华夏基金某站命令执行可Getshell涉及多台内网主机/敏感信息泄露

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0167036

漏洞标题：华夏基金某站命令执行可Getshell涉及多台内网主机/敏感信息泄露

漏洞作者： k0_pwn

提交时间：2016-01-03 19:40

修复时间：2016-02-12 18:49

公开时间：2016-02-12 18:49

漏洞类型：命令执行

危害等级：高

自评Rank：10

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2016-01-03：细节已通知厂商并且等待厂商处理中
2016-01-03：厂商已经确认，细节仅向厂商公开
2016-01-13：细节向核心白帽子及相关领域专家公开
2016-01-23：细节向普通白帽子公开
2016-02-02：细节向实习白帽子公开
2016-02-12：细节向公众公开

简要描述：

rt，听说有小礼物：）

详细说明：

虽然81端口无法访问内容了，但weblogic中间件还在，导致weblogic的java反序列化仍然存在
地址

http://218.247.188.69:81

查看ipconfig

涉及多台内网主机，看名字，有app的，有服务器，有ftp的

可以上传文件，添加用户，3389已开，添加了一个test用户（已删除）

3389已开

各种敏感文件任意读取，这里用config.xml举例，其中涉及到和内网的数据库连接，地址192.168.2.202 1521端口

<?xml version="1.0" encoding="UTF-8"?>
<Domain AdministrationPortEnabled="true" ConfigurationVersion="8.1.6.0" Name="chinaamcdomain">
    <Server ListenAddress="" ListenPort="8001" Name="myserver"
        NativeIOEnabled="true" ReliableDeliveryPolicy="RMDefaultPolicy" ServerVersion="8.1.6.0">
        <SSL Enabled="false" HostnameVerificationIgnored="false"
            IdentityAndTrustLocations="KeyStores" Name="myserver"/>
        <Log FileName=".\logs\myserver.log" Name="myserver" NumberOfFilesLimited="true"/>
        <WebServer LogFileLimitEnabled="true"
            LogFileName=".\logs\access.log" Name="myserver"/>
        <ExecuteQueue Name="NewQueue" ThreadCount="40"/>
        <ExecuteQueue Name="weblogic.kernel.Default" ThreadCount="70"/>
    </Server>
    <JMSFileStore Directory="rmfilestore" Name="FileStore"/>
    <WSReliableDeliveryPolicy DefaultRetryCount="10"
        DefaultTimeToLive="60000" Name="RMDefaultPolicy" Store="FileStore"/>
    <Security Name="chinaamcdomain"
        PasswordPolicy="wl_default_password_policy"
        Realm="wl_default_realm" RealmSetup="true"/>
    <EmbeddedLDAP
        CredentialEncrypted="{3DES}s6Z983eQ3F/tXrf7XLkC6NTfwiVesL8YlAT01mOHudA=" Name="chinaamcdomain"/>
    <SecurityConfiguration
        CredentialEncrypted="{3DES}THOnOB8v5r+PbRU6JH6shyoEaOFhknNcWyJApcf+EyjsdsKQDIAelwxWtfwk26HzfulR4Ten+xiGTUiFCZ/kvapRo0jVRSe4"
        Name="chinaamcdomain" RealmBootStrapVersion="1"/>
    <Realm FileRealm="wl_default_file_realm" Name="wl_default_realm"/>
    <FileRealm Name="wl_default_file_realm"/>
    <PasswordPolicy Name="wl_default_password_policy"/>
    <JMSServer Name="WSStoreForwardInternalJMSServermyserver"
        Store="FileStore" Targets="myserver">
        <JMSQueue CreationTime="1212056018062"
            JNDIName="jms.internal.queue.WSStoreForwardQueue"
            JNDINameReplicated="false" Name="WSInternaljms.internal.queue.WSStoreForwardQueuemyserver"/>
        <JMSQueue CreationTime="1212056018281"
            JNDIName="jms.internal.queue.WSDupsEliminationHistoryQueue"
            JNDINameReplicated="false" Name="WSInternaljms.internal.queue.WSDupsEliminationHistoryQueuemyserver"/>
    </JMSServer>
    <Application Name="portal"
        Path="D:\bea813\chinaamcdomain\applications"
        StagingMode="nostage" TwoPhase="true">
        <WebAppComponent Name="portal" Targets="myserver" URI="portal.war"/>
    </Application>
