
Partial source code disclosure on the Kingdee (金蝶) main site

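ID: 42889
URL: http://www.wooyun.org/bug.php?action=view&id=42889
Status: Confirmed by vendor
Title: Partial source code disclosure on the Kingdee (金蝶) main site
Type: Sensitive information disclosure
Vendor: Kingdee (金蝶)
White hat: 想要减肥的胖纸
Submitted: 2013-11-14 16:30:00
Disclosed: 2013-12-29 16:31:00
Fixed: (not set)
Confirmed: 2013-11-14 00:00:00
Confirm Spend: 0
Tags:
Followers: 0
Favorites: 0
White hat rating
White hat self-assessed rank: 15
Vendor rating
Vendor-assessed rank: 10
Summary
Misconfiguration leads to source code disclosure. Looking back at your company's feedback on vulnerabilities submitted by white hats, many of them were given rank 1 or ignored. Heh.
Details

Server misconfiguration leads to directory listing and source code disclosure.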

POC

Index of /webapp/sme
Parent Directory
activMailTemplate.jsp
activMailTemplate.jsp.bak
activMailTemplate1.jsp.bak
activMailTemplate11.jsp
b1.jsp
b2.jsp
b3.jsp
b4.jsp
b5.jsp
bottom.jsp
chuangye.jsp
css/
cuxiao.jsp
e_learning.jsp
e_learning.jsp.bak
images/
img/
index.jsp
index_090614.jsp
index_090617.jsp
js/
jxc.jsp
kehu.jsp
map.txt
map/
news.jsp
register.jsp
renshi.jsp
right.jsp
slider/
taocan.jsp
template/
tijian.jsp
top.jsp
var.jsp
ys_assist.html
ys_assist.swf
ys_cunchu.jsp
ys_kuaiji.jsp
ys_shangpu.jsp
复件 activMailTemplate.jsp


<%@ page contentType="text/html;charset=GBK"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=GBK">
<title>中小企业转型与升级——金蝶援助计划</title>
<jsp:include page="/common/meta.htm"/>
<meta http-equiv="Content-Type" content="text/html; charset=GBK">
<meta name="Cache-Control" content="no-cache, must-revalidate">
<meta name="Expires" content="Mon, 26 Jul 1970 00:00:00 GMT">
<meta name="Pragma" content="no-cache">
<script src=" http://www.google-analytics.com/urchin.js " type="text/javascript"></script>
<script src=" http://www.kingdee.com/script/urchinTracker.js " type="text/javascript"></script>
<link href="css/index.css" rel="stylesheet" type="text/css" />
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_preloadImages() { //v3.0
var d=document; if(d.images){ if(!d.MM_p) d.MM_p=new Array();
var i,j=d.MM_p.length,a=MM_preloadImages.arguments; for(i=0; i<a.length; i++)
if (a[i].indexOf("#")!=0){ d.MM_p[j]=new Image; d.MM_p[j++].src=a[i];}}
}
//-->
</script>
</head>
<body bgcolor="#FFFFFF" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<table width="930" height="81" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3"> <jsp:include page="top.jsp"></jsp:include> </td>
</tr>
</table>
<table width="930" height="150" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td bgcolor="#FFFFFF"><a href="http://www.kingdee.com/news/subject/09yzjh/index_news.jsp"><img src="images/chuangye.jpg" width="930" height="150" border="0"></a></td>
</tr>
</table>
<table width="930" height="10" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3"></td>
</tr>
</table>
<table width="930" height="10" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3" valign="top"><table width="100%" height="1" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3" background="images/d01.gif"></td>
</tr>
</table></td>
</tr>
</table>
<table width="930" height="10" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td width="700" valign="top"> <table width="696" height="120" border="0" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3"><img src="images/bt23.gif" width="696" height="120"></td>
</tr>
</table>
<table width="700" height="10" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3"><table width="693" height="300" border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="1" bgcolor="#d9d9d9"></td>
<td width="691" valign="top"><table width="600" height="25" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td class="bigtext">大学生创业就业计划——中小企业转型与升级 金蝶援助计划</td>
</tr>
</table>
<table width="100" height="10" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3"></td>
</tr>
</table>
<table width="600" height="25" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3"><p>有梦想的创业者们,来吧!加入到我们的队伍中来,金蝶为你点燃激情,成就创业梦想。金蝶为帮助中小企业度过经济危机的寒冬,特别推出了“中小企业转型与升级金蝶援助计划”的活动。<br>
今天,金蝶邀请有梦想的你,共同来帮助中小企业度难关!</p></td>
</tr>
</table>
<table width="100" height="15" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3"></td>
</tr>
</table>
<table width="600" height="10" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3"><table width="100%" height="1" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3" background="images/d01.gif"></td>
</tr>
</table></td>
</tr>
</table>
<table width="100" height="10" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3"></td>
</tr>
</table>
<table width="600" height="20" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td width="20"><img src="images/0001.gif" width="13" height="13"></td>
<td>登陆金蝶网站注册成为“金蝶援助大使”。</td>
</tr>
</table>
<table width="100" height="10" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3"></td>
</tr>
</table>
<table width="600" height="20" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td width="20"><img src="images/0002.gif" width="13" height="13"></td>
<td>金蝶集团将对“援助大使”进行集中培训,提升援助能力。</td>
</tr>
</table>
<table width="100" height="10" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3"></td>
</tr>
</table>
<table width="600" height="20" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td width="20" valign="top"><img src="images/0003.gif" width="13" height="13"></td>
<td>暑假回家乡期间,以“金蝶援助大使”的身份,向家乡所在城市的中小企业推广 “中小企业转型与升级 金蝶援助计划”。</td>
</tr>
</table>
<table width="100" height="10" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3"></td>
</tr>
</table>
<table width="600" height="20" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td width="20"><img src="images/0004.gif" width="13" height="13"></td>
<td>凡有企业经“援助大使”推广注册,援助大使即有机会获取创业“第一桶金”。</td>
</tr>
</table>
<table width="100" height="10" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3"></td>
</tr>
</table>
<table width="600" height="20" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td width="20"><img src="images/0005.gif" width="13" height="13"></td>
<td>金蝶将对表现优秀的“援助大使”进行评估,择优录取。</td>
</tr>
</table>
<table width="100" height="10" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3"></td>
</tr>
</table>
<table width="600" height="20" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td width="20"><img src="images/0006.gif" width="13" height="13"></td>
<td>通过活动提升个人就业能力,了解认识更多的中小企业,增加社会接触面,获取就业机会与就业范围。</td>
</tr>
</table>
<table width="100" height="10" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3"></td>
</tr>
</table>
<table width="100" height="15" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3"></td>
</tr>
</table>
<table width="600" height="10" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3"><table width="100%" height="1" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3" background="images/d01.gif"></td>
</tr>
</table></td>
</tr>
</table>
<table width="100" height="10" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3"></td>
</tr>
</table>
<table width="600" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td align="center"><a href="http://www.kingdee.com/diagnose/asistantReg.jsp" target="_blank"><img src="images/but_zc.gif" width="81" height="25" border="0"></a></td>
</tr>
</table>
<table width="100" height="20" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3"></td>
</tr>
</table></td>
<td width="1" bgcolor="#d9d9d9"></td>
</tr>
</table></td>
</tr>
</table>
<table width="700" height="10" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3"><img src="images/j2.jpg" width="696" height="10"></td>
</tr>
</table>
<table width="100" height="10" border="0" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3"></td>
</tr>
</table>
</td>
<td width="8"></td>
<td width="222" valign="top"><table width="100" height="3" border="0" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3"></td>
</tr>
</table>
<table width="222" height="10" border="0" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3"><jsp:include page="right.jsp"></jsp:include></td>
</tr>
</table> </td>
</tr>
</table>
<table width="930" height="10" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3"></td>
</tr>
</table>
<table width="930" height="10" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3"></td>
</tr>
</table>
<table width="930" height="10" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3"><table width="100%" height="1" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3" background="images/d01.gif"></td>
</tr>
</table></td>
</tr>
</table>
<table width="930" height="30" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3" bgcolor="#FFFFFF"><jsp:include page="bottom.jsp"></jsp:include></td>
</tr>
</table>
</body>
</html>


This file corresponds to http://www.kingdee.com/sme/chuangye.jsp on the main site.
web.xml

contextConfigLocation /WEB-INF/classes/conf/spring/applicationContext*.xml
Set Character Encoding com.mykingdee.filters.SetCharacterEncodingFilter encoding GB2312 utf8encoding .action
accessControl com.mykingdee.auth.web.AccessControlFilter
SimplePageCachingFilter net.sf.ehcache.constructs.web.filter.SimplePageCachingFilter
hitCountFilter com.mykingdee.hitcount.web.HitCountFilter
UrlRewriteFilter org.tuckey.web.filters.urlrewrite.UrlRewriteFilter logLevel WARN confPath /WEB-INF/urlrewrite.xml
UrlRewriteFilter /*
Set Character Encoding /*
accessControl /*
hitCountFilter /*
struts2 org.apache.struts2.dispatcher.FilterDispatcher actionPackages com.kingdee config struts-default.xml,struts-plugin.xml,conf/struts/struts.xml
struts2-cleanup org.apache.struts2.dispatcher.ActionContextCleanUp
struts2 *.action REQUEST FORWARD
struts2-cleanup *.action
org.springframework.web.context.ContextLoaderListener
com.mykingdee.listener.AppInit
com.mykingdee.listener.MemcachedListener
action org.apache.struts.action.ActionServlet config
/WEB-INF/classes/conf/struts1/struts-config.xml
,/WEB-INF/classes/conf/struts1/struts-config-adminsys.xml
,/WEB-INF/classes/conf/struts1/struts-config-book.xml
,/WEB-INF/classes/conf/struts1/struts-config-ceomailbox.xml
,/WEB-INF/classes/conf/struts1/struts-config-cert.xml
,/WEB-INF/classes/conf/struts1/struts-config-certificate.xml
,/WEB-INF/classes/conf/struts1/struts-config-comment.xml
,/WEB-INF/classes/conf/struts1/struts-config-diaocha.xml
,/WEB-INF/classes/conf/struts1/struts-config-feedback.xml
,/WEB-INF/classes/conf/struts1/struts-config-hr.xml
,/WEB-INF/classes/conf/struts1/struts-config-investorstock.xml
,/WEB-INF/classes/conf/struts1/struts-config-kdcombranch.xml
,/WEB-INF/classes/conf/struts1/struts-config-mail.xml
,/WEB-INF/classes/conf/struts1/struts-config-news.xml
,/WEB-INF/classes/conf/struts1/struts-config-newsletter.xml
,/WEB-INF/classes/conf/struts1/struts-config-searcher.xml
,/WEB-INF/classes/conf/struts1/struts-config-support.xml
,/WEB-INF/classes/conf/struts1/struts-config-union.xml
,/WEB-INF/classes/conf/struts1/struts-config-usermember.xml
,/WEB-INF/classes/conf/struts1/struts-config-vote.xml
,/WEB-INF/classes/conf/struts1/struts-config-hitcount.xml
,/WEB-INF/classes/conf/struts1/struts-config-hpkdsolution.xml
,/WEB-INF/classes/conf/struts1/struts-config-pubadmin.xml
,/WEB-INF/classes/conf/struts1/struts-config-training.xml
,/WEB-INF/classes/conf/struts1/struts-config-enterfor.xml
,/WEB-INF/classes/conf/struts1/struts-config-member.xml
,/WEB-INF/classes/conf/struts1/struts-config-newFeedBack.xml
,/WEB-INF/classes/conf/struts1/struts-config-everywhere.xml
,/WEB-INF/classes/conf/struts1/struts-config-license.xml
,/WEB-INF/classes/conf/struts1/struts-config-diagnose.xml
,/WEB-INF/classes/conf/struts1/struts-config-partner.xml
,/WEB-INF/classes/conf/struts1/struts-config-local.xml
debug 3 detail 3 2
LoginPage Dispatch Servlet com.mykingdee.auth.web.LoginPageDispatchServlet 4
NumValidate com.mykingdee.mb.util.NumValidate
CitySvl com.mykingdee.mb.util.CitySvl
LoadXML com.mykingdee.mb.util.LoadXML
check com.mykingdee.license.servlet.SerialNoCheck
checkSN com.mykingdee.license.servlet.GetCheckResult
Connector com.fredck.FCKeditor.connector.ConnectorServlet baseDir /UserFiles/ debug true 1
SimpleUploader com.fredck.FCKeditor.uploader.SimpleUploaderServlet baseDir /UserFiles/ debug true enabled true AllowedExtensionsFile DeniedExtensionsFile php|php3|php5|phtml|asp|aspx|ascx|jsp|cfm|cfc|pl|bat|exe|dll|reg|cgi AllowedExtensionsImage jpg|gif|jpeg|png|bmp DeniedExtensionsImage AllowedExtensionsFlash swf|fla DeniedExtensionsFlash 1
Connector /editor/filemanager/browser/default/connectors/jsp/connector
SimpleUploader /editor/filemanager/upload/simpleuploader
NumValidate /NumValidate
CitySvl /CitySvl
LoadXML /servlet/LoadXML
action *.do
jsp *.jhtml
LoginPage Dispatch Servlet /loginPageDispatchServlet
check /license/servlet/check
checkSN /license/servlet/checkSN
120
mp4 video/mp4
index.html index.htm index.jsp
400 /error/400.html
404 /error/404.html
500 /error/500.html
mykingdee_taglib /WEB-INF/tlds/mykingdee-taglib-1.0.tld
fckeditor_taglib /WEB-INF/tlds/FCKeditor.tld
/WEB-INF/struts-bean.tld /WEB-INF/tlds/struts/struts-bean.tld
/WEB-INF/struts-html.tld /WEB-INF/tlds/struts/struts-html.tld
/WEB-INF/struts-logic.tld /WEB-INF/tlds/struts/struts-logic.tld
/WEB-INF/struts-nested.tld /WEB-INF/tlds/struts/struts-nested.tld
/WEB-INF/struts-template.tld /WEB-INF/tlds/struts/struts-template.tld
/WEB-INF/tlds/oscache.tld /WEB-INF/tlds/oscache.tld

Remediation

Take a guess?
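
A check a site owner could run against responses from their own servers to catch the two conditions this report shows: an auto-generated directory index, and a JSP returned as unprocessed source. This is an added example, not part of the original report; the function name `audit`, the stale-copy patterns (derived from the file names in the listing above) and the sample responses are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Directives that appear in a response only when the JSP was not executed.
RAW_JSP = re.compile(r"<%@\s*(?:page|include|taglib)\b|<jsp:\w+")
# Title of an auto-generated directory index ("Index of /path").
AUTOINDEX = re.compile(r"<title>\s*Index of\s+(/[^<]*)</title>", re.I)
# Entry links in the index, skipping sort links, absolute paths and "../".
HREF = re.compile(r'href="([^"?/.][^"]*)"', re.I)
# Leftover copies: backup suffixes, date-stamped JSPs, "复件 " ("Copy of") files.
STALE = re.compile(r"\.(?:bak|old|orig|save|swp)$|~$|_\d{6}\.jsp$|^复件 ", re.I)

def audit(path, body):
    """Return (finding, detail) tuples for one HTTP response body."""
    findings = []
    m = AUTOINDEX.search(body)
    if m:
        findings.append(("directory-listing", m.group(1).strip()))
        names = [unquote(h) for h in HREF.findall(body)]
        findings += [("stale-copy", n) for n in names if STALE.search(n)]
    if RAW_JSP.search(body):
        findings.append(("raw-jsp-source", path))
    return findings

# Constructed sample responses, modelled on the listing and source quoted above.
LISTING = """<html><head><title>Index of /webapp/sme</title></head><body>
<a href="../">Parent Directory</a>
<a href="activMailTemplate.jsp.bak">activMailTemplate.jsp.bak</a>
<a href="chuangye.jsp">chuangye.jsp</a>
<a href="index_090614.jsp">index_090614.jsp</a>
<a href="%E5%A4%8D%E4%BB%B6%20activMailTemplate.jsp">copy</a>
</body></html>"""
RAW = ('<%@ page contentType="text/html;charset=GBK"%>\n'
       '<html><jsp:include page="top.jsp"></jsp:include></html>')
RENDERED = "<html><head><title>sme</title></head><body>ok</body></html>"

if __name__ == "__main__":
    samples = [("/webapp/sme/", LISTING),
               ("/webapp/sme/chuangye.jsp", RAW),
               ("/sme/chuangye.jsp", RENDERED)]
    for path, body in samples:
        print(path, audit(path, body))
```
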

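Status
2013-11-14: Details reported to the vendor; awaiting vendor handling
2013-11-14: Vendor has confirmed; details disclosed to the vendor only
2013-11-24: Details disclosed to core white hats and experts in related fields
2013-12-04: Details disclosed to regular white hats
2013-12-14: Details disclosed to trainee white hats
2013-12-29: Details disclosed to the public
Vendor reply: This is a duplicate submission. We have already discussed and handled this internally; because of business needs, it will stay where it is for now! Thanks!
Response: Severity: Medium; Vulnerability Rank: 10; Confirmed: 2013-11-14 19:59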
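Comments (comment text, then commenter, likes, time)

Fatty is being an angry youth again

帅气凌云, 0 likes, 2013-11-16 17:29:00

@想要减肥的胖纸 Ah, just a newbie passing by

小贱, 0 likes, 2013-11-14 20:26:00

@金蝶 @小贱 @蟋蟀哥哥 How come I haven't seen anyone on wooyun submit Kingdee's main-site source code? Then just keep leaving it there; I'm only a bystander. Heh.

想要减肥的胖纸, 0 likes, 2013-11-14 20:23:00

A duplicate submission still gets 10?

小贱, 0 likes, 2013-11-14 20:16:00

Fatty is being naughty again

蟋蟀哥哥, 0 likes, 2013-11-14 17:17:00

First-floor ad space for rent

小贱, 0 likes, 2013-11-14 16:40:00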