当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0151419

漏洞标题:旅游通某系统漏洞可影响内网服务器(已getshell)

相关厂商:旅游通

漏洞作者: 路人甲

提交时间:2015-11-03 18:38

修复时间:2015-12-18 18:40

公开时间:2015-12-18 18:40

漏洞类型:系统/服务补丁不及时

危害等级:高

自评Rank:13

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-03: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-12-18: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

who is Joker?

详细说明:

http://www.lyt.cn/online/online!showProduct.action


Useage: S2-019
Whoami: nt authority\system
WebPath: D:\Tomcat6\webapps\lvyoutong\

<?xml version="1.0" encoding="UTF-8"?>
<something-else-entirely>
	<proxool>
		<alias>mySpringPool</alias>
		<driver-url>jdbc:mysql://localhost:3306/qyc_lvyoutong?useUnicode=true&amp;characterEncoding=UTF-8
		</driver-url>
		<driver-class>com.mysql.jdbc.Driver</driver-class>
		<driver-properties>
			<property name="user" value="root" />
			<property name="password" value="lvyoutong" />
		</driver-properties>
		<prototype-count>5</prototype-count>
		<simultaneous-build-throttle>10</simultaneous-build-throttle>
		<maximum-connection-count>200</maximum-connection-count>
		<minimum-connection-count>20</minimum-connection-count>
		<house-keeping-sleep-time>15000</house-keeping-sleep-time>
		<house-keeping-test-sql>select CURRENT_DATE</house-keeping-test-sql>
	</proxool>
</something-else-entirely>

漏洞证明:

QQ截图20151103002932.jpg


AppUrl =http://www.lyt.cn/
AppPath = D\:\\Tomcat6\\webapps\\lvyoutong
#Backup database
DataPath =C\:\\Program Files\\MySQL\\MySQL Server 5.1\\
BackupPath = D\:\\backup_data\\
data_user=root
data_pwd=lvyoutong
data_base=qyc_lvyoutong
data_charset=UTF8
#alipay
alipay_seller_email =sxsst@sina.cn
alipay_partner =2088601200373653
alipay_key =56ngx0r8nrez382n13dryphnm1ec1zmc
alipay_log_path =D:/alipay
alipay_input_charset =utf-8
alipay_sign_type =MD5
alipay_notify_url =
alipay_return_url =#AppUrl#pay/aliReturn.action
alipay_show_url =#AppUrl#userCenter/order/show.jsp?key=
alipay_exter_invoke_ip =1.85.36.101
#freemarker
encoding =UTF-8
templateRootPath =#AppPath#WEB-INF/template/
outPutRootPath =#AppPath#html/
templateUpdateDelay =3600
templateCacheMaxStrongSize =20
templateCacheMaxSoftSize =200
#mail
emailTempLatePath =email/
mailServerHost = smtp.qiye.163.com
mailServerPort =25
fromAddress = lyt@lyt.cn
userName = lyt@lyt.cn
password = sjlyt18602998888
#sina weibo login
client_ID =2311747872
client_SERCRET =5da86e278c2ae065172abe6b86f1b95c
redirect_URI =#AppUrl#member!sinaRedirect.action
baseURL =https://api.weibo.com/2/
accessTokenURL =https://api.weibo.com/oauth2/access_token
authorizeURL =https://api.weibo.com/oauth2/authorize
rmURL =https\://rm.api.weibo.com/2/
#qq login
qq_client_ID =100416922
qq_client_SERCRET =b8f318a48c223019031a8df2a125b7ec
qq_redirect_URI =#AppUrl#member!qqRedirect.action
qq_baseURL =https://graph.qq.com/
qq_accessTokenURL =https://graph.qq.com/oauth2.0/token
qq_authorizeURL =https://graph.qq.com/oauth2.0/authorize
#SMSconfig
SMS_USERNAME =zhengxy
SMS_PASSWORD =zheng123
SMS_SEND_URL =http://60.191.144.226:8080/webapi/sendsms3net.aspx
SMS_GET_BALANCE_URL =http://60.191.144.226:8080/webapi/getbalance.aspx
SMS_ENCODE =GBK
#Expressageconfig
Expressage_ID =73f3a09e164cbc22
Expressage_URL =http://api.kuaidi100.com/api
#Comment state 0:UnPublish 1:Publish
CommentState =1
#tagsFilePath
TagsFilePath =#AppPath#page/resources/ui/spin/tagcloud.xml
#ExtensionPoints
ExtensionPoints =1
#ItemContentColumnKey
ItemContentColumnKey =34509fcaa9ac49938cfee68c9025e7cc
#shelfContentColumnKey
shelfContentColumnKey =3d0b3381435646679185f4d76b50ee68
#groupPurchaseContentColumnKey
groupPurchaseContentColumnKey =95d3cb5367d541fdb56220001c89686e
#promotionContentColumnKey
promotionContentColumnKey =7e3f282f83534828a9adba021eb76953
#trialContentColumnKey
trialContentColumnKey =d15c1d4a721c45bca36056359078462f
#sys_mobile
sys_mobile=18602933999

威胁站长各种接口

QQ图片20151103005859.png


修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