当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0102461

漏洞标题:中国石化某站文件下载数据库连接信息泄露

相关厂商:中国石油化工股份有限公司

漏洞作者: 独孤求败

提交时间:2015-03-20 09:40

修复时间:2015-03-25 09:42

公开时间:2015-03-25 09:42

漏洞类型:任意文件遍历/下载

危害等级:低

自评Rank:1

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-03-20: 细节已通知厂商并且等待厂商处理中
2015-03-25: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

中国石化某站文件下载数据库连接信息泄露

详细说明:

中国石化某站文件下载数据库连接信息泄露。
地址:http://218.58.78.123:8080/web.rar

QQ图片20150319215320.png

QQ图片20150319215351.png


数据库信息:

QQ图片20150319220547.png

漏洞证明:

数据库信息代码如下:

<?xml version="1.0"?><!--2008-09-24 portal--><configuration>
<!--AJAX begin-->
<configSections>
<sectionGroup name="system.web.extensions" type="System.Web.Configuration.SystemWebExtensionsSectionGroup, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<sectionGroup name="scripting" type="System.Web.Configuration.ScriptingSectionGroup, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<section name="scriptResourceHandler" type="System.Web.Configuration.ScriptingScriptResourceHandlerSection, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="false" allowDefinition="MachineToApplication"/>
<sectionGroup name="webServices" type="System.Web.Configuration.ScriptingWebServicesSectionGroup, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<section name="jsonSerialization" type="System.Web.Configuration.ScriptingJsonSerializationSection, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="false" allowDefinition="Everywhere"/>
<section name="profileService" type="System.Web.Configuration.ScriptingProfileServiceSection, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="false" allowDefinition="MachineToApplication"/>
<section name="authenticationService" type="System.Web.Configuration.ScriptingAuthenticationServiceSection, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="false" allowDefinition="MachineToApplication"/>
</sectionGroup>
</sectionGroup>
</sectionGroup>
</configSections>
<!--AJAX end-->
<appSettings>
<add key="ConnCountInPool" value="5"/>
<add key="ConnectionString" value="Data Source=orcl;User ID=hsejwbx;Password=hsejwbx;"/>
<add key="FCKeditor:BasePath" value="~/fckEditor/"/>
<add key="FCKeditor:UserFilesPath" value="/SlnPortal/KnowledgeArt/xkziArticle/UserFiles"/>
<add key="IsRoleLoadAll" value="0"/>
<!--菜单是否折叠兄弟节点-->
<add key="IsMenuCollapseBrothers" value="1"/>
<!--菜单路径为空时main框架是否显示其子菜单页面-->
<add key="IsDisplayChildMenu" value="1"/>
<!--是否中石化提升系统-->
<!--<add key="IsPtscts" value="1"/>-->
<!--是否角色委托-->
<add key="IsUserDelegate" value="0"/>
<add key="EncryptMode" value="1"/>
<add key="--ValidationExpression" value="(?!^[0-9]*$)(?!^[\Wa-zA-Z]*$)^([\W0-9A-Za-z]{6,6})$"/>
<add key="--ErrorMessage" value="密码格式不正确!"/>
<add key="--EnableImport" value="1"/>
<!--密码失效日期:以月为单位-->
<add key="--ExpiryDate" value="3"/>
<!--密码重置为1,需要登录时重新设置密码-->
<add key="--LoginReset" value="1"/>
<!--设置桌面快捷方式显示图片的大小-->
<add key="QuickLinkWidth" value="128"/>
<add key="QuickLinkHeight" value="95"/>
<add key="TopMenuCount" value="20"/><!--header顶部横向一级菜单显示个数-->
<add key="IsDomainUserLogin" value="2"/><!--0普通登录;1域用户登录;2既可以域用户登录,也可以普通用户登录-->
<add key="DomainServerIP" value="192.168.100.1"/>
<!--用salien.com必须web服务器也在域里,用ip地址就不用在域里。-->
<add key="WebSeriveSSO" value="http://localhost:14338/SSOService2/OThinkerSSO.asmx"/>
<!--公共密码-->
<add key="--CommonPassword" value="111"/>
<!--是否绑定IP-->
<add key="--IsBandIP" value="1"/>
<!-- 班次个数 -->
<add key="--ShiftCount" value="3"/>
<!-- 班次时间点 -->
<add key="--Shift_TIME_0" value="06:00:00"/>
<add key="--Shift_TIME_1" value="14:00:00"/>
<add key="--Shift_TIME_2" value="22:00:00"/>
<add key="ChartHttpHandler" value="Storage=memory;Timeout=180;Url=~/temp/;"/>
<!-- 菜单是否加密 -->
<add key="IsMenuEncrypt" value="0"/>
<!--下拉框显示样式1 旧版 2 新版-->
<!--<add key="DropDownListVersion" value ="2"/>-->
<!--add zxm 090508 查询时错误提示方式("Off" 错误明细; "On" 错误简单提示 )-->
<add key="customErrors" value="On"/>
<!--<add key="PrintPagePath" value ="../../report/generates/printpage.aspx"/>-->
<!--add zxm 0906(true 弹出打印对话框; false 不弹出打印对话框)-->
<!--<add key="DirectPrint" value ="true"/>-->
<!--add 090616(审批:1 旧版; 2 新版 ;默认为2)-->
<add key="WorkFlowVersion" value="2"/>
<!--add 090619(打印注册:1 脚本; 2 cookie ;默认为1)-->
<add key="PrintRegister" value="2"/>
<add key="afc" value="../../masterkey/slnmesflowchart2.html"/>
<!--是否工程分类;瓦斯不分类,镇海分类-->
<add key="isPrjSort" value="true"/>
<!--是否存在属性分组-->
<add key="isGroupP" value="false"/>
</appSettings>
<!--Web Parts Connection-->
<connectionStrings>
<clear/>
<add name="LocalSQLServer" connectionString="Server=.;Database=aspnetdb;trusted_connection=yes"/>
<add name="OraAspNetConString" connectionString="Data Source=221;User ID=ptsb_zh;Password=ptsb_zh;"/>
</connectionStrings>
<system.web>
<pages enableEventValidation="false" enableSessionState="true" validateRequest="false"><!--theme="Blue"-->
<controls>
<add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
</controls>
</pages>
<httpHandlers>
<add path="ChartAxd.axd" verb="*" type="Dundas.Charting.WebControl.ChartHttpHandler" validate="false"/>
<add path="*.aspx" verb="*" type="SlnPortal.Utility.MyHandlerFactory"/>

