当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2016-0187216
漏洞标题:
中国南方电网getshell到内网漫游
相关厂商:
中国南方电网
漏洞作者:
镱鍚
提交时间:
2016-03-21 11:52
修复时间:
2016-05-05 15:43
公开时间:
2016-05-05 15:43
漏洞类型:
服务弱口令
危害等级:
自评Rank:
20
漏洞状态:
厂商已经确认
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2016-03-21: 细节已通知厂商并且等待厂商处理中
2016-03-21: 厂商已经确认,细节仅向厂商公开
2016-03-31: 细节向核心白帽子及相关领域专家公开
2016-04-10: 细节向普通白帽子公开
2016-04-20: 细节向实习白帽子公开
2016-05-05: 细节向公众公开

简要描述:

RT

详细说明:

(PS:能给高rank吗??^_^)

http://116.55.241.7:9091/manager/html
tomcat弱口令:both  tomcat


1.png


简单部署,getshell

http://116.55.241.7:9091/job/index.jsp


2.png


简单看了下,发现是内网机器,权限还是多高的

3.png


4.png


5.png


然后就开始内网漫游啦,这里首先给厂商说下抱歉,不知道怎么的,搞的你们的站点有时都不能访问了,就只是简单探测了一下,不敢再深入了
内网开放的web服务:

http://10.180.201.163:8081 >> Welcome to JBoss™>>Apache-Coyote/1.1 >>Success
http://10.180.201.228:8080 >> 云南OMS接口>>Apache-Coyote/1.1 >>Success
http://10.180.201.229:8081 >> Apache Tomcat>>Apache-Coyote/1.1 >>Success
http://10.180.201.235:80 >> >>GoAhead-Webs >>Success
http://10.180.201.240:80 >> >>MoxaHttp/1.0 >>Success
http://10.180.201.241:80 >> Oracle HTTP Server Index>>Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.5f mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25 >>Success
http://10.180.201.243:80 >> Oracle HTTP Server Index>>Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.5f mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25 >>Success
http://10.180.201.242:80 >> 系统登录>>Apache-Coyote/1.1 >>Success
http://10.180.201.246:80 >> Oracle HTTP Server Index>>Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.5f mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25 >>Success
http://10.180.201.253:80 >> >>MoxaHttp/1.0 >>Success
http://10.180.201.245:8081 >> Apache Tomcat>>Apache-Coyote/1.1 >>Success


