当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0115299

漏洞标题:某市国土资源执法视频监控系统沦陷,内网危急.机密资料可能已外泄

相关厂商:cncert国家互联网应急中心

漏洞作者: 朱元璋

提交时间:2015-05-21 15:25

修复时间:2015-07-09 18:30

公开时间:2015-07-09 18:30

漏洞类型:命令执行

危害等级:高

自评Rank:19

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-05-21: 细节已通知厂商并且等待厂商处理中
2015-05-25: 厂商已经确认,细节仅向厂商公开
2015-06-04: 细节向核心白帽子及相关领域专家公开
2015-06-14: 细节向普通白帽子公开
2015-06-24: 细节向实习白帽子公开
2015-07-09: 细节向公众公开

简要描述:

传有马,自己杀

详细说明:

地址http://36.32.160.67:81/license!getExpireDateOfDays.action存在命令执行漏洞

0.png


直接进入内网看看

1.png

2.png

3.png


看下端口情况netstat -an

活动连接
  协议  本地地址          外部地址        状态
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:83             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:554            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:556            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:558            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2121           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4000           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4567           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5001           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6000           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6008           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6010           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6100           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6200           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6202           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6203           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6300           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6302           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6304           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6310           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6354           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6357           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6410           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6454           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6500           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6502           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6600           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6666           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6904           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7000           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7002           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7010           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7072           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7100           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7102           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7200           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7300           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7302           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7310           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8008           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8009           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8600           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:23400          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:38457          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49192          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49193          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:61616          0.0.0.0:0              LISTENING
  TCP    36.32.160.67:81        36.32.160.67:55641     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55642     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55643     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55644     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55645     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55646     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55647     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55648     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55649     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55650     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55651     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55652     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55653     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55654     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55655     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55656     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55657     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55658     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55659     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55660     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55661     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55662     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55663     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55664     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55665     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55666     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55667     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55668     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55669     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55670     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55671     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55672     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55673     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55674     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55675     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55676     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55677     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55678     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55679     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55680     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55681     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55682     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55683     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55684     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55685     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55686     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55687     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55688     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55689     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55690     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55691     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55692     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55693     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55694     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55695     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55696     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55697     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55698     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55699     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55700     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55701     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55702     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55703     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55704     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55705     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55706     TIME_WAIT
  TCP    36.32.160.67:81        36.32.160.67:55707     TIME_WAIT
  TCP    36.


net start

r
ÒѾ­Æô¶¯ÒÔÏ Windows ·þÎñ: 
   AlarmServer
   Apache Tomcat HIKCMS
   Application Experience
   Application Host Helper Service
   Application Management
   Base Filtering Engine
   cascade
   Certificate Propagation
   COM+ Event System
   Cryptographic Services
   DCOM Server Process Launcher
   DecodeServer
   Desktop Window Manager Session Manager
   DHCP Client
   Diagnostic Policy Service
   DNS Client
   Group Policy Client
   IKE and AuthIP IPsec Keying Modules
   IP Helper
   IPsec Policy Agent
   Mag Server
   media
   Microsoft FTP Service
   MonitorScreen
   MySQL
   Network Connections
   Network List Service
   Network Location Awareness
   Network Store Interface Service
   nms
   NvrVodServer
   PAG
   Plug and Play
   Power
   Print Spooler
   PTZProxyService
   RecordQueryService
   Remote Desktop Configuration
   Remote Desktop Services
   Remote Desktop Services UserMode Port Redirector
   Remote Procedure Call (RPC)
   RPC Endpoint Mapper
   Security Accounts Manager
   Server
   Shell Hardware Detection
   Software Protection
   SPP Notification Service
   System Event Notification Service
   Task Scheduler
   TCP/IP NetBIOS Helper
   User Profile Service
   VodServer
   VRB
   VRMServer
   VTDU
   Windows Event Log
   Windows Firewall
   Windows Management Instrumentation
   Windows Presentation Foundation Font Cache 3.0.0.0
   Windows Process Activation Service
   Windows Update
   Workstation
   World Wide Web Publishing Service
   Ö÷¶¯·ÀÓù
ÃüÁî³É¹¦Íê³É¡£
E:\zyrh\tomcat-6.0.35-4.0.43473\webapps\ROOT>


systeminfo

Ö÷»úÃû:           WIN-MLH3H2L94B6
OS Ãû³Æ:          Microsoft Windows Server 2008 R2 Enterprise 
OS °æ±¾:          6.1.7601 Service Pack 1 Build 7601
OS ÖÆÔìÉÌ:        Microsoft Corporation
OS ÅäÖÃ:          ¶ÀÁ¢·þÎñÆ÷
OS ¹¹¼þÀàÐÍ:      Multiprocessor Free
×¢²áµÄËùÓÐÈË:     Windows Óû§
×¢²áµÄ×éÖ¯:       
²úÆ· ID:          00486-001-0001076-84308
³õʼ°²×°ÈÕÆÚ:     2013/5/23, 17:02:26
ϵͳÆô¶¯Ê±¼ä:     2015/4/14, 9:29:23
ϵͳÖÆÔìÉÌ:       IBM
ϵͳÐͺÅ:         System x3620 M3 -[7376I28]-
ϵͳÀàÐÍ:         x64-based PC
´¦ÀíÆ÷:           °²×°ÁË 1 ¸ö´¦ÀíÆ÷¡£
                  [01]: Intel64 Family 6 Model 44 Stepping 2 GenuineIntel ~1580 Mhz
BIOS °æ±¾:        IBM Corp. -[HSE120BUS-1.09]-, 2012/2/3
Windows Ŀ¼:     C:\Windows
ϵͳĿ¼:         C:\Windows\system32
Æô¶¯É豸:         \Device\HarddiskVolume1
ϵͳÇøÓòÉèÖÃ:     zh-cn;ÖÐÎÄ(Öйú)
ÊäÈë·¨ÇøÓòÉèÖÃ:   zh-cn;ÖÐÎÄ(Öйú)
ʱÇø:             (UTC+08:00)±±¾©£¬ÖØÇ죬Ïã¸ÛÌرðÐÐÕþÇø£¬ÎÚ³ľÆë
ÎïÀíÄÚ´æ×ÜÁ¿:     16,373 MB
¿ÉÓõÄÎïÀíÄÚ´æ:   321 MB
ÐéÄâÄÚ´æ: ×î´óÖµ: 32,744 MB
ÐéÄâÄÚ´æ: ¿ÉÓÃ:   27,582 MB
ÐéÄâÄÚ´æ: ʹÓÃÖÐ: 5,162 MB
Ò³ÃæÎļþλÖÃ:     C:\pagefile.sys
Óò:               WORKGROUP
µÇ¼·þÎñÆ÷:       ÔÝȱ
ÐÞ²¹³ÌÐò:         °²×°ÁË 1 ¸öÐÞ²¹³ÌÐò¡£
                  [01]: KB976902
Íø¿¨:             °²×°ÁË 3 ¸ö NIC¡£
                  [01]: Intel(R) 82575EB Gigabit Network Connection
                      Á¬½ÓÃû:      ±¾µØÁ¬½Ó
                      ÆôÓÃ DHCP:   ·ñ
                      IP µØÖ·
                        [01]: 36.32.160.67
                        [02]: fe80::8931:bb0e:f543:9a8d
                  [02]: Intel(R) 82575EB Gigabit Network Connection
                      Á¬½ÓÃû:      ±¾µØÁ¬½Ó 2
                      ״̬:        ûÓÐÓ²¼þ
                  [03]: IBM USB Ô¶³Ì NDIS ÍøÂçÉ豸
                      Á¬½ÓÃû:      ±¾µØÁ¬½Ó 3
                      ״̬:        ûÓÐÓ²¼þ
E:\zyrh\tomcat-6.0.35-4.0.43473\webapps\ROOT>

漏洞证明:

系统情况已经清楚完了,再进一步探究内网,感觉没必要了,点到为止,只是测试.

修复方案:

版权声明:转载请注明来源 朱元璋@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-05-25 18:29

厂商回复:

CNVD确认并复现所述漏洞情况,已经转由CNCERT下发给安徽分中心,由安徽分中心后续协调网站管理单位处置。

最新状态:

暂无

漏洞评价:

评论