当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0167872

漏洞标题:运营商安全之中国电信189邮箱系统可Getshell(内含多库可致大量内网敏感信息泄漏)

相关厂商:中国电信

漏洞作者: 李旭敏

提交时间:2016-01-07 12:56

修复时间:2016-02-22 16:48

公开时间:2016-02-22 16:48

漏洞类型:系统/服务补丁不及时

危害等级:高

自评Rank:12

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-01-07: 细节已通知厂商并且等待厂商处理中
2016-01-11: 厂商已经确认,细节仅向厂商公开
2016-01-21: 细节向核心白帽子及相关领域专家公开
2016-01-31: 细节向普通白帽子公开
2016-02-10: 细节向实习白帽子公开

简要描述:

可泄漏近大量用户姓名,联系方式,地址。
大量内网敏感信息。

详细说明:

http://**.**.**.**:4180/login/login.do 存在sturts2命令执行漏洞
web路径为: /opt/hermes/billManager/resin_billmanager/webapps/bill/

3.png


4.png


内附大量用户信息。

5.jpg


数据库太多了,就不仔细一一连接了。可以肯定的是,这绝对绝对不是测试系统!

漏洞证明:

<!-- 数据库的引用名称 -->
		<hermes>
			<user>{IDEA}raC3qKC2</user>
			<password>{IDEA}raC3qKC2</password>
			<database>HERMES</database>
			<server>ORADB</server>
			<driver>oracle</driver>
		</hermes>
		<aimc-test-229>
			<user>{IDEA}pKywsKg=</user>
			<password>{IDEA}W1Gm6xJC3Fer</password>
			<database>AIMC-TEST-229</database>
			<server>AIMC-TEST-229</server>
			<driver>oracle</driver>
		</aimc-test-229>
		<hermes-db-240>
			<user>{IDEA}raC3qKC2</user>
			<password>{IDEA}raC3qKC2</password>
			<database>HERMES</database>
			<server>HERMES</server>
			<driver>oracle</driver>
		</hermes-db-240>
		<integ-db-240>
			<user>{IDEA}jIuRgII=</user>
			<password>{IDEA}jIuRgII=</password>
			<database>INTEG</database>
			<server>INTEG</server>
			<driver>oracle</driver>
		</integ-db-240>
		<ms1-index-db>
		    <user>{IDEA}t6qqsQ==</user>
            <password>{IDEA}9PT09PT0</password>
			<database>test</database>
			<server>**.**.**.**</server>
			<driver>mysql</driver>


com.mysql.jdbc.Driver
jdbc:mysql**.**.**.**:3306/Bill189DB?user=root&password=bI11i89db

1.png


某表段包含过亿数据,无奈mysql查询时直接卡死,管理员也没有进行索引

2.png


<project basedir="." default="mysql189bill" name="189bill">
	<path id="mySqlDriver.classpath">
                <pathelement location="../lib/mysql-connector-java-5.1.18-bin.jar"/>
        </path>
        <path id="oracleDriver.classpath">
                <pathelement location="../lib/classes12.jar"/>
        </path>
        <target name="db_189bill" description="sql for 189bill">
                <sql driver="oracle.jdbc.driver.OracleDriver"
                url="jdbc:oracle:thin:ehome_bill/ehomebill090512@**.**.**.**:1521:prtdb"
                        userid="ehome_bill" password="ehomebill090512"
                        onerror="continue" print="yes"
                src="oracle.sql"
                        classpathref="oracleDriver.classpath"
                />
        </target>
	<target description="Executes an SQL Script" name="mysql189bill">  
         <sql classpathref="mySqlDriver.classpath"   
            driver="com.mysql.jdbc.Driver"  
            src="${sqlfile}"  print="yes"
            url="jdbc:mysql://localhost:3306/Bill189DB?autoReconnect=true&amp;useUnicode=true&amp;characterEncoding=gbk"
            userid="root"  
            password="123456"/>  
	</target>
	
		<!-- ?????欢  -->
		<property name="serv.user" value="hermes" />
		<property name="serv.password-scp" value="!@#$&amp;*()@" />
		<property name="serv.port" value="22" />
		<property name="serv.knownhosts" value="/opt/hermes/.ssh/known_hosts" />
		<!-- scp ?版??″?;  -->
		<target  name="scp2server">


