
Vulnerability Summary

Defect ID: wooyun-2015-0165972

Title: A shell found on an Allinpay (通联支付) system threatens the intranet and leaks a large amount of user information

Vendor: allinpay.com

Author: 路人甲

Submitted: 2015-12-30 12:02

Fixed: 2016-02-04 16:23

Published: 2016-02-04 16:23

Type: successful intrusion incident

Severity: High

Self-assessed Rank: 20

Status: fixed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-12-30: Details sent to the vendor, awaiting vendor handling
2015-12-30: Vendor confirmed; details visible to the vendor only
2016-01-09: Details opened to core white hats and relevant domain experts
2016-01-19: Details opened to regular white hats
2016-01-29: Details opened to intern white hats
2016-02-04: Vendor fixed the vulnerability and published voluntarily; details opened to the public

Brief description:

A shell was found that can threaten the intranet and leak a large amount of user information.

Details:

Address: https://180.169.5.227/ipp-payment-app/index.do?id=com.allinpay.cpg.IPaymentSaleService
The system uses JBoss as its middleware, and it has already become a "horse farm" (other people's webshells are already planted on it).
Shell address: https://180.169.5.227/wooyun/wpp1.jsp
Password: test.
When opening it or logging in, it may redirect to http; add the "s" back by hand.

[Screenshot: QQ截图20151230103629.png]


[Screenshot: QQ截图20151230103811.png]

Proof of vulnerability:

[Screenshot: QQ截图20151230103850.png]


Downloaded a log; the log path is /ipplog

[Screenshot: QQ截图20151230103941.png]


Looks like a UnionPay system again.

[Screenshot: QQ截图20151230104055.png]


2015-12-13 16:21:27,882 INFO http-0.0.0.0-8080-36 [com.allinpay.ets.tp.og.allinpay.its.AllinpayItsTP] - @@@ITS PlainReqMsg: <REQUEST><ENVELOPE><HEAD><VERSION>v1.0</VERSION><BUSINESS_TYPE>0001</BUSINESS_TYPE><PAY_TYPE>05</PAY_TYPE><TRANS_CODE>1001</TRANS_CODE><ACCESS_ID>IPP000000000001</ACCESS_ID><TRACE_NUM>51213637470</TRACE_NUM><TRANS_DATE>20151213</TRANS_DATE><TRANS_TIME>162127</TRANS_TIME></HEAD><TX_INFO><BANK_CODE>03050000</BANK_CODE><CNL_ID>9071</CNL_ID><ACCT_NAME>毛志强</ACCT_NAME><ACCT_CAT>01</ACCT_CAT><ACCT_NO>6226220912215828</ACCT_NO><ID_TYPE>01</ID_TYPE><ID_NO>140503197201027816</ID_NO><PHONE_NO>13191051639</PHONE_NO><EXTEND_INFO><SUB_MCHT><SUB_MCHT_ID>100000000000013</SUB_MCHT_ID><CNL_MCHT_ID>100000000000013</CNL_MCHT_ID><CNL_MCHT_NAME>上海天天基金销售有限公司</CNL_MCHT_NAME><CNL_MCHT_TYPE>1001</CNL_MCHT_TYPE></SUB_MCHT></EXTEND_INFO><REMARK>通联金融事业部签约申请</REMARK></TX_INFO></ENVELOPE><SIGNATURE><SIGN_TYPE>0</SIGN_TYPE><SIGN_MSG>A6BF4F9BAD462D6D8FE5D9ACB32B284B</SIGN_MSG></SIGNATURE></REQUEST>
2015-12-13 16:21:27,883 INFO http-0.0.0.0-8080-36 [com.allinpay.rcf.RemotingCallUtil] - Hessian service call:http://188.0.61.100:80/imessage/index.do?id=com.allinpay.ets.cmf.IMessageSendService
2015-12-13 16:21:27,924 INFO http-0.0.0.0-8080-36 [com.allinpay.ets.tp.impl.AbstractCommunicationService] - Receiver[ITS-实名认证,00001011,http://188.0.50.118:8080/its-pg-app/request,5要素实名认证 ]
Send Parameters:
{SignApplicationTxInfo.ExtendInfo=, Head.AccessID=IPP000000000001, SMSHead.TransCode=1002, RequestSMSTxInfo.PhoneNo=13191051639, SignApplicationTxInfo.AcctValidDate=, SignApplicationTxInfoSubMcht.CnlMchtType=1001, SignApplicationTxInfoSubMcht.CnlMchtName=上海天天基金销售有限公司, SignApplicationTxInfo.CnkID=03050000, SignApplicationTxInfo.QuotaTrans=, SignApplicationTxInfo.QuotaDay=, SignApplicationTxInfo.AcctCat=01, IMS.AgreementType=02, SignApplicationTxInfo.SmsAmount=, SignApplicationTxInfo.BankCode=03050000, SignApplicationTxInfo.PhoneNo=13191051639, SignConfirmTxInfo.ExtendInfo=通联金融事业部签约确认, SignApplicationTxInfoExtendInfo.SubMcht=, IPP.SMSField2=, SignApplicationTxInfo.Remark=通联金融事业部签约申请, SignApplicationTxInfo.IdNo=140503197201027816, SignApplicationTxInfoSubMcht.SubMchtId=100000000000013, Head.Version=v1.0, IPP.SMSField1=天天基金, SignApplicationTxInfo.AcctNo=6226220912215828, SignConfirmTxInfo.OriTransDate=20151213, Head.TransDate=20151213, RequestSMSTxInfo.ExtendInfo=通联金融事业部签约短信验证码发送, Signature.SignType=0, IMS.UserID=000000000000088, Head.BusinessType=0001, reqMsg=[...], RequestSMSTxInfo.OriTransDate=20151213, SignConfirmTxInfo.OriTraceNum=51213637470, ItsStep.Key=1, SignApplicationTxInfoSubMcht.CnkMchtID=100000000000013, Head.TransTime=162127, SignApplicationTxInfo.DayTimes=, Head.PayType=05, SignApplicationTxInfo.ValidDate=, IPP.SMSContent=您本次在{SMS_FIELD1}申请验证服务的动态码为:{VERIFY_CODE}。请勿将动态码告知他人并确认该申请是由您本人操作!, RequestSMSTxInfo.OriTraceNum=51213637470, Signature.SignMsg=1, SignApplicationTxInfo.IdType=01, Head.NotifyURL=, Head.TransCode=1001, SignApplicationTxInfo.Cvv2=, Head.TraceNum=51213637470, IMS.BusinessType=88, SignConfirmHead.TransCode=1003, SignApplicationTxInfo.AcctName=毛志强, IPP.SendSMS=1}


The logs contain a lot of sensitive information.

<TX><REQUEST_SN>5121367294</REQUEST_SN><CUST_ID>SHP680985471#201</CUST_ID><USER_ID>WLPT04</USER_ID><PASSWORD>tlzf1234</PASSWORD><TX_CODE>6W1303</TX_CODE><LANGUAGE>CN</LANGUAGE><TX_INFO><ACC_NO1>31001536888050029835</ACC_NO1><BILL_CODE>310724400888049</BILL_CODE><ACC_NO2>6210810650002405133</ACC_NO2><OTHER_NAME>王殿英</OTHER_NAME><AMOUNT>1.00</AMOUNT><USEOF_CODE>31000022</USEOF_CODE><REM1>31000022</REM1><REM2>通联支付平台</REM2></TX_INFO></TX>
Receive:
<?xml version="1.0" encoding="GB18030"?><TX> <REQUEST_SN>5121367294</REQUEST_SN> <CUST_ID>SHP680985471#201</CUST_ID> <TX_CODE>6W1303</TX_CODE> <RETURN_CODE>000000</RETURN_CODE> <RETURN_MSG>SUCCESS</RETURN_MSG> <LANGUAGE>CN</LANGUAGE> <TX_INFO> <CREDIT_NO>023795575168</CREDIT_NO> <INDIVIDUAL_NAME1></INDIVIDUAL_NAME1> <INDIVIDUAL1></INDIVIDUAL1> <INDIVIDUAL_NAME2></INDIVIDUAL_NAME2> <INDIVIDUAL2></INDIVIDUAL2> <REM1>31000022</REM1> <REM2>通联支付平台</REM2> </TX_INFO></TX>


These are all compressed files; add a .zip extension and they can be unpacked and read.

[Screenshot: QQ截图20151230104421.png]


[Screenshot: QQ截图20151230104540.png]


Plaintext passwords written to the log as well; what can you even say.

[Screenshot: QQ截图20151230104803.png]
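The log excerpts above show the three things that should never reach an application log at INFO level: full card numbers (ACCT_NO / AcctNo), 18-digit resident ID numbers (ID_NO / IdNo) together with names and mobile numbers, and a credential in clear (<PASSWORD>). The following is an added example, not code from the report or from the vendor: a small log scrubber that finds those field types in lines of the same shape and masks them, using the Luhn check for card numbers and the GB 11643-1999 check digit for ID numbers so that trace numbers, timestamps and similar digit runs are not flagged. The sample lines are constructed with made-up, checksum-valid test values; the field names copy the report's layout only.

```python
import re

# Constructed sample lines that copy the field layout seen in the report
# (XML tags, then the key=value "Send Parameters" dump). Every value is
# made-up, checksum-valid test data; none of it is taken from the page.
SAMPLE_LINES = [
    "2015-12-13 16:21:27,882 INFO http-0.0.0.0-8080-36 [example.TP] - @@@ITS PlainReqMsg: "
    "<REQUEST><TX_INFO><ACCT_NO>4111111111111111</ACCT_NO><ID_NO>11010519491231002X</ID_NO>"
    "<PHONE_NO>13800138000</PHONE_NO><TRACE_NUM>51213637470</TRACE_NUM></TX_INFO></REQUEST>",
    "<TX><REQUEST_SN>5121367294</REQUEST_SN><USER_ID>USER01</USER_ID>"
    "<PASSWORD>hunter2</PASSWORD><TX_CODE>6W1303</TX_CODE></TX>",
    "Send Parameters: {RequestSMSTxInfo.PhoneNo=13800138000, "
    "SignApplicationTxInfo.AcctNo=4111111111111111, Head.TraceNum=51213637470}",
]


def luhn_ok(digits: str) -> bool:
    """Luhn check: keeps trace numbers and other digit runs from being reported as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# GB 11643-1999 check digit for 18-character PRC resident ID numbers.
_ID_WEIGHTS = (7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2)
_ID_CHECK = "10X98765432"


def cn_id_ok(idno: str) -> bool:
    if len(idno) != 18 or not idno[:17].isdigit():
        return False
    s = sum(int(c) * w for c, w in zip(idno[:17], _ID_WEIGHTS))
    return _ID_CHECK[s % 11] == idno[17].upper()


def _mask_middle(v: str, head: int, tail: int) -> str:
    return v[:head] + "*" * (len(v) - head - tail) + v[-tail:]


# (kind, pattern, validator, masker). Order matters: the 18-character ID rule runs
# before the 13-19 digit PAN rule so an all-digit ID is not reported as a card.
RULES = (
    ("id_no", re.compile(r"(?<![0-9A-Za-z])\d{17}[0-9Xx](?![0-9A-Za-z])"),
     cn_id_ok, lambda v: _mask_middle(v, 6, 4)),
    ("pan", re.compile(r"(?<!\d)\d{13,19}(?!\d)"),
     luhn_ok, lambda v: _mask_middle(v, 6, 4)),       # first 6 / last 4 is the PCI DSS display limit
    ("phone", re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)"),
     lambda v: True, lambda v: _mask_middle(v, 3, 4)),
    ("password", re.compile(r"(?i)(?<=<PASSWORD>)[^<]+(?=</PASSWORD>)"),
     lambda v: True, lambda v: "***"),
    ("password", re.compile(r"(?i)(?<=PASSWORD=)[^,\s}<]+"),
     lambda v: True, lambda v: "***"),
)


def scrub_line(line: str):
    """Return (masked_line, findings); findings is a list of (kind, original_value)."""
    findings = []
    for kind, rx, valid, mask in RULES:
        def repl(m, kind=kind, valid=valid, mask=mask):
            v = m.group(0)
            if not valid(v):                 # looks like the type but fails its checksum: leave it
                return v
            findings.append((kind, v))
            return mask(v)
        line = rx.sub(repl, line)
    return line, findings


def scrub_lines(lines):
    """Scrub a whole log; returns (clean_lines, findings_per_line)."""
    out, found = [], []
    for ln in lines:
        clean, f = scrub_line(ln)
        out.append(clean)
        found.append(f)
    return out, found


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        clean, found = scrub_line(raw)
        print([k for k, _ in found])
        print(clean)
```

Run over the real /ipplog files (after unpacking them as the report describes) this gives both a redacted copy and a per-line inventory of what leaked, which is what the incident record needs; the findings list, not the masked text, is what to count when estimating how many customers were exposed. The validators are deliberate: without the Luhn and ID check digits, TRACE_NUM and REQUEST_SN values would be reported as card numbers.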

Fix recommendation:

Delete the shell, delete invoker, delete web-console.
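The three deletions above are the right fix for a JBoss host of this vintage, but a server that has already "become a horse farm" needs a sweep rather than a single file removal. The following is an added check, not part of the report or of the vendor's response: it walks a JBoss AS 4.x/5.x server/<profile>/deploy directory, lists the stock deployments that expose unauthenticated code execution (the invoker and web-console named in the fix, plus jmx-console and admin-console which ship beside them), and scores every JSP for common webshell indicators so the remaining shells can be triaged by score and file age. The deployment paths are from the stock JBoss layout as I know it and should be confirmed against the installed version; demo() builds a constructed deploy tree in a temporary directory so the script runs offline.

```python
import os
import re
import tempfile
import time

# Stock JBoss AS 4.x/5.x deployments (relative to server/<profile>/deploy) that hand
# out code execution when reachable without authentication. Names are from my own
# knowledge of the JBoss layout (an assumption); confirm against the installed version.
RISKY_DEPLOYMENTS = {
    "http-invoker.sar": "/invoker/JMXInvokerServlet and /invoker/EJBInvokerServlet (the 'invoker' in the fix)",
    "management/console-mgr.sar/web-console.war": "/web-console/ (the 'web-console' in the fix)",
    "jmx-console.war": "/jmx-console/ (MainDeployer can deploy an attacker's WAR)",
    "admin-console.war": "/admin-console/ (JBoss 5/6 admin UI)",
}

# Cheap webshell indicators for JSP triage; a file's score is the sum of matched weights.
SHELL_INDICATORS = (
    (re.compile(r"Runtime\.getRuntime\(\)\.exec"), 3, "Runtime.exec"),
    (re.compile(r"new\s+ProcessBuilder"), 3, "ProcessBuilder"),
    (re.compile(r"defineClass\s*\("), 3, "defineClass (reflective loader)"),
    (re.compile(r"request\.getParameter"), 1, "reads request parameter"),
    (re.compile(r"Base64|decodeBase64|getDecoder\(\)"), 1, "base64 decoding"),
    (re.compile(r"FileOutputStream|RandomAccessFile"), 1, "writes files"),
)


def find_risky_deployments(deploy_dir: str) -> list:
    return [rel for rel in RISKY_DEPLOYMENTS if os.path.exists(os.path.join(deploy_dir, rel))]


def score_jsp(text: str):
    score, hits = 0, []
    for rx, weight, label in SHELL_INDICATORS:
        if rx.search(text):
            score += weight
            hits.append(label)
    return score, hits


def audit(deploy_dir: str) -> dict:
    """List risky default deployments and every JSP under deploy_dir with shell indicators."""
    suspicious = []
    now = time.time()
    for root, _dirs, files in os.walk(deploy_dir):
        for name in files:
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            path = os.path.join(root, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                score, hits = score_jsp(fh.read())
            if score:
                suspicious.append({
                    "path": os.path.relpath(path, deploy_dir).replace(os.sep, "/"),
                    "score": score,
                    "indicators": hits,
                    "age_days": round((now - os.path.getmtime(path)) / 86400, 1),
                })
    suspicious.sort(key=lambda e: (-e["score"], e["age_days"]))   # worst and newest first
    return {"risky": find_risky_deployments(deploy_dir), "suspicious_jsp": suspicious}


def demo() -> dict:
    """Build a constructed deploy tree in a temp dir and audit it (offline demo)."""
    root = tempfile.mkdtemp(prefix="jboss-audit-")
    files = {
        "http-invoker.sar/META-INF/jboss-service.xml": "<server/>",
        "management/console-mgr.sar/web-console.war/index.html": "<html/>",
        "myapp.war/index.jsp": '<%@ page language="java" %><html>hello</html>',
        # constructed one-line command shell; not the wpp1.jsp from the report
        "ROOT.war/tmp/cmd.jsp": ('<%@ page import="java.io.*" %>'
                                 '<% String c = request.getParameter("cmd");'
                                 ' Process p = Runtime.getRuntime().exec(c); %>'),
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return audit(root)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Point audit() at the real deploy directory instead of the demo tree. Removing the risky deployments closes the route the shells came in by; the JSP list, sorted by score and then by age, is the cleanup list. Anything the score misses can still be caught by comparing the tree against a clean copy of the deployed release, and the credentials that appear in the logs (the <PASSWORD> values) must be rotated regardless, since the shell's owners have had the same read access to /ipplog that the report demonstrates.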

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-12-30 12:58

Vendor reply:

Thank you for your attention; it has been submitted to R&D for remediation.

Latest status:

2016-02-04: Fixed