当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0163061

漏洞标题:国家电网某站命令执行之二

相关厂商:国家电网公司

漏洞作者: 路人甲

提交时间:2015-12-21 09:45

修复时间:2016-02-01 10:51

公开时间:2016-02-01 10:51

漏洞类型:系统/服务补丁不及时

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-12-21: 细节已通知厂商并且等待厂商处理中
2015-12-21: 厂商已经确认,细节仅向厂商公开
2015-12-31: 细节向核心白帽子及相关领域专家公开
2016-01-10: 细节向普通白帽子公开
2016-01-20: 细节向实习白帽子公开
2016-02-01: 细节向公众公开

简要描述:

rt

详细说明:

点到为止,那个shell丢了,有意思~,ps 我半夜找漏洞不易求高rank,这可以拿下内网的。看了开各种redis 什么memcached 呀

http://210.77.177.13:8000/sgcis/
ls
AdminServer
cisw6-1
cisw6-2
cisw6-3
cisw6-4
cisw6-ims
domain_bak
find -name web.xml
./cisw6-4/tmp/_WL_internal/bea_wls9_async_response/yzwasd/war/WEB-INF/web.xml
./cisw6-4/tmp/_WL_internal/bea_wls_deployment_internal/8hvydj/war/WEB-INF/web.xml
./cisw6-4/tmp/_WL_internal/uddiexplorer/ylpoel/war/WEB-INF/web.xml
./cisw6-4/tmp/_WL_internal/bea_wls_diagnostics/twylgj/war/WEB-INF/web.xml
./cisw6-4/tmp/_WL_internal/wls-wsat/lzzykz/war/WEB-INF/web.xml
./cisw6-4/tmp/_WL_internal/bea_wls_internal/y85b9p/war/WEB-INF/web.xml
./cisw6-4/tmp/_WL_internal/bea_wls_cluster_internal/52khlf/war/WEB-INF/web.xml
./cisw6-4/tmp/_WL_internal/uddi/snp3tf/war/WEB-INF/web.xml
./cisw6-1/tmp/_WL_internal/bea_wls9_async_response/bj384m/war/WEB-INF/web.xml
./cisw6-1/tmp/_WL_internal/bea_wls_deployment_internal/ln4yfe/war/WEB-INF/web.xml
./cisw6-1/tmp/_WL_internal/uddiexplorer/h753ii/war/WEB-INF/web.xml
./cisw6-1/tmp/_WL_internal/bea_wls_diagnostics/rrj78g/war/WEB-INF/web.xml
./cisw6-1/tmp/_WL_internal/wls-wsat/cq6rva/war/WEB-INF/web.xml
./cisw6-1/tmp/_WL_internal/bea_wls_internal/8z26x6/war/WEB-INF/web.xml
./cisw6-1/tmp/_WL_internal/bea_wls_cluster_internal/vk24oa/war/WEB-INF/web.xml
./cisw6-1/tmp/_WL_internal/uddi/wf993q/war/WEB-INF/web.xml
./cisw6-2/tmp/_WL_internal/bea_wls9_async_response/rnlyu3/war/WEB-INF/web.xml
./cisw6-2/tmp/_WL_internal/bea_wls_deployment_internal/u3cqwn/war/WEB-INF/web.xml
./cisw6-2/tmp/_WL_internal/uddiexplorer/mzzyh7/war/WEB-INF/web.xml
./cisw6-2/tmp/_WL_internal/bea_wls_diagnostics/f502zl/war/WEB-INF/web.xml
./cisw6-2/tmp/_WL_internal/wls-wsat/7uwujv/war/WEB-INF/web.xml
./cisw6-2/tmp/_WL_internal/bea_wls_internal/6aa4ad/war/WEB-INF/web.xml
./cisw6-2/tmp/_WL_internal/bea_wls_cluster_internal/s0842d/war/WEB-INF/web.xml
./cisw6-2/tmp/_WL_internal/uddi/7hp6ol/war/WEB-INF/web.xml
./cisw6-3/tmp/_WL_internal/bea_wls9_async_response/46sw6c/war/WEB-INF/web.xml
./cisw6-3/tmp/_WL_internal/bea_wls_deployment_internal/asqe9k/war/WEB-INF/web.xml
./cisw6-3/tmp/_WL_internal/uddiexplorer/ssutfw/war/WEB-INF/web.xml
./cisw6-3/tmp/_WL_internal/bea_wls_diagnostics/czkori/war/WEB-INF/web.xml
./cisw6-3/tmp/_WL_internal/wls-wsat/sg0gz0/war/WEB-INF/web.xml
./cisw6-3/tmp/_WL_internal/bea_wls_internal/ljmfhw/war/WEB-INF/web.xml
./cisw6-3/tmp/_WL_internal/bea_wls_cluster_internal/gjeatw/war/WEB-INF/web.xml
./cisw6-3/tmp/_WL_internal/uddi/hfuvqk/war/WEB-INF/web.xml
./cisw6-ims/tmp/_WL_internal/bea_wls9_async_response/24dpfc/war/WEB-INF/web.xml
./cisw6-ims/tmp/_WL_internal/bea_wls_deployment_internal/mj3o9g/war/WEB-INF/web.xml
./cisw6-ims/tmp/_WL_internal/uddiexplorer/dhbkbc/war/WEB-INF/web.xml
./cisw6-ims/tmp/_WL_internal/bea_wls_diagnostics/z11u2q/war/WEB-INF/web.xml
./cisw6-ims/tmp/_WL_internal/wls-wsat/epzu88/war/WEB-INF/web.xml
./cisw6-ims/tmp/_WL_internal/bea_wls_internal/e1ju3c/war/WEB-INF/web.xml
./cisw6-ims/tmp/_WL_internal/bea_wls_cluster_internal/ad7onc/war/WEB-INF/web.xml
./cisw6-ims/tmp/_WL_internal/uddi/no4r20/war/WEB-INF/web.xml
ifconfig
eth0 Link encap:Ethernet HWaddr 00:50:56:A9:4F:BF
inet addr:10.2.150.134 Bcast:10.2.150.191 Mask:255.255.255.192
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4048849086 errors:0 dropped:20 overruns:0 frame:0
TX packets:3822598125 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2119249195745 (1.9 TiB) TX bytes:1197123975404 (1.0 TiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:19720685 errors:0 dropped:0 overruns:0 frame:0
TX packets:19720685 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3937611985 (3.6 GiB) TX bytes:3937611985 (3.6 GiB)