<forward_alias_domain>**.**.**.**</forward_alias_domain>
		<ldap_url>ldap**.**.**.**:8889</ldap_url>
		<ldap_authtype>simple</ldap_authtype>
		<ldap_username>admin</ldap_username>


<V_NEW_USER_URL>http://**.**.**.**/webmail/activeUser.jsp?action=0#toUserID=%s#ip=%s</V_NEW_USER_URL>
                <V_COMMEND_USER_URL>http://**.**.**.**/webmail/activeUser.jsp?action=1#toUserID=%s#recommendUserID=%s#ip=%s</V_COMMEND_USER_URL>
                <MT_URL>**.**.**.**:8082/uwpp/request/mt.jsp?sp_code=21CN#cp_code=21CNEMAIL#cp_id=21cnemail#cp_pwd=myemail137#service_id=DXZCYJ#fee=%s#des=%s#src=2100#content=%s#fmt=GBK#msg_type=3#link_id=%s#region=%s</MT_URL>
                <CORP_MT_URL>**.**.**.**:8082/uwpp/request/corp.jsp?cp_code=21CNEMAIL#cp_id=21cnemail#cp_pwd=myemail137#des=%s#content=%s#sp_code=21CN</CORP_MT_URL>


<server_ip> hermes_appdog_host</server_ip>
                    <server_port>110</server_port>
                    <server_conn_timeout>5</server_conn_timeout>
                    <server_transport_timeout>5</server_transport_timeout>
                    <test_account>hermesmon@1</test_account>
                    <test_account_pwd>hermesmon</test_account_pwd>
                    <smon_server_ip>**.**.**.**</smon_server_ip>
                    <smon_server_port>8000</smon_server_port>


<server_name>guid-svr1</server_name>
                    <sap_name>guid-svc-sock-sap</sap_name>
                    <test_account>hermesmon@**.**.**.**</test_account>
                    <test_account_pwd>hermesmon</test_account_pwd>
                    <client_group_name>guid</client_group_name>
                    <server_group_id>0</server_group_id>
                    <check_interval>2</check_interval>
                </watch_object>
                <watch_object id="2">
                    <name>UD</name>
                    <enable>yes</enable>
                    <!--modify by liyang-->
                    <server_name>ud-svr1</server_name>
                    <sap_name>ud-svc-sock-sap</sap_name>
                    <server_conn_timeout>5</server_conn_timeout>
                    <server_transport_timeout>5</server_transport_timeout>
                    <test_account>hermesmon@1</test_account>
                    <test_account_pwd>hermesmon</test_account_pwd>
                    <client_group_name>lmtp</client_group_name>
                    <server_group_id>1</server_group_id>
                    <check_interval>2</check_interval>
                    <restart_retry_times>3</restart_retry_times>
                </watch_object>
                <watch_object id="3">
                    <name>ms</name>
                    <enable>yes</enable>
                    <!--modify by liyang-->
                    <server_name>ms-svr1</server_name>
                    <sap_name>ms-svc-sock-sap</sap_name>
                    <test_account>zas@testmail.**.**.**.**</test_account>
                    <test_account_pwd>111111</test_account_pwd>
                    <client_group_name>lmtp</client_group_name>
                    <server_group_id>1</server_group_id>
                    <check_interval>2</check_interval>
                    <restart_retry_times>3</restart_retry_times>
                </watch_object>
                <watch_object id="4">
                    <name>session</name>
                    <enable>yes</enable>
                    <!--modify by liyang-->
                    <server_name>session-svr1</server_name>
                    <sap_name>session-svc-sock-sap</sap_name>
                    <server_conn_timeout>5</server_conn_timeout>
                    <server_transport_timeout>5</server_transport_timeout>
                    <test_account>hermesmon@1</test_account>
                    <test_account_pwd>hermesmon</test_account_pwd>
                    <client_group_name>session</client_group_name>
                    <server_group_id>1</server_group_id>
                    <check_interval>2</check_interval>
                </watch_object>
                <watch_object id="5">
                    <name>pop3</name>
                    <enable>yes</enable>
                    <!--modify by liyang-->
                    <server_name>pop3-svr1</server_name>
                    <sap_name>pop3-svc-sock-sap</sap_name>
                    <server_conn_timeout>5</server_conn_timeout>
                    <server_transport_timeout>5</server_transport_timeout>
                    <test_account>hermesmon@1</test_account>
                    <test_account_pwd>hermesmon</test_account_pwd>
                    <client_group_name>lmtp</client_group_name>
                    <server_group_id>1</server_group_id>
                    <check_interval>2</check_interval>
                </watch_object>
                <watch_object id="6">
                    <name>lmtp</name>
                    <enable>yes</enable>
                    <!--modify by liyang-->
                    <server_name>lmtp-svr1</server_name>
                    <sap_name>lmtp-svc-sock-sap</sap_name>
                    <server_conn_timeout>5</server_conn_timeout>
                    <server_transport_timeout>5</server_transport_timeout>
                    <test_account>hermesmon@1</test_account>
                    <test_account_pwd>hermesmon</test_account_pwd>
                    <client_group_name>lmtp</client_group_name>
                    <server_group_id>1</server_group_id>
                    <check_interval>2</check_interval>
                </watch_object>
                <watch_object id="7">
                    <name>imap</name>
                    <enable>yes</enable>
                    <!--modify by liyang-->
                    <server_name>imap-svr1</server_name>
                    <sap_name>imap-svc-sock-sap</sap_name>
                    <server_conn_timeout>5</server_conn_timeout>
                    <server_transport_timeout>5</server_transport_timeout>
                    <test_account>hermesmon@1</test_account>
                    <test_account_pwd>hermesmon</test_account_pwd>
                    <client_group_name>lmtp</client_group_name>
                    <server_group_id>1</server_group_id>
                    <check_interval>2</check_interval>
                </watch_object>
               <watch_object id="8">
                     <name>eop</name>
                    <enable>yes</enable>
                    <!--modify by liyang-->
                    <server_name>eop-svr1</server_name>
                    <sap_name>eop-svc-sock-sap</sap_name>
                    <server_conn_timeout>5</server_conn_timeout>
                    <server_transport_timeout>5</server_transport_timeout>
                    <test_account>zas@1</test_account>
                    <test_account_pwd>111111</test_account_pwd>
                    <client_group_name>eop</client_group_name>
                    <server_group_id>1</server_group_id>
                    <check_interval>2</check_interval>
              </watch_object>
            </app_client_conf>
            <ip_allow_list>
                <ip1>**.**.**.**</ip1>
                <ip2>**.**.**.**</ip2>
                <ip2>**.**.**.**</ip2>