    <Log FileName=".\logs\chinaamcdomain.log" Name="chinaamcdomain" NumberOfFilesLimited="true"/>
    <JDBCConnectionPool ConnProfilingEnabled="true"
        DriverName="oracle.jdbc.OracleDriver" Name="chatodspool"
        PasswordEncrypted="{3DES}QihGOCtObwI="
        Properties="user=weblinkods"
        RemoveInfectedConnectionsEnabled="false" Targets="myserver"
        TestConnectionsOnRelease="true" TestConnectionsOnReserve="true"
        TestTableName="SQL SELECT 1 FROM DUAL" URL="jdbc:oracle:thin:@(DESCRIPTION =(LOAD_BALANCE = yes)(ADDRESS = (PROTOCOL = TCP)(HOST = 180.1.2.198)(PORT = 1521))(ADDRESS = (PROTOCOL = TCP)(HOST = 180.1.2.199)(PORT = 1521))(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = RAC)(FAILOVER_MODE =(TYPE = SELECT)(METHOD = BASIC)(RETRIES = 180)(DELAY = 5))))"/>
    <JDBCTxDataSource JNDIName="jdbc/chatods" Name="chatodsDS"
        PoolName="chatodspool" Targets="myserver"/>
    <JDBCConnectionPool ConnProfilingEnabled="true"
        ConnectionReserveTimeoutSeconds="60"
        DriverName="oracle.jdbc.OracleDriver" InitialCapacity="5"
        Name="dev/sa" PasswordEncrypted="{3DES}pzzwAKAfT4K4SrbQebRpFg=="
        Properties="user=dev" RemoveInfectedConnectionsEnabled="false"
        Targets="myserver" TestConnectionsOnCreate="true"
        TestConnectionsOnRelease="true" TestConnectionsOnReserve="true"
        TestFrequencySeconds="60" TestTableName="SQL SELECT 1 FROM DUAL"
        URL="jdbc:oracle:thin:@192.168.1.202:1521:astprd" XAPasswordEncrypted=""/>
    <JDBCConnectionPool ConnProfilingEnabled="true"
        ConnectionReserveTimeoutSeconds="60"
        DriverName="oracle.jdbc.OracleDriver" InitialCapacity="5"
        Name="hxuser/sa"
        PasswordEncrypted="{3DES}ZTpWRQY77RFZG11lETScvw=="
        Properties="user=chinaamc"
        RemoveInfectedConnectionsEnabled="false" Targets="myserver"
        TestConnectionsOnCreate="true" TestConnectionsOnRelease="true"
        TestConnectionsOnReserve="true" TestFrequencySeconds="60"
        TestTableName="SQL SELECT 1 FROM DUAL"
        URL="jdbc:oracle:thin:@(DESCRIPTION=(FAILOVER = on)(LOAD_BALANCE = off)(ADDRESS=(PROTOCOL = TCP)(HOST = webdb1_vip)(PORT = 1521)) (ADDRESS=(PROTOCOL = TCP)(HOST = webdb2_vip)(PORT = 1521))(CONNECT_DATA=(SERVER = DEDICATED)(SERVICE_NAME = webdb_TAF)))" XAPasswordEncrypted=""/>
    <JDBCTxDataSource JNDIName="hxuser/sa" Name="hxuser/sa"
        PoolName="hxuser/sa" Targets="myserver"/>
    <JDBCTxDataSource JNDIName="dev/sa" Name="dev/sa" PoolName="dev/sa" Targets="myserver"/>
    <Application Name="hxjj"
        Path="D:\bea813\chinaamcdomain\applications"
        StagingMode="nostage" TwoPhase="true">
        <WebAppComponent Name="hxjj" Targets="myserver" URI="hxjj"/>
    </Application>
    <Application Name="etrading"
        Path="D:\bea813\chinaamcdomain\applications"
        StagingMode="nostage" TwoPhase="true">
        <WebAppComponent Name="etrading" Targets="myserver" URI="etrading"/>
    </Application>
    <Application Name="product"
        Path="D:\bea813\chinaamcdomain\applications"
        StagingMode="nostage" TwoPhase="true">
        <WebAppComponent Name="product" Targets="myserver" URI="product"/>
    </Application>
</Domain>