6.png


7.png


8.png


9.png


内网开放端口

10.180.201.161:135 >>> Open
10.180.201.161:3389 >>> Open
10.180.201.163:1521 >>> Open
10.180.201.170:3389 >>> Open
10.180.201.161:135 >>> Open
10.180.201.161:3389 >>> Open
10.180.201.163:1521 >>> Open
10.180.201.170:3389 >>> Open
10.180.201.225:135 >>> Open
10.180.201.225:3389 >>> Open
10.180.201.226:135 >>> Open
10.180.201.226:3389 >>> Open
10.180.201.228:135 >>> Open
10.180.201.228:3389 >>> Open
10.180.201.228:8080 >>> Open
10.180.201.229:135 >>> Open
10.180.201.229:3389 >>> Open
10.180.201.230:21 >>> Open
10.180.201.230:1521 >>> Open
10.180.201.231:21 >>> Open
10.180.201.231:1521 >>> Open
10.180.201.232:21 >>> Open
10.180.201.232:1521 >>> Open
10.180.201.233:21 >>> Open
10.180.201.233:1521 >>> Open
10.180.201.234:21 >>> Open
10.180.201.234:1521 >>> Open
10.180.201.235:80 >>> Open
10.180.201.235:443 >>> Open
10.180.201.238:135 >>> Open
10.180.201.238:3389 >>> Open
10.180.201.240:80 >>> Open
10.180.201.241:80 >>> Open
10.180.201.241:443 >>> Open
10.180.201.241:135 >>> Open
10.180.201.241:3389 >>> Open
10.180.201.242:80 >>> Open
10.180.201.242:135 >>> Open
10.180.201.242:3389 >>> Open
10.180.201.243:443 >>> Open
10.180.201.243:80 >>> Open
10.180.201.243:135 >>> Open
10.180.201.243:3389 >>> Open
10.180.201.244:135 >>> Open
10.180.201.244:3389 >>> Open
10.180.201.245:21 >>> Open
10.180.201.245:80 >>> Open
10.180.201.245:135 >>> Open
10.180.201.245:3389 >>> Open
10.180.201.246:80 >>> Open
10.180.201.246:135 >>> Open
10.180.201.246:443 >>> Open
10.180.201.246:1521 >>> Open
10.180.201.246:3389 >>> Open
10.180.201.247:21 >>> Open
10.180.201.247:135 >>> Open
10.180.201.247:3389 >>> Open
10.180.201.248:135 >>> Open
10.180.201.248:3389 >>> Open
10.180.201.249:135 >>> Open
10.180.201.249:443 >>> Open
10.180.201.249:1521 >>> Open
10.180.201.249:3389 >>> Open
10.180.201.250:1521 >>> Open
10.180.201.251:135 >>> Open
10.180.201.251:3389 >>> Open
10.180.201.252:21 >>> Open
10.180.201.253:80 >>> Open
10.180.201.250:21 >>> Open
10.180.201.225:135 >>> Open
10.180.201.225:3389 >>> Open
10.180.201.226:135 >>> Open
10.180.201.226:3389 >>> Open
10.180.201.228:135 >>> Open
10.180.201.228:3389 >>> Open
10.180.201.228:8080 >>> Open
10.180.201.229:135 >>> Open
10.180.201.229:3389 >>> Open
10.180.201.230:21 >>> Open
10.180.201.230:1521 >>> Open
10.180.201.231:21 >>> Open
10.180.201.231:1521 >>> Open
10.180.201.232:21 >>> Open
10.180.201.232:1521 >>> Open
10.180.201.233:21 >>> Open
10.180.201.233:1521 >>> Open
10.180.201.234:21 >>> Open
10.180.201.234:1521 >>> Open
10.180.201.235:80 >>> Open
10.180.201.235:443 >>> Open
10.180.201.238:135 >>> Open
10.180.201.238:3389 >>> Open
10.180.201.240:80 >>> Open
10.180.201.241:135 >>> Open
10.180.201.241:443 >>> Open
10.180.201.241:80 >>> Open
10.180.201.241:3389 >>> Open
10.180.201.242:80 >>> Open
10.180.201.242:135 >>> Open
10.180.201.242:3389 >>> Open
10.180.201.243:80 >>> Open
10.180.201.243:135 >>> Open
10.180.201.243:443 >>> Open
10.180.201.243:3389 >>> Open
10.180.201.244:135 >>> Open
10.180.201.244:3389 >>> Open
10.180.201.245:21 >>> Open
10.180.201.245:80 >>> Open
10.180.201.245:135 >>> Open
10.180.201.245:3389 >>> Open
10.180.201.246:80 >>> Open
10.180.201.246:135 >>> Open
10.180.201.246:443 >>> Open
10.180.201.246:1521 >>> Open
10.180.201.246:3389 >>> Open
10.180.201.247:21 >>> Open
10.180.201.247:135 >>> Open
10.180.201.247:3389 >>> Open
10.180.201.248:135 >>> Open
10.180.201.248:3389 >>> Open
10.180.201.249:135 >>> Open
10.180.201.249:443 >>> Open
10.180.201.249:1521 >>> Open
10.180.201.249:3389 >>> Open
10.180.201.250:21 >>> Open
10.180.201.250:1521 >>> Open
10.180.201.251:135 >>> Open
10.180.201.251:3389 >>> Open
10.180.201.252:21 >>> Open
10.180.201.253:80 >>> Open


就不继续了,危害还是多大的,望尽快修复^_^

漏洞证明:

(PS:能给高rank吗??^_^)

http://116.55.241.7:9091/manager/html
tomcat弱口令:both  tomcat


1.png


简单部署,getshell

http://116.55.241.7:9091/job/index.jsp


2.png


简单看了下,发现是内网机器,权限还是多高的

3.png


4.png


5.png


然后就开始内网漫游啦,这里首先给厂商说下抱歉,不知道怎么的,搞的你们的站点有时都不能访问了,就只是简单探测了一下,不敢再深入了
内网开放的web服务:

http://10.180.201.163:8081 >> Welcome to JBoss™>>Apache-Coyote/1.1 >>Success
http://10.180.201.228:8080 >> 云南OMS接口>>Apache-Coyote/1.1 >>Success
http://10.180.201.229:8081 >> Apache Tomcat>>Apache-Coyote/1.1 >>Success
http://10.180.201.235:80 >> >>GoAhead-Webs >>Success
http://10.180.201.240:80 >> >>MoxaHttp/1.0 >>Success
http://10.180.201.241:80 >> Oracle HTTP Server Index>>Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.5f mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25 >>Success
http://10.180.201.243:80 >> Oracle HTTP Server Index>>Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.5f mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25 >>Success
http://10.180.201.242:80 >> 系统登录>>Apache-Coyote/1.1 >>Success
http://10.180.201.246:80 >> Oracle HTTP Server Index>>Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.5f mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25 >>Success
http://10.180.201.253:80 >> >>MoxaHttp/1.0 >>Success
http://10.180.201.245:8081 >> Apache Tomcat>>Apache-Coyote/1.1 >>Success