<user>{IDEA}raC3qKC2</user>
			<password>{IDEA}raC3qKC2</password>
			<database>189TEST</database>
			<server>189TEST</server>
			<driver>oracle</driver>
			<charset>AMERICAN_AMERICA.WE8ISO8859P1</charset>
		</hermes>
		<aimc>
			<user>{IDEA}qay8pKui</user>
		        <password>{IDEA}e2CSP5MYy+Kropr09/bx</password>
		        <database>AIMC-LIYANG</database>
		        <server>AIMC-LIYANG</server>
		        <driver>oracle</driver>
		        <charset>AMERICAN_AMERICA.US7ASCII</charset>
		</aimc>
		<hermes_test>
			<user>{IDEA}QJmV9bejPbU=</user>
			<password>{IDEA}QJmV9bejPbU=</password>
			<database>mailads</database>
			<server>MAILADS</server>
			<driver>oracle</driver>
		</hermes_test>
		<ms-index-db>
			<user>{IDEA}raC3qKC2</user>
			<password>{IDEA}UjWzQr6BCwu8jQ==</password>
			<database>hermes</database>
			<server>ms_index_host</server>
			<driver>mysql</driver>
		</ms-index-db>
                <pub-temp-db>
			<user>{IDEA}t6qqsQ==</user>
			<password>{IDEA}9Pf28fDz</password>
			<database>public</database>
			<server>localhost</server>
			<driver>mysql</driver>
                </pub-temp-db>
                <public-db>
 			<user>{IDEA}t6qjqrexrw==</user>
			<password>{IDEA}t6qjqrexrw==</password>
			<database>DB3</database>
			<server>PUBLIC_DB</server>
			<driver>oracle</driver>


修复方案:

6.png

8.png


你们是当社工库一样使用了么?
数据库太多了,就不仔细一一连接了。可以肯定的是,这绝对绝对不是测试系统!
数据库太多了,就不仔细一一连接了。可以肯定的是,这绝对绝对不是测试系统!

版权声明:转载请注明来源 李旭敏@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-01-11 15:42

厂商回复:

CNVD确认所述情况,已经转由CNCERT向中国电信集团公司通报,由其后续协调网站管理部门处置.

最新状态:

暂无