乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-11-24: 积极联系厂商并且等待厂商认领中,细节不对外公开 2016-01-11: 厂商已经主动忽略漏洞,细节向公众公开
打打卡。
url:
http://cim.chinamacro.com/RNBSS/user_login.do
存在struts2漏洞,上传拿shell大马:
http://cim.chinamacro.com/RNBSS/conn.jsp
一句话
http://cim.chinamacro.com/RNBSS/cmd.jsp
在网站配置文件找到两个数据库连接配置信息
<property name="url" value="jdbc:sqlserver://192.168.0.21:1433;DatabaseName=条码系统_热能;"> </property> <property name="username" value="sa"></property> <property name="password" value="sa@sqlserver2005"></property> </bean> <bean id="erpDataSource" class="org.apache.commons.dbcp.BasicDataSource"> <property name="driverClassName" value="oracle.jdbc.driver.OracleDriver"> </property> <property name="url" value="jdbc:oracle:thin:@192.168.0.39:1521:ebs"> </property> <property name="username" value="apps"></property> <property name="password" value="apps"></property>
服务器在内网。regeorg进行转发连数据库
其他的信息
<db-user>cpcbase</db-user> <db-password>inrpt</db-password> <select-tran-level>1</select-tran-level> <update-tran-level>2</update-tran-level> <db-driver>oracle.jdbc.driver.OracleDriver</db-driver> <db-url>jdbc:oracle:thin:@192.168.0.17:1521:pdm</db-url> <set-tran-level>false</set-tran-level> </vaultdata></vaultdata-refs><!--控制台密码1:一般用户--><console-password1>macro</console-password1><!--控制台密码2:开发员--><console-password2>macrosinocc</console-password2><!--控制台密码3:管理员--><console-password3>macroadmin</console-password3><!--重启密码--><restart-password>macrorestart</restart-password>
38W客户数据
服务器直接命令提权即可上去
admin/admin
点到为止。你们自行修复
未能联系到厂商或者厂商积极拒绝
漏洞Rank:15 (WooYun评价)