
Vulnerability summary

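Bug ID: wooyun-2016-0168268

Title: Light-touch test: command execution on a server of the Hubei CA Digital Certification Management Center

Vendor: Hubei Provincial Digital Certificate Authentication Management Center

Author: 路人甲

Submitted: 2016-01-08 13:08

Fixed: 2016-02-22 16:48

Disclosed: 2016-02-22 16:48

Vulnerability type: Command execution

Severity: High

Self-assessed Rank: 13

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org. For questions or help, contact [email protected]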


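Vulnerability details

Disclosure status:

2016-01-08: Details reported to the vendor; awaiting vendor handling
2016-01-12: Vendor confirmed; details disclosed to the vendor only
2016-01-22: Details disclosed to core white hats and experts in related fields
2016-02-01: Details disclosed to regular white hats
2016-02-11: Details disclosed to trainee white hats
2016-02-22: Details disclosed to the public

Brief description:

As the title says.

Detailed description:

#Struts2 command execution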

http://**.**.**.**:8001/css/self/searchCertApply!searchCert.do


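Do not underestimate css.hbca. Once you have a shell, you can cross over to other sites.
#shell:

[Screenshot: 2016-01-08_091934.png]

Proof of vulnerability:

The sensitive information collected is listed below: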
001

#SQLServer 2005 and later
#hibernate.dialect=org.hibernate.dialect.SQLServerDialect
#validationQuery.sqlserver=SELECT 1
#jdbc.url.jeecg=jdbc:sqlserver**.**.**.**:1697;DatabaseName=jeecg
#jdbc.username.jeecg=sa
#jdbc.password.jeecg=SA
#jdbc.dbType=sqlserver
#postgresSQL
#hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect
#validationQuery.sqlserver=SELECT 1
#jdbc.url.jeecg=jdbc:postgresql://localhost:5432/jeecg
#jdbc.username.jeecg=postgres
#jdbc.password.jeecg=postgres
#jdbc.dbType=postgres
#MySQL
hibernate.dialect=org.hibernate.dialect.MySQLDialect
validationQuery.sqlserver=SELECT 1
#jdbc.url.jeecg=jdbc:mysql://localhost:3306/jeewx?useUnicode=true&characterEncoding=UTF-8
jdbc.url.jeecg=jdbc:mysql://WebAppServer1:3306/jeewx?useUnicode=true&characterEncoding=UTF-8&autoReconnect=true&failOverReadOnly=false&maxReconnects=10
jdbc.username.jeecg=root
jdbc.password.jeecg=11111111
jdbc.dbType=mysql
#Oracle
#hibernate.dialect=org.hibernate.dialect.OracleDialect
#validationQuery.sqlserver=SELECT 1 FROM DUAL
#jdbc.url.jeecg=jdbc:oracle:thin:@**.**.**.**:1521:dhtest
#jdbc.username.jeecg=jeecg
#jdbc.password.jeecg=jeecg
#jdbc.dbType=oracle
#update|create|validate the database table structure|leave unchanged; default update (create,validate,none)
hibernate.hbm2ddl.auto=none


002

<!-- Property configuration for each vendor's token media
<property name="ukeyMap">
<map>
<entry key="HHUK JDZY CSP V3.0">
<map>
<entry key="name" value="华虹V3"></entry>
<entry key="p11Lib" value="hhpkcs1114.dll"></entry>
<entry key="algorithm" value="RSA"></entry>
</map>
</entry>
<entry key="HaiTai Cryptographic Service Provider 20485">
<map>
<entry key="name" value="海泰V3"></entry>
<entry key="p11Lib" value="HtPkcs1120485.dll"></entry>
<entry key="algorithm" value="RSA"></entry>
</map>
</entry>
<entry key="Tianyu Cryptographic Service Provider">
<map>
<entry key="name" value="天喻"></entry>
<entry key="p11Lib" value="typkcs11.dll"></entry>
<entry key="algorithm" value="RSA"></entry>
</map>
</entry>
<entry key="M&amp;W eKey XCSP V3">
<map>
<entry key="name" value="明华V3"></entry>
<entry key="p11Lib" value="mwpkcs11_v3.dll"></entry>
<entry key="algorithm" value="RSA"></entry>
</map>
</entry>
<entry key="XiangSheng Cryptographic Service Provider">
<map>
<entry key="name" value="翔晟"></entry>
<entry key="p11Lib" value="NORECOVER"></entry>
<entry key="algorithm" value="RSA"></entry>
</map>
</entry>
<entry key="FEITIAN ePassNG RSA Cryptographic Service Provider">
<map>
<entry key="name" value="飞天"></entry>
<entry key="p11Lib" value="NORECOVER"></entry>
<entry key="algorithm" value="RSA"></entry>
</map>
</entry>

</map>
</property>
-->

<!-- System-related constants -->
<property name="map">
<map>
<!-- SMS sending configuration (URL) -->
<entry key="smsURL" value="http://**.**.**.**:8899/sms/Api/Send.do"></entry>
<!-- SMS sending configuration (account) -->
<entry key="smsCORPID" value="200487"></entry>
<!-- SMS sending configuration (username) -->
<entry key="smsUSERNAME" value="hb_sz"></entry>
<!-- SMS sending configuration (password) -->
<entry key="smsPASSWORD" value="sz0815"></entry>
<!-- SMS sending configuration (content) -->
<entry key="smsContent" value="尊敬的客户,您的业务受理号为:"></entry>

<entry key="keyLength" value="1024"></entry>

<entry key="tomcatUrl" value="F:/apache-tomcat-6.0.32/webapps/css/downloads/"></entry>

<!-- Alipay redirect pages -->
<entry key="notify_url" value="**.**.**.**:8001/css/alipay/notify_url.jsp"></entry>
<entry key="return_url" value="**.**.**.**:8001/css/alipay/return_url.jsp"></entry>
</map>
</property>


003

#SQLServer 2005 and later
#hibernate.dialect=org.hibernate.dialect.SQLServerDialect
#validationQuery.sqlserver=SELECT 1
#jdbc.url.jeecg=jdbc:sqlserver**.**.**.**:1697;DatabaseName=jeecg
#jdbc.username.jeecg=sa
#jdbc.password.jeecg=SA
#jdbc.dbType=sqlserver
#postgresSQL
#hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect
#validationQuery.sqlserver=SELECT 1
#jdbc.url.jeecg=jdbc:postgresql://localhost:5432/jeecg
#jdbc.username.jeecg=postgres
#jdbc.password.jeecg=postgres
#jdbc.dbType=postgres
#MySQL
hibernate.dialect=org.hibernate.dialect.MySQLDialect
validationQuery.sqlserver=SELECT 1
#jdbc.url.jeecg=jdbc:mysql://localhost:3306/jeewx?useUnicode=true&characterEncoding=UTF-8
jdbc.url.jeecg=jdbc:mysql://WebAppServer1:3306/jeewx?useUnicode=true&characterEncoding=UTF-8&autoReconnect=true&failOverReadOnly=false&maxReconnects=10
jdbc.username.jeecg=root
jdbc.password.jeecg=11111111
jdbc.dbType=mysql
#Oracle
#hibernate.dialect=org.hibernate.dialect.OracleDialect
#validationQuery.sqlserver=SELECT 1 FROM DUAL
#jdbc.url.jeecg=jdbc:oracle:thin:@**.**.**.**:1521:dhtest
#jdbc.username.jeecg=jeecg
#jdbc.password.jeecg=jeecg
#jdbc.dbType=oracle
#update|create|validate the database table structure|leave unchanged; default update (create,validate,none)
hibernate.hbm2ddl.auto=none


004

hibernate.connection.driver_class=oracle.jdbc.driver.OracleDriver
hibernate.connection.url=jdbc\:oracle\:thin\:@**.**.**.**\:1521\:hbcadb
hibernate.connection.username=cssuser
hibernate.connection.password=cssuser2013
hibernate.c3p0.min_size=10
hibernate.c3p0.max_size=100
hibernate.c3p0.timeout=180
hibernate.c3p0.acquire_increment=5
hibernate.c3p0.idle_test_period=300
hibernate.c3p0.max_statements=0
hibernate.dialect=org.hibernate.dialect.Oracle10gDialect
hibernate.show_sql=false
hibernate.format_sql=false
org.apache.ws.security.crypto.provider=**.**.**.**ponents.crypto.Merlin
org.apache.ws.security.crypto.merlin.file=css.jks
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=11111111
org.apache.ws.security.crypto.merlin.keystore.alias=css
org.apache.ws.security.crypto.merlin.alias.password=11111111
appId=wx9c2f15696ed15cb1
appSecret=5072c85598a157e90d29a9ed4611132e
bycxkey=bycx
llcxkey=llcx
zdcxkey=zdcx
fwcxkey=fwcx
notbd=yhbd
wxfw=**.**.**.**\:80

Fix:

Fix as soon as possible.

Copyright notice: when reposting, please credit the source 路人甲@乌云
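A defender-side audit for the weaknesses visible in the dumped properties files above (database superuser accounts, short or repeated-character passwords, passwords built on the account name, old credentials left in comments), added here as an example; it is not part of the original report or of the vendor's tooling. The 12-character threshold, the `${...}` placeholder convention for secrets injected at deploy time, and all sample values are assumptions.

```python
import re

SECRET_KEY = re.compile(r"password|secret", re.IGNORECASE)
USER_KEY = re.compile(r"username", re.IGNORECASE)
KEY_SHAPE = re.compile(r"^[\w.\-]+$")       # skips free-text comment lines
PLACEHOLDER = re.compile(r"^\$\{[^}]+\}$")  # value injected at deploy time
ADMIN_USERS = {"root", "sa", "postgres", "system", "sys"}

def parse_properties(text):
    """Yield (line_no, key, value, commented) for every key=value line."""
    for no, line in enumerate(map(str.strip, text.splitlines()), 1):
        commented = line.startswith(("#", "!"))
        key, sep, value = line.lstrip("#! ").partition("=")
        if sep and KEY_SHAPE.match(key.strip()):
            yield no, key.strip(), value.strip(), commented

def is_weak(value, usernames):
    """Short, one repeated character, digits only, or built on a username."""
    v = value.lower()
    return (len(v) < 12 or len(set(v)) == 1 or v.isdigit()
            or any(u in v for u in usernames))

def audit(text):
    """Return (line_no, finding, key) tuples; secret values are never echoed."""
    entries = list(parse_properties(text))
    usernames = {v.lower() for _, k, v, c in entries
                 if USER_KEY.search(k) and v and not c}
    findings = []
    for no, key, value, commented in entries:
        if USER_KEY.search(key):
            if not commented and value.lower() in ADMIN_USERS:
                findings.append((no, "admin-db-account", key))
        elif SECRET_KEY.search(key) and not PLACEHOLDER.match(value):
            kind = ("stale-credential-in-comment" if commented else
                    "weak-secret" if is_weak(value, usernames) else "plaintext-secret")
            findings.append((no, kind, key))
    return findings

# Constructed sample in the shape of the dumps above; every value is made up.
SAMPLE = """\
#jdbc.password.jeecg=EXAMPLE-OLD
jdbc.username.jeecg=root
jdbc.password.jeecg=00000000
hibernate.connection.username=appuser
hibernate.connection.password=appuser-2020-prod
org.apache.ws.security.crypto.merlin.keystore.password=${KEYSTORE_PASSWORD}
"""
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Findings carry only the line number and key name, so the audit output can be logged or attached to a ticket without copying the secrets themselves.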


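Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2016-01-12 16:15

Vendor reply:

CNVD confirmed and reproduced the situation described, and has passed it through CNCERT to the Hubei sub-center, which will coordinate follow-up handling with the organization that manages the website.

Latest status:

None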