
Vulnerability Summary

Defect ID: wooyun-2015-0165002

Title: A State Grid Corporation site has a command execution vulnerability (getshell is possible; can affect a dozen or more internal network machines)

Vendor: State Grid Corporation of China (国家电网公司)

Author: 路人甲

Submitted: 2015-12-26 21:33

Fixed: 2016-02-09 23:29

Published: 2016-02-09 23:29

Vulnerability type: command execution

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2015-12-26: Details reported to the vendor; awaiting vendor handling
2015-12-27: Vendor confirmed; details disclosed to the vendor only
2016-01-06: Details disclosed to core white hats and domain experts
2016-01-16: Details disclosed to regular white hats
2016-01-26: Details disclosed to intern white hats
2016-02-09: Details disclosed to the public

Brief description:

State Grid, round two

Detailed description:

State Grid Corporation of China
http://111.203.3.94
This host has a WebLogic deserialization vulnerability that allows arbitrary command execution, and the server runs with root privileges.

1.jpg


Take a look at the internal network:

3.jpg


Shell obtained successfully:
http://111.203.3.94/uddiexplorer/33ss.jsp

5.jpg


Probing the internal network:
http://111.203.3.94/uddiexplorer/out.jsp
First, the 172.16.1.X segment:

2.jpg


172.16.2.X

3.jpg


172.16.3.X

4.jpg
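As an added defender-side example (not part of the original report or of WebLogic), the following Python scans a WebLogic HTTP access log for JSPs under the uddiexplorer application that are not on an allow-list, which is how the dropped 33ss.jsp and out.jsp described above would surface. The log lines and the allow-list are constructed for illustration; build a real allow-list from a clean install, not from the suspect server.

```python
import re
from collections import defaultdict

# Constructed sample of access-log lines in Apache "common" layout (WebLogic's
# HTTP access log can be configured to emit this). Paths mirror the report:
# 33ss.jsp and out.jsp were dropped into the uddiexplorer application.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Dec/2015:20:58:01 +0800] "GET /uddiexplorer/SearchPublicRegistries.jsp HTTP/1.1" 200 5120
203.0.113.7 - - [26/Dec/2015:21:01:14 +0800] "POST /uddiexplorer/33ss.jsp HTTP/1.1" 200 311
203.0.113.7 - - [26/Dec/2015:21:05:40 +0800] "GET /uddiexplorer/out.jsp HTTP/1.1" 200 9870
198.51.100.9 - - [26/Dec/2015:21:07:02 +0800] "GET /uddiexplorer/index.jsp HTTP/1.1" 200 2210
203.0.113.7 - - [26/Dec/2015:21:09:33 +0800] "GET /uddiexplorer/33ss.jsp?x=1 HTTP/1.1" 200 298
"""

# Assumed allow-list of JSPs that legitimately ship with uddiexplorer on this
# deployment (illustrative; derive the real one from a clean installation).
KNOWN_JSPS = {"/uddiexplorer/index.jsp", "/uddiexplorer/SearchPublicRegistries.jsp"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_unknown_jsps(log_text, known=KNOWN_JSPS, app_prefix="/uddiexplorer/"):
    """Flag every .jsp under app_prefix that is not on the allow-list.

    Returns {path: {"first_seen": timestamp, "hits": count, "clients": [ips]}}
    so an analyst sees when the file first appeared and who talked to it.
    """
    known_lc = {k.lower() for k in known}
    findings = defaultdict(lambda: {"first_seen": None, "hits": 0, "clients": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        # Drop the query string and normalise case before comparing paths.
        path = m.group("path").split("?", 1)[0].lower()
        if not (path.startswith(app_prefix) and path.endswith(".jsp")):
            continue
        if path in known_lc:
            continue
        f = findings[path]
        f["first_seen"] = f["first_seen"] or m.group("ts")
        f["hits"] += 1
        f["clients"].add(m.group("ip"))
    return {p: {**f, "clients": sorted(f["clients"])} for p, f in findings.items()}


if __name__ == "__main__":
    for path, info in find_unknown_jsps(SAMPLE_LOG).items():
        print(f"{path}: first seen {info['first_seen']}, {info['hits']} hits from {info['clients']}")
```

The report's root-level shell is the second thing to check: WebLogic should run as an unprivileged service account so that a dropped JSP cannot read or alter the whole host.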

Proof of vulnerability:

172.16.1.X

2.jpg


172.16.2.X

3.jpg


172.16.3.X

4.jpg

Fix recommendation:

Upgrade WebLogic.

Copyright notice: when reposting, please credit the source 路人甲@乌云 (WooYun)


Vulnerability Response

Vendor response:

Severity: Low

Vulnerability Rank: 5

Confirmed: 2015-12-27 10:32

Vendor reply:

Thanks for the submission

Latest status:

None yet

