当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0183359

漏洞标题:中银保险某重要系统命令执行可Getshell

相关厂商:中银保险有限公司

漏洞作者: 暴走

提交时间:2016-03-11 16:48

修复时间:2016-03-16 11:25

公开时间:2016-03-16 11:25

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:厂商已经修复

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-03-11: 细节已通知厂商并且等待厂商处理中
2016-03-11: 厂商已经确认,细节仅向厂商公开
2016-03-16: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

给个高分可否,小礼物真的会送吗。

详细说明:

中银保险参数管理平台(http://111.205.37.193:7001/BOCIParamManager/)
之前有白帽子提交过webloigc后台弱口令导致getshell,这个漏洞是修补了,可是反序列化没修补。

2.png

漏洞证明:

测试结果:

3.png


内网IP地址

4.png


开放了3389、21等N多端口

活动连接
  协议  本地地址          外部地址        状态
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6100           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6200           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:30005          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49174          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49175          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49184          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49198          0.0.0.0:0              LISTENING
  TCP    21.8.143.113:139       0.0.0.0:0              LISTENING
  TCP    21.8.143.113:445       21.8.143.114:50996     ESTABLISHED
  TCP    21.8.143.113:7001      0.0.0.0:0              LISTENING
  TCP    21.8.143.113:7001      21.8.143.24:30349      TIME_WAIT
  TCP    21.8.143.113:7001      21.8.143.24:33745      TIME_WAIT
  TCP    21.8.143.113:7001      21.8.143.24:39151      TIME_WAIT
  TCP    21.8.143.113:7001      21.8.143.24:51216      TIME_WAIT
  TCP    21.8.143.113:7001      21.8.143.24:52160      TIME_WAIT
  TCP    21.8.143.113:7001      21.8.143.24:63610      TIME_WAIT
  TCP    21.8.143.113:7001      21.8.143.50:3961       ESTABLISHED
  TCP    21.8.143.113:7001      21.8.143.50:24606      ESTABLISHED
  TCP    21.8.143.113:7001      21.8.143.50:58333      TIME_WAIT
  TCP    21.8.143.113:7001      22.8.142.51:52412      ESTABLISHED
  TCP    21.8.143.113:7001      22.8.142.53:47623      ESTABLISHED
  TCP    21.8.143.113:7001      22.8.142.53:49399      TIME_WAIT
  TCP    21.8.143.113:7001      22.8.142.53:60535      TIME_WAIT
  TCP    21.8.143.113:9005      0.0.0.0:0              LISTENING
  TCP    21.8.143.113:49963     21.8.143.202:1521      ESTABLISHED
  TCP    21.8.143.113:53403     21.8.143.202:1521      ESTABLISHED
  TCP    21.8.143.113:53694     21.8.143.202:1521      ESTABLISHED
  TCP    21.8.143.113:53790     21.8.143.113:30005     TIME_WAIT
  TCP    21.8.143.113:53793     21.8.143.113:30005     TIME_WAIT
  TCP    21.8.143.113:53794     21.8.143.113:30005     TIME_WAIT
  TCP    21.8.143.113:53796     21.8.143.113:30005     TIME_WAIT
  TCP    21.8.143.113:53798     21.8.143.113:30005     TIME_WAIT
  TCP    21.8.143.113:53799     21.8.143.113:30005     TIME_WAIT
  TCP    21.8.143.113:53802     21.8.143.113:30005     TIME_WAIT
  TCP    21.8.143.113:53803     21.8.143.113:30005     TIME_WAIT
  TCP    21.8.143.113:53804     21.8.143.113:30005     TIME_WAIT
  TCP    21.8.143.113:53807     21.8.143.113:30005     TIME_WAIT
  TCP    21.8.143.113:53808     21.8.143.113:30005     TIME_WAIT
  TCP    127.0.0.1:6100         127.0.0.1:53791        TIME_WAIT
  TCP    127.0.0.1:6100         127.0.0.1:53795        TIME_WAIT
