_RETURN_DETAIL
130733	T_TBM_PICK_DETAIL_A201506
1046	T_TBM_COMMUNITY
52	T_TEMP_IMP_2
117931	T_TBM_PURBILL_20150911
1727	T_TBM_SAMPLE_UP_A201506
1390504	T_TBM_PURBILL_DETAIL_20150911
0	T_TBM_SALES_RICE
6468	T_TBM_SAMPLE_UP_DETAIL_A201506
201	T_TEMP_2
691322	T_TBM_WARCARD
579	T_MDM_CHAN_CUSTOMER_MGR_INFO
1052	T_TBM_SAMPLE_DOWN_A201506
417	T_TBM_STAFF_SAD
1099798	T_TBM_SALE_BILL_DETAIL20160122
2906	T_TBM_SAMPLE_DOWN_DETAIL_A201506
2747	T_MDM_CHAN_DISTRIBUTOR_INFO_20150723_BAK
1526570	T_TBM_SALE_BILL_DETAIL_SUIT20160122
3029	T_MDM_CHAN_DISTRIBUTOR_INFO
6	T_TBM_STOCK_ALLOT_A201506
4045718	T_TBM_SALE_BILL_DETAIL_PACK20160122
0	F_STOCK_HIS_SALES
2559330	T_TBM_SALE_BILL_DETAIL
25659	CAP_PARTYAUTH_BAK
23136	T_TBM_SAMPLE_DOWN_DETAIL
50	T_TBM_STOCK_ALLOT_DETAIL_A201506
4045718	T_TBM_SALE_BILL_DETAIL_PACK_MATYPE_20160122
4812	T_MDM_CHAN_DIS_SALEORG_INFO
9622	T_TBM_CHECK_A201506

数据库结构

http://**.**.**.**/default/1.jspx 9635789

shell

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2016-04-04 22:39

厂商回复:

CNVD确认所述情况,已经由CNVD通过网站公开联系方式向网站管理单位通报。

最新状态:

暂无

漏洞评价:

评价

  1. 2016-03-31 12:08 | 带头大哥 ( 普通白帽子 | Rank:786 漏洞数:230 | |任意邮件伪造| |目录遍历| |任意文件读取|...)

    http://butian.360.cn/vul/info/qid/QTVA-2016-397889

  2. 2016-03-31 12:43 | 田老板 ( 路人 | Rank:24 漏洞数:11 | 学校杀手)

    http://butian.360.cn/vul/info/qid/QTVA-2016-397889