香飘飘多个系统漏洞(获取到DB/DC/MAIL/FILE 等大量配置信息/可内网探测)

admin
admin
admin
139701
文章
114
评论
2017年4月8日21:48:31评论821 views字数 228阅读0分45秒阅读模式
摘要

2016-03-29: 积极联系厂商并且等待厂商认领中,细节不对外公开
2016-05-13: 厂商已经主动忽略漏洞,细节向公众公开

漏洞概要 关注数(2) 关注此漏洞

缺陷编号: WooYun-2016-190359

漏洞标题: 香飘飘多个系统漏洞(获取到DB/DC/MAIL/FILE 等大量配置信息/可内网探测)

相关厂商: 香飘飘

漏洞作者: 路人甲

提交时间: 2016-03-29 13:37

公开时间: 2016-05-13 13:40

漏洞类型: 命令执行

危害等级: 高

自评Rank: 20

漏洞状态: 未联系到厂商或者厂商积极忽略

漏洞来源:www.wooyun.org ,如有疑问或需要帮助请联系

Tags标签: 无

0人收藏

漏洞详情

披露状态:

2016-03-29: 积极联系厂商并且等待厂商认领中,细节不对外公开
2016-05-13: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

详细说明:

code 区域 
http://exp.zjxpp.com:8186/basisPlatform/loginAction!login.jspa
code 区域 
http://hr.zjxpp.com:8186/basisPlatform/

存在st2命令执行,但是静默以jspa的方式运行,脚本是Vm,这就很尴尬了....尝试上传无果。在

code 区域 
http://exp.zjxpp.com:8186/examples/jsp

目录中上传成功,但是不是不解析就是不兼容。这就非常尴尬了。

code 区域 
http://exp.zjxpp.com:8186/examples/jsp/abc.jsp

拿到一个文件管理的shell,还是老外的东西靠谱。翻了下配置文件,发现了oracle数据库配置,企业邮箱配置,域控DC,

就到这吧,最近写python要炸,红老师也不适当放宽下政策~!!!

漏洞证明:

香飘飘多个系统漏洞(获取到DB/DC/MAIL/FILE 等大量配置信息/可内网探测)

香飘飘多个系统漏洞(获取到DB/DC/MAIL/FILE 等大量配置信息/可内网探测)

香飘飘多个系统漏洞(获取到DB/DC/MAIL/FILE 等大量配置信息/可内网探测)

香飘飘多个系统漏洞(获取到DB/DC/MAIL/FILE 等大量配置信息/可内网探测)

code 区域 
tcp        0      0 0.0.0.0:65252           0.0.0.0:*               LISTEN      off (0.00/0/0)
 tcp        0      0 0.0.0.0:9575            0.0.0.0:*               LISTEN      off (0.00/0/0)
 tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      off (0.00/0/0)
 tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      off (0.00/0/0)
 tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      off (0.00/0/0)
 tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      off (0.00/0/0)
 tcp      252      0 10.0.3.23:40891         192.168.0.12:3300       ESTABLISHED off (0.00/0/0)
 tcp        0      0 10.0.3.23:956           10.0.3.25:2049          ESTABLISHED off (0.00/0/0)
 tcp       84      0 10.0.3.23:41002         192.168.0.12:3300       ESTABLISHED off (0.00/0/0)
 tcp        0      0 10.0.3.23:22            192.168.0.79:9681       ESTABLISHED keepalive (540.12/0/0)
 tcp        0      0 :::47710                :::*                    LISTEN      off (0.00/0/0)
 tcp        0      0 127.0.0.1:8705          :::*                    LISTEN      off (0.00/0/0)
 tcp        0      0 127.0.0.1:8005          :::*                    LISTEN      off (0.00/0/0)
 tcp        0      0 127.0.0.1:8805          :::*                    LISTEN      off (0.00/0/0)
 tcp        0      0 :::8709                 :::*                    LISTEN      off (0.00/0/0)
 tcp        0      0 :::8809                 :::*                    LISTEN      off (0.00/0/0)
 tcp        0      0 :::8009                 :::*                    LISTEN      off (0.00/0/0)
 tcp        0      0 :::64812                :::*                    LISTEN      off (0.00/0/0)
 tcp        0      0 :::8301                 :::*                    LISTEN      off (0.00/0/0)
 tcp        0      0 :::111                  :::*                    LISTEN      off (0.00/0/0)
 tcp        0      0 :::8307                 :::*                    LISTEN      off (0.00/0/0)
 tcp        0      0 :::8308                 :::*                    LISTEN      off (0.00/0/0)
 tcp        0      0 :::22                   :::*                    LISTEN      off (0.00/0/0)
 tcp        0      0 ::1:631                 :::*                    LISTEN      off (0.00/0/0)
 tcp        0      0 ::1:25                  :::*                    LISTEN      off (0.00/0/0)
 tcp        0      0 10.0.3.23:16789         10.0.3.25:1521          TIME_WAIT   timewait (21.84/0/0)
 tcp        0      0 10.0.3.23:31883         10.0.3.70:49605         ESTABLISHED off (0.00/0/0)
 tcp        0      0 10.0.3.23:8301          10.0.4.1:51351          TIME_WAIT   timewait (47.82/0/0)
 tcp        0      0 10.0.3.23:16889         10.0.3.25:1521          TIME_WAIT   timewait (54.28/0/0)
 tcp        0      0 10.0.3.23:16763         10.0.3.25:1521          TIME_WAIT   timewait (13.33/0/0)
 tcp        0      0 10.0.3.23:8307          112.232.21.238:28593    ESTABLISHED off (0.00/0/0)
 tcp        0      0 10.0.3.23:16859         10.0.3.25:1521          TIME_WAIT   timewait (44.05/0/0)
 tcp        0      0 10.0.3.23:16892         10.0.3.25:1521          TIME_WAIT   timewait (57.01/0/0)
 tcp        0      0 10.0.3.23:16845         10.0.3.25:1521          TIME_WAIT   timewait (41.63/0/0)
 tcp        0      0 10.0.3.23:16783         10.0.3.25:1521          TIME_WAIT   timewait (21.14/0/0)
 tcp        0      0 10.0.3.23:16757         10.0.3.25:1521          TIME_WAIT   timewait (11.62/0/0)
 tcp        0      0 10.0.3.23:16811         10.0.3.25:1521          TIME_WAIT   timewait (31.41/0/0)
 tcp        0      0 10.0.3.23:65105         10.0.3.25:1521          ESTABLISHED off (0.00/0/0)
 tcp        0      0 10.0.3.23:16851         10.0.3.25:1521          TIME_WAIT   timewait (42.31/0/0)
 tcp        0      0 10.0.3.23:8307          10.0.4.1:40629          TIME_WAIT   timewait (59.72/0/0)
 tcp        0      0 10.0.3.23:8301          10.0.4.1:51003          TIME_WAI
code 区域 
cookie.domain=zjxpp.com
 jdbc.driverClassName=oracle.jdbc.driver.OracleDriver
 jdbc.url=jdbc:oracle:thin::1521:expora
 jdbc.username=exp
 jdbc.password=exp123
 
