当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0106300

漏洞标题:海尔某站两处配置不当已入内网

相关厂商:海尔集团

漏洞作者: fuckadmin

提交时间:2015-04-07 06:40

修复时间:2015-05-22 13:18

公开时间:2015-05-22 13:18

漏洞类型:系统/服务补丁不及时

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-04-07: 细节已通知厂商并且等待厂商处理中
2015-04-07: 厂商已经确认,细节仅向厂商公开
2015-04-17: 细节向核心白帽子及相关领域专家公开
2015-04-27: 细节向普通白帽子公开
2015-05-07: 细节向实习白帽子公开
2015-05-22: 细节向公众公开

简要描述:

有人说过海尔产品链太长,自然问题就多了。

详细说明:

1.
第一处

1.jpg


接口存在咯,就getshell~~

2.jpg


2.第二处
http://jiaju.haier.net/haier/sys/Login_dologin.action
没啥说的,之前有人提过,但还是没修复~~

3.jpg


3.漫游内网
数据库配置

<?xml version="1.0" encoding="UTF-8"?>
<!-- ===================================================================== -->
<!--                                                                       -->
<!--  JBoss Server Configuration                                           -->
<!--                                                                       -->
<!-- ===================================================================== -->
<!-- $Id: mssql-ds.xml 63175 2007-05-21 16:26:06Z rrajesh $ -->
  <!-- ======================================================================-->
  <!-- New ConnectionManager setup for Microsoft SQL Server 2005  driver     -->
  <!-- Further information about the Microsoft JDBC Driver version 1.1      -->
  <!-- can be found here:                                                   -->
  <!-- http://msdn2.microsoft.com/en-us/library/aa496082.aspx               -->  
  <!-- ===================================================================== -->
<datasources>
  <local-tx-datasource>
    <jndi-name>MSSQLDS</jndi-name>
    <connection-url>jdbc:sqlserver://10.135.106.147;databaseName=EBHaier</connection-url>
    <driver-class>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver-class>  
    <user-name>sa</user-name>
    <password>Haier123#</password>
    <min-pool-size>50</min-pool-size>
    <max-pool-size>500</max-pool-size>
      <blocking-imeout-millis>30000</blocking-imeout-millis>
      <idel-timeout-minutes>1</idel-timeout-minutes>
      <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.SQLExceptionSorter</exception-sorter-class-name>
      <metadate>
         <type-mapping>MS SQLSERVER2008</type-mapping>
      </metadate>
  </local-tx-datasource>
  <local-tx-datasource>
    <jndi-name>MSSQLDS_Test</jndi-name>
    <connection-url>jdbc:sqlserver://10.135.106.147;databaseName=20141117EBHaier</connection-url>
    <driver-class>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver-class>  
    <user-name>sa</user-name>
    <password>Haier123#</password>
    <min-pool-size>50</min-pool-size>
    <max-pool-size>500</max-pool-size>
      <blocking-imeout-millis>30000</blocking-imeout-millis>
      <idel-timeout-minutes>1</idel-timeout-minutes>
      <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.SQLExceptionSorter</exception-sorter-class-name>
      <metadate>
         <type-mapping>MS SQLSERVER2008</type-mapping>
      </metadate>
  </local-tx-datasource>
</datasources>


4.jpg

漏洞证明:

1.
第一处

1.jpg


接口存在咯,就getshell~~

2.jpg


2.第二处
http://jiaju.haier.net/haier/sys/Login_dologin.action
没啥说的,之前有人提过,但还是没修复~~

3.jpg


3.漫游内网
数据库配置

<?xml version="1.0" encoding="UTF-8"?>
<!-- ===================================================================== -->
<!--                                                                       -->
<!--  JBoss Server Configuration                                           -->
<!--                                                                       -->
<!-- ===================================================================== -->
<!-- $Id: mssql-ds.xml 63175 2007-05-21 16:26:06Z rrajesh $ -->
  <!-- ======================================================================-->
  <!-- New ConnectionManager setup for Microsoft SQL Server 2005  driver     -->
  <!-- Further information about the Microsoft JDBC Driver version 1.1      -->
  <!-- can be found here:                                                   -->
  <!-- http://msdn2.microsoft.com/en-us/library/aa496082.aspx               -->  
  <!-- ===================================================================== -->
<datasources>
  <local-tx-datasource>
    <jndi-name>MSSQLDS</jndi-name>
    <connection-url>jdbc:sqlserver://10.135.106.147;databaseName=EBHaier</connection-url>
    <driver-class>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver-class>  
    <user-name>sa</user-name>
    <password>Haier123#</password>
    <min-pool-size>50</min-pool-size>
    <max-pool-size>500</max-pool-size>
      <blocking-imeout-millis>30000</blocking-imeout-millis>
      <idel-timeout-minutes>1</idel-timeout-minutes>
      <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.SQLExceptionSorter</exception-sorter-class-name>
      <metadate>
         <type-mapping>MS SQLSERVER2008</type-mapping>
      </metadate>
  </local-tx-datasource>
  <local-tx-datasource>
    <jndi-name>MSSQLDS_Test</jndi-name>
    <connection-url>jdbc:sqlserver://10.135.106.147;databaseName=20141117EBHaier</connection-url>
    <driver-class>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver-class>  
    <user-name>sa</user-name>
    <password>Haier123#</password>
    <min-pool-size>50</min-pool-size>
    <max-pool-size>500</max-pool-size>
      <blocking-imeout-millis>30000</blocking-imeout-millis>
      <idel-timeout-minutes>1</idel-timeout-minutes>
      <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.SQLExceptionSorter</exception-sorter-class-name>
      <metadate>
         <type-mapping>MS SQLSERVER2008</type-mapping>
      </metadate>
  </local-tx-datasource>
</datasources>


4.jpg

修复方案:

1.删除接口
2.修复漏洞

版权声明:转载请注明来源 fuckadmin@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:14

确认时间:2015-04-07 13:16

厂商回复:

谢乌云平台白帽子的测试与提醒,我方已安排人员进行处理

最新状态:

暂无