ls
AdminServer
cisw6-1
cisw6-2
cisw6-3
cisw6-4
cisw6-ims
domain_bak
arp -a
? (10.2.150.130) at 00:50:56:A9:18:BF [ether] on eth0
? (10.2.150.169) at 00:01:D7:E0:4A:0B [ether] on eth0
? (10.2.150.139) at 00:50:56:A9:7F:6F [ether] on eth0
? (10.2.150.136) at 00:50:56:A9:4D:7A [ether] on eth0
? (10.2.150.140) at 00:50:56:A9:1E:8E [ether] on eth0
? (10.2.150.137) at 00:50:56:A9:6C:8B [ether] on eth0
? (10.2.150.132) at 00:50:56:A9:6C:B3 [ether] on eth0
? (10.2.150.143) at 00:15:1A:6E:36:2C [ether] on eth0
? (10.2.150.131) at 00:50:56:A9:55:9D [ether] on eth0
? (10.2.150.189) at 00:01:D7:E0:4A:0B [ether] on eth0
? (10.2.150.190) at 38:22:D6:9D:B5:70 [ether] on eth0
? (10.2.150.133) at 00:50:56:A9:3D:FD [ether] on eth0
? (10.2.150.138) at 00:50:56:A9:2B:C2 [ether] on eth0
? (10.2.150.135) at 00:50:56:A9:4A:6A [ether] on eth0
? (10.2.150.188) at 00:01:D7:E0:2B:0B [ether] on eth0
? (10.2.150.129) at 00:50:56:A9:4B:25 [ether] on eth0
uname -a
Linux CISW06 2.6.18-308.el5 #1 SMP Fri Jan 27 17:17:51 EST 2012 x86_64 x86_64 x86_64 GNU/Linux
++++++++++++++++++++++++++++++++++++++
find -name sgcis
./sgcis_domain/config/deployments/sgcis
./sgcis_domain/opt/bea/user_projects/domains/sgcis_domain/servers/cisw1-1/tmp/_WL_user/sgcis
./sgcis_domain/opt/bea/user_projects/domains/sgcis_domain/servers/cisw1-3/tmp/_WL_user/sgcis
./sgcis_domain/opt/bea/user_projects/domains/sgcis_domain/servers/cisw1-4/tmp/_WL_user/sgcis
./sgcis_domain/opt/bea/user_projects/domains/sgcis_domain/servers/cisw1-2/tmp/_WL_user/sgcis
./sgcis_domain/servers/cisw1-1/tmp/_WL_user/sgcis
./sgcis_domain/servers/cisw1-3/tmp/_WL_user/sgcis
./sgcis_domain/servers/cisw1-4/tmp/_WL_user/sgcis
./sgcis_domain/servers/cisw1-2/tmp/_WL_user/sgcis

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-12-21 11:23

厂商回复:

感谢提交

最新状态:

2015-12-31:感谢帮助,请联系厂商获取礼品。


漏洞评价:

评价

  1. 2015-12-31 14:29 | 国家电网公司(乌云厂商)

    感谢帮助,请联系厂商获取礼品。

  2. 2015-12-31 14:51 | 心云 ( 普通白帽子 | Rank:184 漏洞数:57 | Rank:200 漏洞数:55 | Rank:300 漏洞数:70 ...)

    @国家电网公司 厂商给力