  TCP    127.0.0.1:6100         127.0.0.1:53800        TIME_WAIT
  TCP    127.0.0.1:6100         127.0.0.1:53805        TIME_WAIT
  TCP    127.0.0.1:6200         127.0.0.1:53792        TIME_WAIT
  TCP    127.0.0.1:6200         127.0.0.1:53797        TIME_WAIT
  TCP    127.0.0.1:6200         127.0.0.1:53801        TIME_WAIT
  TCP    127.0.0.1:6200         127.0.0.1:53806        TIME_WAIT
  TCP    127.0.0.1:7001         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:9005         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:49969        127.0.0.1:49970        ESTABLISHED
  TCP    127.0.0.1:49970        127.0.0.1:49969        ESTABLISHED
  TCP    127.0.0.1:49971        127.0.0.1:49972        ESTABLISHED
  TCP    127.0.0.1:49972        127.0.0.1:49971        ESTABLISHED
  TCP    127.0.0.1:49973        127.0.0.1:49974        ESTABLISHED
  TCP    127.0.0.1:49974        127.0.0.1:49973        ESTABLISHED
  TCP    127.0.0.1:49975        127.0.0.1:49976        ESTABLISHED
  TCP    127.0.0.1:49976        127.0.0.1:49975        ESTABLISHED
  TCP    127.0.0.1:49977        127.0.0.1:49978        ESTABLISHED
  TCP    127.0.0.1:49978        127.0.0.1:49977        ESTABLISHED
  TCP    127.0.0.1:49979        127.0.0.1:49980        ESTABLISHED
  TCP    127.0.0.1:49980        127.0.0.1:49979        ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  TCP    [::]:445               [::]:0                 LISTENING
  TCP    [::]:3389              [::]:0                 LISTENING
  TCP    [::]:47001             [::]:0                 LISTENING
  TCP    [::]:49152             [::]:0                 LISTENING
  TCP    [::]:49153             [::]:0                 LISTENING
  TCP    [::]:49174             [::]:0                 LISTENING
  TCP    [::]:49175             [::]:0                 LISTENING
  TCP    [::]:49184             [::]:0                 LISTENING
  TCP    [::]:49198             [::]:0                 LISTENING
  TCP    [::1]:7001             [::]:0                 LISTENING
  TCP    [::1]:9005             [::]:0                 LISTENING
  TCP    [2002:1508:8f71::1508:8f71]:445  [2002:1508:8f71::1508:8f71]:53449  ESTABLISHED
  TCP    [2002:1508:8f71::1508:8f71]:7001  [::]:0                 LISTENING
  TCP    [2002:1508:8f71::1508:8f71]:9005  [::]:0                 LISTENING
  TCP    [2002:1508:8f71::1508:8f71]:53449  [2002:1508:8f71::1508:8f71]:445  ESTABLISHED
  TCP    [fe80::200:5efe:21.8.143.113%12]:7001  [::]:0                 LISTENING
  TCP    [fe80::200:5efe:21.8.143.113%12]:9005  [::]:0                 LISTENING
  UDP    0.0.0.0:123            *:*                    
  UDP    0.0.0.0:500            *:*                    
  UDP    0.0.0.0:4500           *:*                    
  UDP    0.0.0.0:5355           *:*                    
  UDP    21.8.143.113:137       *:*                    
  UDP    21.8.143.113:138       *:*                    
  UDP    127.0.0.1:53302        *:*                    
  UDP    127.0.0.1:53870        *:*                    
  UDP    127.0.0.1:54748        *:*                    
  UDP    127.0.0.1:60396        *:*                    
  UDP    127.0.0.1:63134        *:*                    
  UDP    [::]:123               *:*                    
  UDP    [::]:500               *:*                    
  UDP    [::]:4500              *:*


