当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-098759

漏洞标题:皮书数据库Getshell+多处数据库信息+服务器已成马场

相关厂商:ssap.com.cn

漏洞作者: 路人甲

提交时间:2015-03-02 10:24

修复时间:2015-03-07 10:26

公开时间:2015-03-07 10:26

漏洞类型:命令执行

危害等级:中

自评Rank:10

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-03-02: 细节已通知厂商并且等待厂商处理中
2015-03-07: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

皮书数据库Getshell+多处数据库信息

详细说明:

http://202.201.7.35/web/template/web-index.action
命令测试入口


1.png

漏洞证明:

包含数据库信息:
url = jdbc:sqlserver://localhost:1433; DatabaseName=test
username = sa
password = sqlserver@312
driverClassName = com.microsoft.sqlserver.jdbc.SQLServerDriver


#sqlserver version database settings
jdbc.driver=com.microsoft.sqlserver.jdbc.SQLServerDriver
jdbc.url=jdbc:sqlserver://localhost:1433;DatabaseName=pishu_db
jdbc.username=sa
jdbc.password=sqlserver@312
#hibernate.dialect=org.hibernate.dialect.SQLServerDialect
hibernate.dialect=cn.vsp.ssap.common.dialect.VspSQLServerDialect
hibernate.show_sql=false
hibernate.format_sql=true
#dbcp settings
dbcp.initialSize=5
dbcp.maxActive=20
dbcp.maxIdle=10


# system time zone 8: East Eight Zone  -8: West Eight Zone
wc_sys_timezone=8
# system default language
wc_sys_default_lang=zh_CN
# password minimum length
wc_sys_passwd_minlen=6
# password maximum length
wc_sys_passwd_maxlen=20
# client list size
wc_list_size_client=10
# client page diff
wc_page_diff_client=3
# the same folder relative doc size
wc_page_relative_doc=5
# admin list size
wc_list_size_admin=10
# admin page diff
wc_page_diff_admin=3
# initial folder tree show level
wc_folder_tree_showlevel=1
# folder tree max level
wc_folder_tree_maxlevel=5
# source document name maximum length
wc_src_docname_maxlen=100
# source folder name maximum length
wc_src_foldername_maxlen=30
# allow source extension
wc_src_allow_exts=pdf|epub
# allow water-mark image extension
wc_wmimg_allow_exts=jpg|gif|jpeg|tiff|tif|bmp|png
# system base path
wc_sys_base_path=http://192.168.1.27:8087/foxit-drm-test
# system ftp server base path
wc_sys_ftp_path=D\:/Test/
# server RSA private key
wc_sys_rsa_prv_key=AAAAQMgVp6FfrFPmYLR0a/sEavD7UGZrBtJ0ldU8jKLZzCNYsWpad0aeQzTs6uflo5unwxjs/TdCcf6hbAb7ng3nQ1kAAABA1LzJ7UttvPwvM0cTwzrYCaOLA+UEQwpxn8xYISF6I/RDAJRsKYJd3/bFQZcC2JCaeqPnQgYDTpDZ30wuJ3AA+QAAAEAjTx2U8sQOzk1NBXx3l14qhrPV1qbZ2FatKM2GJm9RiB9PAOffSRrrON4o7EoMaOYxkzu+dSMs709MhsGJ+6J5AAAAQGQcm0J92UngFjY/kNRX7TG2X4lctrYjCEsy/EvThMWgH4fNYBOIpKWhTcSDTKIl7lfUqRAC1GE1GzvnnT+8PLEAAABAIcZqVQdULNEsaEYtPM+Vam6QlQWZqUfANBdwCG4O6hMmtsH12yXntYQ2abCtLzkklvKGGC3cJO7jUJguiTTeAQ\=\=XRlx0jgDprz7Fd4EJ0yN0ol9mmgvAU8C0v3/tUQFaCiDzLjZDFjqJ0AaQedV5I18D8Pe38+Dbrd++e++iVnMUH+kIF7NBwKtWJpFhepFUD7Di4AcNw9FDF+bE4kxfssKbzZkXpG8vMpvey+g8Y5P7tJVU1NEXhtF9Me5o95C4fc\=
# server RSA public key
wc_sys_rsa_pub_key=AAAAgKZFfIs1WvmV7brO2Y22wkl79mA/n2ZL3znTrJt+1jihWsdHh3y3yHqhsNyjK6kcbkR21O2lUCI81pEcsEk2rJqj4fEsRMvIVzxOX9qfbnuj5MlJKYrVq0EcrObBCTiJ6O0rT8O55DIVQgDGsAgZka/35l87bAZFhn8ikymL4IGRAAAAARE\=
# system administrator account
wc_sys_admin_account=admin
# system administrator password
wc_sys_admin_password=admin
## enduser path configuration block
# end user root path
wc_eu_path_root=d\:/z_drm_base/end-user/
# use default child folder structure 1(yes|true) 0(no|false)
wc_eu_path_child_default=yes
# if use default child folder, the folder configuration below about end-user not required.
# end user certificate folder
wc_eu_folder_cert=/cert/
# end user cloud reading root folder
wc_eu_folder_cloud=/free/
# end user cloud reading pdf folder
wc_eu_folder_cloud_pdf=/free/pdf/
# end user cloud reading index folder
wc_eu_folder_cloud_index=/free/index/
# end user cloud reading notation folder
wc_eu_folder_cloud_note=/free/note/
# end user online reading root folder
wc_eu_folder_online=/drm/
# end user online reading pdf folder
wc_eu_folder_online_pdf=/drm/pdf/
# end user online reading index folder
wc_eu_folder_online_index=/drm/index/
# end user online reading bookmark folder
wc_eu_folder_online_bookmark=/drm/bookmark/
# end user online reading notation folder
wc_eu_folder_online_note=/drm/note/
# end user order reading root folder
wc_eu_folder_order=/order/
# end user envelop root folder
wc_eu_folder_envelop=/envelop/
# end user temp folder
wc_eu_folder_temp=/temp/
## Source file path configuration block
# root folder path
wc_src_path_root=d\:/z_drm_base/foxit/
# use default child folder structure 1(yes|true) 0(no|false)
wc_src_path_child_default=true
# if use default child folder, the folder configuration below about source not required.
# source file folder
wc_src_folder_source=/source/
# pretreat root folder
wc_src_folder_pretreat=/pretreat/
# pretreat pdf folder
wc_src_folder_pretreat_pdf=/pretreat/pdf/
# pretreat index folder
wc_src_folder_pretreat_index=/pretreat/index/
# pretreat notation folder
wc_src_folder_pretreat_note=/pretreat/note/
# pretreat pre-encrypt folder
wc_src_folder_encrypt=/preencrypt/
# temp fodler
wc_src_folder_temp=/temp/
# water-mark (image|PDF) folder
wc_src_folder_wmfile=/wmfile/

修复方案:

你懂得!

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-03-07 10:26

厂商回复:

最新状态:

暂无