 appUrl = http://exp.zjxpp.com:8186/basisPlatform
 imgUrl = http://exp.zjxpp.com:8186/basisPlatform/statics
 wfeUrl =http://10.0.3.21:8102/expWorkFlow
 hrUrl = http://hr.zjxpp.com:8186/hrPlatform
 
 #ad
 ldap.validate = false
 ldap.ldapHost =ldap://10.0.3.26:389
 ldap.ldapHost2 =ldap://10.0.3.26:636
 ldap.base =DC=xpp,DC=com
 ldap.userDn =cn=Administrator,cn=Users,DC=xpp,DC=com
 ldap.password 
 ldap.domain 
 
 #email
 allUser.smtpServer=smtp.exmail.qq.com
 
 
 !
 allUser.displayName=chinaxpp
 
 #bo4
 bo4.use = bo_viewer
 bo4.pwd = Sap123456
 bo4.dev = xppboprd:6400
 bo4.enterp = secEnterprise
 bo4.reip = http://bo.zjxpp.com:8176/BOE/OpenDocument/opendoc/openDocument.jsp
 
 #QQ E-mail key
 access_token = a027de5103e39101e886dd5411fc1d01
 
 #sap
 sap.jdbc.poolName = xpp
 sap.jdbc.maximumConnectionCount = 100
 sap.jdbc.clientName = 800
 sap.jdbc.user = abaprfc
 sap.jdbc.password = 
 sap.jdbc.language = 1
 sap.jdbc.hostName = 192.168.0.12
 sap.jdbc.sysnr = 00
 sap.jdbc.group = Public
 sap.jdbc.repositoryName = osapRepository
 sap.jdbc.byGroup = 0
 sap.portal.host = http://ides.kintiger.com:8000
 sap.portal.service = /sap/bc/gui/sap/its/webgui
 sap.portal.client = 800
 
 # file
 news.filePath =/upload_file/news
 news.AllfilePath=http://exp.zjxpp.com:8186/upload_file/news/
 wfe.xml.filePath = /upload_file/basis/xml
 wfe.upload.filePath = /upload_file/basis/slave
 irepot.upload.filePath= /upload_file/basis/ireport
 template.excel.filePath = /upload_file/basis/excel
 open.office.home = /opt/openoffice4
 pdf2swf.home = pdf2swf
 read.online.path = /upload_file/readonline
 office.contract.path = /upload_file/hr/attments/photos

多处信息配置文件

code 区域 
http://exp.zjxpp.com:8186/examples/jsp/abc.jsp?

shell

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):

登陆后才能进行评分

评价

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin