2015-11-10: Details reported to the vendor, awaiting vendor handling
2015-11-20: Vendor confirmed; details disclosed to the vendor only
2015-11-30: Details disclosed to core white hats and experts in the relevant field
2015-12-10: Details disclosed to ordinary white hats
2015-12-20: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public
As in the title.
System introduction page: http://**.**.**.**/lzzx/zwdt/201503/t20150325_79612.htm
The address **.**.**.**:8080/mgslw/qunzhongpage.action has a command execution vulnerability.
Uploaded a trojan straight to the server; I did not touch the data.
[*] Disk list [ C:D:E:F:G: ]

C:\Program Files\Apache Software Foundation\Tomcat 6.0\webapps\mgslw\mgslw\> net user

User accounts for \\
-------------------------------------------------------------------------------
Administrator            Guest                    IUSR_NX-LWDXPT007
IWAM_NX-LWDXPT007        SUPPORT_388945a0
The command completed with one or more errors.
The system cannot find the path specified.

C:\Program Files\Apache Software Foundation\Tomcat 6.0\> net share

Share name   Resource                        Remark
-------------------------------------------------------------------------------
F$           F:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\WINDOWS                      Remote Admin
D$           D:\                             Default share
E$           E:\                             Default share
C$           C:\                             Default share
The command completed successfully.

C:\Program Files\Apache Software Foundation\Tomcat 6.0\> net view
System error 6118 has occurred.
The list of servers for this workgroup is not currently available.

C:\Program Files\Apache Software Foundation\Tomcat 6.0\> netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    **.**.**.**:7          **.**.**.**:0          LISTENING       1692
  TCP    **.**.**.**:9          **.**.**.**:0          LISTENING       1692
  TCP    **.**.**.**:13         **.**.**.**:0          LISTENING       1692
  TCP    **.**.**.**:17         **.**.**.**:0          LISTENING       1692
  TCP    **.**.**.**:19         **.**.**.**:0          LISTENING       1692
  TCP    **.**.**.**:42         **.**.**.**:0          LISTENING       1808
  TCP    **.**.**.**:53         **.**.**.**:0          LISTENING       1152
  TCP    **.**.**.**:80         **.**.**.**:0          LISTENING       4
  TCP    **.**.**.**:135        **.**.**.**:0          LISTENING       652
  TCP    **.**.**.**:445        **.**.**.**:0          LISTENING       4
  TCP    **.**.**.**:1029       **.**.**.**:0          LISTENING       1152
  TCP    **.**.**.**:1030       **.**.**.**:0          LISTENING       420
  TCP    **.**.**.**:1069       **.**.**.**:0          LISTENING       1808
  TCP    **.**.**.**:1070       **.**.**.**:0          LISTENING       1692
  TCP    **.**.**.**:1433       **.**.**.**:0          LISTENING       1436
  TCP    **.**.**.**:3112       **.**.**.**:0          LISTENING       1436
  TCP    **.**.**.**:3389       **.**.**.**:0          LISTENING       2440
  TCP    **.**.**.**:8009       **.**.**.**:0          LISTENING       1732
  TCP    **.**.**.**:8080       **.**.**.**:0          LISTENING       1732
  TCP    **.**.**.**:1031       **.**.**.**:1433       ESTABLISHED     1732
  TCP    **.**.**.**:1032       **.**.**.**:1433       ESTABLISHED     1732
  TCP    **.**.**.**:1033       **.**.**.**:1433       ESTABLISHED     1732
  TCP    **.**.**.**:1042       **.**.**.**:1433       ESTABLISHED     1732
  TCP    **.**.**.**:1043       **.**.**.**:1433       ESTABLISHED     1732
  TCP    **.**.**.**:1044       **.**.**.**:1433       ESTABLISHED     1732
  TCP    **.**.**.**:1052       **.**.**.**:1433       ESTABLISHED     1732
  TCP    **.**.**.**:1053       **.**.**.**:1433       ESTABLISHED     1732
  TCP    **.**.**.**:1054       **.**.**.**:1433       ESTABLISHED     1732
  TCP    **.**.**.**:1061       **.**.**.**:1433       ESTABLISHED     1732
  TCP    **.**.**.**:1062       **.**.**.**:1433       ESTABLISHED     1732
  TCP    **.**.**.**:1071       **.**.**.**:0          LISTENING       2576
  TCP    **.**.**.**:1433       **.**.**.**:1031       ESTABLISHED     1436
  TCP    **.**.**.**:1433       **.**.**.**:1032       ESTABLISHED     1436
  TCP    **.**.**.**:1433       **.**.**.**:1033       ESTABLISHED     1436
  TCP    **.**.**.**:1433       **.**.**.**:1042       ESTABLISHED     1436
  TCP    **.**.**.**:1433       **.**.**.**:1043       ESTABLISHED     1436
  TCP    **.**.**.**:1433       **.**.**.**:1044       ESTABLISHED     1436
  TCP    **.**.**.**:1433       **.**.**.**:1052       ESTABLISHED     1436
  TCP    **.**.**.**:1433       **.**.**.**:1053       ESTABLISHED     1436
  TCP    **.**.**.**:1433       **.**.**.**:1054       ESTABLISHED     1436
  TCP    **.**.**.**:1433       **.**.**.**:1061       ESTABLISHED     1436
  TCP    **.**.**.**:1433       **.**.**.**:1062       ESTABLISHED     1436
  TCP    **.**.**.**:5152       **.**.**.**:0          LISTENING       1320
  TCP    **.**.**.**:8005       **.**.**.**:0          LISTENING       1732
  TCP    **.**.**.**:139        **.**.**.**:0          LISTENING       4
  TCP    **.**.**.**:1156       **.**.**.**:80         CLOSE_WAIT      1392
  TCP    **.**.**.**:8080       **.**.**.**:32962      FIN_WAIT_2      1732
  TCP    **.**.**.**:8080       **.**.**.**:32969      ESTABLISHED     1732
  UDP    **.**.**.**:7          *:*                                    1692
  UDP    **.**.**.**:9          *:*                                    1692
  UDP    **.**.**.**:13         *:*                                    1692
  UDP    **.**.**.**:17         *:*                                    1692
  UDP    **.**.**.**:19         *:*                                    1692
  UDP    **.**.**.**:42         *:*                                    1808
  UDP    **.**.**.**:445        *:*                                    4
  UDP    **.**.**.**:1028       *:*                                    1152
  UDP    **.**.**.**:1645       *:*                                    704
  UDP    **.**.**.**:1646       *:*                                    704
  UDP    **.**.**.**:1812       *:*                                    704
  UDP    **.**.**.**:1813       *:*                                    704
  UDP    **.**.**.**:53         *:*                                    1152
  UDP    **.**.**.**:123        *:*                                    792
  UDP    **.**.**.**:1025       *:*                                    704
  UDP    **.**.**.**:1026       *:*                                    704
  UDP    **.**.**.**:1027       *:*                                    1152
  UDP    **.**.**.**:1068       *:*                                    1808
  UDP    **.**.**.**:10000      *:*                                    1180
  UDP    **.**.**.**:53         *:*                                    1152
  UDP    **.**.**.**:67         *:*                                    1692
  UDP    **.**.**.**:68         *:*                                    1692
  UDP    **.**.**.**:123        *:*                                    792
  UDP    **.**.**.**:137        *:*                                    4
  UDP    **.**.**.**:138        *:*                                    4
  UDP    **.**.**.**:2535       *:*                                    1692

C:\Program Files\Apache Software Foundation\Tomcat 6.0\> tasklist /svc

Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       288 N/A
csrss.exe                      336 N/A
winlogon.exe                   360 N/A
services.exe                   408 Eventlog, PlugPlay
lsass.exe                      420 HTTPFilter, NtLmSsp, ProtectedStorage, SamS
svchost.exe                    592 DcomLaunch
svchost.exe                    652 RpcSs
svchost.exe                    704 AeLookupSvc, AudioSrv, CryptSvc, dmserver,
                                   EventSystem, HidServ, IAS, lanmanserver,
                                   lanmanworkstation, Netman, Nla, RasMan,
                                   Schedule, seclogon, SENS, SharedAccess,
                                   ShellHWDetection, Themes, winmgmt, wuauserv,
                                   WZCSVC
svchost.exe                    756 Dhcp, Dnscache
svchost.exe                    792 LmHosts, W32Time
ZhuDongFangYu.exe              812 ZhuDongFangYu
spoolsv.exe                    976 Spooler
msdtc.exe                     1000 MSDTC
dns.exe                       1152 DNS
FireSvc.exe                   1180 FireSvc
inetinfo.exe                  1288 IISADMIN
jqs.exe                       1320 JavaQuickStarterService
FrameworkService.exe          1392 McAfeeFramework
sqlservr.exe                  1436 MSSQL$SQLEXPRESS
naPrdMgr.exe                  1468 N/A
tcpsvcs.exe                   1692 DHCPServer, SimpTcp
sqlwriter.exe                 1716 SQLWriter
tomcat6.exe                   1732 Tomcat6
wins.exe                      1808 WINS
svchost.exe                   1896 W3SVC
svchost.exe                   2440 TermService
alg.exe                       2576 ALG
svchost.exe                   2772 TapiSrv
wmiprvse.exe                  2920 N/A
logon.scr                     3092 N/A
cmd.exe                       2736 N/A
tasklist.exe                  3588 N/A
wmiprvse.exe                  3556 N/A

C:\Program Files\Apache Software Foundation\Tomcat 6.0\> net start
These Windows services are started:

   Apache Tomcat 6
   Application Experience Lookup Service
   Application Layer Gateway Service
   COM+ Event System
   Cryptographic Services
   DCOM Server Process Launcher
   DHCP Client
   DHCP Server
   Distributed Transaction Coordinator
   DNS Client
   DNS Server
   Event Log
   HID Input Service
   HTTP SSL
   IIS Admin Service
   Internet Authentication Service
   Java Quick Starter
   Logical Disk Manager
   McAfee Desktop Firewall Service
   McAfee Framework Service
   Network Connections
   Network Location Awareness (NLA)
   NT LM Security Support Provider
   Plug and Play
   Print Spooler
   Protected Storage
   Remote Access Connection Manager
   Remote Procedure Call (RPC)
   Secondary Logon
   Security Accounts Manager
   Server
   Shell Hardware Detection
   Simple TCP/IP Services
   SQL Server (SQLEXPRESS)
   SQL Server VSS Writer
   System Event Notification
   Task Scheduler
   TCP/IP NetBIOS Helper
   Telephony
   Terminal Services
   Themes
   Windows Audio
   Windows Firewall/Internet Connection Sharing (ICS)
   Windows Internet Name Service (WINS)
   Windows Management Instrumentation
   Windows Time
   Wireless Configuration
   Workstation
   World Wide Web Publishing Service
   主动防御 (Active Defense)
   自动更新 (Automatic Updates)

The command completed successfully.

C:\Program Files\Apache Software Foundation\Tomcat 6.0\> ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : nx-lwdxpt007
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter 本地连接 (Local Area Connection):

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : D4-AE-52-BC-DA-1E
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : **.**.**.**
   Subnet Mask . . . . . . . . . . . : **.**.**.**
   Default Gateway . . . . . . . . . : **.**.**.**

C:\Program Files\Apache Software Foundation\Tomcat 6.0\> systeminfo

Host Name:                 NX-LWDXPT007
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          lw-zf-t
Registered Organization:   nx-lw-zf-t
Product ID:                69819-640-5729676-45468
Original Install Date:     2012-11-30, 10:09:57
System Up Time:            13 Days, 16 Hours, 14 Mins, 47 Secs
System Manufacturer:       Dell Inc.
System Model:              PowerEdge T110 II
System Type:               X86-based PC
Processor(s):              4 Processor(s) Installed.
                           [01]: x86 Family 6 Model 42 Stepping 7 GenuineIntel ~3093 Mhz
                           [02]: x86 Family 6 Model 42 Stepping 7 GenuineIntel ~3092 Mhz
                           [03]: x86 Family 6 Model 42 Stepping 7 GenuineIntel ~3092 Mhz
                           [04]: x86 Family 6 Model 42 Stepping 7 GenuineIntel ~3093 Mhz
BIOS Version:              DELL   - 1
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             zh-cn;Chinese (China)
Input Locale:              N/A
Time Zone:                 (GMT+08:00) Beijing, Chongqing, Hong Kong SAR, Urumqi
Total Physical Memory:     2,038 MB
Available Physical Memory: 1,564 MB
Page File: Max Size:       3,936 MB
Page File: Available:      3,523 MB
Page File: In Use:         413 MB
Page File Location:        C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 255 Hotfix(s) Installed.
                           [01] through [132]: File 1   (132 identical entries)
                           [133]: Q147222
                           [134]: KB2604078 - QFE        [135]: KB2656358 - QFE        [136]: KB2656376-v2 - QFE
                           [137]: KB2698032 - QFE        [138]: KB933854 - QFE         [139]: KB979907 - QFE
                           [140]: KB975558_WM8           [141]: KB925398_WMP64
                           [142]: KB2564958 - Update     [143]: KB2115168 - Update     [144]: KB2229593 - Update
                           [145]: KB2296011 - Update     [146]: KB2347290 - Update     [147]: KB2360937 - Update
                           [148]: KB2378111 - Update     [149]: KB2387149 - Update     [150]: KB2419635 - Update
                           [151]: KB2423089 - Update     [152]: KB2440591 - Update     [153]: KB2443105 - Update
                           [154]: KB2476490 - Update     [155]: KB2478960 - Update     [156]: KB2478971 - Update
                           [157]: KB2483185 - Update     [158]: KB2485663 - Update     [159]: KB2506212 - Update
                           [160]: KB2507618 - Update     [161]: KB2507938 - Update     [162]: KB2508429 - Update
                           [163]: KB2509553 - Update     [164]: KB2510587 - Update     [165]: KB2535512 - Update
                           [166]: KB2536276-v2 - Update  [167]: KB2544521 - Update     [168]: KB2544893-v2 - Update
                           [169]: KB2566454 - Update     [170]: KB2570947 - Update     [171]: KB2584146 - Update
                           [172]: KB2598479 - Update     [173]: KB2603381 - Update     [174]: KB2604078 - Update
                           [175]: KB2620712 - Update     [176]: KB2624667 - Update     [177]: KB2631813 - Update
                           [178]: KB2638806 - Update     [179]: KB2641690-v2 - Update  [180]: KB2644615 - Update
                           [181]: KB2646524 - Update     [182]: KB2653956 - Update     [183]: KB2655992 - Update
                           [184]: KB2656358 - Update     [185]: KB2656376-v2 - Update  [186]: KB2659262 - Update
                           [187]: KB2676562 - Update     [188]: KB2685939 - Update     [189]: KB2691442 - Update
                           [190]: KB2698032 - Update     [191]: KB2698365 - Update     [192]: KB2705219-v2 - Update
                           [193]: KB2712808 - Update     [194]: KB2718704 - Update     [195]: KB2719985 - Update
                           [196]: KB2724197 - Update     [197]: KB2727528 - Update     [198]: KB2736233 - Update
                           [199]: KB2744842 - Update     [200]: KB2761226 - Update     [201]: KB923561 - Update
                           [202]: KB924667-v2 - Update   [203]: KB932716-v2 - Update   [204]: KB939653 - Update
                           [205]: KB944653 - Update      [206]: KB946026 - Update      [207]: KB948496 - Update
                           [208]: KB950224-v3 - Update   [209]: KB950762 - Update      [210]: KB950974 - Update
                           [211]: KB951748 - Update      [212]: KB952004 - Update      [213]: KB952954 - Update
                           [214]: KB954155 - Update      [215]: KB956802 - Update      [216]: KB956844 - Update
                           [217]: KB958752 - Update      [218]: KB959426 - Update      [219]: KB960803 - Update
                           [220]: KB960859 - Update      [221]: KB967715 - Update      [222]: KB969059 - Update
                           [223]: KB971029 - Update      [2   (hotfix list cut off here in the report)
Network Card(s):           1 NIC(s) Installed.
                           [01]: Broadcom NetXtreme Gigabit Ethernet
                                 Connection Name: 本地连接 (Local Area Connection)
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: **.**.**.**

C:\Program Files\Apache Software Foundation\Tomcat 6.0\>
Raise security awareness.
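The recon output above already contains the blast-radius picture a responder needs: the Tomcat service process (PID 1732) owns the 8080/8009 listeners and a block of connections to SQL Server on 1433, and the same host exposes RDP (3389), SMB (445/139), RPC (135), DNS, WINS, DHCP and the Simple TCP/IP services. The script below is an added example, not part of the original report: it joins `netstat -ano` with `tasklist /svc` on PID so that every network-reachable listener is attributed to its service, and every process that initiated an outbound connection is listed, which shows at a glance what code running inside the web application inherits. The sample output is constructed for the example; ports, PIDs, image and service names follow the report, while the addresses (10.0.0.7, 10.0.0.99) are placeholders because the report masks them.

```python
"""Correlate `netstat -ano` with `tasklist /svc` to map every network-reachable
listener to the process and service that owns it, and to show which processes
hold outbound (self-initiated) connections.

The samples below are constructed for this example: ports, PIDs, image names
and service names follow the report, addresses are placeholders."""
import re
from collections import defaultdict

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       652
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1436
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       2440
  TCP    0.0.0.0:8009           0.0.0.0:0              LISTENING       1732
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1732
  TCP    127.0.0.1:8005         0.0.0.0:0              LISTENING       1732
  TCP    10.0.0.7:1031          10.0.0.7:1433          ESTABLISHED     1732
  TCP    10.0.0.7:1032          10.0.0.7:1433          ESTABLISHED     1732
  TCP    10.0.0.7:8080          10.0.0.99:32969        ESTABLISHED     1732
  UDP    0.0.0.0:53             *:*                                    1152
  UDP    0.0.0.0:445            *:*                                    4
"""

TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    652 RpcSs
dns.exe                       1152 DNS
sqlservr.exe                  1436 MSSQL$SQLEXPRESS
tomcat6.exe                   1732 Tomcat6
svchost.exe                   2440 TermService
"""

# Loopback-only bindings (e.g. Tomcat's 8005 shutdown port) are not reachable
# from the network and are left out of the exposure list.
LOOPBACK_PREFIXES = ("127.", "::1")
# Empty service column: "N/A" in the English locale, "暂缺" in the Chinese
# locale the report's host was running.
NO_SERVICE = {"N/A", "暂缺"}

# State is optional because UDP rows have no state column.
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
# Image names containing spaces ("System Idle Process") do not match and are skipped;
# header lines never match because the PID column must be numeric.
TASKLIST_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(.+?)\s*$")


def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) tuples; state is '' for UDP."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append((proto, local, foreign, state or "", int(pid)))
    return rows


def parse_tasklist(text):
    """Map PID -> (image name, [service names])."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line)
        if m:
            image, pid, services = m.groups()
            names = [] if services in NO_SERVICE else [s.strip() for s in services.split(",")]
            procs[int(pid)] = (image, names)
    return procs


def exposure_report(netstat_text, tasklist_text):
    """Join both outputs on PID.

    listeners: "PROTO/port" -> (image, services) for sockets bound to a non-loopback address.
    outbound:  pid -> sorted peers of ESTABLISHED sockets whose local port is not one the
               process listens on, i.e. connections the process itself initiated.
    """
    rows = parse_netstat(netstat_text)
    procs = parse_tasklist(tasklist_text)
    listen_keys = {(pid, local.rpartition(":")[2]) for _, local, _, state, pid in rows if state == "LISTENING"}
    listeners, outbound = {}, defaultdict(set)
    for proto, local, foreign, state, pid in rows:
        host, _, port = local.rpartition(":")
        if state == "LISTENING" or (proto == "UDP" and foreign == "*:*"):
            if not host.startswith(LOOPBACK_PREFIXES):
                listeners[f"{proto}/{port}"] = procs.get(pid, ("<unknown>", []))
        elif state == "ESTABLISHED" and (pid, port) not in listen_keys:
            outbound[pid].add(foreign)
    return {"listeners": listeners, "outbound": {pid: sorted(p) for pid, p in outbound.items()}}


if __name__ == "__main__":
    procs = parse_tasklist(TASKLIST_SAMPLE)
    report = exposure_report(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    print("Network-reachable listeners and the service behind each:")
    for key, (image, services) in sorted(report["listeners"].items()):
        print(f"  {key:<10} {image:<14} {', '.join(services) or '-'}")
    print("Processes that initiated connections (what a webshell inside them inherits):")
    for pid, peers in report["outbound"].items():
        print(f"  pid {pid} ({procs[pid][0]}) -> {', '.join(peers)}")
```

To use it on a real host, save `netstat -ano` and `tasklist /svc` to files and pass their contents to `exposure_report`. The parser keys on data rows only, so the localized column headers of a Chinese-locale Windows install do not matter, and the `暂缺` placeholder is treated the same as `N/A`. On the report's host the result shows the web server process as the owner of both the externally reachable HTTP/AJP listeners and the live SQL Server sessions, which is why command execution in the web application is equivalent to database access.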
Hazard level: High
Vulnerability Rank: 12
Confirmation time: 2015-11-20 17:51
CNVD confirmed and reproduced the described situation; the case has been passed to CNCERT for dispatch to the Ningxia branch center, which will coordinate handling with the website's managing unit.
None yet.