6.png


7.png


8.png


9.png


内网开放端口

10.180.201.161:135 >>> Open
10.180.201.161:3389 >>> Open
10.180.201.163:1521 >>> Open
10.180.201.170:3389 >>> Open
10.180.201.161:135 >>> Open
10.180.201.161:3389 >>> Open
10.180.201.163:1521 >>> Open
10.180.201.170:3389 >>> Open
10.180.201.225:135 >>> Open
10.180.201.225:3389 >>> Open
10.180.201.226:135 >>> Open
10.180.201.226:3389 >>> Open
10.180.201.228:135 >>> Open
10.180.201.228:3389 >>> Open
10.180.201.228:8080 >>> Open
10.180.201.229:135 >>> Open
10.180.201.229:3389 >>> Open
10.180.201.230:21 >>> Open
10.180.201.230:1521 >>> Open
10.180.201.231:21 >>> Open
10.180.201.231:1521 >>> Open
10.180.201.232:21 >>> Open
10.180.201.232:1521 >>> Open
10.180.201.233:21 >>> Open
10.180.201.233:1521 >>> Open
10.180.201.234:21 >>> Open
10.180.201.234:1521 >>> Open
10.180.201.235:80 >>> Open
10.180.201.235:443 >>> Open
10.180.201.238:135 >>> Open
10.180.201.238:3389 >>> Open
10.180.201.240:80 >>> Open
10.180.201.241:80 >>> Open
10.180.201.241:443 >>> Open
10.180.201.241:135 >>> Open
10.180.201.241:3389 >>> Open
10.180.201.242:80 >>> Open
10.180.201.242:135 >>> Open
10.180.201.242:3389 >>> Open
10.180.201.243:443 >>> Open
10.180.201.243:80 >>> Open
10.180.201.243:135 >>> Open
10.180.201.243:3389 >>> Open
10.180.201.244:135 >>> Open
10.180.201.244:3389 >>> Open
10.180.201.245:21 >>> Open
10.180.201.245:80 >>> Open
10.180.201.245:135 >>> Open
10.180.201.245:3389 >>> Open
10.180.201.246:80 >>> Open
10.180.201.246:135 >>> Open
10.180.201.246:443 >>> Open
10.180.201.246:1521 >>> Open
10.180.201.246:3389 >>> Open
10.180.201.247:21 >>> Open
10.180.201.247:135 >>> Open
10.180.201.247:3389 >>> Open
10.180.201.248:135 >>> Open
10.180.201.248:3389 >>> Open
10.180.201.249:135 >>> Open
10.180.201.249:443 >>> Open
10.180.201.249:1521 >>> Open
10.180.201.249:3389 >>> Open
10.180.201.250:1521 >>> Open
10.180.201.251:135 >>> Open
10.180.201.251:3389 >>> Open
10.180.201.252:21 >>> Open
10.180.201.253:80 >>> Open
10.180.201.250:21 >>> Open
10.180.201.225:135 >>> Open
10.180.201.225:3389 >>> Open
10.180.201.226:135 >>> Open
10.180.201.226:3389 >>> Open
10.180.201.228:135 >>> Open
10.180.201.228:3389 >>> Open
10.180.201.228:8080 >>> Open
10.180.201.229:135 >>> Open
10.180.201.229:3389 >>> Open
10.180.201.230:21 >>> Open
10.180.201.230:1521 >>> Open
10.180.201.231:21 >>> Open
10.180.201.231:1521 >>> Open
10.180.201.232:21 >>> Open
10.180.201.232:1521 >>> Open
10.180.201.233:21 >>> Open
10.180.201.233:1521 >>> Open
10.180.201.234:21 >>> Open
10.180.201.234:1521 >>> Open
10.180.201.235:80 >>> Open
10.180.201.235:443 >>> Open
10.180.201.238:135 >>> Open
10.180.201.238:3389 >>> Open
10.180.201.240:80 >>> Open
10.180.201.241:135 >>> Open
10.180.201.241:443 >>> Open
10.180.201.241:80 >>> Open
10.180.201.241:3389 >>> Open
10.180.201.242:80 >>> Open
10.180.201.242:135 >>> Open
10.180.201.242:3389 >>> Open
10.180.201.243:80 >>> Open
10.180.201.243:135 >>> Open
10.180.201.243:443 >>> Open
10.180.201.243:3389 >>> Open
10.180.201.244:135 >>> Open
10.180.201.244:3389 >>> Open
10.180.201.245:21 >>> Open
10.180.201.245:80 >>> Open
10.180.201.245:135 >>> Open
10.180.201.245:3389 >>> Open
10.180.201.246:80 >>> Open
10.180.201.246:135 >>> Open
10.180.201.246:443 >>> Open
10.180.201.246:1521 >>> Open
10.180.201.246:3389 >>> Open
10.180.201.247:21 >>> Open
10.180.201.247:135 >>> Open
10.180.201.247:3389 >>> Open
10.180.201.248:135 >>> Open
10.180.201.248:3389 >>> Open
10.180.201.249:135 >>> Open
10.180.201.249:443 >>> Open
10.180.201.249:1521 >>> Open
10.180.201.249:3389 >>> Open
10.180.201.250:21 >>> Open
10.180.201.250:1521 >>> Open
10.180.201.251:135 >>> Open
10.180.201.251:3389 >>> Open
10.180.201.252:21 >>> Open
10.180.201.253:80 >>> Open


就不继续了,危害还是多大的,望尽快修复^_^

修复方案:

..

版权声明:转载请注明来源 镱鍚@乌云

>

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2016-03-21 15:43

厂商回复:

感谢关注。

最新状态:

暂无