当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-033527

漏洞标题:海尔检测信息平台webdav漏洞和目录遍历

相关厂商:海尔集团

漏洞作者: YY-2012

提交时间:2013-08-05 15:50

修复时间:2013-09-19 15:51

公开时间:2013-09-19 15:51

漏洞类型:系统/服务运维配置不当

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-08-05: 细节已通知厂商并且等待厂商处理中
2013-08-06: 厂商已经确认,细节仅向厂商公开
2013-08-16: 细节向核心白帽子及相关领域专家公开
2013-08-26: 细节向普通白帽子公开
2013-09-05: 细节向实习白帽子公开
2013-09-19: 细节向公众公开

简要描述:

存在webdav漏洞,可以查看网站文件与数据,且有写权限,可以上传webshell等操作,从而控制整台服务器。

详细说明:

青岛海尔检测信息平台
http://218.58.70.220/
http://218.58.70.220/sl.asp;.txt 一句话密码:1pass
http://218.58.70.220/wooyun.txt
目录遍历例子:
http://218.58.70.220/WJ_MarketNew/
http://218.58.70.220/WJ_Market/
http://218.58.70.220/WasterDayWork/
http://218.58.70.220/SupplyAudit/
智能电子外检管理系统
http://218.58.70.220/wj_zndz/
海尔检测公司信息管理平台
http://218.58.70.220/Protype/

漏洞证明:

驱动器 E 中的卷没有标签。
 卷的序列号是 0EA5-B8B3
 E:\webroot\Jiance17_191 的目录
2013-08-05  14:55    <DIR>          .
2013-08-05  14:55    <DIR>          ..
2005-11-18  18:32                41 1.asp
2013-08-05  08:14           167,244 11.asp
2013-05-15  09:10    <DIR>          aspnet_client
2013-05-15  09:10    <DIR>          BaseInformation
2006-11-17  16:02             2,074 chai1117.html
2003-05-16  14:12               941 content.asp
2013-05-15  09:10    <DIR>          ContentPage
2003-02-26  17:06             2,674 contentPage_Left.htm
2003-04-15  13:10             2,693 contentPage_Main.htm
2012-05-14  18:40             1,561 contentPage_top.asp
2003-04-15  13:10             3,006 contentPage_Top.htm
2003-09-24  11:47             1,662 contentPage_top1.asp
2003-04-15  13:10               581 content_bottom.asp
2013-05-15  09:10    <DIR>          content_images
2006-11-17  15:31             5,874 content_left.asp
2003-04-15  13:10               918 content_middle.htm
2013-05-15  09:10    <DIR>          Department
2006-10-23  11:00            16,384 detail.xls
2006-10-24  16:28            38,400 detail24.xls
2013-05-15  09:09    <DIR>          dyypms
2013-05-15  09:09    <DIR>          Employee
2004-01-16  12:34               285 err.htm
2013-05-15  09:09    <DIR>          ForZndz
2006-06-21  16:31            30,208 fubiao.xls
2004-12-06  14:23             3,640 ggSupply.htm
2013-05-15  09:09    <DIR>          Gist
2013-05-15  09:09    <DIR>          gmds
2011-04-18  18:57           620,386 gongfangjy.doc.docx
2006-06-01  14:10            25,088 gysdj.doc
2006-06-10  13:14            26,112 gysdytz.doc
2006-08-04  10:38           126,976 haierRoHSfirst.xls
2006-08-04  10:38           126,976 haierRoHSfirst1.xls
2006-06-21  17:21            83,968 haierRoHSfirst2.xls
2013-05-15  09:09    <DIR>          Headship
2005-08-12  10:48         1,682,944 help.ppt
2008-02-25  14:25         3,679,694 hrzzs.pdf
2013-07-29  17:38    <DIR>          images
2013-05-15  09:09    <DIR>          images192
2013-05-15  09:09    <DIR>          imagestop
2013-05-15  09:09    <DIR>          imagestop1
2013-05-15  15:09    <DIR>          includes
2013-02-19  09:38             8,810 index.asp
2005-01-03  18:52                48 index.html
2003-09-14  12:42             5,840 index1.asp
2013-05-15  09:09    <DIR>          index2_images
2013-05-15  09:09    <DIR>          index_images
2005-05-21  13:14             1,317 index_维护.asp
2007-12-28  11:36             1,488 index公告.asp
2006-10-24  15:02             1,247 info.asp
2006-08-29  17:05             3,949 info1.asp
2013-05-15  09:09    <DIR>          inform
2013-05-16  06:39             3,053 infox.asp
2006-11-14  14:05             1,457 info_pay_tg.htm
2006-09-20  15:28             6,350 info_pay_tg1.htm
2006-10-24  16:28             1,908 info_pay_tg2.htm
2005-05-26  04:42             8,106 iuident.cab
2006-06-28  12:14           284,160 jiupian.doc
2005-01-03  18:07             2,044 loadingbar.asp
2012-05-24  14:15             4,398 login.asp
2003-09-14  12:43             1,317 login1.asp
2004-11-16  15:44               196 logoff.asp
2011-12-21  13:35            22,534 main.asp
2003-04-17  09:35               116 main.css
2003-05-16  00:00           106,796 main.jpg
2005-04-30  14:29             4,141 main0501.asp
2005-09-05  13:32             6,422 main050915.asp
2006-08-09  16:57            11,658 main1.asp
2006-08-18  15:46            11,903 main11.asp
2013-05-16  06:39            15,965 main20041224.htm
2005-09-29  17:37             7,075 main20051008.asp
2007-07-19  09:50            50,819 main_1.asp
2005-09-05  11:01             6,026 main_供应商培训.asp
2005-08-19  13:53             5,916 main_系统升级.asp
2005-05-21  10:17             5,400 main_维护.asp
2013-05-15  09:09    <DIR>          News
2013-05-15  09:09    <DIR>          News1
2007-12-17  09:59            24,576 PayType.doc
2006-03-14  14:01            26,112 PayType1.doc
2006-08-19  17:04         2,870,533 pic.rar
2005-03-01  11:23             1,664 Pinshen.htm
2006-08-31  15:50           295,424 print.exe
2006-07-27  17:17            81,408 productdeclaration.xls
2006-06-30  16:53            51,200 productdeclaration1.xls
2006-07-12  20:12            81,920 productdeclaration2.xls
2006-07-17  12:06            81,408 productdeclaration3.xls
2006-07-18  09:32            75,776 productdeclaration4.xls
2013-05-15  09:09    <DIR>          Protype
