
Vulnerability summary

Defect ID: wooyun-2015-0107459

Title: Getshell on a Baihe.com (百合网) site server (part 3)

Vendor: Baihe.com (百合网)

Author: 路人甲

Submitted: 2015-04-12 20:34

Fix time: 2015-04-17 20:36

Disclosed: 2015-04-17 20:36

Vulnerability type: command execution

Severity: high

Self-assessed Rank: 18

Status: the vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-04-12: details sent to the vendor, awaiting vendor handling
2015-04-17: vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Getshell on a Baihe.com site; user top-up records and similar data can be obtained, and the server configuration contains multiple sets of database and server details.

Detailed description:

Affected servers: 117.41.240.49, 117.41.240.50, 117.41.240.51
URL: http://117.41.240.50:8080/BaiHeTwoPortal/baihe/sendMessage.action
Description: the site is affected by a Struts2 command-execution vulnerability, which leads to getshell.

[Screenshots: 1.png, 4.png]

Proof of vulnerability:

Database information 1:

#Remote server configuration
APIKey=139982M03V8W3EIL4AKL9BRO8KM2WTG9
SecretKey=WE0X1Z29B8TF39IG1NCEOUTX31DQ94S4
domain=http://open1.baihe.com/api/
#localUrl=http://117.41.240.50:8089/BaiHeTwoPortal/
#Database connection configuration
jdbc_driver=com.mysql.jdbc.Driver
jdbc_url=jdbc:mysql://117.41.240.49:3306/BAIHE_V2
jdbc_user=sa
jdbc_password=asdf123
#Default country-85-CHINA and province-8634-Anhui
DEFAULT_COUNTRY=86
DEFAULT_PROVINCE=8636
#Order information-Anhui
anhui_order_url=http://61.191.44.221:8090/aaa/authorization.do
anhui_sp_code=sp_njxj
anhui_key=4cf2f83410081cf2
anhui_service_code=service_dshl
#order price
order_price=9.9
#JX Web Service
JX_Web_Service=http://117.41.240.73:8080/jxiptv/iptv/ws/UpcWebService?wsdl
JX_Web_Service_NameSpace=http://ws.iptv.cndatacom.com/
#Account Info
BUSINESS_CODE=BAIHE
BUSINESS_TYPE=1
USERNAME=njxj
CODE=12345678
SP_ID=23189971
PRODUCT_ID=123307001200191013689
########################MemCached setting########################
mem_servers=117.41.240.49:11211



#Remote server configuration
APIKey=139982M03V8W3EIL4AKL9BRO8KM2WTG9
SecretKey=WE0X1Z29B8TF39IG1NCEOUTX31DQ94S4
domain=http://open1.baihe.com/api/
#Database connection configuration
jdbc_driver=com.mysql.jdbc.Driver
jdbc_url=jdbc:mysql://117.41.240.49:3306/BAIHE_V2
jdbc_user=sa
jdbc_password=asdf123



datasource.jdbc.driverClassName=com.mysql.jdbc.Driver
#datasource.jdbc.url=jdbc:mysql://localhost:3306/APPSTORE?useUnicode=true&characterEncoding=utf-8
#datasource.jdbc.username=root
#datasource.jdbc.password=123456
datasource.jdbc.url=jdbc:mysql://117.41.240.49:3306/APPSTORE?useUnicode=true&characterEncoding=utf-8
datasource.jdbc.username=sa
datasource.jdbc.password=asdf123
datasource.jdbc.initialSize=3
datasource.jdbc.maxActive=10
datasource.jdbc.maxIdle=5
datasource.jdbc.minIdle=1
datasource.jdbc.maxWait=1000
datasource.jdbc.maxIdleTime=25000
datasource.jdbc.preferredTestQuery=select id from test where id=1
datasource.jdbc.testConnectionOnCheckout=true
datasource.slave.driverClassName=com.mysql.jdbc.Driver
datasource.slave.url=jdbc:mysql://117.41.240.49:3306/APPSTORE?useUnicode=true&characterEncoding=utf-8
datasource.slave.username=sa
datasource.slave.password=asdf123
#datasource.slave.url=jdbc:mysql://192.168.1.184:3306/APPSTORE?useUnicode=true&characterEncoding=utf-8
#datasource.slave.username=sa
#datasource.slave.password=asdf123
datasource.slave.initialSize=3
datasource.slave.maxActive=10
datasource.slave.maxIdle=5
datasource.slave.minIdle=1
datasource.slave.maxWait=1000
datasource.slave.maxIdleTime=25000
datasource.slave.preferredTestQuery=select id from test where id=1
datasource.slave.testConnectionOnCheckout=true
#File and image server connection address
imageServerIpAddress=http://117.41.240.50:8021/filemanage/
#imageServerIpAddress=http://192.168.2.108:8080/img/
#Synchronization system connection address
sysServerIpAddress=http://192.168.2.182:8078/ClientSysData/
#Currently connected to the system address, send e-mail when a registered user, the system displays the login link address
serverIpAddress=http://localhost:8888/BTOP/
#Register with the mailbox
fromEmail=Managesystem
#mail.host=smtp.263xmail.com
mail.host=smtp.163.com
[email protected]
mail.password=xiaojian00
#memcacheIP
#"192.168.11.98:11211", "192.168.11.98:11212"
memCacheIp = 117.41.240.49:11211
# limti upload file size
limitUploadPicSize=102400
#System identification
sign=client
ottSign=
#Resolve the apk command path
#/media/30387FB3387F7726/demouploadfileapk/android-sdk-linux/platform-tools/ linux extracting androidSDK path corresponding to the configuration according to the SDK path
#aapt d badging Unzip command
parseApkCommand=/usr/local/platform-tools/aapt d badging
from_path=/home/btop/pay/ftpfile/
back_path =/home/btop/pay/ftpfile/back
back_path_false =/home/btop/pay/ftpfile/false
ftp.ip=172.24.23.150
ftp.port=21
ftp.username=bestftp
ftp.password=bestvwin
ftp.localpath=/usr/
ftp.ftppath=/usr/bestftp/



######################Constranst setting########################
#imageServerIpAddress=http://192.168.2.182:8078/filemanage/
#synServerIpAddress=http://192.168.2.155:8080/btopsyndata/
#interfaceAddress=http://192.168.2.183:8080/btopinterface/
#######################DataBase setting########################
############# MySql
#master db write
jdbc.driver=com.mysql.jdbc.Driver
jdbc.url=jdbc:mysql://117.41.240.49:3306/APPSTORE?createDatabaseIfNotExist=true&useUnicode=true&characterEncoding=utf-8&autoReconnect=true
jdbc.username=sa
jdbc.password=asdf123
#slave db read
jdbc.slave.url=jdbc:mysql://117.41.240.49:3306/APPSTORE?createDatabaseIfNotExist=true&useUnicode=true&characterEncoding=utf-8&autoReconnect=true
jdbc.slave.username=sa
jdbc.slave.password=asdf123
############# H2
#h2 standalone database settings
#jdbc.driver=org.h2.Driver
#jdbc.url=jdbc:h2:tcp://localhost/~/GAMESYS
#jdbc.username=sa
#jdbc.password=
#hibernate.dialect=org.hibernate.dialect.H2Dialect
############# log4jdbc
#log4jdbc driver
#jdbc.driver=net.sf.log4jdbc.DriverSpy
#jdbc.url=jdbc:log4jdbc:h2:tcp://localhost/~/GAMESYS
############# oracle
#oracle database settings
#jdbc.driver=oracle.jdbc.driver.OracleDriver
#jdbc.url=jdbc:oracle:thin:@127.0.0.1:1521:XE
#jdbc.username=sa
#jdbc.password=
#hibernate.dialect=org.hibernate.dialect.Oracle10gDialect
########################DataBasePool setting########################
#dbcp settings
dbcp.maxIdle=5
dbcp.maxActive=40
#c3p0 settings
datasource.jdbc.initialPoolSize=3
datasource.jdbc.minPoolSize=2
datasource.jdbc.maxPoolSize=50
datasource.jdbc.acquireIncrement=5
datasource.jdbc.maxStatements=100
datasource.jdbc.maxIdleTime=25000
datasource.jdbc.idleConnectionTestPeriod=18000
#default use Pool's
#datasource.jdbc.maxWait=0
#datasource.jdbc.numHelperThreads=3
########################MemCached setting########################
mem_servers=117.41.240.49:11211
mem_initConn=2
mem_minConn=2
mem_maxConn=300
mem_threshold=10
mem_defaultET=300
#custome parmater
#Cache a day = 1L*24*60*60*1000
cache_expire_time=86400000L
#exclude_cache_methods=getSlaveVersion_getMasterVersion
#include_cache_methods=get*
#flush_cache_methods=save_update_delete
#######################Hibernate setting########################
hibernate.dialect=org.hibernate.dialect.MySQL5InnoDBDialect
hibernate.show_sql=false
hibernate.format_sql=false
hibernate.use_sql_comments=false
hibernate.max_fetch_depth=3
hibernate.cache.use_query_cache=false
hibernate.jdbc.batch_size=20
hibernate.default_batch_fetch_size=20
hibernate.jdbc.fetch_size=20
hibernate.query.substitutions=true 1, false 0
hibernate.bytecode.use_reflection_optimizer=true
hibernate.order_updates=true
#DEFAULT none,option(none,create,update,validate...)
hibernate.hbm2ddl.auto=update
# second_level_cache
hibernate.cache.provider_class=org.hibernate.cache.OSCacheProvider
#hibernate.cache.use_second_level_cache=true
#hibernate.cache.use_query_cache=true
#hibernate.cache.region.factory_class=org.hibernate.cache.EhCacheRegionFactory
#net.sf.ehcache.configurationResourceName=/ehcache_hibernate.xml
#hibernate.cache.use_structured_entries=true
#hibernate.generate_statistics=true
#spring default / thread / JTA..
hibernate.current_session_context_class=org.springframework.orm.hibernate3.SpringSessionContext
hibernate.transaction.factory_class=org.hibernate.transaction.JDBCTransactionFactory
########################Cookie setting########################
cookie_expire_time=86400
#######################Mail setting########################
# This properties file is used to configure mail settings in
# /WEB-INF/classes/logback.xml
#Sender
[email protected]
#Target recipient
[email protected]
#Mail server address
mail.smtphost=smtp.263xmail.com
#Username
[email protected]
#Password
mail.password=zhc982?
mail.debug=false
mail.transport.protocol=smtp
#JX Web Service
JX_Web_Service=http://117.41.240.73:8080/jxiptv/iptv/ws/UpcWebService?wsdl
JX_Web_Service_NameSpace=http://ws.iptv.cndatacom.com/
#Account Info
BUSINESS_CODE=BAIHE
USERNAME=njxj
CODE=12345678
FTP_DIR=/boss/ftp/sp/
FTP_IP=10.60.6.246
FTP_USER=xjnt
FTP_PWD=xjnt
#http://128.129.99.49:1389/


Mailbox:

mail_from [email protected]
mail_host =mail.emotte.com
mail_userName [email protected]
mail_password =emotte.com


An office system

http://117.41.240.50:8078/meis/ioif/loginAo!doLoginVertify.action   admin/123456

Fix recommendation:

Please fix your site's vulnerabilities as soon as possible; the access obtained and the scope of impact are both broad. As a white hat this is what I should do; I hope you face security issues properly and look into the remaining sensitive information and damage yourselves! How about a 20 Rank~$$ how about it~
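The dumped .properties files above show how credentials sit in plaintext, including ones that were merely commented out. As an added example (not from the original report or from Baihe.com), the following Python checker flags credential-like keys in a Java .properties file and produces a redacted copy that can be attached to a report without re-leaking the values; the sample file and its values are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Final dotted key segments that indicate a credential (case-insensitive):
# jdbc_password, datasource.slave.password, FTP_PWD, SecretKey, APIKey, anhui_key, ...
SECRET_KEY_RE = re.compile(r"(password|passwd|pwd|secret|secretkey|apikey|api_key|_key)$", re.I)
# One .properties line: optional "#"/"!" comment marker, key, "=" or ":", value.
LINE_RE = re.compile(r"^\s*(?P<commented>[#!]?)\s*(?P<key>[A-Za-z0-9_.\-]+)\s*[=:]\s*(?P<value>.*?)\s*$")

@dataclass
class Finding:
    line_no: int
    key: str
    value: str
    commented_out: bool  # a "#" in front of an old password does not stop it leaking

def find_plaintext_secrets(text: str) -> list:
    """Key/value pairs whose key looks like a credential; commented-out lines included, empty values skipped."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(raw)
        if not m or not m.group("value"):
            continue
        last_segment = m.group("key").rsplit(".", 1)[-1]
        if SECRET_KEY_RE.search(last_segment):
            findings.append(Finding(line_no, m.group("key"), m.group("value"),
                                    m.group("commented") != ""))
    return findings

def redact_secrets(text: str) -> str:
    """Copy of the file with every detected secret value replaced by <redacted>; other lines unchanged."""
    flagged = {f.line_no for f in find_plaintext_secrets(text)}
    out = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if line_no in flagged:
            m = LINE_RE.match(raw)
            raw = raw[:m.start("value")] + "<redacted>"
        out.append(raw)
    return "\n".join(out)

# Constructed sample in the layout of the dumped files above; all values are placeholders.
SAMPLE = """\
#Database connection configuration
jdbc_driver=com.mysql.jdbc.Driver
jdbc_password=EXAMPLE_PASSWORD
#datasource.jdbc.password=OLD_EXAMPLE_PASSWORD
#jdbc.password=
mail_password =EXAMPLE_MAIL_PASSWORD
SecretKey=EXAMPLE_SECRET
anhui_key=EXAMPLE_KEY
"""
```

Running `find_plaintext_secrets(SAMPLE)` reports five entries, one of them the commented-out old password, and `redact_secrets(SAMPLE)` masks exactly those five values.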

Copyright notice: please credit the source when reposting: 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: no impact, vendor ignored

Ignored at: 2015-04-17 20:36

Vendor reply:

Vulnerability Rank: 15 (WooYun rating)

Latest status:

None yet