这里我们可以获得serializedsystemini.dat，通过java解密3des加密，这种加密相对老一些，比aes要弱一些

漏洞证明：

<?xml version="1.0" encoding="UTF-8"?>
<Domain AdministrationPortEnabled="true" ConfigurationVersion="8.1.6.0" Name="chinaamcdomain">
    <Server ListenAddress="" ListenPort="8001" Name="myserver"
        NativeIOEnabled="true" ReliableDeliveryPolicy="RMDefaultPolicy" ServerVersion="8.1.6.0">
        <SSL Enabled="false" HostnameVerificationIgnored="false"
            IdentityAndTrustLocations="KeyStores" Name="myserver"/>
        <Log FileName=".\logs\myserver.log" Name="myserver" NumberOfFilesLimited="true"/>
        <WebServer LogFileLimitEnabled="true"
            LogFileName=".\logs\access.log" Name="myserver"/>
        <ExecuteQueue Name="NewQueue" ThreadCount="40"/>
        <ExecuteQueue Name="weblogic.kernel.Default" ThreadCount="70"/>
    </Server>
    <JMSFileStore Directory="rmfilestore" Name="FileStore"/>
    <WSReliableDeliveryPolicy DefaultRetryCount="10"
        DefaultTimeToLive="60000" Name="RMDefaultPolicy" Store="FileStore"/>
    <Security Name="chinaamcdomain"
        PasswordPolicy="wl_default_password_policy"
        Realm="wl_default_realm" RealmSetup="true"/>
    <EmbeddedLDAP
        CredentialEncrypted="{3DES}s6Z983eQ3F/tXrf7XLkC6NTfwiVesL8YlAT01mOHudA=" Name="chinaamcdomain"/>
    <SecurityConfiguration
        CredentialEncrypted="{3DES}THOnOB8v5r+PbRU6JH6shyoEaOFhknNcWyJApcf+EyjsdsKQDIAelwxWtfwk26HzfulR4Ten+xiGTUiFCZ/kvapRo0jVRSe4"
        Name="chinaamcdomain" RealmBootStrapVersion="1"/>
    <Realm FileRealm="wl_default_file_realm" Name="wl_default_realm"/>
    <FileRealm Name="wl_default_file_realm"/>
    <PasswordPolicy Name="wl_default_password_policy"/>
    <JMSServer Name="WSStoreForwardInternalJMSServermyserver"
        Store="FileStore" Targets="myserver">
        <JMSQueue CreationTime="1212056018062"
            JNDIName="jms.internal.queue.WSStoreForwardQueue"
            JNDINameReplicated="false" Name="WSInternaljms.internal.queue.WSStoreForwardQueuemyserver"/>
        <JMSQueue CreationTime="1212056018281"
            JNDIName="jms.internal.queue.WSDupsEliminationHistoryQueue"
            JNDINameReplicated="false" Name="WSInternaljms.internal.queue.WSDupsEliminationHistoryQueuemyserver"/>
    </JMSServer>
    <Application Name="portal"
        Path="D:\bea813\chinaamcdomain\applications"
        StagingMode="nostage" TwoPhase="true">
        <WebAppComponent Name="portal" Targets="myserver" URI="portal.war"/>
    </Application>
    <Log FileName=".\logs\chinaamcdomain.log" Name="chinaamcdomain" NumberOfFilesLimited="true"/>
    <JDBCConnectionPool ConnProfilingEnabled="true"
        DriverName="oracle.jdbc.OracleDriver" Name="chatodspool"
        PasswordEncrypted="{3DES}QihGOCtObwI="
        Properties="user=weblinkods"
        RemoveInfectedConnectionsEnabled="false" Targets="myserver"
        TestConnectionsOnRelease="true" TestConnectionsOnReserve="true"
        TestTableName="SQL SELECT 1 FROM DUAL" URL="jdbc:oracle:thin:@(DESCRIPTION =(LOAD_BALANCE = yes)(ADDRESS = (PROTOCOL = TCP)(HOST = 180.1.2.198)(PORT = 1521))(ADDRESS = (PROTOCOL = TCP)(HOST = 180.1.2.199)(PORT = 1521))(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = RAC)(FAILOVER_MODE =(TYPE = SELECT)(METHOD = BASIC)(RETRIES = 180)(DELAY = 5))))"/>
