
Vulnerability summary

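Bug ID: wooyun-2016-0168271

Title: Vulnerability in a China Resources Gas (华润燃气) system (nearly one million work orders / large volume of repair records and internal information / three databases / internal network probing)

Vendor: China Resources Gas (Group) Co., Ltd. (华润燃气(集团)有限公司)

Author: 路人甲

Submitted: 2016-01-08 09:44

Fixed: 2016-02-22 16:48

Published: 2016-02-22 16:48

Vulnerability type: Command execution

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]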



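Vulnerability details

Disclosure status:

2016-01-08: Details reported to the vendor; awaiting vendor handling
2016-01-11: Vendor confirmed; details disclosed to the vendor only
2016-01-21: Details disclosed to core white hats and relevant domain experts
2016-01-31: Details disclosed to regular white hats
2016-02-10: Details disclosed to intern white hats
2016-02-22: Details disclosed to the public

Brief description:

Detailed description:

http://27.17.7.236 has a command execution vulnerability. Reading the configuration files shows that it belongs to China Resources Gas, Zhengzhou. There are several app download pages. From the database configuration, three databases were found; a large amount of data is exposed, and the integrated internal network can be reached.
See the screenshots for details.
There is too much data, so only part of it is captured as proof.

Proof of vulnerability: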

[Screenshots in the original report: app.png, app1.png, 111.png, out1.png, port.png, xinxi.png, xinxi1.png through xinxi10.png]

<url>jdbc:oracle:thin:@172.22.3.10:1521:cisalpha</url>
<driver-name>oracle.jdbc.OracleDriver</driver-name>
<properties>
<property>
<name>user</name>
<value>gas_ia</value>
</property>
</properties>
<password-encrypted>{AES}EPm+fsxb8xLBgm4wLhIRlgHt0s5RVhdVafcizyuMnnA=</password-encrypted>
<url>jdbc:oracle:thin:@172.22.3.10:1521:cisalpha</url>
<driver-name>oracle.jdbc.OracleDriver</driver-name>
<properties>
<property>
<name>user</name>
<value>lspf_bpm</value>
</property>
</properties>
<password-encrypted>{AES}hjOiF7aUu3IhfGyVoSfkuu9+kg+lBeMQZSBoCADmGmM=</password-encrypted> nkuB_VJ9P-KG2D
<url>jdbc:oracle:thin:@172.22.3.10:1521:cisalpha</url>
<driver-name>oracle.jdbc.OracleDriver</driver-name>
<properties>
<property>
<name>user</name>
<value>lspf_support</value>
</property>
</properties>
<password-encrypted>{AES}rTG4WHhLu2aUHQ/bedLAy3Q/qqhzr++gafiJ1C9CpmI=</password-encrypted> rkJX_8TYW-8AIJ
<jdbc-driver-params>
<url>jdbc:oracle:thin:@172.22.3.10:1521:cisalpha</url>
<driver-name>oracle.jdbc.OracleDriver</driver-name>
<properties>
<property>
<name>user</name>
<value>bsp</value>
</property>
</properties>
<password-encrypted>{AES}OnCaoqHGtt9ReKP2HQGKf8PPYGyxde8N42dX6g1JeX0=</password-encrypted> ZUkI_T59N-RW0K

Database configuration and the decrypted passwords

Query#0 : select t.TABLE_NAME,t.NUM_ROWS from user_tables t order by NUM_ROWS desc

Database table structure

http://27.17.7.236/static/2.jsp carry

Remediation:

Copyright notice: when reposting, please credit the source, 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 18

Confirmed: 2016-01-11 11:15

Vendor reply:

Thank you for the submission

Latest status:

None