WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles online -------- http://drop.zone.ci/
2015-07-11: Details sent to the vendor and awaiting the vendor's handling
2015-07-14: Vendor has confirmed; details disclosed only to the vendor
2015-07-24: Details disclosed to core white hats and relevant domain experts
2015-08-03: Details disclosed to regular white hats
2015-08-13: Details disclosed to intern white hats
2015-08-28: Details disclosed to the public
Heard the marketplace has new items again.
1. Site URL: http://114.251.229.203:8080/mcl/
2. Site name: Sunshine Insurance direct-claims back-office management system. The problem: a misconfiguration leaves invoker/JMXInvokerServlet exposed, so a war can be deployed remotely to get a shell.
3. getshell
Important configuration file
<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC "-//JBoss//DTD JBOSS Security Config 3.0//EN" "http://www.jboss.org/j2ee/dtd/security_config.dtd">
<!-- The XML based JAAS login configuration read by the
org.jboss.security.auth.login.XMLLoginConfig mbean. Add
an application-policy element for each security domain.

The outline of the application-policy is:
<application-policy name="security-domain-name">
  <authentication>
    <login-module code="login.module1.class.name" flag="control_flag">
      <module-option name = "option1-name">option1-value</module-option>
      <module-option name = "option2-name">option2-value</module-option>
      ...
    </login-module>

    <login-module code="login.module2.class.name" flag="control_flag">
      ...
    </login-module>
    ...
  </authentication>
</application-policy>

$Revision: 64598 $
-->
<policy>
  <!-- Used by clients within the application server VM such as
  mbeans and servlets that access EJBs.
  -->
  <application-policy name = "client-login">
    <authentication>
      <login-module code = "org.jboss.security.ClientLoginModule" flag = "required">
        <!-- Any existing security context will be restored on logout -->
        <module-option name="restore-login-identity">true</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- Security domain for JBossMQ -->
  <application-policy name = "jbossmq">
    <authentication>
      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
        <module-option name = "unauthenticatedIdentity">guest</module-option>
        <module-option name = "dsJndiName">java:/DefaultDS</module-option>
        <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
        <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- Security domain for JBossMQ when using file-state-service.xml
  <application-policy name = "jbossmq">
    <authentication>
      <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
        flag = "required">
        <module-option name = "unauthenticatedIdentity">guest</module-option>
        <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
      </login-module>
    </authentication>
  </application-policy>
  -->

  <!-- Security domains for testing new jca framework -->
  <application-policy name = "HsqlDbRealm">
    <authentication>
      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule" flag = "required">
        <module-option name = "principal">sa</module-option>
        <module-option name = "userName">sa</module-option>
        <module-option name = "password"></module-option>
        <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <application-policy name = "JmsXARealm">
    <authentication>
      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule" flag = "required">
        <module-option name = "principal">guest</module-option>
        <module-option name = "userName">guest</module-option>
        <module-option name = "password">guest</module-option>
        <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- A template configuration for the jmx-console web application. This
  defaults to the UsersRolesLoginModule the same as other and should be
  changed to a stronger authentication mechanism as required.
  -->
  <application-policy name = "jmx-console">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required">
        <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
        <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- A template configuration for the web-console web application. This
  defaults to the UsersRolesLoginModule the same as other and should be
  changed to a stronger authentication mechanism as required.
  -->
  <application-policy name = "web-console">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required">
        <module-option name="usersProperties">web-console-users.properties</module-option>
        <module-option name="rolesProperties">web-console-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- A template configuration for the JBossWS security domain. This
  defaults to the UsersRolesLoginModule the same as other and should be
  changed to a stronger authentication mechanism as required.
  -->
  <application-policy name="JBossWS">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="usersProperties">props/jbossws-users.properties</module-option>
        <module-option name="rolesProperties">props/jbossws-roles.properties</module-option>
        <module-option name="unauthenticatedIdentity">anonymous</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- The default login configuration used by any security domain that
  does not have an application-policy entry with a matching name
  -->
  <application-policy name = "other">
    <!-- A simple server login module, which can be used when the number
    of users is relatively small. It uses two properties files:
    users.properties, which holds users (key) and their password (value).
    roles.properties, which holds users (key) and a comma-separated list
    of their roles (value).
    The unauthenticatedIdentity property defines the name of the principal
    that will be used when a null username and password are presented as is
    the case for an unauthenticated web client or MDB. If you want to
    allow such users to be authenticated add the property, e.g.,
    unauthenticatedIdentity="nobody"
    -->
    <authentication>
      <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required" />
    </authentication>
  </application-policy>

  <application-policy name = "EncryptDBPassword">
    <authentication>
      <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
        <module-option name="username">slrsbase</module-option>
        <module-option name="password">6ab9c9fd6bb32fab4dae2fd16fb6f26c</module-option>
        <module-option name="managedConnectionFactoryName">jboss.jca:name=jdbc/slrsprd,service=LocalTxCM</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <application-policy name = "slis">
    <authentication>
      <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
        <module-option name="username">slismcl</module-option>
        <module-option name="password">-5eec0864921c8737</module-option>
        <module-option name="managedConnectionFactoryName">jboss.jca:name=jdbc/slis,service=LocalTxCM</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <application-policy name = "mcl">
    <authentication>
      <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
        <module-option name="username">mclbase</module-option>
        <module-option name="password">2707edc4b3d0a2bfb7b2aa3f2a5b7d20</module-option>
        <module-option name="managedConnectionFactoryName">jboss.jca:name=jdbc/mcl,service=LocalTxCM</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
1. Remove the interface
2. Restrict access
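One concrete form of the second fix, added here as an example that is not from the report or the vendor: a security-constraint in the invoker web application's web.xml that covers every URL and, by listing no http-method elements, every HTTP verb, so JMXInvokerServlet and its siblings answer only to an authenticated HttpInvoker role. The file location deploy/http-invoker.sar/invoker.war/WEB-INF/web.xml, the role name and the realm name are assumptions based on a standard JBoss AS 4.x/5.x layout, and the security domain the war is bound to must have real users and roles configured for the constraint to mean anything.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the vendor's file. Assumed location:
     deploy/http-invoker.sar/invoker.war/WEB-INF/web.xml -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- The shipped servlet and servlet-mapping entries for
       JMXInvokerServlet and the other invoker servlets stay as they are;
       only the security section below changes. -->

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HttpInvokers</web-resource-name>
      <!-- /* rather than a sub-path: no unauthenticated route is left -->
      <url-pattern>/*</url-pattern>
      <!-- Deliberately no <http-method> elements. Per the Servlet spec a
           constraint that lists only GET and POST leaves every other verb
           unconstrained; omitting the element constrains all of them. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- HttpInvoker is an assumed role name; it has to be granted in the
           roles file of the security domain named in jboss-web.xml -->
      <role-name>HttpInvoker</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Require TLS so BASIC credentials are not sent in the clear -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBoss HTTP Invoker</realm-name>
  </login-config>

  <security-role>
    <role-name>HttpInvoker</role-name>
  </security-role>
</web-app>
```

Where the HTTP invoker is not needed at all, removing the whole http-invoker.sar deployment (the report's first recommendation) is simpler and leaves nothing to misconfigure.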
Severity: High
Vulnerability Rank: 10
Confirmed at: 2015-07-14 16:36
CNVD confirmed the reported situation; it has been passed to CNCERT to notify the insurance industry's IT supervisory department, which will coordinate follow-up handling with the website's operating unit.
None yet