
Vulnerability summary (followers: 24)

Defect ID: wooyun-2016-0169600

Title: Zhejiang Mobile government-and-enterprise one-card management platform (tens of millions of sensitive records leaked / 200,000 China Mobile account records / large amount of office information exposed)

Related vendor: center

Author: 路人甲

Submitted: 2016-01-13 16:29

Fixed: 2016-02-27 11:49

Published: 2016-02-27 11:49

Vulnerability type: command execution

Severity: high

Self-assessed rank: 20

Status: handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2016-01-13: details sent to the vendor, awaiting vendor handling
2016-01-15: vendor confirmed; details visible to the vendor only
2016-01-25: details disclosed to core white hats and domain experts
2016-02-04: details disclosed to regular white hats
2016-02-14: details disclosed to intern white hats
2016-02-27: details disclosed to the public

Brief description:

Zhejiang Mobile government-and-enterprise one-card management platform (50 million sensitive records leaked / 200,000 China Mobile account records / large amount of office information exposed)

Detailed description:

**.**.**.**/commoncard/login/login_cmcc.jsp The Zhejiang Mobile government-and-enterprise one-card management platform has a command-execution vulnerability. After writing a shell and going through the database configuration, a large amount of information was found: 40 million sensitive login records and 10 million other records, including 200,000 employee-number login accounts.
The data set is too large; only part of it is captured here.

Proof of vulnerability:

[Screenshots attached to the original report (images not reproduced here): 000.png, db.png, xinxi.png, xinxi1.png through xinxi10.png]

<name>jndirccard2</name>
<jdbc-driver-params>
<url>jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS_LIST =(ADDRESS = (PROTOCOL = TCP)(HOST = **.**.**.**)(PORT = 1521)) (ADDRESS = (PROTOCOL = TCP)(HOST = **.**.**.**)(PORT = 1521)) ) (LOAD_BALANCE = yes) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = orcl) ) )</url>
<driver-name>oracle.jdbc.OracleDriver</driver-name>
<properties>
<property>
<name>user</name>
<value>rccard2</value>
</property>
</properties>
<password-encrypted>{3DES}0KboIHsXEeALiawzDHHORbnAgqtKiytP</password-encrypted> Onecard!QAZ5WSX#EDC

Database configuration

Query#0 : select t.TABLE_NAME,t.NUM_ROWS from user_tables t order by NUM_ROWS desc
TABLE_NAME (VARCHAR2)   NUM_ROWS (NUMBER)
CWA_CRD_DAILY 40609216
CWA_DAY_LIST 37605889
CNS_DAY_BOOK 19207483
SYS_DATAMOVE_NOTES 7566977
CWA_CRD_DAILY_INVALID 3806919
SYS_GRP_DAYCOUNT 1238830
AEG_USR_LOG 1178024
SYS_CNS_SUB_LEDG_HIS 986807
EAEVENT 481471
CWA_SCHE_LIST 457548
STAT_CNS_DEV 457182
CNS_GEN_BOOK 435049
STAT_CNS_REPORT 364118
CNS_ALLW_LIST 352543
SYS_SMS_SENDLIST 330789
CNS_DAYBOOK_ALARM 264654
CNS_IN_OUT_SUM 238088
CRD_SVC_LIST 230721
EAEXCEPTION 218270
CNS_DISTR_LIST 199153
CNS_SUB_LEDG 159309
CRD_ISSU_LIST 158573
CNS_ALLW_DOWN_LIST 142407
CNS_CASH_BOOK 138437
CNS_TIME_SUM 138366
EAUSER 136167
CNS_AREA_LEDG 115227
CWA_SCHE_BOOK 105789
CNS_AGT_LIST 88648
SYS_UMPAY_DATA 86962
CRD_BLK_LIST 67548
CNS_DAY_SUM 64937
EAROLEAUTHORIZE 53995
CWA_SPC_BOOK 45182
CNS_ALLW_INFO 37988
CWA_GRP_LIST 24704
STAT_TRANSCOUNT_CARD_MONTH 22541
STAT_TRANSCOUNT_PER_MONTH 21866
EAEVENT_20140731 21193
CWA_ACC_BOOK 15657
CNS_TRD_KIND 12415
CWA_RUN_LIST 11638
CWA_CRD_DAILY_20150828 10983
EAIMPORTDATA 9425
EADEPT 7167
SYS_GRPS_DUTY 4509
CWA_MONTH_BOOK_DETAIL 4123
CNS_ALLW_RECOVERY 3712
SYS_CNS_SUB_LEDG_ANALYSE 3603
DEV_TRM_INFO 3100
EAUSERAUTHORIZE 2214
SYS_DEALMONEY_TEMP 2179
CWA_RUN_DEF 2150
CNS_BIZ_INFO 1892
EAROLE 1687
CWA_RUN_BASE 1480
CNS_DAY_BOOK_DELETE 1349
CRD_ISSU_LIST_TEMP 1254
CNS_SUB_LEDG_TEMP 1254
CRD_TYPE_INFO 1086
CWA_HLD_LIST 1075
EAMENU 994
CNS_AREA_INFO 857
SYS_GRPS_INFO 828
SYS_GRPS_SEQ 786
SYS_DATAMOVE_GRPS_ALREADY 781
CWA_SYS_INFO 772
SYS_DATAMOVE_GRPS 772
SYS_MESSAGE_OPEN_INFO 720
CWA_LEAV_TYPE 695
EACODE 474
CNS_PAY_RATE 462
CWA_GRP_DEF 357
EAMENU_COMPARE 349
CNS_CRD_LIMIT 328
CRD_BLK_LIST_9_PENGM 316
CNS_SUB_SVC_LIST 304
CNS_GRP_LIST 281
CNS_CASH_BOX 242
SYS_DATAMOVE_EXLUDETABLE 149
SYS_DATAMOVE_COMPARE 144
SYS_GRPS_ZX_20160105 131
CWA_MONTH_BOOK_DETAIL_STAT 119
SYS_ALLW_5750000065 88
CWA_SPECIAL_APPLY 87
SCS_LOG_INFO 63
SYS_AEG_INFO_20140731 62
SYS_NEW_BUSINESS_TONGYYKT_MTH 56
CNS_DAYBOOK_ALARM_OLD 55
CNS_TIME_SEG 47
CNS_TRD_PARA 37
SYS_NEW_BUSINESS_TYYKT_CT_MTH 30
EAPARAM 30
CNS_PAY_RATE_TEMP 25
CNS_DISC_RATE 25
CNS_CLEAR_LIST 21
APL_CODE_INFO 16
CNS_VERS_INFO 14
SYS_AREA_INFO 12
SCS_SMS_INFO 11
SYS_WEEKSUM 11
SYS_REF_QESTION 10
EAROLETYPERELATION 10
DEV_FAC_INFO 6
CNS_PAY_LOG 6
CNS_DAY_BOOK_TEMP 6
DEV_FACVER_INFO 5
CNS_CHARGE_RATE 4
CNS_SVC_PRIC 2
DEV_BLK_IP 2
SYS_UMPAY_INFO 2
CWA_LEAV_REMI 1
APP_WHITEIP_LIST 1
CNS_CONTROL_PARA 1
DEV_TRM_NO 1
AEG_USER_PERM 0
AEG_USER_TMP 0
ALM_ACC_BOOK 0
ALM_DAY_BOOK 0
ALM_PERS_INFO 0
ALM_PROC_BOOK 0
ALM_SMS_LIST 0
ALM_TYPE_INFO 0
AREA_GRPS_INFO 0
CNS_DAY_RPT 0
SYS_UMPAY_INFO_CACHE 0
SYS_AEG_INFO 0
SCS_BIZ_PAY 0
CNS_PARA_INFO 0
CNS_SAVE_LIST 0
CNS_SUSPEND 0
CNS_SUSPEND_DISP 0
CWA_ATTD_LIST 0
CWA_ATTD_RATE 0
CWA_DAY_LIST_129_BAK 0
CWA_MON_LIST 0
CWA_PERS_RUN 0
DEV_BAS_INFO 0
DEV_DOWN_CTRL 0
DEV_OWN_BOOK 0
DEV_USE_BOOK 0
EABEANMONITOR 0
EADATAROLE 0
EAHELP 0
EAHTTPSESSION 0
EAICON 0
EAJDBCMONITOR 0
EAROLE_OLD 0
EASEQUENCE 0
EASMSTEMPLATE 0
EAUSERAUTHORIZE_MONITOR 0
EAUSERMENUMAP 0
EAUSERSUBINFO 0
EA_LOAD_INFO 0
EVENTCODE 0
EVENT_TYPE_INFO 0
MOB_ISSU_LIST 0
MTG_ACC_INFO 0
MTG_ATTD_TYPE 0
MTG_PERS_INFO 0
MTG_SCR_INFO 0
MTG_SITE_INFO 0
OTHERRUNINFO 0
STAT_GRP_EXCLUDE 0
SYS_APPCONFIG 0
SYS_BUSI_LOCK 0
SYS_DATAMOVE_TABLECOLUMN 0
SYS_MBL_CRD_STATE 0
SYS_MBL_VALIDATE 0
SYS_SQL_TEST 0
SYS_TBL_DATSTAT 0
SYS_VER_INFO 0
EAEVENT_CACHE 0
EAEXCEPTION_CACHE 0
CWA_CRD_DAILY_INVALID_CACHE 0
CNS_DAY_BOOK_DELETE_CACHE 0
SYS_DATA_COMPARE 0
EAUSERPHOTO 0
PLAN_TABLE 0
SYS_AEG_INFO_TEMP 0
SYS_AEG_INFO_CACHE 0
AEG_ALM_LOG 0
AEG_CTRL_INFO 0
AEG_CTRL_TYPE 0
AEG_DOOR_INFO 0
AEG_DOOR_ZONE 0
AEG_EVT_DEF 0
AEG_HLD_INFO 0
AEG_PERM_DEF 0
AEG_PERM_LIST 0
AEG_TIME_REG 0

Database structure

**.**.**.**/rcscs/1.jspx 9635789

Remediation:

Copyright notice: when reposting, credit the source: 路人甲@WooYun
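The `<password-encrypted>{3DES}…</password-encrypted>` fragment quoted above is a datasource definition in WebLogic's JDBC system-module format, and the report shows the recovered cleartext next to it: the {3DES} (and {AES}) schemes are decrypted with the per-domain key in security/SerializedSystemIni.dat, so shell access that can read the module can read the key too. As an added example, not part of the original report and not the platform's own code, the Python script below parses such a module the way a responder would during triage, listing the database endpoints, the account and the password-storage scheme that have to be rotated. The wrapping `<jdbc-data-source>` element, the two host addresses, the JNDI name and the ciphertext in the embedded sample are constructed placeholders, not values from the page; the `{*}` namespace wildcard needs Python 3.8 or later.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in WebLogic's JDBC system-module format, shaped like the
# fragment quoted in the report. The wrapping element, both host addresses,
# the JNDI name and the ciphertext are placeholders (assumptions), not values
# taken from the original page.
SAMPLE_MODULE = """<jdbc-data-source xmlns="http://xmlns.oracle.com/weblogic/jdbc-data-source">
  <name>jndirccard2</name>
  <jdbc-driver-params>
    <url>jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS_LIST =(ADDRESS = (PROTOCOL = TCP)(HOST = 10.0.0.1)(PORT = 1521)) (ADDRESS = (PROTOCOL = TCP)(HOST = 10.0.0.2)(PORT = 1521)) ) (LOAD_BALANCE = yes) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = orcl) ) )</url>
    <driver-name>oracle.jdbc.OracleDriver</driver-name>
    <properties>
      <property>
        <name>user</name>
        <value>rccard2</value>
      </property>
    </properties>
    <password-encrypted>{3DES}QUFBQUFBQUFBQUFBQUFBQQ==</password-encrypted>
  </jdbc-driver-params>
  <jdbc-data-source-params>
    <jndi-name>jdbc/rccard2</jndi-name>
  </jdbc-data-source-params>
</jdbc-data-source>
"""

# Schemes WebLogic itself can reverse with the domain key kept in
# security/SerializedSystemIni.dat; whoever reads both files can reverse them too.
REVERSIBLE_SCHEMES = {"3DES", "AES", "AES256"}


def _text(node, path):
    """Stripped text of the first child matching path, or None."""
    if node is None:
        return None
    found = node.find(path)
    return found.text.strip() if found is not None and found.text else None


def parse_tns_descriptor(url):
    """Extract (host, port) pairs and SERVICE_NAME from an Oracle thin JDBC URL
    that embeds a TNS DESCRIPTION block, as the URL in the report does.
    A plain host:port/service URL yields no addresses and no service name."""
    pairs = re.findall(
        r"\(\s*HOST\s*=\s*([^)\s]+)\s*\)\s*\(\s*PORT\s*=\s*(\d+)\s*\)", url, re.I)
    svc = re.search(r"\(\s*SERVICE_NAME\s*=\s*([^)\s]+)\s*\)", url, re.I)
    return {
        "addresses": [(host, int(port)) for host, port in pairs],
        "service_name": svc.group(1) if svc else None,
    }


def audit_datasource(xml_text):
    """Summarise one JDBC module: which database, which account, and how the
    password is stored. '{*}' in a path matches any XML namespace."""
    root = ET.fromstring(xml_text)
    drv = root.find("{*}jdbc-driver-params")
    if drv is None:
        raise ValueError("module has no jdbc-driver-params element")
    url = _text(drv, "{*}url") or ""

    user = None
    for prop in drv.findall("{*}properties/{*}property"):
        if _text(prop, "{*}name") == "user":
            user = _text(prop, "{*}value")

    clear = _text(drv, "{*}password")
    enc = _text(drv, "{*}password-encrypted")
    findings = []
    if clear:
        storage = "cleartext"
        findings.append("password stored in cleartext in the module")
    elif enc:
        m = re.match(r"\{([^}]+)\}", enc)
        scheme = m.group(1) if m else "unknown"
        storage = "encrypted:" + scheme
        if scheme.upper() in REVERSIBLE_SCHEMES:
            findings.append(
                f"{scheme} password is recoverable by anyone who can read this "
                "module and SerializedSystemIni.dat; rotate the database account")
    else:
        storage = "absent"

    return {
        "datasource": _text(root, "{*}name"),
        "jndi_name": _text(root, "{*}jdbc-data-source-params/{*}jndi-name"),
        "driver": _text(drv, "{*}driver-name"),
        "user": user,
        "targets": parse_tns_descriptor(url),
        "password_storage": storage,
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_datasource(SAMPLE_MODULE)
    hosts = ", ".join(f"{h}:{p}" for h, p in report["targets"]["addresses"])
    print(f"{report['datasource']} -> {report['user']}@"
          f"{report['targets']['service_name']} on {hosts} "
          f"[{report['password_storage']}]")
    for finding in report["findings"]:
        print(" -", finding)
```

Run it over every module under the domain's config/jdbc/ directory after a compromise like the one reported; each listed account needs its password changed on the database side as well, since re-encrypting the module alone leaves the old credential valid.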


Vulnerability response

Vendor response:

Severity: high

Vulnerability rank: 12

Confirmed: 2016-01-15 18:04

Vendor reply:

CNVD confirmed and reproduced the described situation; it has been forwarded via CNCERT to China Mobile Group, which will coordinate handling with the website's management department.

Latest status:

None yet