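2016-01-07: Details reported to the vendor; awaiting vendor handling
2016-01-11: Vendor confirmed; details disclosed only to the vendor
2016-01-21: Details disclosed to core white hats and experts in related fields
2016-01-31: Details disclosed to regular white hats
2016-02-10: Details disclosed to intern white hats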
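Can leak a large number of users' names, contact details and addresses, along with a large amount of sensitive internal-network information.
http://**.**.**.**:4180/login/login.do has a Struts2 command execution vulnerability. The web path is: /opt/hermes/billManager/resin_billmanager/webapps/bill/
A large amount of user information is included.
There are too many databases, so I did not connect to each of them one by one. What is certain is that this is absolutely, absolutely not a test system!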
<!-- Database reference names -->
<hermes>
  <user>{IDEA}raC3qKC2</user>
  <password>{IDEA}raC3qKC2</password>
  <database>HERMES</database>
  <server>ORADB</server>
  <driver>oracle</driver>
</hermes>
<aimc-test-229>
  <user>{IDEA}pKywsKg=</user>
  <password>{IDEA}W1Gm6xJC3Fer</password>
  <database>AIMC-TEST-229</database>
  <server>AIMC-TEST-229</server>
  <driver>oracle</driver>
</aimc-test-229>
<hermes-db-240>
  <user>{IDEA}raC3qKC2</user>
  <password>{IDEA}raC3qKC2</password>
  <database>HERMES</database>
  <server>HERMES</server>
  <driver>oracle</driver>
</hermes-db-240>
<integ-db-240>
  <user>{IDEA}jIuRgII=</user>
  <password>{IDEA}jIuRgII=</password>
  <database>INTEG</database>
  <server>INTEG</server>
  <driver>oracle</driver>
</integ-db-240>
<ms1-index-db>
  <user>{IDEA}t6qqsQ==</user>
  <password>{IDEA}9PT09PT0</password>
  <database>test</database>
  <server>**.**.**.**</server>
  <driver>mysql</driver>
com.mysql.jdbc.Driver
jdbc:mysql**.**.**.**:3306/Bill189DB?user=root&password=bI11i89db
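One table holds more than a hundred million rows; unfortunately the MySQL query simply hung, and the administrator had not created any indexes.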
<project basedir="." default="mysql189bill" name="189bill">
  <path id="mySqlDriver.classpath">
    <pathelement location="../lib/mysql-connector-java-5.1.18-bin.jar"/>
  </path>
  <path id="oracleDriver.classpath">
    <pathelement location="../lib/classes12.jar"/>
  </path>
  <target name="db_189bill" description="sql for 189bill">
    <sql driver="oracle.jdbc.driver.OracleDriver"
         url="jdbc:oracle:thin:ehome_bill/ehomebill090512@**.**.**.**:1521:prtdb"
         userid="ehome_bill" password="ehomebill090512"
         onerror="continue" print="yes" src="oracle.sql"
         classpathref="oracleDriver.classpath" />
  </target>
  <target description="Executes an SQL Script" name="mysql189bill">
    <sql classpathref="mySqlDriver.classpath" driver="com.mysql.jdbc.Driver"
         src="${sqlfile}" print="yes"
         url="jdbc:mysql://localhost:3306/Bill189DB?autoReconnect=true&useUnicode=true&characterEncoding=gbk"
         userid="root" password="123456"/>
  </target>
  <!-- ?????欢 -->
  <property name="serv.user" value="hermes" />
  <property name="serv.password-scp" value="!@#$&*()@" />
  <property name="serv.port" value="22" />
  <property name="serv.knownhosts" value="/opt/hermes/.ssh/known_hosts" />
  <!-- scp ?版??″?; -->
  <target name="scp2server">
<forward_alias_domain>**.**.**.**</forward_alias_domain>
<ldap_url>ldap**.**.**.**:8889</ldap_url>
<ldap_authtype>simple</ldap_authtype>
<ldap_username>admin</ldap_username>
<V_NEW_USER_URL>http://**.**.**.**/webmail/activeUser.jsp?action=0#toUserID=%s#ip=%s</V_NEW_USER_URL>
<V_COMMEND_USER_URL>http://**.**.**.**/webmail/activeUser.jsp?action=1#toUserID=%s#recommendUserID=%s#ip=%s</V_COMMEND_USER_URL>
<MT_URL>**.**.**.**:8082/uwpp/request/mt.jsp?sp_code=21CN#cp_code=21CNEMAIL#cp_id=21cnemail#cp_pwd=myemail137#service_id=DXZCYJ#fee=%s#des=%s#src=2100#content=%s#fmt=GBK#msg_type=3#link_id=%s#region=%s</MT_URL>
<CORP_MT_URL>**.**.**.**:8082/uwpp/request/corp.jsp?cp_code=21CNEMAIL#cp_id=21cnemail#cp_pwd=myemail137#des=%s#content=%s#sp_code=21CN</CORP_MT_URL>
<server_ip> hermes_appdog_host</server_ip>
<server_port>110</server_port>
<server_conn_timeout>5</server_conn_timeout>
<server_transport_timeout>5</server_transport_timeout>
<test_account>hermesmon@1</test_account>
<test_account_pwd>hermesmon</test_account_pwd>
<smon_server_ip>**.**.**.**</smon_server_ip>
<smon_server_port>8000</smon_server_port>
  <user>{IDEA}raC3qKC2</user>
  <password>{IDEA}raC3qKC2</password>
  <database>189TEST</database>
  <server>189TEST</server>
  <driver>oracle</driver>
  <charset>AMERICAN_AMERICA.WE8ISO8859P1</charset>
</hermes>
<aimc>
  <user>{IDEA}qay8pKui</user>
  <password>{IDEA}e2CSP5MYy+Kropr09/bx</password>
  <database>AIMC-LIYANG</database>
  <server>AIMC-LIYANG</server>
  <driver>oracle</driver>
  <charset>AMERICAN_AMERICA.US7ASCII</charset>
</aimc>
<hermes_test>
  <user>{IDEA}QJmV9bejPbU=</user>
  <password>{IDEA}QJmV9bejPbU=</password>
  <database>mailads</database>
  <server>MAILADS</server>
  <driver>oracle</driver>
</hermes_test>
<ms-index-db>
  <user>{IDEA}raC3qKC2</user>
  <password>{IDEA}UjWzQr6BCwu8jQ==</password>
  <database>hermes</database>
  <server>ms_index_host</server>
  <driver>mysql</driver>
</ms-index-db>
<pub-temp-db>
  <user>{IDEA}t6qqsQ==</user>
  <password>{IDEA}9Pf28fDz</password>
  <database>public</database>
  <server>localhost</server>
  <driver>mysql</driver>
</pub-temp-db>
<public-db>
  <user>{IDEA}t6qjqrexrw==</user>
  <password>{IDEA}t6qjqrexrw==</password>
  <database>DB3</database>
  <server>PUBLIC_DB</server>
  <driver>oracle</driver>
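The configuration excerpts above keep credentials as literals in XML elements, in Ant task attributes and in URL query strings, and several entries store the same value for user and password. As an added example (not part of the original report), this Python script audits an XML configuration for those patterns; the sample document, its names and all of its values are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like the excerpts above; every value is a placeholder.
SAMPLE = """<conf>
  <appdb>
    <user>{IDEA}EXAMPLEONLY=</user>
    <password>{IDEA}EXAMPLEONLY=</password>
    <driver>oracle</driver>
  </appdb>
  <watch_object id="1">
    <test_account>monitor@example.test</test_account>
    <test_account_pwd>EXAMPLE-ONLY</test_account_pwd>
  </watch_object>
  <target name="load">
    <sql driver="com.mysql.jdbc.Driver" userid="root" password="EXAMPLE-ONLY"
         url="jdbc:mysql://db.example.test:3306/app?user=root&amp;password=EXAMPLE-ONLY"/>
  </target>
  <property name="serv.password-scp" value="${env.SCP_PASSWORD}"/>
</conf>"""

SECRET_NAME = re.compile(r"password|passwd|pwd|secret", re.I)
URL_SECRET = re.compile(r"[?&#;]\w*(?:password|passwd|pwd)=[^&#;\s]+", re.I)
REFERENCE = re.compile(r"^\$\{[^}]+\}$")  # ${property} resolved outside the file

def audit(xml_text):
    """Return sorted (location, reason) findings for credentials stored in the file."""
    findings = []
    for node in ET.fromstring(xml_text).iter():
        children = {c.tag: (c.text or "").strip() for c in node}
        # Element-style secrets such as <password> or <test_account_pwd>.
        for tag, text in children.items():
            if SECRET_NAME.search(tag) and text and not REFERENCE.match(text):
                findings.append((f"<{node.tag}>/<{tag}>", "literal secret in element"))
        # Equal stored values (same encoding assumed) mean password == user name.
        if children.get("user") and children.get("user") == children.get("password"):
            findings.append((f"<{node.tag}>", "password equals user name"))
        # Attribute-style secrets: Ant <sql password=...>, <property name=... value=...>.
        prop_name = node.get("name", "")
        for attr, value in node.attrib.items():
            if REFERENCE.match(value):
                continue
            if SECRET_NAME.search(attr) or (attr == "value" and SECRET_NAME.search(prop_name)):
                findings.append((f"<{node.tag} {attr}=...>", "literal secret in attribute"))
            if URL_SECRET.search(value):
                findings.append((f"<{node.tag} {attr}=...>", "credential in URL"))
    return sorted(findings)

if __name__ == "__main__":
    for location, reason in audit(SAMPLE):
        print(f"{location}: {reason}")
```

The `<property>` whose value is a `${...}` reference is not reported, because the secret is supplied from outside the file rather than committed with it.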
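Are you using this as if it were a social-engineering database?
Severity: High
Vulnerability Rank: 10
Confirmation time: 2016-01-11 15:42
CNVD has confirmed the situation described and has passed it to CNCERT to notify China Telecom Group, which will then coordinate with the site's administrators to handle it.
None yet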