
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0111127

Title: "You take a loan, I know about it": 集都 risk-investment platform getshell / multiple database leaks / watch me reset every user's password

Affected vendor: 上海集都创投

Author: 路人甲

Submitted: 2015-04-29 20:51

Fix deadline: 2015-06-13 20:52

Published: 2015-06-13 20:52

Vulnerability type: command execution

Severity: high

Self-assessed Rank: 20

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-04-29: actively contacting the vendor and waiting for the vendor to claim the report; details withheld from the public
2015-06-13: the vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

You take a loan, I know about it?
0x01: getshell
0x02: information disclosure (including ID-card numbers and similar data)
0x03: default configuration (including the virus-scanning system)
0x04: database leak (every database)
0x05: password reset (every registered user)

Detailed description:

Vendor: 上海集都创投
Site: the 集都创投 risk-control system
http://fengkong.gidon.cn/findpassword/getCodePage.action
0x01: getshell
The site runs a Struts2 build with a command-execution flaw, which yields a webshell.
Directory: D:\apache-tomcat-7.0.59-risk\webapps\RiskControl\

(screenshot: 1.png)


0x02: information disclosure

(screenshot: 2.png)


0x03: default configuration

# Virus-scan feature switch. Off by default; the feature is enabled when the value is true
mvs.upload.enable=true
# Target address for file uploads
#mvs.upload.targetURL=http://IQCD-D0049:8080/uploader/upload
mvs.upload.targetURL=http://mvs-stg.pingan.com.cn:8080/uploader/upload
#mvs.upload.targetURL=http://10.25.32.11:8787/uploader/upload
# Address used to validate the virtual user's password
#mvs.validate.url=http://IQCD-D0049:8080/uploader/validateVUser
mvs.validate.url=http://mvs-stg.pingan.com.cn:8080/uploader/validateVUser
#mvs.upload.targetURL=http://10.25.32.11:8787/uploader/upload
# Username used when calling the virus-scan interface
mvs.upload.user=test
# Password used when calling the virus-scan interface
mvs.upload.password=123456
#HESSIANREMOTE_CLIENT_URL=http://192.168.1.244:8088/zhengXin/remoting/hessianRemote
#HESSIANREMOTE_CLIENT_URL=http://203.110.164.62:8088/zhengXin/remoting/hessianRemote
HESSIANREMOTE_CLIENT_URL=http://www.benbei365.com/remoting/hessianRemote


Second instance:

datasource.driverClassName=oracle.jdbc.driver.OracleDriver
datasource.url=jdbc:oracle:thin:@127.0.0.1:1521:orcl
datasource.username=fmsdata
datasource.password=fmsdata
datasource.maxActive=5
datasource.maxIdle=2
datasource.maxWait=120000
datasource.defaultAutoCommit=false
datasource.whenExhaustedAction=1
datasource.validationQuery=select 1 from dual
datasource.testOnBorrow=true
datasource.testOnReturn=false
hibernate.dialect=org.hibernate.dialect.OracleDialect
hibernate.connection.release_mode=after_transaction
hibernate.jdbc.batch_size=25
hibernate.jdbc.fetch_size=50
hibernate.cglib.use_reflection_optimizer=true
hibernate.max_fetch_depth=3
hibernate.show_sql=true
dbBackupAction.dbclientstring=huainan
dbBackupAction.backupdir=E\:\\backup
#hibernate.cache.use_query_cache=true
#hibernate.cache.provider_class=org.hibernate.cache.EhCacheProvider
# <Context path="/upload/pic" debug="0" docBase="/usr/local/upload" reloadable="true"></Context>
# http://192.168.1.222:8080/upload/pic/20131124/1385306431517.png
pic_url=http://127.0.0.1:8080/upload/pic
#uploadpath
uploadpath=/usr/local/upload/pic
#Spring quartz time
# 0 0 12 * * ?
quartzJobQueueRunTask=0 0 17 * * ?
quartzJobQueueRunTaskTaskBeyondDriving=0 0 0 * * ?
quartzJobQueueRunTaskTaskSaveOrUpdateAlarm=0 5 * * * ?
#mapkey=http://app.mapabc.com/apis?t=flashmap&v=2.4.1&key=0f7780e5262c159dc1b1fd417036071653c30e2674ff9ace22392351f16c67d281f6ad575c507b05
#gongfushuai
#mapkey=http://app.mapabc.com/apis?t=flashmap&v=2.4.1&key=ad175860c5046a5365f38c1876b28f258deb68b3ea52217c3c0ff7a961de3712ef0216c89ce9a7ee
#mapkey=http://app.mapabc.com/apis?t=flashmap&v=2.4.1&key=f6c97a7f64063cfee7c2dc2157847204d4dbf093b023619a3f7f23383d3e7fe5819c30d2f5f9fb07
#http://115.29.233.153
mapkey=http://app.mapabc.com/apis?t=flashmap&v=2.4.1&key=d2f4070d7464f17405922e8e73bd42d61e9ec646728b9c6e6500369e3b7d73952997ada9993d6ab0
mapXY=116.397428,39.90923
mapZoom=11
# baodan
policyPath=policy.xlsx
# shebei
terminalPath=terminal.xls
#tipsTimer
tipsTimer=300000


0x04: a whole pile of databases

# connect to intranet
#jdbc.mysql.driverClassName=com.mysql.jdbc.Driver
#jdbc.mysql.url=jdbc:mysql://192.168.1.111:3306/risk_control
#jdbc.mysql.username=root
#jdbc.mysql.password=111111
jdbc.username=jm
jdbc.password=111111
jdbc.host=localhost
jdbc.port=3306
jdbc.exportDatabaseName=sa
jdbc.importDatabaseName=sa
# connect to internet
jdbc.mysql.driverClassName=com.mysql.jdbc.Driver
jdbc.mysql.url=jdbc:mysql://localhost:3306/risk_control
jdbc.mysql.username=root
jdbc.mysql.password=JiDon123%^&
*901188BED7FFF54AE52DD24389F00ABD2263CFD1 root
*FD571203974BA9AFE270FE62151AE967ECA5E0AA jm
FeeAmt=0
#
userName=jiumai
passWord=jiumai
MD5key=rliJXadMeq16
Merno=00000000000443
Signtype=M
bizType=10
Prdordnam=\u5145\u503c\u5361
TranType=2201
Paytype=01
bankCode=ICBC
Return_url=http://www.gidon.cn/jdct/webPage/account/pay_result.jsp
Notify_url =http://www.gidon.cn/jdct/webURechargeRecordAction_backPay.do
webURL=http://www.gidon.cn
# oracle
#jdbc.driver=oracle.jdbc.driver.OracleDriver
#jdbc.url=jdbc:oracle:thin:@192.168.0.58:1521:orcl
#hibernate.dialect=org.hibernate.dialect.Oracle9Dialect
# sqlserver
#jdbc.driver=com.microsoft.sqlserver.jdbc.SQLServerDriver
#jdbc.url=jdbc:sqlserver://192.168.1.144\\MSSQLSERVER:1433;databaseName=P2P_DB
#hibernate.dialect=org.hibernate.dialect.SQLServerDialect
# mysql
jdbc.driver=org.gjt.mm.mysql.Driver
jdbc.url=jdbc:mysql\://localhost:3306/sa
hibernate.dialect=org.hibernate.dialect.MySQLDialect
jdbc.username=jm
jdbc.password=111111
jdbc.initialPoolSize=1
jdbc.minPoolSize=1
jdbc.maxPoolSize=300
jdbc.maxIdleTime=60
jdbc.acquireIncrement=5
jdbc.idleConnectionTestPeriod=60
hibernate.show_sql=true
hibernate.format_sql=false
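The two configuration dumps above (the 0x03 virus-scanner settings and the 0x04 datasource files) share one pattern: credentials stored in plain text inside Java .properties files, with values such as `123456`, `111111`, or a password identical to the username. The following is an added example, not code from the report or from the vendor's system: a small auditor that parses the .properties format (comments, `key = value`, backslash escapes such as `\:` and `\uXXXX`, line continuations) and flags credential keys whose values are empty, well-known defaults, identical to the sibling username key, or too short. The sample file contents, host names and the list of weak values are constructed for the example.

```python
"""Audit Java .properties files for plaintext credentials with weak or default
values. Added example; file contents and weak-value list are constructed."""
import re

# Keys that normally carry a secret, matched on the end of the key name.
SECRET_KEY_RE = re.compile(r"(pass(word)?|pwd|secret|md5key|token)$", re.I)
USER_KEY_RE = re.compile(r"(user(name)?)$", re.I)
# Constructed list of defaults and trivially guessable values.
WEAK_VALUES = {"", "123456", "111111", "password", "admin", "root", "test", "changeme"}

_ESC = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def _unescape(raw: str) -> str:
    """Resolve java.util.Properties escapes: \\uXXXX, \\:, \\=, \\\\, \\t and friends."""
    out, i = [], 0
    while i < len(raw):
        c = raw[i]
        if c == "\\" and i + 1 < len(raw):
            n = raw[i + 1]
            if n == "u" and re.fullmatch(r"[0-9a-fA-F]{4}", raw[i + 2:i + 6]):
                out.append(chr(int(raw[i + 2:i + 6], 16)))
                i += 6
                continue
            out.append(_ESC.get(n, n))  # \: -> ':', \\ -> '\', \t -> tab
            i += 2
            continue
        out.append(c)
        i += 1
    return "".join(out)


def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties reader: '#'/'!' comment lines, '=' or ':'
    separators with optional surrounding whitespace, backslash continuations."""
    props = {}
    pending = None
    for line in text.splitlines():
        stripped = line.lstrip()
        if pending is None:
            if not stripped or stripped[0] in "#!":
                continue
            pending = ""
        # An odd number of trailing backslashes continues the logical line.
        m = re.search(r"(\\+)$", stripped)
        if m and len(m.group(1)) % 2 == 1:
            pending += stripped[:-1]
            continue
        logical, pending = pending + stripped, None
        # Key runs until the first unescaped '=', ':' or whitespace.
        m = re.match(r"([^=:\s\\]*(?:\\.[^=:\s\\]*)*)\s*[=:]?\s*(.*)", logical)
        props[_unescape(m.group(1))] = _unescape(m.group(2))
    return props


def _prefix(key: str) -> str:
    return key.rsplit(".", 1)[0] if "." in key else ""


def audit(props: dict) -> list:
    """Return (key, reason) pairs for credential keys with weak values."""
    findings = []
    for key, value in props.items():
        if not SECRET_KEY_RE.search(key):
            continue
        v = value.strip()
        # Username key in the same dotted namespace whose value equals the secret.
        twin = next((k for k, u in props.items()
                     if USER_KEY_RE.search(k) and _prefix(k) == _prefix(key) and u == v), None)
        if v.lower() in WEAK_VALUES:
            findings.append((key, "default or trivially guessable value"))
        elif twin is not None:
            findings.append((key, f"identical to username in {twin}"))
        elif v.isdigit() or len(v) < 8:
            findings.append((key, "short or digits-only"))
    return findings


# Constructed sample resembling the dumped files; none of these are real credentials.
SAMPLE = """\
# virus scanner (constructed)
mvs.upload.user=test
mvs.upload.password=123456
datasource.url=jdbc:oracle:thin:@127.0.0.1:1521:orcl
datasource.username=fmsdata
datasource.password=fmsdata
dbBackupAction.backupdir=E\\:\\\\backup
jdbc.url=jdbc:mysql\\://localhost:3306/sa
Notify_url =http://example.invalid/backPay.do
Prdordnam=\\u5145\\u503c\\u5361
mvs.upload.targetURL=http://scanner.example.invalid:8080/uploader/\\
upload
api.secret=Xy9$kLm2pQr7vT4w
"""


def audit_text(text: str) -> list:
    return audit(parse_properties(text))


if __name__ == "__main__":
    for key, reason in audit_text(SAMPLE):
        print(f"{key}: {reason}")
```

Run it over a checkout or a deployed `WEB-INF/classes` directory and every finding is a credential that belongs in a secrets store or environment injection rather than in a file that any path-traversal or webshell incident exposes wholesale. The escape handling matters in practice: values such as `E\:\\backup` and `jdbc:mysql\://...` appear exactly like that in the dumps above, and a naive `split("=")` would mis-parse them.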


(screenshot: 33.png)

Proof of vulnerability:

0x05: watch me reset any user's password

mst_host=smtp.163.com
from = [email protected]
pwd=jiumai


This mailbox is the site's mail system; log in, as shown:

(screenshot: 1.png)


(screenshot: 2.png)


(screenshot: 3.png)


Password of [email protected] changed to wooyun, for security testing only

Remediation:

I hope your company faces up to these security problems! My own ability is limited; please audit the rest yourselves and reconfigure!

Copyright notice: when reposting, credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Vendor could not be contacted, or vendor actively declined

Vulnerability Rank: 15 (WooYun rating)