
Vulnerability summary

Defect ID: wooyun-2015-0163716

Title: A sub-site of Haier subsidiary RRS (日日顺) has a Java deserialization vulnerability exposing millions of records (intranet pivot to 73 machines possible / nearly all systems affected)

Vendor: Haier Group (海尔集团)

Author: 路人甲

Submitted: 2015-12-22 23:14

Fixed: 2016-02-06 10:45

Published: 2016-02-06 10:45

Vulnerability type: command execution

Severity: high

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-12-22: Details sent to the vendor, awaiting vendor handling
2015-12-24: Vendor has confirmed; details disclosed to the vendor only
2016-01-03: Details disclosed to core white hats and relevant domain experts
2016-01-13: Details disclosed to regular white hats
2016-01-23: Details disclosed to intern white hats
2016-02-06: Details disclosed to the public

Brief description:

RRS (日日顺)

Detailed description:

http://27.223.70.33:7003/rrs/security/loginInit.action
has a Java deserialization vulnerability,
which gave a reverse shell directly.

[Screenshot: 1.jpg]


Let's look at the configuration (the domain config.xml of the WebLogic server):

<?xml version='1.0' encoding='UTF-8'?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd">
<name>base_domain</name>
<domain-version>10.3.6.0</domain-version>
<security-configuration>
<name>base_domain</name>
<realm>
<sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:default-identity-asserterType">
<sec:active-type>AuthenticatedUser</sec:active-type>
</sec:authentication-provider>
<sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
<sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
<sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
<sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
<sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
<sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
<sec:name>myrealm</sec:name>
<sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
<sec:name>SystemPasswordValidator</sec:name>
<pas:min-password-length>8</pas:min-password-length>
<pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
</sec:password-validator>
</realm>
<default-realm>myrealm</default-realm>
<credential-encrypted>{AES}vnP4/v2+QTzCHCq3aKp4hYWbpz719KHjLu7bi74B5zq9G+UqH6NpDD1jVw1ygwWMfQeGiIEUTEjY9wJKm6VGGsfK5adawjQqCJTIYb36+szO/Fz1n9UO024mpfHdyIj0</credential-encrypted>
<node-manager-username>sWAiVNQfUO</node-manager-username>
<node-manager-password-encrypted>{AES}mRKFKdf3X5FKaHtTjQVbUowc0tizbLMiJT3t9VxjeVQ=</node-manager-password-encrypted>
</security-configuration>
<server>
<name>Adminserver1</name>
<listen-address>10.135.108.127</listen-address>
</server>
<server>
<name>Mserver1</name>
<listen-port>7003</listen-port>
<cluster>cluster1</cluster>
<listen-address>10.135.108.127</listen-address>
<jta-migratable-target>
<name>Mserver1</name>
<user-preferred-server>Mserver1</user-preferred-server>
<cluster>cluster1</cluster>
</jta-migratable-target>
</server>
<server>
<name>Mserver2</name>
<listen-port>7003</listen-port>
<cluster>cluster1</cluster>
<listen-address>10.135.108.128</listen-address>
<jta-migratable-target>
<name>Mserver2</name>
<user-preferred-server>Mserver2</user-preferred-server>
<cluster>cluster1</cluster>
</jta-migratable-target>
</server>
<server>
<name>Proxy_server1</name>
<listen-port>8080</listen-port>
<listen-address>10.135.108.127</listen-address>
</server>
<cluster>
<name>cluster1</name>
<multicast-address>239.192.0.0</multicast-address>
<cluster-messaging-mode>multicast</cluster-messaging-mode>
</cluster>
<production-mode-enabled>true</production-mode-enabled>
<embedded-ldap>
<name>base_domain</name>
<credential-encrypted>{AES}5tlDvl1s6m4LmZQhdW5GBKekLeyI/nLJuTe6+g67ntI59lm8YMkrf2e4o5TE8Kr7</credential-encrypted>
</embedded-ldap>
<configuration-version>10.3.6.0</configuration-version>
<app-deployment>
<name>pr</name>
<target>Proxy_server1</target>
<module-type>war</module-type>
<source-path>rrs.war</source-path>
<security-dd-model>Advanced</security-dd-model>
</app-deployment>
<app-deployment>
<name>rrs</name>
<target>Mserver2,Mserver1</target>
<module-type>war</module-type>
<source-path>/weblogic/deploywar/rrs.war</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<migratable-target>
<name>Mserver1 (migratable)</name>
<notes>This is a system generated default migratable target for a server. Do not delete manually.</notes>
<user-preferred-server>Mserver1</user-preferred-server>
<cluster>cluster1</cluster>
</migratable-target>
<migratable-target>
<name>Mserver2 (migratable)</name>
<notes>This is a system generated default migratable target for a server. Do not delete manually.</notes>
<user-preferred-server>Mserver2</user-preferred-server>
<cluster>cluster1</cluster>
</migratable-target>
<admin-server-name>Adminserver1</admin-server-name>
<jdbc-system-resource>
<name>rrswlportal</name>
<target>cluster1</target>
<descriptor-file-name>jdbc/rrswlportal-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
</domain>
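As an added example (not part of the original report, and not Haier's or Oracle's code), here is a defender-side triage script that parses a WebLogic domain config.xml of the kind dumped above and inventories what its leak exposes: managed servers with their listen addresses and ports, deployed applications with their source paths, and every domain-key-encrypted secret that must be rotated. The embedded sample is constructed to mirror the page's structure with placeholder addresses and secrets.

```python
"""Added example: triage a leaked WebLogic config.xml (not code from the report)."""
import xml.etree.ElementTree as ET

NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}

# Constructed sample modelled on the dumped config; addresses and secrets are placeholders.
SAMPLE = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>base_domain</name>
  <domain-version>10.3.6.0</domain-version>
  <security-configuration>
    <credential-encrypted>{AES}PLACEHOLDER1</credential-encrypted>
    <node-manager-username>nmuser</node-manager-username>
    <node-manager-password-encrypted>{AES}PLACEHOLDER2</node-manager-password-encrypted>
  </security-configuration>
  <server><name>Adminserver1</name><listen-address>10.0.0.1</listen-address></server>
  <server><name>Mserver1</name><listen-port>7003</listen-port>
          <listen-address>10.0.0.1</listen-address></server>
  <production-mode-enabled>true</production-mode-enabled>
  <embedded-ldap><credential-encrypted>{AES}PLACEHOLDER3</credential-encrypted></embedded-ldap>
  <app-deployment><name>rrs</name><target>Mserver1</target>
          <source-path>/weblogic/deploywar/rrs.war</source-path></app-deployment>
</domain>"""


def _local(el):
    """Element tag without its namespace prefix."""
    return el.tag.rsplit("}", 1)[-1]


def _text(el, tag, default=""):
    """Text of a direct child in the domain namespace, or a default."""
    n = el.find("d:" + tag, NS)
    return n.text.strip() if n is not None and n.text else default


def triage(xml_text):
    """Return the exposure inventory a defender needs once config.xml has leaked."""
    root = ET.fromstring(xml_text)
    servers = [{"name": _text(s, "name"), "address": _text(s, "listen-address"),
                # WebLogic listens on 7001 when no listen-port is configured
                "port": _text(s, "listen-port", "7001")}
               for s in root.findall("d:server", NS)]
    apps = [{"name": _text(a, "name"), "target": _text(a, "target"),
             "path": _text(a, "source-path")}
            for a in root.findall("d:app-deployment", NS)]
    # {AES} values are encrypted with the domain key, not hashed: once config.xml is in
    # an attacker's hands they must be treated as disclosed, so each one gets rotated.
    secrets = [f"{_local(p)}/{_local(c)}" for p in root.iter() for c in p
               if c.tag.endswith("-encrypted") and (c.text or "").startswith("{AES}")]
    return {"version": _text(root, "domain-version"),
            "production_mode": _text(root, "production-mode-enabled") == "true",
            "servers": servers, "apps": apps, "secrets_to_rotate": secrets}
```

Running triage() on the real dump would also surface the admin server that has no listen-port set, which is the implicit default port.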


Found the web application directory:
/weblogic/deploywar/rrs.war
Got a shell:
http://27.223.70.33:7003/uddiexplorer/sss.jsp

[Screenshot: 3.jpg]


[Screenshot: 6.jpg]


[Screenshot: 5.jpg]


Probing the intranet (the probe returned 73 internal hosts with their web server banners):
http://27.223.70.33:7003/uddiexplorer/out.jsp

[Screenshot: 7.jpg]



Proof of vulnerability:

[Screenshot: 8.jpg]


[Screenshot: 10.jpg]


I won't list them all one by one.

Remediation:

Upgrade.

Copyright notice: please credit the source when reprinting: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: high

Vulnerability Rank: 15

Confirmed: 2015-12-24 09:08

Vendor reply:

Thanks to the white hat for the testing and the heads-up; staff have been assigned to handle it.

Latest status:

None yet

