
Vulnerability summary

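Bug ID: wooyun-2015-0159769

Title: Getshell on a platform of a certain city's Science and Technology Bureau

Vendor: CNCERT (National Internet Emergency Center)

Author: 朱元璋

Submitted: 2015-12-10 17:44

Fixed: 2016-01-25 18:01

Disclosed: 2016-01-25 18:01

Vulnerability type: system/service patches not applied in time

Severity: High

Self-assessed Rank: 15

Status: handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]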



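Vulnerability details

Disclosure status:

2015-12-10: Details reported to the vendor; awaiting vendor handling
2015-12-14: Vendor confirmed; details disclosed to the vendor only
2015-12-24: Details disclosed to core white hats and experts in related fields
2016-01-03: Details disclosed to regular white hats
2016-01-13: Details disclosed to intern white hats
2016-01-25: Details disclosed to the public

Brief description:

RT

Detailed description: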

0.png


The URL http://**.**.**.**/hhsi/allusermanager.action?action=inPlatintruduction has a command execution vulnerability

1.png


Getshell on the server directly

2.png

Proof of vulnerability:

net user

\\LENOVO-CNB6X70U ?????
-------------------------------------------------------------------------------
Administrator adminx ASPNET
Guest IUSR_LENOVO-CNB6X70U IWAM_LENOVO-CNB6X70U
SUPPORT_388945a0
???????


net  start
?????? Windows ??:
360 ??????????
Application Experience Lookup Service
Application Layer Gateway Service
COM+ Event System
Computer Browser
Cryptographic Services
DCOM Server Process Launcher
DHCP Client
DNS Client
Event Log
Logical Disk Manager
Network Connections
Network Location Awareness (NLA)
NT LM Security Support Provider
Plug and Play
Protected Storage
Remote Access Connection Manager
Remote Procedure Call (RPC)
Secondary Logon
Security Accounts Manager
Server
Shell Hardware Detection
SQL Server (MSSQLSERVER)
SQL Server Agent (MSSQLSERVER)
SQL Server Browser
SQL Server FullText Search (MSSQLSERVER)
System Event Notification
Task Scheduler
TCP/IP NetBIOS Helper
Telephony
Terminal Services
Windows Firewall/Internet Connection Sharing (ICS)
Windows Management Instrumentation
Wireless Configuration
Workstation
????
???????


netstat -ano


net view
????? ??
-------------------------------------------------------------------------------
\\BMWEB
\\DB
\\FFF-B12D30F08FC
\\HHTJ
\\HP
\\HP-48D3C5720D43
\\HPA3-07
\\JIABINFANGTAN
\\LENOVO-CNB6X70U
\\LENOVO-E17A58F7
\\MICROSOF-9E7086
\\PC-20141106XVNS
\\SVCTAG-94MG72X
\\WEB2
\\WENGUANGXINJU
\\WIN-6DD7LF36HS3
\\WIN-73HF7DLU0UJ
\\XP-201009241646
\\XP-201009241718
\\XPT
???????


net  share
??? ?? ??
-------------------------------------------------------------------------------
IPC$ ?? IPC
upload E:\upload
???????


ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : lenovo-cnb6x70u
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter ????:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection #2
Physical Address. . . . . . . . . : 00-E0-81-DD-00-88
Ethernet adapter ???? 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
Physical Address. . . . . . . . . : 00-E0-81-DD-00-87
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : **.**.**.**
Subnet Mask . . . . . . . . . . . : **.**.**.**
Default Gateway . . . . . . . . . : **.**.**.**
DNS Servers . . . . . . . . . . . : **.**.**.**
**.**.**.**


systeminfo
???: LENOVO-CNB6X70U
OS ??: Microsoft(R) Windows(R) Server 2003, Enterprise Edition
OS ??: 5.2.3790 Service Pack 2 Build 3790
OS ???: Microsoft Corporation
OS ??: ?????
OS ????: Multiprocessor Free
??????: lx
?????:
?? ID: 69813-640-7145452-45532
??????: 2012-12-8, 15:27:34
??????: 112 ? 3 ?? 38 ? 39 ?
?????: Lenovo
????: Lenovo WQ R520 G7
????: X86-based PC
???: ??? 4 ?????
[01]: x86 Family 6 Model 44 Stepping 2 GenuineIntel ~2133 Mhz
[02]: x86 Family 6 Model 44 Stepping 2 GenuineIntel ~2133 Mhz
[03]: x86 Family 6 Model 44 Stepping 2 GenuineIntel ~2133 Mhz
[04]: x86 Family 6 Model 44 Stepping 2 GenuineIntel ~2133 Mhz
BIOS ??: LENOVO - 20111129
Windows ??: C:\WINDOWS
????: C:\WINDOWS\system32
????: \Device\HarddiskVolume1
??????: zh-cn;??(??)
???????: zh-cn;??(??)
??: (GMT+08:00) ??????????????????
??????: 4,087 MB
???????: 2,214 MB
????: ???: 5,964 MB
????: ??: 3,396 MB
????: ???: 2,568 MB
??????: C:\pagefile.sys
?: WORKGROUP
?????: \\LENOVO-CNB6X70U
????: ??? 496 ??????
??: ??? 2 ? NIC?
[01]: Intel(R) 82574L Gigabit Network Connection
???: ???? 2
?? DHCP: ?
IP ??
[01]: **.**.**.**
[02]: Intel(R) 82574L Gigabit Network Connection
???: ????
??: ???????

Fix:

Strengthen security awareness

Copyright notice: when reposting, credit the source 朱元璋@乌云 (WooYun)


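Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2015-12-14 16:47

Vendor reply:

CNVD confirmed and reproduced the reported issue. It has been passed via CNCERT to the Hunan branch center, which will coordinate follow-up handling with the organization that manages the website.

Latest status:

None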