<!--AJAX begin-->
<remove verb="*" path="*.asmx"/>
<add verb="*" path="*.asmx" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
<add verb="*" path="*_AppService.axd" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
<add verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" validate="false"/>
</httpHandlers>
<httpModules>
<add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
</httpModules>
<!--AJAX end-->
<httpRuntime maxRequestLength="1048576" executionTimeout="3600"/>
<compilation debug="true">
<assemblies>
<add assembly="System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>

<add assembly="System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
<add assembly="System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="System.Xml, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
<add assembly="System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
<add assembly="System.Web.Services, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="System.DirectoryServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="System.DirectoryServices.Protocols, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="System.Design, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="System.ServiceProcess, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
<add assembly="System.Web.RegularExpressions, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/></assemblies>
</compilation>
<customErrors mode="Off"/>
<authentication mode="Forms">
<forms name="SlnPortalUserCookie" loginUrl="Login.aspx" defaultUrl="default.aspx" protection="Encryption" path="/"><!--Login_NJ.aspx-menutop_NJ.aspx-menutop_zhy.aspx-->
</forms>
</authentication>
<webParts enableExport="true">
<personalization defaultProvider="CustomOraclePersonalizationProvider">
<providers>
<add connectionStringName="OraAspNetConString" applicationName="PortalTest" name="CustomOraclePersonalizationProvider" type="SlnPortal.Utility.Personalization.SlnOraclePersonalizationProvider,SlnPortal, Version=3.0.0.3, Culture=neutral"/>
</providers>
<authorization>
<allow users="*" verbs="enterSharedScope"/>
<allow users="*" verbs="modifyState"/>
</authorization>
</personalization>
</webParts>
<!---负载平衡的环境需要设置machineKey-->
<!--<machineKey validationKey="90CBB9B2FAD04C6F869A58D6A42AED0D13F3440227CD725F6008BC4835B7C0BFBEFFAE214DC81DAE3CD7E395A70B0D6C492EFB8C8BE69F9E86D006D2320FE524"
decryptionKey="69A5A438452FCB3C031FEA245DEF770191A16609E9E4A62F" validation="SHA1" decryption="3DES" />-->
<!--StateServer:Session can not invalidation,InProc;timeout的单位是分-->
<sessionState mode="StateServer" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="240"/>
<globalization requestEncoding="gb2312" responseEncoding="gb2312"/><!--utf-8-->
<xhtmlConformance mode="Legacy"/>
</system.web>
<!--AJAX begin-->
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
<modules>
<add name="ScriptModule" preCondition="integratedMode" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
</modules>
<handlers>
<remove name="WebServiceHandlerFactory-Integrated"/>
<add name="ScriptHandlerFactory" verb="*" path="*.asmx" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
<add name="ScriptHandlerFactoryAppServices" verb="*" path="*_AppService.axd" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
<add name="ScriptResource" preCondition="integratedMode" verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
</handlers>
</system.webServer>
<!--AJAX end-->
</configuration>

修复方案:

。。。

版权声明:转载请注明来源 独孤求败@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-03-25 09:42

厂商回复:

最新状态:

2015-03-25:谢谢