Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0164891

Title: A Haier Group site has a command execution vulnerability (can lead to leakage of a large volume of order information / internal network penetration of 78 machines)

Vendor: Haier Group (海尔集团)

Author: 路人甲

Submitted: 2015-12-26 19:52

Fixed: 2016-02-09 23:29

Published: 2016-02-09 23:29

Vulnerability type: Command execution

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags: (none)

Bookmarked by 4 people


Vulnerability details

Disclosure status:

2015-12-26: Details sent to the vendor; awaiting vendor handling
2015-12-29: Vendor confirmed; details disclosed to the vendor only
2016-01-08: Details disclosed to core white hats and experts in the relevant field
2016-01-18: Details disclosed to regular white hats
2016-01-28: Details disclosed to intern white hats
2016-02-09: Details disclosed to the public

Brief description:

This time it is 78 machines; last time it was 73. Looks like new services have been added again~

Detailed description:

Haier Group
http://58.56.128.98:7003/
Command execution via Java deserialization
Arbitrary commands can be executed
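The report only says the host is vulnerable to command execution through Java deserialization and that the fix is to upgrade. The example below is an added illustration, not code from the report or from Haier, of the defence that stops this class of bug regardless of which library the gadget chain lives in: refusing any class that is not on an allowlist before the stream instantiates it. The OrderQuery class, the SafeDeserialization class and the allowlist contents are hypothetical; the vulnerable product itself is not named on the page, so nothing here is tied to a specific server.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

public class SafeDeserialization {

    // Hypothetical business object: the only type this endpoint should ever receive.
    public static final class OrderQuery implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String orderId;
        public OrderQuery(String orderId) { this.orderId = orderId; }
    }

    // Allowlist of class names permitted on the wire (assumed for this example).
    // Anything else is rejected before its bytes become an object, so a gadget
    // chain built from JDK or library classes never gets constructed.
    private static final Set<String> ALLOWED = Set.of(
            OrderQuery.class.getName(),
            "java.lang.String");

    // Look-ahead ObjectInputStream: resolveClass() runs when the class
    // descriptor is read, before any instance of that class exists. That is
    // the point at which an unexpected class can still be refused safely.
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(),
                        "class not in deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    public static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // The expected payload passes the filter.
        OrderQuery q = (OrderQuery) deserialize(serialize(new OrderQuery("ORD-0001")));
        System.out.println("accepted: " + q.orderId);

        // Any other class is rejected at descriptor time. A plain HashMap stands in
        // for an unexpected class here; no gadget chain is included in this example.
        try {
            deserialize(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On JDK 9 and later (and 8u121 and later) the same effect is available without subclassing through the built-in ObjectInputFilter (JEP 290), set per stream with setObjectInputFilter or process-wide with the jdk.serialFilter system property; the subclass above is shown because it works on any JDK version. Either way, the filter is a complement to the report's fix of upgrading the affected software, not a replacement for it.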

[screenshot: 1.jpg]

root privileges
Shell obtained
http://58.56.128.98:7003/uddiexplorer/33ss.jsp

[screenshot: 2.jpg]

First, connect to the database and take a look

[screenshot: 3.jpg]

Take a look at the order details

[screenshot: 4.jpg]

[screenshot: 5.jpg]

Probe the internal network
This time it is 78 machines; last time it was 73. Looks like new services have been added again~

[screenshot: 6.jpg]


http://10.135.108.94 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.95 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.93 >> 海尔微信公众号后台管理系统>>nginx/1.7.9 >>Success
http://10.135.108.107 >> Loading Portal...>>SAP J2EE Engine/7.00 >>Success
http://10.135.108.117 >> >>Apache/2.2.21 (Unix) >>Success
http://10.135.108.110 >> �����׼��Ϣ����ϵͳ>>Microsoft-IIS/6.0 >>Success
http://10.135.108.102 >> >>Apache/2.4.6 (Unix) OpenSSL/1.0.1c mod_jk/1.2.37 >>Success
http://10.135.108.35 >> >>Jetty(8.1.15.v20140411) >>Success
http://10.135.108.29 >> nginx>>nginx >>Success
http://10.135.108.37 >> >>Apache-Coyote/1.1 >>Success
http://10.135.108.38 >> >>Apache-Coyote/1.1 >>Success
http://10.135.108.40 >> 海尔B2B首页>>Apache-Coyote/1.1 >>Success
http://10.135.108.16 >> 海尔翻译管理平台>>Apache-Coyote/1.1 >>Success
http://10.135.108.64 >> Welcome to nginx!>>nginx/1.8.0 >>Success
http://10.135.108.65 >> Welcome to nginx!>>nginx/1.8.0 >>Success
http://10.135.108.21 >> >>Apache/2.2.22 (Win32) mod_jk/1.2.30 >>Success
http://10.135.108.135 >> >>unknow >>Success
http://10.135.108.158 >> Welcome to nginx!>>nginx/1.5.13 >>Success
http://10.135.108.159 >> >>nginx/1.2.7 >>Success
http://10.135.108.157 >> 移动办公平台 >>MAM Server 1.0 >>Success
http://10.135.108.160 >> HOPE>>nginx >>Success
http://10.135.108.49 >> 巨商汇_海尔店铺>>Apache-Coyote/1.1 >>Success
http://10.135.108.140 >> >>Microsoft-IIS/7.5 >>Success
http://10.135.108.22 >> IIS7>>Microsoft-IIS/7.0 >>Success
http://10.135.108.55 >> >>Microsoft-IIS/7.5 >>Success
http://10.135.108.132 >> 运行时错误>>Microsoft-IIS/7.0 >>Success
http://10.135.108.178 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.126 >> 云菜网云菜网>>null >>Success
http://10.135.108.12 >> >>Microsoft-IIS/7.5 >>Success
http://10.135.108.50 >> 巨商汇_海尔店铺>>Apache-Coyote/1.1 >>Success
http://10.135.108.162 >> 登录>>Apache-Coyote/1.1 >>Success
http://10.135.108.155 >> 海尔工业品商城>>Apache/2.4.6 (Unix) OpenSSL/1.0.1c mod_jk/1.2.37 >>Success
http://10.135.108.179 >> >>Microsoft-IIS/7.5 >>Success
http://10.135.108.36 >> >>Apache-Coyote/1.1 >>Success
http://10.135.108.198 >> SCRM应用平台导航页>>nginx/1.4.4 >>Success
http://10.135.108.197 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.200 >> 海尔互联网网站建设服务版块>>Apache-Coyote/1.1 >>Success
http://10.135.108.199 >> ��ӭʹ���Ű�����Ӧ�ð�ȫ���>>Apache Coyote/1.0 >>Success
http://10.135.108.204 >> Welcome to nginx!>>nginx/1.6.1 >>Success
http://10.135.108.208 >> Login>>Lotus-Domino >>Success
http://10.135.108.14 >> >>Apache/2.4.6 (Unix) OpenSSL/1.0.1g mod_jk/1.2.37 >>Success
http://10.135.108.13 >> >>Apache/2.4.6 (Unix) OpenSSL/1.0.1g mod_jk/1.2.37 >>Success
http://10.135.108.201 >> >>Microsoft-IIS/6.0 >>Success
http://10.135.108.146 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.81 >> >>Microsoft-IIS/7.5 >>Success
http://10.135.108.231 >> 海尔人才雷达:人才搜索>>Apache-Coyote/1.1 >>Success
http://10.135.108.232 >> 海客会-海尔·智慧社区生活服务平台>>null >>Success
http://10.135.108.215 >> >>Microsoft-IIS/6.0 >>Success
http://10.135.108.62 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.235 >> WebSphere Application Server Version V8.5 Liberty Profile200 OK>>nginx/1.6.1 >>Success
http://10.135.108.180 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.241 >> Loading Portal...>>SAP J2EE Engine/7.00 >>Success
http://10.135.108.221 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.20 >> IIS7>>Microsoft-IIS/7.0 >>Success
http://10.135.108.209 >> >>Microsoft-IIS/6.0 >>Success
http://10.135.108.206 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.249 >> Welcome to nginx!>>nginx >>Success
http://10.135.108.19 >> IIS7>>Microsoft-IIS/7.0 >>Success
http://10.135.108.250 >> Welcome to nginx!>>nginx >>Success
http://10.135.108.252 >> Welcome to nginx!>>nginx >>Success
http://10.135.108.18 >> IIS7>>Microsoft-IIS/7.0 >>Success
http://10.135.108.211 >> 海尔企业客户采购|海尔商用解决方案-海尔B2B智慧集成解决方案平台>>Apache-Coyote/1.1 >>Success
http://10.135.108.246 >> >>nginx/1.6.0 >>Success
http://10.135.108.17 >> IIS7>>Microsoft-IIS/7.0 >>Success
http://10.135.108.188 >> >>Microsoft-IIS/6.0 >>Success
http://10.135.108.87 >> haier>>Microsoft-IIS/6.0 >>Success
http://10.135.108.212 >> 海尔企业客户采购|海尔商用解决方案-海尔B2B智慧集成解决方案平台>>Apache/2.4.7 (Unix) PHP/5.3.27 >>Success
http://10.135.108.181 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.138 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.10 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.118 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.61 >> M-lab创客实验室beta版>>Microsoft-IIS/7.5 >>Success
http://10.135.108.90 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.11 >> 首页 - 海尔文化交互平台>>Microsoft-IIS/7.0 >>Success
http://10.135.108.133 >> 海尔二维码管理平台>>Microsoft-IIS/7.0 >>Success
http://10.135.108.169 >> >>Microsoft-IIS/7.5 >>Success
http://10.135.108.148 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.113 >> >>Microsoft-IIS/7.5 >>Success

Proof of vulnerability:

Connect to a few of them and take a look

[screenshot: 5.jpg]

[screenshot: 6.jpg]

Fix recommendation:

Upgrade

Copyright notice: when reposting, please credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed at: 2015-12-29 10:34

Vendor reply:

Thanks to the white hat for the testing and the heads-up; staff have been assigned to handle it.

Latest status:

None yet


Vulnerability comments:

Comments

  1. 2015-12-26 22:02 | 进击的zjx ( regular white hat | Rank:1465 vulnerabilities:179 | 1000 rank goal reached! Confetti…… )

    @Martial Martial the ace is on a rampage