
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-095896

Title: A generic ESS (Executive Support System) and PSA (manager platform), two management systems that can both be getshelled (3 test cases, containing thirty-odd local configuration and database entries)

Vendor: Norming Software (诺明软件)

Author: 路人甲

Submitted: 2015-02-11 15:58

Fix time: 2015-04-30 18:48

Published: 2015-04-30 18:48

Vulnerability type: command execution

Severity: high

Self-assessed rank: 20

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-02-11: Actively contacting the vendor and waiting for it to claim the report; details not disclosed publicly
2015-04-30: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

A generic ESS (Executive Support System) and PSA (manager platform) both have a vulnerability that yields a web shell! (Three test cases are given below, containing thirty-odd local configuration entries and database details.) The related sites I explored are also large enterprises! (One of them seems to be Ericsson or 宜通世纪.) | The WooYun platform has been reformed, and 疯狗 said that the more detailed the report, the greater the reward, so this time I have organised and written it up in more detail. Support WooYun! Support the large, medium and small enterprises that take network security seriously! The Internet will be better in the future!

Detailed description:

Since its founding in 1999, Norming Software has held to the philosophy of "software drives enterprise development, software makes management easier", devoting itself to developing and promoting enterprise management software. We draw on advanced international management practice while respecting the management culture of local Chinese enterprises, and, with leading information technology and rich industry experience, build a bridge of knowledge and value that helps local Chinese enterprises optimise business processes, raise management standards and add business value.

The system developer is www.norming.com.cn; judging from the developer's introduction, ESS and PSA appear to be its core products.


Every deployment of the Norming ESS management system has a Struts2 command execution vulnerability.
Three test cases are given:

ESS (Executive Support System)
http://220.249.82.196:8082/ess/Homepage.action
http://101.231.48.155:8888/ess/Homepage.action
http://117.79.225.151:8080/ess/ss/Homepage.action


PSA (manager platform)
http://220.249.82.196:8082/psa/Homepage.action
http://101.231.48.155:8888/psa/Homepage.action
http://117.79.225.151:8080/psa/Homepage.action


1. Command execution

Each of the test links above can serve as a Struts2 command execution entry point.


2. Default configuration

The three cases largely share the same default configuration, with risks such as default passwords for the MySQL, Oracle and SQL Server databases.


3. Database

Each site exposes 10+ database connection and default-configuration entries; the impact is considerable!


After getshell:

http://220.249.82.196:8082/ess/Homepage.action
[screenshot: 1.png]

http://117.79.225.151:8080/psa/Homepage.action
[screenshot: 1.png]

http://101.231.48.155:8888/ess/Homepage.action
[screenshot: 1.png]

Proof of vulnerability:

The database details are listed in full only for the 220… host; the others differ only slightly in size, because some of the databases use the default configuration.


http://220.249.82.196:8082/ess/Homepage.action
Databases and sensitive information


ESS (management system)
nor_conn_local.properties
hibernate.url=jdbc:jtds:sqlserver://172.16.130.179:1433;databasename=teamsun1219
hibernate.username=sa
hibernate.password=sql_2005
hibernate.dialect=org.hibernate.dialect.SQLServerDialect
hibernate.driver=net.sourceforge.jtds.jdbc.Driver
hibernate.url=jdbc:jtds:sqlserver://jlh:1433;databasename=test1129_1226
hibernate.username=sa
hibernate.password=sa2005
hibernate.dialect=org.hibernate.dialect.SQLServerDialect
hibernate.driver=net.sourceforge.jtds.jdbc.Driver
lobHandler=defaultLobHandler
hibernate.url=jdbc:oracle:thin:@192.168.1.199:1521:ORCL
hibernate.username=psa
hibernate.password=psa
hibernate.dialect=org.hibernate.dialect.Oracle9Dialect
hibernate.driver=oracle.jdbc.driver.OracleDriver
hibernate.showsql=true
hibernate.format_sql=true
hibernate.url=jdbc:oracle:thin:@59.174.243.54:1521:ORCL
hibernate.username=efmdb
hibernate.password=efmdb
hibernate.dialect=org.hibernate.dialect.Oracle9Dialect
hibernate.driver=oracle.jdbc.driver.OracleDriver
hibernate.showsql=true
hibernate.format_sql=true
hibernate.url=jdbc:oracle:thin:@atlas:1521:efuture3
hibernate.username=system
hibernate.password=dell1
hibernate.dialect=org.hibernate.dialect.Oracle9Dialect
hibernate.driver=oracle.jdbc.driver.OracleDriver
hibernate.showsql=true
hibernate.format_sql=true
hibernate.url=jdbc:jtds:sqlserver://192.168.1.141:1533;databasename=zjk;
hibernate.username=sa
hibernate.password=zryh2008
hibernate.dialect=org.hibernate.dialect.SQLServerDialect
hibernate.driver=net.sourceforge.jtds.jdbc.Driver
hibernate.showsql=true
hibernate.format_sql=true
lobHandler=defaultLobHandler
team_conn_local.properties
hibernate.url=jdbc:oracle:thin:@172.16.1.27:1521:STDB
hibernate.username=nuoming
hibernate.password=nm1122
hibernate.dialect=org.hibernate.dialect.Oracle9Dialect
hibernate.driver=oracle.jdbc.driver.OracleDriver
lobHandler=defaultLobHandler
hibernate_conn_local.properties
hibernate.url=jdbc:oracle:thin:@192.168.1.27:1521:orcl
hibernate.username=psa
hibernate.password=psa
hibernate.dialect=org.hibernate.dialect.Oracle9Dialect
hibernate.driver=oracle.jdbc.driver.OracleDriver
hibernate.showsql=false
hibernate.format_sql=true
lobHandler=oracle9iLobHandler
struts.properties
struts.i18n.reload=true
struts.devMode=true
struts.multipart.maxSize=10485760
struts.configuration.xml.reload=true
struts.url.http.port=8080
struts.multipart.saveDir=C:\\Documents and Settings\\Administrator
PSA (management system)
nor_conn_local.properties
hibernate.url=jdbc:oracle:thin:@192.168.1.27:1521:efmdb
hibernate.username=efmdb
hibernate.password=efmdb
hibernate.dialect=org.hibernate.dialect.Oracle9Dialect
hibernate.driver=oracle.jdbc.driver.OracleDriver
lobHandler=defaultLobHandler
norming-config.properties
#app url
path.ess=http://221.232.80.212:8082/ess/
path.ehr=http://221.232.80.212:8082/psa/
path.erc=http://localhost:8080/erc/
path.tomcat=D:/Tomcat 6.0/webapps/psa/
appname=ehr
#for AD User
#sso.adurl=http://192.168.1.133/ext/ssoforj2ee.aspx
#id=psa
#pass=psa
ooo.folder=C:/Program Files (x86)/OpenOffice.org 3/program/
ooo.host=localhost
ooo.port=8181
rmi.host=
rmi.port=50000
team_conn_local.properties
hibernate.url=jdbc:oracle:thin:@localhost:1521:orcl
hibernate.username=efmdb1
hibernate.password=efmdb1
hibernate.dialect=org.hibernate.dialect.Oracle9Dialect
hibernate.driver=oracle.jdbc.driver.OracleDriver
hibernate.showsql=true
hibernate.format_sql=true
lobHandler=defaultLobHandler
hibernate_conn_local.properties
hibernate.url=jdbc:oracle:thin:@192.168.1.27:1521:orcl
hibernate.username=psa
hibernate.password=psa
hibernate.dialect=org.hibernate.dialect.Oracle9Dialect
hibernate.driver=oracle.jdbc.driver.OracleDriver
hibernate.showsql=false
hibernate.format_sql=true
lobHandler=oracle9iLobHandler
(sql).properties
############################################
# \u7487\u5cf0\u6087\u9477\ue047\ue195\u7f03\ufffd
# 192.168.1.137:1433
############################################
hibernate.url=jdbc:jtds:sqlserver://localhost:1433;databasename=ehr
hibernate.username=sa
hibernate.password=sa
hibernate.dialect=org.hibernate.dialect.SQLServerDialect
hibernate.driver=net.sourceforge.jtds.jdbc.Driver
hibernate.showsql=true
hibernate.format_sql=true
lobHandler=defaultLobHandler
(or).properties
hibernate.url=jdbc:oracle:thin:@192.168.1.36:1521:oracle
hibernate.username=HRMS
hibernate.password=HRMS
hibernate.dialect=org.hibernate.dialect.Oracle9Dialect
hibernate.driver=oracle.jdbc.driver.OracleDriver
hibernate.showsql=true
hibernate.format_sql=true
lobHandler=oracle9iLobHandler
(mysql).properties
hibernate.url=jdbc:mysql://localhost:3306/ehr?useOldAliasMetadataBehavior=true&useUnicode=true&characterEncoding=utf-8
hibernate.username=root
hibernate.password=root
hibernate.dialect=org.hibernate.dialect.MySQL5Dialect
hibernate.driver=com.mysql.jdbc.Driver
hibernate.showsql=true
hibernate.format_sql=true
lobHandler=defaultLobHandler

http://117.79.225.151:8080/psa/Homepage.action
Partial database information
Databases and sensitive information (suspected to be Ericsson / 宜通世纪)
ESS (management system)
hibernate_conn_local.properties
hibernate.url=jdbc:jtds:sqlserver://localhost:46937;databasename=PSA630_ETONE
hibernate.username=sa
hibernate.password=Etone2012
hibernate.dialect=org.hibernate.dialect.SQLServerDialect
hibernate.driver=net.sourceforge.jtds.jdbc.Driver
hibernate.showsql=false
hibernate.format_sql=true
lobHandler=defaultLobHandler
norming-config.properties
# page config.
page.size=15
page.max.size=5000
path.ehr=http://localhost:8080/psa/
path.ess=http://localhost:8080/ess/
#login.control=1
appname=ess
sdf.default = yyyy-MM-dd
#sso.adurl=http://192.168.1.33/ext/ssoforj2ee.aspx
#ooo.folder=D:/Program Files/OpenOffice.org 3/program/
#ooo.host=localhost
#ooo.port=8181
rmi.port=50000
PSA (manager platform)
norming-config.properties
#app url
path.ess=http://localhost:8080/ess/
path.ehr=http://localhost:8080/psa/
path.erc=http://localhost:8080/erc/
appname=ehr
#for AD User
#sso.adurl=http://192.168.1.133/ext/ssoforj2ee.aspx
id=psa
pass=psa
#ooo.folder=D:/Program Files/OpenOffice.org 3/program/
#ooo.host=localhost
#ooo.port=8181
db.lock_timeout=20000


http://101.231.48.155:8888/ess/Homepage.action
Partial database information


ESS (management system)
norming-config.properties
# page config.
page.size=15
page.max.size=5000
path.ehr=http://192.168.1.250:8888/psa/
path.ess=http://192.168.1.250:8888/ess/
#login.control=1
appname=ess
sdf.default = yyyy-MM-dd
#sso.adurl=http://192.168.1.33/ext/ssoforj2ee.aspx
#ooo.folder=D:/Program Files/OpenOffice.org 3/program/
#ooo.host=localhost
#ooo.port=8181
rmi.port=50000
hibernate_conn_local.properties
#Fri May 10 17:44:40 CST 2013
hibernate.password=sa
lobHandler=defaultLobHandler
hibernate.driver=net.sourceforge.jtds.jdbc.Driver
hibernate.showsql=false
hibernate.dialect=org.hibernate.dialect.SQLServerDialect
hibernate.url=jdbc\:jtds\:sqlserver\://localhost\:1433;databasename\=psaprc
hibernate.username=sa
hibernate.format_sql=true
PSA (manager platform)
hibernate_conn_local.properties
#Thu May 16 13:46:54 CST 2013
hibernate.password=sa
lobHandler=defaultLobHandler
hibernate.driver=net.sourceforge.jtds.jdbc.Driver
hibernate.showsql=false
hibernate.dialect=org.hibernate.dialect.SQLServerDialect
hibernate.url=jdbc\:jtds\:sqlserver\://localhost\:1433;databasename\=psaprc
hibernate.username=sa
hibernate.format_sql=true


Because the analysis took a long time and there are too many files, naturally only part of them is listed here; please inspect in detail for more.
Only the database and configuration passwords from http://220.249.82.196:8082/ess/Homepage.action are listed here;
in the other two test cases some of the defaults are identical.
Credential pairs (username password):
sa sql_2005
efmdb efmdb
psa psa
system dell1
nuoming nm1122
efmdb1
root root
HRMS HRMS
sa sa
sa zryh2008
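The credential pairs above, the repeated hibernate.url blocks, the hash-ordered hibernate_conn_local.properties dumps with backslash-escaped URLs, and struts.devMode=true in struts.properties are exactly what a pre-deployment configuration audit should catch. The following Python script is an added example for this page; it is not code from the report or from Norming's products. It parses java.util.Properties syntax (comments, continuation lines, \: and \= escapes, \uXXXX), splits a file into per-connection blocks, and flags built-in administrator accounts, passwords equal to the username, short passwords and development-only Struts 2 settings. The sample files are constructed after the report's dumps, and the 8-character threshold and the list of built-in account names are the example's own assumptions.

```python
"""Audit Java .properties files for default DB credentials and development-only
Struts 2 settings.  Added example, not code from the WooYun report or from Norming's
ESS/PSA; the sample files at the bottom are constructed after the report's dumps."""
import re

BUILTIN_ADMINS = {"sa", "root", "system", "sys"}     # SQL Server / MySQL / Oracle (assumed list)
DEV_ONLY_STRUTS = {"struts.devMode", "struts.configuration.xml.reload", "struts.i18n.reload"}
_ESC = re.compile(r"\\(u[0-9a-fA-F]{4}|.)")

def _logical_lines(text):
    """Join java.util.Properties continuation lines; drop blank and comment lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not buf and (not line or line[0] in "#!"):
            continue
        if (len(line) - len(line.rstrip("\\"))) % 2:   # odd run of '\' = continued line
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def _unescape(s):
    """Resolve \\uXXXX and single-char escapes such as \\: \\= \\\\ (seen in the dumps)."""
    def one(m):
        e = m.group(1)
        return chr(int(e[1:], 16)) if len(e) == 5 else {"n": "\n", "t": "\t", "r": "\r"}.get(e, e)
    return _ESC.sub(one, s)

def parse_properties(text):
    """(key, value) pairs in file order; duplicates kept (the dumped files repeat hibernate.url)."""
    pairs = []
    for line in _logical_lines(text):
        i = 0
        while i < len(line) and line[i] not in "=: \t":
            i += 2 if line[i] == "\\" else 1            # an escaped char cannot end the key
        key, rest = line[:i], line[i:].lstrip(" \t")
        if rest and rest[0] in "=:":
            rest = rest[1:].lstrip(" \t")
        pairs.append((_unescape(key), _unescape(rest)))
    return pairs

def _connection_blocks(pairs):
    """One dict per connection: a repeated key opens a new block, so hand-written
    multi-database files and hash-ordered Properties.store() output both split right."""
    blocks, cur = [], {}
    for k, v in pairs:
        if k in cur:
            blocks.append(cur)
            cur = {}
        cur[k] = v
    return blocks + [cur] if cur else blocks

def audit_properties(name, text):
    """Return a list of finding strings for one properties file."""
    pairs, findings = parse_properties(text), []
    for b in _connection_blocks(pairs):
        if "hibernate.username" not in b and "hibernate.password" not in b:
            continue
        user, pw = b.get("hibernate.username", ""), b.get("hibernate.password", "")
        where = f"{user!r} ({b.get('hibernate.url', '<no url>')})"
        if user.lower() in BUILTIN_ADMINS:
            findings.append(f"{name}: connects as built-in administrator {where}")
        if not pw:
            findings.append(f"{name}: empty password for {where}")
        elif pw.lower() == user.lower():
            findings.append(f"{name}: password equals username for {where}")
        elif len(pw) < 8:                                  # assumed minimum length
            findings.append(f"{name}: short password ({len(pw)} chars) for {where}")
    findings += [f"{name}: {k}=true is a development-only setting"
                 for k, v in pairs if k in DEV_ONLY_STRUTS and v.strip().lower() == "true"]
    return findings

# Constructed sample input modelled on the report's dumps (not the real files).
SAMPLE_FILES = {
    "nor_conn_local.properties": r"""
hibernate.url=jdbc:oracle:thin:@192.168.1.199:1521:ORCL
hibernate.username=psa
hibernate.password=psa
hibernate.url=jdbc:oracle:thin:@atlas:1521:efuture3
hibernate.username=system
hibernate.password=dell1
""",
    "hibernate_conn_local.properties": r"""
#Thu May 16 13:46:54 CST 2013
hibernate.password=sa
hibernate.url=jdbc\:jtds\:sqlserver\://localhost\:1433;databasename\=psaprc
hibernate.username=sa
""",
    "struts.properties": r"""
struts.devMode=true
struts.configuration.xml.reload=true
struts.multipart.saveDir=C:\\Documents and Settings\\Administrator
""",
}

if __name__ == "__main__":
    print(*(f for n, t in SAMPLE_FILES.items() for f in audit_properties(n, t)), sep="\n")
```

Run against a real tree by reading every *.properties under WEB-INF/classes into the dict in place of SAMPLE_FILES. Splitting blocks on a repeated key rather than on hibernate.url matters because Properties.store() writes keys in hash order, so the password line can precede the URL line, as it does in the dumps above.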


Some information is commercially sensitive to your company and has not been listed! Please understand!

Fix recommendations:

1. Your company can see the risks in this system's configuration and in the environment it runs in; I hope you will treat them properly! (If the three cases above were pursued further by connecting to the databases and digging deeper, the impact on users' interests and the risk would be even greater, but for this report I only need to list the test cases and the risks they contain. Please bear with me, and do not hesitate to advise!)
2. As a white hat, this is what I should do! I hope everyone pays attention to network security incidents and to their own security!
3. Is there a reward?
Is there a gift?

Copyright notice: please credit the source when reposting: 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively declined.