
Vulnerability summary

Defect ID: wooyun-2015-0130238

Title: Nationwide education provider Sunland's core system compromised again; shell obtained, multiple upload points bundled, urgent fix needed

Vendor: sunland.com

Author: 路人甲 (an anonymous "passer-by A" handle)

Submitted: 2015-07-29 17:29

Fix time: 2015-09-12 18:20

Public disclosure: 2015-09-12 18:20

Type: successful intrusion

Severity: high

Self-rated Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-07-29: details sent to the vendor, awaiting vendor handling
2015-07-29: vendor confirmed; details disclosed to the vendor only
2015-08-08: details disclosed to core white hats and relevant domain experts
2015-08-18: details disclosed to regular white hats
2015-08-28: details disclosed to intern white hats
2015-09-12: details disclosed to the public

Brief description:

Nationwide education provider Sunland's core system compromised again # shell obtained, multiple upload points bundled, urgent fix needed

Detailed description:

Sunland (北京尚佳崇业教育科技有限公司, Beijing Shangjia Chongye Education Technology Co., Ltd.), a leading Chinese Internet education company, is one of the largest vocational education providers in China. Since its founding in 2001 it has had thirteen golden years of growth. Its training courses and services are broad, ranging from professional qualification certification and skills training to career-related employment services; Sunland aims to raise its students' competitiveness in the workplace, has customers in many large and medium-sized Chinese cities, and has trained well over a hundred thousand students.
Sunland's main businesses include Haixue (haixue.com), Yuecheng 3G, Huluo Academy and Duia (duia.com); it runs schools in 17 major cities, with 8 branch campuses in Beijing, and its courses hold up to a 70% market share. Over 13 years its student numbers have grown geometrically; Sunland has trained outstanding talent for every industry, and its graduates hold important positions in the workplace.
Sunland has three educational tracks: professional qualification training (HR, psychology, accounting, CPA, PMP, construction), academic degree training (self-study exams, adult college entrance exams, MBA) and IT training (iOS, Android and so on). "Love equality, love freedom, love dreams" is the Sunland motto.
Sunland holds seven tenets: extraordinary ambition, worthwhile reading, scepticism and independent thinking, swift action, prudent self-reflection, courage to err and to take responsibility, and astonishing willpower; the organisation encourages its people and students to find the right direction on life's long voyage. We have faith, so we have hope; Sunland cares about every student's growth, and creating value for students is Sunland's value.

Proof of vulnerability:

Regions affected nationwide [screenshots: 160.png, 161.png, 159.png].


Before the penetration I compiled a list of IP addresses.
The first thing I found was the mail platform.
Brute-forcing it got nowhere; I won't go through that.

http://mail.sunlands.com/


By chance I spotted the core OA platform linked at the bottom of the page [screenshot: 177.png].

Clicking through:

http://222.35.91.201:7001/defaultroot/login.jsp


Found five arbitrary upload points.
JSP files can be uploaded directly.
All bundled here so the vendor can patch every one of them as a matter of urgency:

http://222.35.91.201:7001//defaultroot/extension/smartUpload.jsp?path=information&fileName=infoPicName&saveName=infoPicSaveName&tableName=infoPicTable&fileMaxSize=0&fileMaxNum=0&fileType=gif,jpg,bmp,jsp,png&fileMinWidth=0&fileMinHeight=0&fileMaxWidth=0&fileMaxHeight=0
http://222.35.91.201:7001/defaultroot/work_flow/formOptJSPUpload.jsp
http://222.35.91.201:7001/defaultroot/work_flow/formStartJSPUpload.jsp
http://222.35.91.201:7001/defaultroot/govezoffice/custom_documentmanager/smartUpload.jsp?path=innerMailbox&fileName=innerMailFileName&saveName=innerMailSaveName&tableName=innerMaildisplaytable&fileMaxSize=0&fileMaxNum=0&fileType=&fileMinHeight=0&fileMinWidth=0&fileMaxHeight=0&fileMaxWidth=0
http://222.35.91.201:7001/defaultroot/public/jsp/goodsphotoupload.jsp?path=goodspic&visualName=goodsPicName&hiddenName=goodsPicName&del=yes

Note what the two smartUpload.jsp URLs reveal: the allowed-extension list is itself a request parameter (fileType=gif,jpg,bmp,jsp,png in the first, an empty fileType= in the second), as are the size and count limits (fileMaxSize=0, fileMaxNum=0) and the target directory (path=). A caller therefore dictates the upload policy, which is consistent with the author's finding that a .jsp file is accepted as-is.
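To make that failure mode concrete, here is an added example in Python; it is not code from the report or from the OA product (whose server-side code is not shown on this page). It contrasts the pattern the URLs above suggest, where the allowed-extension list arrives in the request, with a check that the client cannot widen: a fixed server-side allowlist, a content check against the declared type, rejection of path components and null bytes, and a random stored name. The function names, the image magic-byte table and the sample uploads are assumptions of this example.

```python
import os
import secrets

# Server-side allowlist fixed in configuration. Anything the servlet container
# would execute (jsp, jspx, jspf, ...) is deliberately absent.
SERVER_ALLOWED = frozenset({"gif", "jpg", "jpeg", "png", "bmp"})

# Leading bytes of the formats we accept; checked independently of the name.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "bmp": (b"BM",),
}


def extension_of(filename: str) -> str:
    """Lower-cased final extension of a plain file name, or '' if the name
    carries directory components or a null byte (both are rejected outright)."""
    base = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in base or base != filename:
        return ""
    _, dot, ext = base.rpartition(".")
    return ext.lower() if dot else ""


def vulnerable_accept(filename: str, file_type_param: str) -> bool:
    """The weak pattern suggested by the report's URLs: the allowlist is whatever
    the request's fileType parameter says, and an empty list allows everything."""
    allowed = {t.strip().lower() for t in file_type_param.split(",") if t.strip()}
    return not allowed or extension_of(filename) in allowed


def hardened_accept(filename: str, content: bytes, file_type_param: str = "") -> tuple:
    """Policy the client cannot widen. Returns (accepted, stored_name_or_reason)."""
    # file_type_param is accepted only so call sites look alike; it is never consulted.
    ext = extension_of(filename)
    if ext not in SERVER_ALLOWED:
        return False, f"extension {ext!r} not in server allowlist"
    if not content.startswith(MAGIC[ext]):
        return False, "content does not match the declared image type"
    # Random stored name: the attacker's chosen name never reaches the filesystem.
    # The target directory should also live outside the servlet web root.
    return True, f"{secrets.token_hex(16)}.{ext}"


# Constructed samples (hypothetical data, not material from the report).
JSP_SHELL = b'<%@ page import="java.io.*" %><% Runtime.getRuntime().exec(request.getParameter("c")); %>'
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + bytes(16)


def demo() -> dict:
    """Run both policies over the same inputs; keys name the case."""
    return {
        "weak_jsp_listed": vulnerable_accept("x.jsp", "gif,jpg,bmp,jsp,png"),
        "weak_empty_list": vulnerable_accept("x.jsp", ""),
        "hard_jsp_listed": hardened_accept("x.jsp", JSP_SHELL, "gif,jpg,bmp,jsp,png")[0],
        "hard_jsp_body_png_name": hardened_accept("x.png", JSP_SHELL)[0],
        "hard_real_png": hardened_accept("logo.png", PNG_BYTES)[0],
        "hard_traversal": hardened_accept("../../x.png", PNG_BYTES)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:24s} -> {'accepted' if accepted else 'rejected'}")
```

The two weak cases show why both URL variants on this page are equally dangerous: a list that names jsp and an empty list both let the shell through. The hardened variant never reads the parameter, so the request cannot change the outcome; the content check additionally stops a JSP body smuggled under a .png name, and the random stored name removes the attacker's control over where and under what name the file lands.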


Java environment (evidently the JAVAENV output of the uploaded JSP shell). A few details in the dump below matter for impact assessment: the container is WebLogic Server 10.3.2 (weblogic.server.modules_10.3.2.0.jar, patch_wls1032) on BEA JRockit 1.6.0_14 (java.runtime.version : 1.6.0_14-b08), 32-bit (sun.arch.data.model : 32), on Linux 2.6.18-194.el5; the JVM runs as root (user.name : root, user.home : /root, USER : root), so any uploaded JSP executes with full host privileges; it is the AdminServer of domain mydomain (weblogic.Name : AdminServer, DOMAIN_HOME) with PRODUCTION_MODE unset, i.e. started in development mode, and DEBUG_PORT : 8453; an Oracle 10.2.0 database (ORACLE_HOME : /oracle/oracle/product/10.2.0/dbhome, ORACLE_SID : oa) lives on the same host; and the SSH_CLIENT / SSH_CONNECTION variables show the server process was launched from an interactive root SSH session originating from 61.190.4.66.

System properties:

java.vendor : BEA Systems, Inc. sun.java.launcher : SUN_STANDARD org.xml.sax.parser : weblogic.xml.jaxp.RegistryParser sun.management.compiler : BEA JRockit(R) Optimizing Compiler com.sun.xml.ws.api.streaming.XMLStreamReaderFactory.woodstox : true os.name : Linux sun.boot.class.path : /bea11g/jrockit_160_14_R27.6.5-32/jre/lib/i386/jrockit/jrockit1.6.0.jar:/bea11g/jrockit_160_14_R27.6.5-32/jre/lib/i386/jrockit/jmapi.jar:/bea11g/jrockit_160_14_R27.6.5-32/jre/lib/i386/jrockit/jmxmapi.jar:/bea11g/jrockit_160_14_R27.6.5-32/jre/lib/i386/jrockit/rmp.jar:/bea11g/jrockit_160_14_R27.6.5-32/jre/lib/i386/jrockit/latency.jar:/bea11g/jrockit_160_14_R27.6.5-32/jre/lib/resources.jar:/bea11g/jrockit_160_14_R27.6.5-32/jre/lib/rt.jar:/bea11g/jrockit_160_14_R27.6.5-32/jre/lib/sunrsasign.jar:/bea11g/jrockit_160_14_R27.6.5-32/jre/lib/jsse.jar:/bea11g/jrockit_160_14_R27.6.5-32/jre/lib/jce.jar:/bea11g/jrockit_160_14_R27.6.5-32/jre/lib/charsets.jar:/bea11g/jrockit_160_14_R27.6.5-32/jre/classes java.vm.specification.vendor : Sun Microsystems Inc. 
java.runtime.version : 1.6.0_14-b08 weblogic.Name : AdminServer user.name : root user.language : zh java.naming.factory.initial : weblogic.jndi.WLInitialContextFactory sun.boot.library.path : /bea11g/jrockit_160_14_R27.6.5-32/jre/lib/i386 wlw.testConsole : wlw.iterativeDev : java.version : 1.6.0_14 user.timezone : Asia/Shanghai sun.arch.data.model : 32 javax.rmi.CORBA.UtilClass : weblogic.iiop.UtilDelegateImpl java.endorsed.dirs : /bea11g/jrockit_160_14_R27.6.5-32/jre/lib/endorsed vde.home : /bea11g/user_projects/domains/mydomain/servers/AdminServer/data/ldap sun.cpu.isalist : sun.jnu.encoding : UTF-8 file.encoding.pkg : sun.io wlw.logErrorsToConsole : file.separator : / java.specification.name : Java Platform API Specification java.vm.vendor.url.bug : http://edocs.bea.com/jrockit/go2troubleshooting.html java.class.version : 50.0 java.vm.vendor.url : http://www.bea.com/ weblogic.home : /bea11g/wlserver_10.3/server user.country : CN java.home : /bea11g/jrockit_160_14_R27.6.5-32/jre platform.home : /bea11g/wlserver_10.3 com.sun.xml.ws.api.streaming.XMLStreamWriterFactory.woodstox : true java.vm.info : compiled mode os.version : 2.6.18-194.el5 org.omg.CORBA.ORBSingletonClass : weblogic.corba.orb.ORB path.separator : : java.vm.version : R27.6.5-32_o-121899-1.6.0_14-20091001-2113-linux-ia32 java.protocol.handler.pkgs : weblogic.net|weblogic.utils|weblogic.utils|weblogic.utils java.awt.printerjob : sun.print.PSPrinterJob java.security.policy : /bea11g/wlserver_10.3/server/lib/weblogic.policy sun.io.unicode.encoding : UnicodeLittle java.naming.factory.url.pkgs : weblogic.jndi.factories:weblogic.corba.j2ee.naming.url:weblogic.jndi.factories:weblogic.corba.j2ee.naming.url user.home : /root wls.home : /bea11g/wlserver_10.3/server java.specification.vendor : Sun Microsystems Inc. 
org.xml.sax.driver : weblogic.xml.jaxp.RegistryXMLReader java.library.path : /bea11g/jrockit_160_14_R27.6.5-32/jre/lib/i386/jrockit:/bea11g/jrockit_160_14_R27.6.5-32/jre/lib/i386:/bea11g/jrockit_160_14_R27.6.5-32/jre/../lib/i386:/bea11g/patch_wls1032/profiles/default/native:/bea11g/patch_oepe1032/profiles/default/native:/bea11g/user_projects/domains/mydomain/lib::/bea11g/wlserver_10.3/server/native/linux/i686:/bea11g/wlserver_10.3/server/native/linux/i686/oci920_8 java.vendor.url : http://www.bea.com/ java.vm.vendor : BEA Systems, Inc. java.runtime.name : Java(TM) SE Runtime Environment java.class.path : /bea11g/patch_wls1032/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/bea11g/patch_oepe1032/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/bea11g/jrockit_160_14_R27.6.5-32/lib/tools.jar:/bea11g/utils/config/10.3/config-launch.jar:/bea11g/wlserver_10.3/server/lib/weblogic_sp.jar:/bea11g/wlserver_10.3/server/lib/weblogic.jar:/bea11g/modules/features/weblogic.server.modules_10.3.2.0.jar:/bea11g/wlserver_10.3/server/lib/webservices.jar:/bea11g/modules/org.apache.ant_1.7.0/lib/ant-all.jar:/bea11g/modules/net.sf.antcontrib_1.0.0.0_1-0b2/lib/ant-contrib.jar:/bea11g/wlserver_10.3/common/eval/pointbase/lib/pbclient57.jar:/bea11g/wlserver_10.3/server/lib/xqrl.jar java.vm.specification.name : Java Virtual Machine Specification java.vm.specification.version : 1.0 javax.rmi.CORBA.PortableRemoteObjectClass : weblogic.iiop.PortableRemoteObjectDelegateImpl sun.cpu.endian : little kernel.download.enabled : false sun.os.patch.level : unknown java.io.tmpdir : /tmp java.vendor.url.bug : http://edocs.bea.com/jrockit/go2troubleshooting.html os.arch : i386 java.awt.graphicsenv : sun.awt.X11GraphicsEnvironment java.ext.dirs : /bea11g/jrockit_160_14_R27.6.5-32/jre/lib/ext user.dir : /bea11g/user_projects/domains/mydomain weblogic.ext.dirs : 
/bea11g/patch_wls1032/profiles/default/sysext_manifest_classpath:/bea11g/patch_oepe1032/profiles/default/sysext_manifest_classpath line.separator : java.vm.name : BEA JRockit(R) javax.xml.soap.MessageFactory : weblogic.webservice.core.soap.MessageFactoryImpl weblogic.management.discover : true org.omg.CORBA.ORBClass : weblogic.corba.orb.ORB file.encoding : UTF-8 javax.xml.rpc.ServiceFactory : weblogic.webservice.core.rpc.ServiceFactoryImpl weblogic.classloader.preprocessor : weblogic.diagnostics.instrumentation.DiagnosticClassPreProcessor java.specification.version : 1.6

System environment:
--------------------------------------------------------------------------------
TERM : vt100 CLUSTER_PROPERTIES : -Dweblogic.management.discover=true JAVA_HOME : /bea11g/jrockit_160_14_R27.6.5-32 WLS1032_PATCH_CLASSPATH : /bea11g/patch_wls1032/profiles/default/sys_manifest_classpath/weblogic_patch.jar SSH_CLIENT : 61.190.4.66 54292 22 WLS1032_PATCH_LIBPATH : /bea11g/patch_wls1032/profiles/default/native JAVA_PROPERTIES : -Dplatform.home=/bea11g/wlserver_10.3 -Dwls.home=/bea11g/wlserver_10.3/server -Dweblogic.home=/bea11g/wlserver_10.3/server -Dweblogic.management.discover=true POINTBASE_TOOLS : /bea11g/wlserver_10.3/common/eval/pointbase/lib/pbtools57.jar MAIL : /var/spool/mail/root JAVA_VM : -jrockit SERVER_NAME : AdminServer PATHSEP : : HOSTNAME : localhost.localdomain ANT_CONTRIB : /bea11g/modules/net.sf.antcontrib_1.0.0.0_1-0b2 PWD : /bea11g/user_projects/domains/mydomain PRODUCTION_MODE : WEBLOGIC_CLASSPATH : /bea11g/patch_wls1032/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/bea11g/patch_oepe1032/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/bea11g/jrockit_160_14_R27.6.5-32/lib/tools.jar:/bea11g/utils/config/10.3/config-launch.jar:/bea11g/wlserver_10.3/server/lib/weblogic_sp.jar:/bea11g/wlserver_10.3/server/lib/weblogic.jar:/bea11g/modules/features/weblogic.server.modules_10.3.2.0.jar:/bea11g/wlserver_10.3/server/lib/webservices.jar:/bea11g/modules/org.apache.ant_1.7.0/lib/ant-all.jar:/bea11g/modules/net.sf.antcontrib_1.0.0.0_1-0b2/lib/ant-contrib.jar WLS_MEM_ARGS_32BIT : -Xms512m -Xmx512m LONG_DOMAIN_HOME : /bea11g/user_projects/domains/mydomain G_BROKEN_FILENAMES : 1 MEM_DEV_ARGS : NLSPATH : /usr/dt/lib/nls/msg/%L/%N.cat CLASSPATHSEP : : MODULES_DIR : /bea11g/modules JAVA_DEBUG : INPUTRC : /etc/inputrc MEM_ARGS : -Xms512m -Xmx512m HISTSIZE : 1000 PATH : 
/bea11g/wlserver_10.3/server/bin:/bea11g/modules/org.apache.ant_1.7.0/bin:/bea11g/jrockit_160_14_R27.6.5-32/jre/bin:/bea11g/jrockit_160_14_R27.6.5-32/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/oracle/oracle/product/10.2.0/dbhome/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin ARDIR : /bea11g/wlserver_10.3/server/lib WEBLOGIC_EXTENSION_DIRS : /bea11g/patch_wls1032/profiles/default/sysext_manifest_classpath:/bea11g/patch_oepe1032/profiles/default/sysext_manifest_classpath POINTBASE_HOME : /bea11g/wlserver_10.3/common/eval/pointbase WLS1032_PATCH_EXT_DIR : /bea11g/patch_wls1032/profiles/default/sysext_manifest_classpath PATCH_CLASSPATH : /bea11g/patch_wls1032/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/bea11g/patch_oepe1032/profiles/default/sys_manifest_classpath/weblogic_patch.jar verboseLoggingFlag : false DOMAIN_HOME : /bea11g/user_projects/domains/mydomain MEM_ARGS_32BIT : -Xms512m -Xmx512m FEATURES_DIR : /bea11g/modules/features MEM_MAX_PERM_SIZE : -XX:MaxPermSize=128m SSH_ASKPASS : /usr/libexec/openssh/gnome-ssh-askpass DATABASE_CLASSPATH : /bea11g/wlserver_10.3/common/eval/pointbase/lib/pbclient57.jar JAVA_VENDOR : Oracle MEM_MAX_PERM_SIZE_32BIT : -XX:MaxPermSize=128m SAMPLES_HOME : /bea11g/wlserver_10.3/samples ORACLE_HOME : /oracle/oracle/product/10.2.0/dbhome SHLVL : 3 SUN_JAVA_HOME : ORACLE_BASE : /oracle/oracle XFILESEARCHPATH : /usr/dt/app-defaults/%L/Dt BEA_HOME : /bea11g MEM_PERM_SIZE_32BIT : -XX:PermSize=48m OEPE1032_PATCH_EXT_DIR : /bea11g/patch_oepe1032/profiles/default/sysext_manifest_classpath JAVA_OPTIONS : -Xverify:none -da -Dplatform.home=/bea11g/wlserver_10.3 -Dwls.home=/bea11g/wlserver_10.3/server -Dweblogic.home=/bea11g/wlserver_10.3/server -Dweblogic.management.discover=true -Dwlw.iterativeDev= -Dwlw.testConsole= -Dwlw.logErrorsToConsole= -Dweblogic.ext.dirs=/bea11g/patch_wls1032/profiles/default/sysext_manifest_classpath:/bea11g/patch_oepe1032/profiles/default/sysext_manifest_classpath SSH_TTY : 
/dev/pts/0 enableHotswapFlag : LOGNAME : root MEM_ARGS_64BIT : -Xms512m -Xmx512m WLS1032_PATCH_PATH : /bea11g/patch_wls1032/profiles/default/native _ : /bea11g/jrockit_160_14_R27.6.5-32/bin/java BEA_JAVA_HOME : /bea11g/jrockit_160_14_R27.6.5-32 doExitFlag : false LD_LIBRARY_PATH : /bea11g/jrockit_160_14_R27.6.5-32/jre/lib/i386/jrockit:/bea11g/jrockit_160_14_R27.6.5-32/jre/lib/i386:/bea11g/jrockit_160_14_R27.6.5-32/jre/../lib/i386:/bea11g/patch_wls1032/profiles/default/native:/bea11g/patch_oepe1032/profiles/default/native:/bea11g/user_projects/domains/mydomain/lib::/bea11g/wlserver_10.3/server/native/linux/i686:/bea11g/wlserver_10.3/server/native/linux/i686/oci920_8 SSH_CONNECTION : 61.190.4.66 54292 222.35.91.201 22 OLDPWD : /bea11g/user_projects/domains/mydomain SHELL : /bin/bash PATCH_LIBPATH : /bea11g/patch_wls1032/profiles/default/native:/bea11g/patch_oepe1032/profiles/default/native JAVA_PROFILE : CLASSPATH : /bea11g/patch_wls1032/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/bea11g/patch_oepe1032/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/bea11g/jrockit_160_14_R27.6.5-32/lib/tools.jar:/bea11g/utils/config/10.3/config-launch.jar:/bea11g/wlserver_10.3/server/lib/weblogic_sp.jar:/bea11g/wlserver_10.3/server/lib/weblogic.jar:/bea11g/modules/features/weblogic.server.modules_10.3.2.0.jar:/bea11g/wlserver_10.3/server/lib/webservices.jar:/bea11g/modules/org.apache.ant_1.7.0/lib/ant-all.jar:/bea11g/modules/net.sf.antcontrib_1.0.0.0_1-0b2/lib/ant-contrib.jar:/bea11g/wlserver_10.3/common/eval/pointbase/lib/pbclient57.jar:/bea11g/wlserver_10.3/server/lib/xqrl.jar PATCH_PATH : /bea11g/patch_wls1032/profiles/default/native:/bea11g/patch_oepe1032/profiles/default/native WLS_MEM_ARGS_64BIT : -Xms512m -Xmx512m POST_CLASSPATH : /bea11g/wlserver_10.3/common/eval/pointbase/lib/pbclient57.jar:/bea11g/wlserver_10.3/server/lib/xqrl.jar ANT_HOME : /bea11g/modules/org.apache.ant_1.7.0 USER : root DEBUG_PORT : 8453 WL_HOME : /bea11g/wlserver_10.3 HOME : 
/root WLS_HOME : /bea11g/wlserver_10.3/server MEM_PERM_SIZE : -XX:PermSize=48m SERVER_CLASS : weblogic.Server JAVA_USE_64BIT : LESSOPEN : |/usr/bin/lesspipe.sh %s ORACLE_SID : oa MEM_MAX_PERM_SIZE_64BIT : -XX:MaxPermSize=256m LS_COLORS : no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35: POINTBASE_CLASSPATH : :/bea11g/wlserver_10.3/common/eval/pointbase/lib/pbembedded57.jar:/bea11g/wlserver_10.3/common/eval/pointbase/lib/pbclient57.jar OEPE1032_PATCH_PATH : /bea11g/patch_oepe1032/profiles/default/native OEPE1032_PATCH_LIBPATH : /bea11g/patch_oepe1032/profiles/default/native OEPE1032_PATCH_CLASSPATH : /bea11g/patch_oepe1032/profiles/default/sys_manifest_classpath/weblogic_patch.jar MEM_PERM_SIZE_64BIT : -XX:PermSize=128m POINTBASE_FLAG : false LANG : zh_CN.UTF-8


Shell obtained [screenshot: 178.png].

The vendor should assess the significance itself; the database was not touched.
Urgent fix!

Fix plan:

Fix as soon as possible. Given what this report shows, that means at least the following.
Disable or restrict the five upload JSPs listed above: they should require an authenticated session and must not honour a client-supplied fileType, size limit or target path. Enforce a fixed server-side extension allowlist that excludes jsp and jspx, verify that the content matches the declared type, and store uploads under randomised names outside the web root.
Stop running WebLogic as root (the dump shows user.name : root); run it under a dedicated low-privilege account, start the domain in production mode, and keep port 7001 (the AdminServer listen port here) off the public Internet.
Treat the host as compromised: search the upload directories and the domain tree for JSP files that are not part of the application, review the access logs for requests to those files, and rotate the credentials reachable from this box, including those of the co-located Oracle instance (ORACLE_SID : oa).
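As an added example to support the log review suggested above (not code from the report or from the vendor), the following Python script scans WebLogic-style access-log lines in common log format for two signals: hits on the five upload endpoints listed in the report where the client-supplied fileType is empty or names a JSP extension, and later requests, from a client that used an upload endpoint, for a .jsp or .jspx path that is not part of the known application. The log lines, the client IPs and the upload storage path under /defaultroot/upload/ are constructed for the example; the known-JSP baseline would in practice be built from the deployed application's files.

```python
import re
from urllib.parse import parse_qs

# Common log format, as WebLogic's default access log writes it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# The five upload endpoints listed in the report (paths only).
UPLOAD_ENDPOINTS = frozenset({
    "/defaultroot/extension/smartUpload.jsp",
    "/defaultroot/work_flow/formOptJSPUpload.jsp",
    "/defaultroot/work_flow/formStartJSPUpload.jsp",
    "/defaultroot/govezoffice/custom_documentmanager/smartUpload.jsp",
    "/defaultroot/public/jsp/goodsphotoupload.jsp",
})
SCRIPT_SUFFIXES = (".jsp", ".jspx")


def parse_line(line: str):
    """Return a dict with ip, method, normalised path and parsed query, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"] = re.sub(r"/{2,}", "/", path)   # the report's first URL has '//defaultroot'
    rec["query"] = parse_qs(query, keep_blank_values=True)
    return rec


def file_type_permits_jsp(query: dict) -> bool:
    """True if a fileType parameter is present and is empty or names a JSP variant."""
    values = query.get("fileType")
    if values is None:
        return False
    types = {t.strip().lower() for t in values[0].split(",") if t.strip()}
    return not types or any(t.startswith("jsp") for t in types)


def detect(lines, known_jsps):
    """Return (line_no, client_ip, message) tuples for the two signals."""
    alerts = []
    uploaders = set()          # clients that touched an upload endpoint
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        path, ip = rec["path"], rec["ip"]
        if path in UPLOAD_ENDPOINTS:
            uploaders.add(ip)
            if file_type_permits_jsp(rec["query"]):
                alerts.append((n, ip, f"{path}: client-supplied fileType permits JSP"))
        elif (path.lower().endswith(SCRIPT_SUFFIXES)
              and path not in known_jsps and ip in uploaders):
            alerts.append((n, ip, f"request for unknown JSP {path} after upload activity"))
    return alerts


# Constructed sample log (hypothetical IPs and upload directory, not from the report).
LOG_SAMPLE = """\
198.51.100.7 - - [29/Jul/2015:17:02:11 +0800] "GET /defaultroot/login.jsp HTTP/1.1" 200 5120
198.51.100.7 - - [29/Jul/2015:17:03:40 +0800] "GET //defaultroot/extension/smartUpload.jsp?path=information&fileName=infoPicName&fileMaxSize=0&fileType=gif,jpg,bmp,jsp,png HTTP/1.1" 200 2210
198.51.100.7 - - [29/Jul/2015:17:04:20 +0800] "GET /defaultroot/upload/information/1438160635.jsp?c=id HTTP/1.1" 200 88
10.0.0.12 - - [29/Jul/2015:17:05:01 +0800] "GET /defaultroot/govezoffice/custom_documentmanager/smartUpload.jsp?path=innerMailbox&fileType=&fileMaxSize=0 HTTP/1.1" 200 900
10.0.0.12 - - [29/Jul/2015:17:05:30 +0800] "GET /defaultroot/login.jsp HTTP/1.1" 200 5120
10.0.0.40 - - [29/Jul/2015:17:06:00 +0800] "GET /defaultroot/public/jsp/goodsphotoupload.jsp?path=goodspic&del=yes HTTP/1.1" 200 900
"""
KNOWN_JSPS = frozenset({"/defaultroot/login.jsp"}) | UPLOAD_ENDPOINTS


def run_sample():
    return detect(LOG_SAMPLE.splitlines(), KNOWN_JSPS)


if __name__ == "__main__":
    for line_no, ip, msg in run_sample():
        print(f"line {line_no} {ip}: {msg}")
```

On the sample the script flags the smartUpload.jsp hit whose fileType lists jsp, the follow-up request for a JSP that is not in the baseline from the same client, and the second smartUpload.jsp hit with an empty fileType; the goodsphotoupload.jsp hit without a fileType parameter is not flagged by itself, since the page gives no evidence of how that endpoint decides. The double-slash normalisation matters because the report's own first URL uses //defaultroot, which a naive string match on the endpoint would miss.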

Copyright notice: when reposting, credit the source: 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: medium

Vulnerability Rank: 10

Confirmed: 2015-07-29 18:19

Vendor reply:

Thank you for your attention to Sunland.

Latest status:

None yet