    <JDBCTxDataSource JNDIName="jdbc/chatods" Name="chatodsDS"
        PoolName="chatodspool" Targets="myserver"/>
    <JDBCConnectionPool ConnProfilingEnabled="true"
        ConnectionReserveTimeoutSeconds="60"
        DriverName="oracle.jdbc.OracleDriver" InitialCapacity="5"
        Name="dev/sa" PasswordEncrypted="{3DES}pzzwAKAfT4K4SrbQebRpFg=="
        Properties="user=dev" RemoveInfectedConnectionsEnabled="false"
        Targets="myserver" TestConnectionsOnCreate="true"
        TestConnectionsOnRelease="true" TestConnectionsOnReserve="true"
        TestFrequencySeconds="60" TestTableName="SQL SELECT 1 FROM DUAL"
        URL="jdbc:oracle:thin:@192.168.1.202:1521:astprd" XAPasswordEncrypted=""/>
    <JDBCConnectionPool ConnProfilingEnabled="true"
        ConnectionReserveTimeoutSeconds="60"
        DriverName="oracle.jdbc.OracleDriver" InitialCapacity="5"
        Name="hxuser/sa"
        PasswordEncrypted="{3DES}ZTpWRQY77RFZG11lETScvw=="
        Properties="user=chinaamc"
        RemoveInfectedConnectionsEnabled="false" Targets="myserver"
        TestConnectionsOnCreate="true" TestConnectionsOnRelease="true"
        TestConnectionsOnReserve="true" TestFrequencySeconds="60"
        TestTableName="SQL SELECT 1 FROM DUAL"
        URL="jdbc:oracle:thin:@(DESCRIPTION=(FAILOVER = on)(LOAD_BALANCE = off)(ADDRESS=(PROTOCOL = TCP)(HOST = webdb1_vip)(PORT = 1521)) (ADDRESS=(PROTOCOL = TCP)(HOST = webdb2_vip)(PORT = 1521))(CONNECT_DATA=(SERVER = DEDICATED)(SERVICE_NAME = webdb_TAF)))" XAPasswordEncrypted=""/>
    <JDBCTxDataSource JNDIName="hxuser/sa" Name="hxuser/sa"
        PoolName="hxuser/sa" Targets="myserver"/>
    <JDBCTxDataSource JNDIName="dev/sa" Name="dev/sa" PoolName="dev/sa" Targets="myserver"/>
    <Application Name="hxjj"
        Path="D:\bea813\chinaamcdomain\applications"
        StagingMode="nostage" TwoPhase="true">
        <WebAppComponent Name="hxjj" Targets="myserver" URI="hxjj"/>
    </Application>
    <Application Name="etrading"
        Path="D:\bea813\chinaamcdomain\applications"
        StagingMode="nostage" TwoPhase="true">
        <WebAppComponent Name="etrading" Targets="myserver" URI="etrading"/>
    </Application>
    <Application Name="product"
        Path="D:\bea813\chinaamcdomain\applications"
        StagingMode="nostage" TwoPhase="true">
        <WebAppComponent Name="product" Targets="myserver" URI="product"/>
    </Application>
</Domain>

修复方案：

升级weblogic或彻底关闭访问权限，加固

版权声明：转载请注明来源 k0_pwn@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：10

确认时间：2016-01-03 20:38

厂商回复：

非常感谢您对我们网站安全的大力支持。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0167036

漏洞标题：华夏基金某站命令执行可Getshell涉及多台内网主机/敏感信息泄露

相关厂商：华夏基金

漏洞作者： k0_pwn

提交时间：2016-01-03 19:40

修复时间：2016-02-12 18:49

公开时间：2016-02-12 18:49

漏洞类型：命令执行

危害等级：高

自评Rank：10

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 k0_pwn@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0167036

漏洞标题：华夏基金某站命令执行可Getshell涉及多台内网主机/敏感信息泄露

相关厂商：华夏基金

漏洞作者： k0_pwn

提交时间：2016-01-03 19:40

修复时间：2016-02-12 18:49

公开时间：2016-02-12 18:49

漏洞类型：命令执行

危害等级：高

自评Rank：10

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2016-0167036"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 k0_pwn@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：