config.xml

<?xml version='1.0' encoding='UTF-8'?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd">
  <name>base_domain</name>
  <domain-version>10.3.6.0</domain-version>
  <security-configuration>
    <name>base_domain</name>
    <realm>
      <sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
      <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
        <sec:active-type>AuthenticatedUser</sec:active-type>
      </sec:authentication-provider>
      <sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
      <sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
      <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
      <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
      <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
      <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
      <sec:name>myrealm</sec:name>
      <sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
        <sec:name>SystemPasswordValidator</sec:name>
        <pas:min-password-length>8</pas:min-password-length>
        <pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
      </sec:password-validator>
    </realm>
    <default-realm>myrealm</default-realm>
    <credential-encrypted>{AES}35uscvHlIcGYxHP8/cYYvz/HBNTXRuyMdTWJxMviEROzQg71NmNyJnbZWZPSf8vT83QmQ7p4Lw+oi8HFgmNmIC766Qv1IrXtcMFyYgBo5EdD/yq2ltrqUXOL1DWIMH17</credential-encrypted>
    <node-manager-username>aNpdpFYxhR</node-manager-username>
    <node-manager-password-encrypted>{AES}jVtYKs0BcCaIcIONh9GnkJjfaLex7Ai8USCfJzQeJIQ=</node-manager-password-encrypted>
  </security-configuration>
  <server>
    <name>AdminServer01</name>
    <listen-address></listen-address>
  </server>
  <production-mode-enabled>true</production-mode-enabled>
  <embedded-ldap>
    <name>base_domain</name>
    <credential-encrypted>{AES}FcHxi+7xjZj3VICingEIe/0JViC6wu2jI8URmDK5i0O/U0tCzjWYC+2jsoxx9sXQ</credential-encrypted>
  </embedded-ldap>
  <administration-port-enabled>true</administration-port-enabled>
  <administration-port>9005</administration-port>
  <configuration-version>10.3.6.0</configuration-version>
  <app-deployment>
    <name>BOCIParamManager</name>
    <target>AdminServer01</target>
    <module-type>war</module-type>
    <source-path>D:\鍙傛暟绠$悊杞欢\BOCIParamManager.war</source-path>
    <security-dd-model>DDOnly</security-dd-model>
  </app-deployment>
  <app-deployment>
    <name>BOCIDispatchService</name>
    <target>AdminServer01</target>
    <module-type>war</module-type>
    <source-path>D:\褰卞儚澶勭悊杞欢\BOCIDispatchService.war</source-path>
    <security-dd-model>DDOnly</security-dd-model>
  </app-deployment>
  <admin-server-name>AdminServer01</admin-server-name>
  <jdbc-system-resource>
    <name>PARA_MANG_DS</name>
    <target>AdminServer01</target>
    <descriptor-file-name>jdbc/PARA_MANG_DS-2338-jdbc.xml</descriptor-file-name>
  </jdbc-system-resource>
  <jdbc-system-resource>
    <name>DispatchServiceDS</name>
    <target>AdminServer01</target>
    <descriptor-file-name>jdbc/DispatchServiceDS-4602-jdbc.xml</descriptor-file-name>
  </jdbc-system-resource>
</domain>


数据库配置文件在 D:\Oracle\Middleware\user_projects\domains\base_domain\config\jdbc\PARA_MANG_DS-2338-jdbc.xml

<?xml version='1.0' encoding='UTF-8'?>
<jdbc-data-source xmlns="http://xmlns.oracle.com/weblogic/jdbc-data-source" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/jdbc-data-source http://xmlns.oracle.com/weblogic/jdbc-data-source/1.2/jdbc-data-source.xsd">
  <name>PARA_MANG_DS</name>
  <jdbc-driver-params>
    <url>jdbc:oracle:thin:@(description=(ADDRESS_LIST =(ADDRESS = (PROTOCOL = TCP)(HOST = DBServer1)(PORT = 1521))(ADDRESS = (PROTOCOL = TCP)(HOST = DBServer2)(PORT = 1521))(load_balance=yes)(failover=yes))(connect_data=(service_name=bocicm)(instance_name=bocicm1)(instance_name=bocicm2)))</url>
    <driver-name>oracle.jdbc.xa.client.OracleXADataSource</driver-name>
    <properties>
      <property>
        <name>user</name>
        <value>appadmin</value>
      </property>
    </properties>
    <password-encrypted>{AES}qEnPROhlP75yK60Zu46b8ekijQCUWsoI5KSLOsoDdK0=</password-encrypted>
  </jdbc-driver-params>
  <jdbc-connection-pool-params>
    <test-table-name>SQL SELECT 1 FROM DUAL</test-table-name>
  </jdbc-connection-pool-params>
  <jdbc-data-source-params>
    <jndi-name>PARA_MANG_DS</jndi-name>
    <global-transactions-protocol>TwoPhaseCommit</global-transactions-protocol>
  </jdbc-data-source-params>
</jdbc-data-source>


就不上传shell深入了,不是不会哦...

修复方案:

小礼物小礼物.

版权声明:转载请注明来源 暴走@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2016-03-11 17:09

厂商回复:

非常感谢,小礼物准备中......

最新状态:

2016-03-16:已修复