2015-12-30: Details reported to the vendor, awaiting vendor handling
2015-12-30: Vendor has confirmed; details disclosed to the vendor only
2016-01-09: Details disclosed to core white hats and experts in related fields
2016-01-19: Details disclosed to regular white hats
2016-01-29: Details disclosed to intern white hats
2016-02-04: Vendor has fixed the vulnerability and disclosed it proactively; details disclosed to the public
Webshell found that threatens the intranet and leaks large amounts of user information
URL: https://180.169.5.227/ipp-payment-app/index.do?id=com.allinpay.cpg.IPaymentSaleService
The system uses JBoss as its middleware and has already been turned into a "horse farm" (a host littered with other people's planted webshells). Shell URL: https://180.169.5.227/wooyun/wpp1.jsp, password: test. When opening or logging into it the site may redirect to http; add the "s" back by hand.
I pulled down a log file; the log path is /ipplog.
It looks like a UnionPay system again.
2015-12-13 16:21:27,882 INFO http-0.0.0.0-8080-36 [com.allinpay.ets.tp.og.allinpay.its.AllinpayItsTP] - @@@ITS PlainReqMsg: <REQUEST><ENVELOPE><HEAD><VERSION>v1.0</VERSION><BUSINESS_TYPE>0001</BUSINESS_TYPE><PAY_TYPE>05</PAY_TYPE><TRANS_CODE>1001</TRANS_CODE><ACCESS_ID>IPP000000000001</ACCESS_ID><TRACE_NUM>51213637470</TRACE_NUM><TRANS_DATE>20151213</TRANS_DATE><TRANS_TIME>162127</TRANS_TIME></HEAD><TX_INFO><BANK_CODE>03050000</BANK_CODE><CNL_ID>9071</CNL_ID><ACCT_NAME>[REDACTED]</ACCT_NAME><ACCT_CAT>01</ACCT_CAT><ACCT_NO>6226********5828</ACCT_NO><ID_TYPE>01</ID_TYPE><ID_NO>1405**********7816</ID_NO><PHONE_NO>131****1639</PHONE_NO><EXTEND_INFO><SUB_MCHT><SUB_MCHT_ID>100000000000013</SUB_MCHT_ID><CNL_MCHT_ID>100000000000013</CNL_MCHT_ID><CNL_MCHT_NAME>上海天天基金销售有限公司</CNL_MCHT_NAME><CNL_MCHT_TYPE>1001</CNL_MCHT_TYPE></SUB_MCHT></EXTEND_INFO><REMARK>通联金融事业部签约申请</REMARK></TX_INFO></ENVELOPE><SIGNATURE><SIGN_TYPE>0</SIGN_TYPE><SIGN_MSG>A6BF4F9BAD462D6D8FE5D9ACB32B284B</SIGN_MSG></SIGNATURE></REQUEST>
2015-12-13 16:21:27,883 INFO http-0.0.0.0-8080-36 [com.allinpay.rcf.RemotingCallUtil] - Hessian service call:http://188.0.61.100:80/imessage/index.do?id=com.allinpay.ets.cmf.IMessageSendService
2015-12-13 16:21:27,924 INFO http-0.0.0.0-8080-36 [com.allinpay.ets.tp.impl.AbstractCommunicationService] - Receiver[ITS-实名认证,00001011,http://188.0.50.118:8080/its-pg-app/request,5要素实名认证 ] Send Parameters: {SignApplicationTxInfo.ExtendInfo=, Head.AccessID=IPP000000000001, SMSHead.TransCode=1002, RequestSMSTxInfo.PhoneNo=131****1639, SignApplicationTxInfo.AcctValidDate=, SignApplicationTxInfoSubMcht.CnlMchtType=1001, SignApplicationTxInfoSubMcht.CnlMchtName=上海天天基金销售有限公司, SignApplicationTxInfo.CnkID=03050000, SignApplicationTxInfo.QuotaTrans=, SignApplicationTxInfo.QuotaDay=, SignApplicationTxInfo.AcctCat=01, IMS.AgreementType=02, SignApplicationTxInfo.SmsAmount=, SignApplicationTxInfo.BankCode=03050000, SignApplicationTxInfo.PhoneNo=131****1639, SignConfirmTxInfo.ExtendInfo=通联金融事业部签约确认, SignApplicationTxInfoExtendInfo.SubMcht=, IPP.SMSField2=, SignApplicationTxInfo.Remark=通联金融事业部签约申请, SignApplicationTxInfo.IdNo=1405**********7816, SignApplicationTxInfoSubMcht.SubMchtId=100000000000013, Head.Version=v1.0, IPP.SMSField1=天天基金, SignApplicationTxInfo.AcctNo=6226********5828, SignConfirmTxInfo.OriTransDate=20151213, Head.TransDate=20151213, RequestSMSTxInfo.ExtendInfo=通联金融事业部签约短信验证码发送, Signature.SignType=0, IMS.UserID=000000000000088, Head.BusinessType=0001, reqMsg=..., RequestSMSTxInfo.OriTransDate=20151213, SignConfirmTxInfo.OriTraceNum=51213637470, ItsStep.Key=1, SignApplicationTxInfoSubMcht.CnkMchtID=100000000000013, Head.TransTime=162127, SignApplicationTxInfo.DayTimes=, Head.PayType=05, SignApplicationTxInfo.ValidDate=, IPP.SMSContent=您本次在{SMS_FIELD1}申请验证服务的动态码为:{VERIFY_CODE}。请勿将动态码告知他人并确认该申请是由您本人操作!, RequestSMSTxInfo.OriTraceNum=51213637470, Signature.SignMsg=1, SignApplicationTxInfo.IdType=01, Head.NotifyURL=, Head.TransCode=1001, SignApplicationTxInfo.Cvv2=, Head.TraceNum=51213637470, IMS.BusinessType=88, SignConfirmHead.TransCode=1003, SignApplicationTxInfo.AcctName=[REDACTED], IPP.SendSMS=1}
The logs contain a lot of sensitive information.
<TX><REQUEST_SN>5121367294</REQUEST_SN><CUST_ID>SHP680985471#201</CUST_ID><USER_ID>WLPT04</USER_ID><PASSWORD>[REDACTED]</PASSWORD><TX_CODE>6W1303</TX_CODE><LANGUAGE>CN</LANGUAGE><TX_INFO><ACC_NO1>3100************9835</ACC_NO1><BILL_CODE>310724400888049</BILL_CODE><ACC_NO2>6210***********5133</ACC_NO2><OTHER_NAME>[REDACTED]</OTHER_NAME><AMOUNT>1.00</AMOUNT><USEOF_CODE>31000022</USEOF_CODE><REM1>31000022</REM1><REM2>通联支付平台</REM2></TX_INFO></TX>
Receive: <?xml version="1.0" encoding="GB18030"?><TX> <REQUEST_SN>5121367294</REQUEST_SN> <CUST_ID>SHP680985471#201</CUST_ID> <TX_CODE>6W1303</TX_CODE> <RETURN_CODE>000000</RETURN_CODE> <RETURN_MSG>SUCCESS</RETURN_MSG> <LANGUAGE>CN</LANGUAGE> <TX_INFO> <CREDIT_NO>023795575168</CREDIT_NO> <INDIVIDUAL_NAME1></INDIVIDUAL_NAME1> <INDIVIDUAL1></INDIVIDUAL1> <INDIVIDUAL_NAME2></INDIVIDUAL_NAME2> <INDIVIDUAL2></INDIVIDUAL2> <REM1>31000022</REM1> <REM2>通联支付平台</REM2> </TX_INFO></TX>
These are all compressed files; add a .zip suffix and they can be extracted and read.
Plaintext passwords written to the log as well, unbelievable.
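As an added example (not part of the original report or the vendor's code), a small scanner a defender could run over application logs like the /ipplog entries above to find and mask the kinds of fields they expose: Luhn-valid card numbers, PRC resident ID numbers with a valid check digit, mobile numbers, and <PASSWORD> elements. The sample log text, the logger name and all values in it are constructed and fake.

```python
import re
# Constructed sample in the field layout of the leaked /ipplog entries; all values are fake.
SAMPLE_LOG = (
    "2015-12-13 16:21:27,882 INFO [hypothetical.Logger] - @@@ITS PlainReqMsg: <REQUEST><TX_INFO>"
    "<ACCT_NO>6226220000000009</ACCT_NO><ID_NO>110101199001011237</ID_NO><PHONE_NO>13800000000</PHONE_NO>"
    "<TRACE_NUM>51213637470</TRACE_NUM></TX_INFO></REQUEST>\n"
    "2015-12-13 16:22:01,004 INFO [hypothetical.Logger] - <TX><USER_ID>WLPT04</USER_ID><PASSWORD>s3cret!</PASSWORD></TX>\n"
)
ID_WEIGHTS = (7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2)
ID_CHECK = "10X98765432"
# Digit runs of the lengths leaked above (18-char ID, 13-19 digit card, 11-digit phone); lookarounds keep us out of longer numbers.
TOKEN_RE = re.compile(r"(?<!\d)(\d{17}[\dXx]|\d{13,19}|\d{11})(?![\dXx])")
PASSWORD_RE = re.compile(r"(<PASSWORD>)[^<]*(</PASSWORD>)")

def luhn_ok(digits):
    """Luhn check used by bank card numbers (PANs)."""
    doubled = ((int(c) * 2 if i % 2 else int(c)) for i, c in enumerate(reversed(digits)))
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0

def cn_id_ok(value):
    """Check digit of an 18-character PRC resident ID number (GB 11643)."""
    if len(value) != 18 or not value[:17].isdigit():
        return False
    s = sum(int(c) * w for c, w in zip(value[:17], ID_WEIGHTS))
    return ID_CHECK[s % 11] == value[17].upper()

def classify(token):
    """Kind of personal data a digit run looks like, or None."""
    if cn_id_ok(token):
        return "id_no"
    if re.fullmatch(r"1[3-9]\d{9}", token):
        return "phone"
    if token.isdigit() and 13 <= len(token) <= 19 and luhn_ok(token):
        return "card"  # caveat: about 10% of random digit runs also pass Luhn
    return None

def scrub(text):
    """Mask personal data in log text; return (masked_text, [(kind, masked), ...])."""
    findings = []
    def mask(m):
        tok = m.group(0)
        kind = classify(tok)
        if kind is None:
            return tok
        masked = "*" * (len(tok) - 4) + tok[-4:]
        findings.append((kind, masked))
        return masked
    out = TOKEN_RE.sub(mask, text)
    out, n = PASSWORD_RE.subn(r"\1[REDACTED]\2", out)
    findings.extend([("password", "[REDACTED]")] * n)
    return out, findings
```

Trace numbers and other non-personal digit runs (such as the 11-digit TRACE_NUM) are left untouched, so the output stays usable for troubleshooting.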
Delete the webshell, remove the invoker, and remove web-console.
Severity: High
Vulnerability Rank: 15
Confirmed at: 2015-12-30 12:58
Thank you for your attention; this has been submitted to R&D for remediation.
2016-02-04: Fixed