2005-01-26  10:41            21,091 PX2.asp
2004-12-13  10:50             1,271 QuitAwoke.asp
2010-02-02  15:40         2,059,776 REACH.doc
2013-05-16  06:44               980 redirectpage.asp
2013-05-15  09:09    <DIR>          Rohs
2006-03-27  10:58            15,872 ROHS.xls
2006-07-10  12:03           239,104 ROHS1.xls
2009-10-14  09:18         1,011,712 ROHS2.doc
2006-06-21  17:20            39,424 RoHSCARREPORT.xls
2006-11-14  13:25            40,960 RoHSdeclare.doc
2006-08-29  17:24           498,688 ROHS宣告表上传操作步骤说明.doc
2006-08-29  19:06           344,983 ROHS宣告表上传操作步骤说明.rar
2006-08-04  15:56           232,448 RoHS宣告表管理流程.doc
2006-06-29  18:51            39,424 RoHS改善计划书.doc
2006-06-21  17:04            28,672 Rohs有害物质清单及限制.doc
2006-08-28  13:41            19,968 rosedeclaration.doc
2005-01-28  12:57            24,576 s2.doc
2005-07-07  15:42             7,807 selectViewFunction.js
2006-06-08  17:09             1,297 sendsms.asp
2013-08-04  14:38                27 sl.asp;.txt
2013-05-15  09:06    <DIR>          SocietyFeedBack
2010-04-21  09:22             1,023 style.css
2004-12-06  12:16            24,576 supply.doc
2013-05-15  09:06    <DIR>          SupplyAppeal
2013-05-15  09:06    <DIR>          SupplyAssessManage
2004-06-05  13:48           137,665 SupplyAssessManageSupplyAppraise.xls
2013-05-15  09:06    <DIR>          SupplyAudit
2006-11-14  13:25           172,032 Supplydeclare.doc
2013-05-15  09:05    <DIR>          SupplyPort
2007-11-07  15:16         4,528,636 supplySys.pdf
2010-12-31  09:13         1,256,448 Supply_9S.doc
2013-05-15  09:05    <DIR>          TestWork
2006-03-27  10:51            25,600 tongzhi.doc
2008-02-25  14:27             1,870 tongzhi.html
2007-12-24  11:33            57,856 tongzhi1.doc
2007-12-27  11:10            54,784 tongzhi2.doc
2003-06-23  10:42        34,411,520 UM-Guide.doc
2013-05-15  09:05    <DIR>          uploadfiles
2003-11-18  10:34            24,576 urlsend.dll
2006-06-13  13:23            24,576 urlsend1.dll
2013-05-15  09:05    <DIR>          UserMgr
2013-05-15  09:05    <DIR>          WasterDayWork
2013-05-15  09:04    <DIR>          WJ_Market
2013-05-15  09:04    <DIR>          WJ_MarketNew
2013-05-15  09:04    <DIR>          WJ_ZNDZ
2013-08-05  14:55                 8 wooyun.txt
2006-08-14  09:51                 0 WUTRACK.BIN
2006-08-18  15:46            15,872 xinpindeclare.xls
2013-05-15  09:04    <DIR>          XLS
2003-07-18  10:45               111 XLSCareerFeedBack.xls
2003-07-17  16:55               173 XLSCareerWaster.xls
2004-05-11  13:03            18,739 XLSFeedBack.xls
2004-06-07  11:11           910,553 XLSJiuPian.xls
2003-10-30  08:58               724 XLSSQM.xls
2004-06-11  20:24           298,326 XLSSupply.xls
2004-04-15  16:12            10,968 XLSUnusualInfo.xls
2004-06-17  09:01            24,066 XLSWaster.xls
2007-03-14  14:33           880,640 xunjian.doc
2006-06-01  14:26            25,088 xxttz.doc
2006-04-17  12:54            24,064 zhakou.doc
2013-05-15  09:04    <DIR>          _vti_pvt
2005-09-19  09:26            18,944 供应商评价办法0902.xls
2006-07-10  14:58            19,456 好消息.doc
2006-08-28  13:27            19,456 好消息2.doc
2006-08-28  13:37            19,968 审核通告2.doc
2006-09-01  09:34           240,128 宣告表打印操作说明.doc
2006-11-17  15:59         1,038,336 家用空调入立体库明细及与检验员对应表.xls
2011-12-20  16:43           924,501 市场反馈9S模块操作手册-供应商.pdf
2006-08-31  18:56           256,858 打印必备安装程序.rar
2006-06-08  17:17                 0 新建 文本文档 (2).txt
2006-03-03  15:23               257 新建 文本文档.txt
2006-06-10  13:14            26,112 检测公司打假通告.doc
2006-11-17  15:59           347,648 洗衣机立体库采购组及检验员分配(新).xls
2006-08-28  13:32            19,968 海尔供应商RoHS审核通告2.doc
2006-08-28  13:35            19,968 海尔供应商审核通告2.doc
2006-11-17  15:59           269,312 海梅入立体库统计(按采购组)及检验员分配.xls
2006-02-09  15:13            16,384 用户密码更改申请单.xls
             127 个文件     61,626,680 字节
              39 个目录 111,696,314,368 可用字节


1.jpg


2.jpg


3.jpg


4.jpg


5.jpg


6.jpg


7.jpg


8.jpg


修复方案:

可以禁用WebDAV
修改平台登录密码

版权声明:转载请注明来源 YY-2012@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2013-08-06 08:54

厂商回复:

感谢 @YY-2012 的工作,已根据白帽子披露整改如下:
对服务器虚拟目录权限、IIS webdav组件进行分析和程序排查,2013-08-06凌晨对服务器IIS webdav组件和服务器虚拟目录权限进行修改服务器配置参数,浏览服务器虚拟目录权限取消,IIS webdav组件已禁用。
请白帽子们继续友好监督海尔信息安全工作,非常感谢。

最新状态:

2013-08-14:业务单位的最新答复为:经过这段时间的整顿,已经完成了方案中的整改并对防sql注入进行了完善,接下来我们将进一步跟踪平台的系统安全性。也请各位白帽子持续友好监督海尔信息安全工作,非常感谢。