
Vulnerability Summary

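Bug ID: wooyun-2015-0137714

Title: 3G门户 unified-login backend command execution (affects a great many important business systems)

Vendor: 3g.cn

Author: 路人甲

Submitted: 2015-08-29 09:21

Fixed: 2015-10-16 11:48

Disclosed: 2015-10-16 11:48

Vulnerability type: System/service patches not applied in time

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]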



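Vulnerability Details

Disclosure status:

2015-08-29: Details reported to the vendor; awaiting vendor handling
2015-09-01: Vendor confirmed; details disclosed to the vendor only
2015-09-11: Details disclosed to core white hats and experts in related fields
2015-09-21: Details disclosed to regular white hats
2015-10-01: Details disclosed to intern white hats
2015-10-16: Details disclosed to the public

Brief description:

Command execution in the 3g unified-login backend; a large amount of sensitive information can be viewed

Detailed description: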

2.jpg


http://gouser.3g.net.cn//userManage/userjson/searchUserbySystemid.action
has a command execution vulnerability

2.jpg

Proof of vulnerability:

w7.jpg


Usernames can be obtained from here for brute-forcing

w3.jpg


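Quite a few people still use 123456
Many important backends are accessible; from inside the intranet one could even push messages directly, since push is not reachable from the external network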
Picking one or two as proof

w4.jpg


w5.jpg


Blind injection at the login

w6.jpg

Remediation:

I don't know.

Copyright notice: when reposting, please credit the source 路人甲@乌云


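Vulnerability Response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-09-01 11:47

Vendor reply:

Thank you for submitting this vulnerability. As this is an internal system, external network access has now been blocked, and it has been handed to the R&D team for follow-up code improvements.

Latest status:

None yet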