当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0110138

漏洞标题:中国电信某短信业务存在命令执行可getshell

相关厂商:中国电信

漏洞作者: JiuShao

提交时间:2015-04-24 16:27

修复时间:2015-06-12 09:58

公开时间:2015-06-12 09:58

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-04-24: 细节已通知厂商并且等待厂商处理中
2015-04-28: 厂商已经确认,细节仅向厂商公开
2015-05-08: 细节向核心白帽子及相关领域专家公开
2015-05-18: 细节向普通白帽子公开
2015-05-28: 细节向实习白帽子公开
2015-06-12: 细节向公众公开

简要描述:

中国电信挂机短信业务存在命令执行可getshell

详细说明:

中国电信挂机短信业务存在命令执行可getshell
站点:http://116.228.55.149:8082/helpdesk/privilege/loginAction!login2.action
st2 就不多说 写了个shell
shell地址:http://116.228.55.149:8082/helpdesk/jiushao.jsp jiushao 菜刀
敏感信息:

<database>
<jndi-name>jdbc/hd_main_db</jndi-name>
<driver type="com.mysql.jdbc.Driver">
<url>jdbc:mysql://192.168.139.220:3306/helpdesk_g3</url>
<user>root</user>
<password>123456</password>
</driver>
<prepared-statement-cache-size>0</prepared-statement-cache-size>
<max-connections>350</max-connections>
<max-idle-time>15s</max-idle-time>
</database>

<database>
<jndi-name>jdbc/hd_ext_db</jndi-name>
<driver type="com.mysql.jdbc.Driver">
<url>jdbc:mysql://192.168.139.220:3306/helpdesk_g3</url>
<user>root</user>
<password>123456</password>
</driver>
<prepared-statement-cache-size>0</prepared-statement-cache-size>
<max-connections>350</max-connections>
<max-idle-time>15s</max-idle-time>
</database>

<database>
<jndi-name>jdbc/hd_qrtz_db</jndi-name>
<driver type="com.mysql.jdbc.Driver">
<url>jdbc:mysql://192.168.139.220:3306/helpdesk_g3_quartz</url>
<user>root</user>
<password>123456</password>
</driver>
<prepared-statement-cache-size>0</prepared-statement-cache-size>
<max-connections>20</max-connections>
<max-idle-time>15s</max-idle-time>
</database>
<!--
- Default host configuration applied to all virtual hosts.
-->
<host-default>
<!--
- With another web server, like Apache, this can be commented out
- because the web server will log this information.
-->
<access-log path="log/access.log"
format='%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"'
rollover-period="1W"/>
<!-- creates the webapps directory for .war expansion -->
<web-app-deploy path="webapps"/>
</host-default>
<!-- configures a deployment directory for virtual hosts -->
<host-deploy path="hosts">
<host-default>
<resin:import path="host.xml" optional="true"/>
</host-default>
</host-deploy>
<!-- configures the default host, matching any host name -->
<host id="" root-directory=".">
<!--
- configures an explicit root web-app matching the
- webapp's ROOT
-->

<web-app id="/helpdesk" root-directory="/home/zcb/resin-4.0.10/apps/helpdesk_g3">
<error-page>
<error-code>404</error-code>
<location>/appframe/error404Page.jsp</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/appframe/error500Page.jsp</location>
</error-page>
<error-page>
<error-code>503</error-code>
<location>/appframe/error503Page.jsp</location>
</error-page>
<error-page>
<error-code>504</error-code>
<location>/appframe/error504Page.jsp</location>
</error-page>
</web-app>
</host>
</cluster>


</resin>


11.png

22.png


肯定有人问我为啥知道这是电信的业务 我只能说 从这来进去的 公司有账号 所以登陆就到st2地址了 。http://card.118114.net:8080/sdm/

漏洞证明:

中国电信挂机短信业务存在命令执行可getshell
站点:http://116.228.55.149:8082/helpdesk/privilege/loginAction!login2.action
st2 就不多说 写了个shell
shell地址:http://116.228.55.149:8082/helpdesk/jiushao.jsp jiushao 菜刀
敏感信息:

<database>
<jndi-name>jdbc/hd_main_db</jndi-name>
<driver type="com.mysql.jdbc.Driver">
<url>jdbc:mysql://192.168.139.220:3306/helpdesk_g3</url>
<user>root</user>
<password>123456</password>
</driver>
<prepared-statement-cache-size>0</prepared-statement-cache-size>
<max-connections>350</max-connections>
<max-idle-time>15s</max-idle-time>
</database>

<database>
<jndi-name>jdbc/hd_ext_db</jndi-name>
<driver type="com.mysql.jdbc.Driver">
<url>jdbc:mysql://192.168.139.220:3306/helpdesk_g3</url>
<user>root</user>
<password>123456</password>
</driver>
<prepared-statement-cache-size>0</prepared-statement-cache-size>
<max-connections>350</max-connections>
<max-idle-time>15s</max-idle-time>
</database>

<database>
<jndi-name>jdbc/hd_qrtz_db</jndi-name>
<driver type="com.mysql.jdbc.Driver">
<url>jdbc:mysql://192.168.139.220:3306/helpdesk_g3_quartz</url>
<user>root</user>
<password>123456</password>
</driver>
<prepared-statement-cache-size>0</prepared-statement-cache-size>
<max-connections>20</max-connections>
<max-idle-time>15s</max-idle-time>
</database>
<!--
- Default host configuration applied to all virtual hosts.
-->
<host-default>
<!--
- With another web server, like Apache, this can be commented out
- because the web server will log this information.
-->
<access-log path="log/access.log"
format='%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"'
rollover-period="1W"/>
<!-- creates the webapps directory for .war expansion -->
<web-app-deploy path="webapps"/>
</host-default>
<!-- configures a deployment directory for virtual hosts -->
<host-deploy path="hosts">
<host-default>
<resin:import path="host.xml" optional="true"/>
</host-default>
</host-deploy>
<!-- configures the default host, matching any host name -->
<host id="" root-directory=".">
<!--
- configures an explicit root web-app matching the
- webapp's ROOT
-->

<web-app id="/helpdesk" root-directory="/home/zcb/resin-4.0.10/apps/helpdesk_g3">
<error-page>
<error-code>404</error-code>
<location>/appframe/error404Page.jsp</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/appframe/error500Page.jsp</location>
</error-page>
<error-page>
<error-code>503</error-code>
<location>/appframe/error503Page.jsp</location>
</error-page>
<error-page>
<error-code>504</error-code>
<location>/appframe/error504Page.jsp</location>
</error-page>
</web-app>
</host>
</cluster>


</resin>


11.png

22.png


肯定有人问我为啥知道这是电信的业务 我只能说 从这来进去的 公司有账号 所以登陆就到st2地址了 。http://card.118114.net:8080/sdm/

修复方案:

修复吧

版权声明:转载请注明来源 JiuShao@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-04-28 09:57

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向中国电信集团公司通报,由其后续协调网站管理部门处置.

最新状态:

暂无