乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2016-03-22: 细节已通知厂商并且等待厂商处理中 2016-03-25: 厂商已经确认,细节仅向厂商公开 2016-04-04: 细节向核心白帽子及相关领域专家公开 2016-04-14: 细节向普通白帽子公开 2016-04-24: 细节向实习白帽子公开 2016-05-09: 细节向公众公开
https://**.**.**.**
Whoami: WebPath: /app/smscorpoffer/v07/htdocs/htmlOS.Name: SunOSOS.Version: 5.10Java.Home: /usr/jdk/instances/jdk1.6.0/jreJava.Version: 1.6.0_16OS.arch: sparcv9User.Name: tomcatUser.Home: /usr/local/jakartaUser.Dir: /usr/local/jakartaJava.Class.Path: ./:/usr/java/lib/tools.jar:/usr/java/bin:/usr/java/lib:/u01/app/oracle/product/10.2/jdbc/lib/ojdbc14.jar:/u01/app/oracle/product/10.2/jdbc/lib/classes12.zip:/u01/app/oracle/product/10.2/jdbc/lib/nls_charset12.jar:/usr/j2ee/lib/j2ee.jar:/usr/local/jakarta/tomcat/bin/bootstrap.jar:/usr/local/jakarta/tomcat/bin/commons-logging-api.jarJava.IO.Tmpdir: /usr/local/jakarta/tomcat/temp
hosts文件
#::1 localhost **.**.**.** localhost **.**.**.** ad**.**.**.** vas1 game1 **.**.**.****.**.**.** vas3 **.**.**.** loghost**.**.**.** orgsms **.**.**.****.**.**.** dsd **.**.**.****.**.**.** corpsms **.**.**.****.**.**.**1 vasback1**.**.**.**04 test-vas3 test-**.**.**.****.**.**.**14 test-**.**.**.****.**.**.**15 test-**.**.**.****.**.**.**00 itadmin01 log01**.**.**.** hp01**.**.**.** mis01**.**.**.** mbs1**.**.**.** mbs2**.**.**.** mbs1-vip**.**.**.** mbs2-vip**.**.**.** hpmis **.**.**.****.**.**.** gemprot**.**.**.** gemprop
在网站的根目录下有个叫hi.jsp的文件,我起初以为是webshell,但神奇的是里面保存了数据库配置信息
String driverClassName = "oracle.jdbc.driver.OracleDriver"; String dbURL = "jdbc:oracle:thin:@dev2:1521:ptcdev2"; String dbUser = "ptcwap"; String dbPassword = "pawptc"; Class.forName(driverClassName);
#database connectiondbcpName = java:comp/env/jdbc/debug_ptcwap_ptcgvasdb_driver= oracle.jdbc.driver.OracleDriverdb_url = jdbc:oracle:thin:@dev2:1521:ptcdev2db_username = ptcmailerdb_password = ptcmailer
#database connection#corpsms.dbcpName =java:comp/env/jdbc/ptcwap_ptcgvascorpsms.db_driver=oracle.jdbc.OracleDrivercorpsms.db_url=jdbc:oracle:thin:@vas1:1521:vascorpsms.db_username=vascorpsms.db_password=freevas#mms.dbcpName =java:comp/env/jdbc/ptcwap_ptcgvasmms.db_driver=oracle.jdbc.OracleDrivermms.db_url=jdbc:oracle:thin:@vas1:1521:ptcgvasmms.db_username=MMSOWNmms.db_password=OWNMMS
危害等级:高
漏洞Rank:11
确认时间:2016-03-25 17:29
CNVD确认并复现所述情况,已经转由CNCERT向中国移动集团公司通报,由其后续协调网站管理部门处置.
暂无