The City Hotspot management back end has no permission check on direct file downloads: any file can be downloaded as long as the path is correct, the download runs with root privileges, and there are a variety of other insecure configurations.
1. The vulnerable file is /DrcomManager/download.jsp?Filepath=/etc/(close)&filename=passwd
This file can be used for downloads because no permissions are set on it.
Because it runs with the highest privileges, both passwd and shadow can be downloaded.
This is the password file of the official demo platform from a month ago. I don't know how to fix it now. Although the vulnerability is still present, shadow has no data; you should be officially familiar with this file.
2. The database connection pool address is left at its default. The address /DrcomManager/AdminP can be found on the Internet for several customers. The default address is unchanged, and the Oracle SID, username, password and SYS password are drcom.
It doesn't matter if the default password has been changed. Most of the Oracle versions are 10gR2. It is easy to find the path and then download the PWD + SID.ora file and crack it, or download Tomcat's proxoolconf.xml file, which contains the database password. For Tomcat, first check the version; a Baidu search then gives the default directory name. Generally, the path can be found at its default location.
3. The passwords stored in the database are encrypted in ASCII format. The rule is easy to find: the last character, a, is fixed. A script can be written to crack all of them. This is the database of a school.
4. This is a bit off-topic, but I still have to say that the Oracle version is 10gR2. On Windows, the TNS_AUTH_SESSKEY overflow vulnerability exists. My school runs Windows.
However, on Windows, you can modify the overflow length by using the shell instead of studying it.
If privilege escalation is needed, Oracle Java can be used for it. However, my school shows that rmjvm can be used before Java is installed: delete the SQL statement, restart the database, and then initjvm.sql can install Java and create Java functions to escalate privileges.
Solution:
1. Forcibly remind customers to change the database password.
2. Set permissions on the vulnerable file.
3. Change the encryption method.
4. We recommend that you update the Oracle version.
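
One way to implement solution 2 for the download.jsp issue in item 1, as an added Java example that is not the vendor's code: require a logged-in session and confirm that the canonical path of the requested file stays inside one download directory. The class name SafeDownload, the adminSession flag (standing in for the application's own session check) and the directory layout are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/** Added example: resolves a download request against one fixed directory. */
public class SafeDownload {
    // Assumption: downloads are only ever meant to come from this directory.
    private final Path baseDir;

    public SafeDownload(Path baseDir) throws IOException {
        this.baseDir = baseDir.toRealPath();   // canonical form, symlinks resolved
    }

    /** Returns the file to serve, or throws if the request must be refused. */
    public Path resolve(boolean adminSession, String filepath, String filename)
            throws IOException {
        if (!adminSession) {                   // hypothetical stand-in for a session check
            throw new SecurityException("login required");
        }
        if (filepath == null || filename == null || filename.isEmpty()
                || filename.contains("/") || filename.contains("\\")
                || filename.equals("..")) {
            throw new SecurityException("bad parameters");
        }
        // An absolute filepath such as /etc replaces baseDir in resolve();
        // the startsWith check on the canonical path below catches that too.
        Path real = baseDir.resolve(filepath).resolve(filename).toRealPath();
        if (!real.startsWith(baseDir) || !Files.isRegularFile(real)) {
            throw new SecurityException("outside download directory");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout in a temporary directory.
        Path base = Files.createTempDirectory("downloads");
        Files.createDirectories(base.resolve("reports"));
        Files.write(base.resolve("reports").resolve("a.txt"), "ok".getBytes());
        SafeDownload d = new SafeDownload(base);
        System.out.println("served: " + d.resolve(true, "reports", "a.txt"));
        String[][] bad = {{"/etc", "passwd"}, {"../../etc", "passwd"}, {"reports", "../x"}};
        for (String[] b : bad) {
            try {
                d.resolve(true, b[0], b[1]);
                System.out.println("SERVED (bug): " + b[0] + "/" + b[1]);
            } catch (SecurityException | IOException e) {
                System.out.println("rejected: " + b[0] + "/" + b[1]);
            }
        }
    }
}
```

Running the servlet container as an unprivileged account rather than root limits what such a handler can read even if a check is missed.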