
光大证券某平台存在漏洞(已Getshell/可泄漏大量的内部数据)
A 光大证券 (Everbright Securities) platform is vulnerable (Getshell obtained / large amounts of internal data exposed)

ID: 218958
URL: http://www.wooyun.org/bug.php?action=view&id=218958
Status: fixed by the vendor
Vulnerability type: weak back-end (admin console) password
Vendor: 光大证券 (Everbright Securities)
White hat: 路人甲 (anonymous passer-by)
Submitted: 2016-06-13 21:44:00
Published: 2016-06-19 09:28:00
Fixed: 2016-06-19 09:28:00
Confirmed: 2016-06-19 00:00:00
Confirm spend: 6
White-hat self-rated rank: 20
Vendor-rated rank: 10

Summary
Getshell already obtained.

Details

Vulnerable address:
http://218.17.205.91:7003/page/frame/login.jsp
Tomcat weak-password vulnerability:
http://218.17.205.91:7003/manager/html
Credentials: manager/manager
Getshell obtained:
http://218.17.205.91:7003/is/index.jsp
Password: futuresec


Was the .jsp deleted, or did the upload just fail? Turns out the directory is listable:
http://218.17.205.91:7003/is
Luckily the tool's upload had also left a .jspx behind:
http://218.17.205.91:7003/is/index.jspx
Password: futuresec
Connected to it with 菜刀 (China Chopper),
then used 菜刀 to upload a large webshell:
http://218.17.205.91:7003/is/test.jsp?o=vLogin
The .jsp got killed again!
So I could only browse the files with 菜刀.


Some of the sensitive data found while browsing the files:

C:\GZHK_SENDSMS\webapps\autoSendSms\WEB-INF\classes\db.properties
jdbc.driverClassName=net.sourceforge.jtds.jdbc.Driver
jdbc.url=jdbc\:jtds\:sqlserver\://10.1.5.24\:1433;instanceName\=10.1.5.24//GZGJ;databaseName\=kdcc30data
jdbc.username=sa
jdbc.password=sa
head.ip=10.1.5.24
head.mac=000C29B14A86
head.operatorName=zsbcws
head.operatorPwd=E10ADC3949BA59ABBE56E057F20F883E
head.fundId=245
C:\gzgj\KDGUIEngine-jmail\JJ_Config.ini
[数据库连接参数]
DBtype=0
Hostname = 10.1.5.24
dbname = kdcc30data
User =sa
Passwd =sa
C:/gzgj/kccs/WEB-INF/config/ftp.properties
ftp.ip=192.168.202.40
ftp.port=21
ftp.username = gzgjcz
ftp.password = gzgj123
ftp.dir= \
C:\gzgj\项目过程文件\接口测试\InterFaceTest_国君.ini
[连接参数]
;外围版本0是CC20,1是CC30
外围版本 =1
IPAddress = 192.168.50.35
IPPort = 21000
Protocol = TCP
员工编号 = 1
员工密码 = 888888
操作站点 = 127.0.0.1
模块编号 = 10
菜单编号 = 10
参数个数 = 40
[业务处理]
修改密码 = 20104900;khbslx:K,khbs:005144,jymm:111111,xjymm:111111,wldz:
验证客户 = 20102905;khbslx:K,khbs:005144,jymm:111111,mode:,wldz:
查询客户资金 = 20102906;khbslx:CUST,khbs:012540
资金股份查询 = 20102907;khbslx:CUST,khbs:012540,zqbslx:,zqbs:,gdms:,cxlx:
当日委托查询 = 20102913;khbslx:K,khbs:012540,zqbslx:,zqbs:,htxh:,gdms:1,cdms:1
当日成交查询 = 20102914;khbslx:K,khbs:012540,zqbslx:,zqbs:,htxh:4315265,gdms:
银证转帐查询 = 20102917;khbslx:K,khbs:005144,htxh:,cxms:
转帐银行查询 = 20107909;zjzh:005144
根据客户帐户查询客户资料 = 13330006;ywxtbh:,zhlxbh:,khzh:
新股配号查询 = 20102924;khbslx:K,khbs:018324,gdms:2,zqbslx:,zqbs:,qsrq:2001-01-01,zzrq:2008-09-01,cxts:0
历史委托查询 = 20102921;khbslx:K,khbs:012540,gdms:2,zqbslx:,zqbs:,htxh:1,qsrq:2008-01-01,zzrq:2008-09-01,cxts:0
历史成交查询 = 20102922;khbslx:K,khbs:012540,gdms:2,zqbslx:,zqbs:,htxh:1,qsrq:2008-01-01,zzrq:2008-09-01,cxts:0
客户注销 = 20102908;khbslx:K,khbs:005144,gdms:,jysdm:
问卷模板 = 28104201;p_gybh:1,p_gnbh:28104201,p_czzd:1,p_kzcs:,p_gymm:AEIFCAJEOIACHCGCCGLI,wjbh:-1,wjmc:,sfmb:1,dwbh:-1,qsjzrq:19900101,zzjzrq:20201231,wjzt:,wjlx:-1,sfxypf:,zxwts:-1,zdwts:-1,zxwjzf:-1,zdwjzf:-1,ksrq:19900101,jsrq:20201231,sfgl:-1
28004002 = 28004002;oper_type:1,lsh:1696,desip:127.0.0.1,file_name:filename
28004003 = 28004003;oper_type:1,lsh:1696,file_name:filename
14290040 = 14290040;p_gybh:1,p_gnbh:14290040,p_czzd:,p_kzcs:,p_gymm:,bzbh:-1,fzzt:-1
40418510 = 40418510;p_gybh:1,p_gnbh:40418510,p_czzd:127.0.0.1,bh:8,p_gymm:AEIFCAJEOIACHCGCCGLI,p_kzcs:,istmp:1,lsh:101,tslx:1,field_int01:1,field_int02:1,field_int03:1,field_int04:1,field_int05:1,field_int06:1,field_int07:1,field_int08:1,field_int09:1,field_int10:1,field_str01:,field_str02:,field_str03:,field_str04:,field_str05:,field_str06:,field_str07:,field_str08:,field_str09:,field_str10:,field_str11:,field_str12:,field_str13:,field_str14:,field_str15:,field_str16:,field_str17:,field_str18:,field_str19:,field_str20:
14250010 = 14250010;qsrq:20100910,tjlx:3,p_czzd:127.0.0.1,zzrq:20100910,PageCount:25,p_kzcs:,isPerPage:true,hjlx:-1,fwpjs:,PageOffset:0,p_gybh:1,p_gnbh:14250010,ygbhlx:1,dfhm:,mtlx:-1,p_gymm:AEIFCAJEOIACHCGCCGLI,khbh:-1,ygbhs:,thlxs:
40418401 = 40418401;p_gybh:1,p_gnbh:40418401,p_czzd:127.0.0.1,bh:8,p_gymm:AEIFCAJEOIACHCGCCGLI,p_kzcs:
19100002 = 19100002;glgzmc:规则4,sjlySQL:select 1 from temp_test,kzbs:d,bz:d,p_kzcs:,p_gybh:1,p_gnbh:19100002,p_czzd:127.0.0.1,p_gymm:AEIFCAJEOIACHCGCCGLI
13990006 = 13990006;zzkhrq:30001231,khzzh:13,lxdz:,p_fyqs:1,khzt:,sr1:,p_gybh:1,csrq1:,khxm:4,khbh:-1,csrq2:,p_sfbz:0,jgid:,p_fyhs:10,zjlx:-1,khlx:,khjl:,p_czzd:127.0.0.1,sr2:,zjhm:,qskhrq:19491001,lxhm:,bz:,p_kzcs:,p_pxzd:,p_gnbh:13990006,sfkzqx:1,khjb2:,yzbm:,szdq:,khxb:,szsf:,khjb1:,p_gymm:AEIFCAJEOIACHCGCCGLI
查询通话类型 = 14020001;lxbh:,zt:,sfbkzs:
待回复信息内容查询(回复后台用) = 19500003;lxfsbs:
ZJCQPZ =\u6211
OTHER = \u6211
ftp.download.dir = ftpdownload
C:\gzgj\kccs\UPLOAD\UserFiles\Image\sn.txt
UserName tfzq
PlatForm all
Ora-VERSION 10.0.2.0
Modules 87
Days 180
NHOSTS 0
ISSUE_DATE 2012/04/20
LICENSE_KEY 2f276bda3e6a54ef01cd5947624a185fb7c8a083956396eccd127a1ebeee5037
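
The config files above are where the real damage is: the SQL Server sa account, an FTP account and an operator account are all stored in cleartext on the web server, and the one value that is hashed (head.operatorPwd) is an unsalted MD5 of 123456, which a six-word list recovers instantly. The script below is an example added by the editor, not code from the report or from the vendor. It shows the check a defender would run over a deployed webapp tree before an attacker with a webshell does: it parses Java .properties (including the backslash-escaped colons in jdbc.url) and INI key/value files, flags every credential-looking key, reverses 32-hex values against a wordlist, and applies the weak-password heuristics that catch sa/sa and a password derived from its username. The sample inputs are constructed to mirror db.properties, JJ_Config.ini and ftp.properties as quoted (shortened); the wordlist, the heuristics and the finding texts are the editor's assumptions, and the parser is general rather than specific to these three files.

```python
"""Audit Java .properties / INI config files for plaintext and weak credentials.

Editor-added example; not from the WooYun report or the vendor. The samples
below are constructed to mirror the files quoted in the report.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed samples (shortened copies of the quoted files).
SAMPLE_FILES: Dict[str, str] = {
    "db.properties": """\
jdbc.driverClassName=net.sourceforge.jtds.jdbc.Driver
jdbc.url=jdbc\\:jtds\\:sqlserver\\://10.1.5.24\\:1433;databaseName\\=kdcc30data
jdbc.username=sa
jdbc.password=sa
head.operatorName=zsbcws
head.operatorPwd=E10ADC3949BA59ABBE56E057F20F883E
""",
    "JJ_Config.ini": """\
[数据库连接参数]
DBtype=0
Hostname = 10.1.5.24
User =sa
Passwd =sa
""",
    "ftp.properties": """\
ftp.ip=192.168.202.40
ftp.username = gzgjcz
ftp.password = gzgj123
""",
}

CRED_KEY = re.compile(r"pass|pwd|secret", re.I)       # keys that hold a secret
USER_KEY = re.compile(r"user|operatorname|login", re.I)  # keys that hold a login name
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)            # looks like an MD5 digest
# Short default/weak list (assumption); a real audit would load a full wordlist.
WEAK = ["sa", "manager", "tomcat", "admin", "root", "password",
        "123456", "111111", "888888"]
MD5_TABLE = {hashlib.md5(w.encode()).hexdigest(): w for w in WEAK}

Finding = Tuple[str, str, str]  # (file, key, reason)


def _split_unescaped(line: str) -> Tuple[str, str]:
    """Split at the first '=' or ':' that is not backslash-escaped."""
    i = 0
    while i < len(line):
        if line[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if line[i] in "=:":
            return line[:i], line[i + 1:]
        i += 1
    return line, ""


def _unescape(s: str) -> str:
    """Drop the backslashes Java properties use to escape ':', '=' and '\\'."""
    return re.sub(r"\\(.)", r"\1", s).strip()


def parse_kv(text: str) -> Dict[str, str]:
    """Parse key/value lines from .properties or INI text.

    Comment lines ('#', '!', ';') and INI section headers are skipped.
    """
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!;[":
            continue
        key, value = _split_unescaped(line)
        out[_unescape(key)] = _unescape(value)
    return out


def audit_file(name: str, text: str) -> List[Finding]:
    """Return findings for one config file."""
    kv = parse_kv(text)
    users = {v.lower() for k, v in kv.items() if USER_KEY.search(k) and v}
    findings: List[Finding] = []
    for key, value in kv.items():
        if not CRED_KEY.search(key) or not value:
            continue
        low = value.lower()
        if HEX32.match(value):
            word = MD5_TABLE.get(low)
            findings.append((name, key, f"unsalted MD5 cracks to '{word}'" if word
                             else "unsalted MD5 hash stored in config"))
            continue
        findings.append((name, key, "credential stored in cleartext"))
        if low in WEAK:
            findings.append((name, key, f"default/weak password '{value}'"))
        if low in users:
            findings.append((name, key, "password equals a username in the same file"))
        elif any(u in low or low[:4] == u[:4] for u in users if len(u) >= 4):
            findings.append((name, key, "password derived from a username"))
    return findings


def audit(files: Dict[str, str]) -> List[Finding]:
    """Audit a mapping of file name -> file text (e.g. gathered with os.walk)."""
    return [f for name, text in files.items() for f in audit_file(name, text)]


if __name__ == "__main__":
    for file, key, reason in audit(SAMPLE_FILES):
        print(f"{file}: {key}: {reason}")
```

Run against a real tree, the mapping passed to audit() would come from walking WEB-INF and the application root for *.properties and *.ini; anything the script reports should move out of the webapp directory into a secrets store or at least into files the Tomcat service account alone can read, and the sa account should never be a web application's database login.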


POC

[14 screenshots, 1.jpg through 14.jpg, not reproduced]

Fix recommendation

You know what to do.
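
What the report leaves unsaid comes down to two settings on the Tomcat side: a manager account that was reachable with manager/manager, and a DefaultServlet with directory listing enabled, which is what let the attacker find the surviving .jspx under /is/ after the .jsp was removed. The script below is an example added by the editor, not part of the report or the vendor's configuration. It audits conf/tomcat-users.xml and conf/web.xml for exactly those two conditions: any user holding a manager or host-manager role with a default, username-equal or short password, a user holding manager-gui and manager-script together (the Tomcat manager documentation advises against combining them because the script interface has no CSRF protection), and any servlet with listings=true. Both XML samples are constructed; only the manager/manager credential and the listable directory come from the report, the other accounts, passwords and the wordlist are assumptions.

```python
"""Audit Tomcat's tomcat-users.xml and web.xml for weak manager accounts and directory listing.

Editor-added example; the XML samples are constructed, not the target's files.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

TOMCAT_USERS_XML = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="manager" password="manager" roles="manager-gui,manager-script"/>
  <user username="ci-deploy" password="Vq7!rkL2#pX9bT4m" roles="manager-script"/>
  <user username="viewer" password="viewer" roles="reader"/>
</tomcat-users>
"""

WEB_XML = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>
"""

# Roles that reach the manager / host-manager applications and can deploy code.
PRIVILEGED = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
              "admin-gui", "admin-script"}
# Short default list (assumption); a real audit would use a full wordlist.
WEAK = {"manager", "tomcat", "admin", "password", "s3cret", "123456"}


def _local(tag: str) -> str:
    """Strip the XML namespace so tags match in both namespaced and plain files."""
    return tag.rsplit("}", 1)[-1]


def _children(el: ET.Element) -> Dict[str, str]:
    """Map local child-tag name -> text for simple <name>text</name> children."""
    return {_local(c.tag): (c.text or "").strip() for c in el}


def audit_tomcat_users(xml_text: str) -> List[str]:
    """Flag privileged users with weak passwords or a risky role combination."""
    findings: List[str] = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username", "")
        pw = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        priv = sorted(roles & PRIVILEGED)
        if not priv:
            continue  # roles such as 'reader' cannot deploy code
        if pw.lower() in WEAK or pw.lower() == name.lower():
            findings.append(f"{name}: default/weak password grants {priv}")
        elif len(pw) < 12:
            findings.append(f"{name}: short password ({len(pw)} chars) grants {priv}")
        if "manager-gui" in roles and "manager-script" in roles:
            findings.append(f"{name}: holds manager-gui and manager-script together (CSRF-exposed)")
    return findings


def audit_web_xml(xml_text: str) -> List[str]:
    """Flag any servlet whose init-param 'listings' is true."""
    findings: List[str] = []
    for servlet in ET.fromstring(xml_text).iter():
        if _local(servlet.tag) != "servlet":
            continue
        sname = _children(servlet).get("servlet-name", "?")
        params: Dict[str, str] = {}
        for child in servlet:
            if _local(child.tag) == "init-param":
                kv = _children(child)
                params[kv.get("param-name", "")] = kv.get("param-value", "")
        if params.get("listings", "false").lower() == "true":
            findings.append(f"servlet '{sname}' has listings=true: directory contents are browsable")
    return findings


if __name__ == "__main__":
    for line in audit_tomcat_users(TOMCAT_USERS_XML) + audit_web_xml(WEB_XML):
        print(line)
```

On a real install point the two functions at $CATALINA_BASE/conf/tomcat-users.xml and $CATALINA_BASE/conf/web.xml. Clearing the findings means a long random password per manager account, separate accounts for the GUI and the script interface, listings left at its default of false, and, for a host exposed on the Internet as this one was, restricting or removing the manager application altogether.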

Status history
2016-06-13: details sent to the vendor, awaiting vendor handling
2016-06-19: vendor confirmed; details disclosed to the vendor only
2016-06-19: vendor fixed the vulnerability and chose to publish; details disclosed to the public
Vendor reply: this system belongs to 光证国际 (Everbright Securities International); forwarded to them, thanks
Response: severity: medium; vulnerability rank: 10; confirmed: 2016-06-19 09:27