当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0165255

漏洞标题:北京外企人力资源服务有限公司某站点命令执行(可getshell影响多个系统,可影响内网多台机器)

相关厂商:北京外企人力资源服务有限公司

漏洞作者: Martial

提交时间:2015-12-28 10:06

修复时间:2016-02-12 18:49

公开时间:2016-02-12 18:49

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-28: 细节已通知厂商并且等待厂商处理中
2015-12-30: 厂商已经确认,细节仅向厂商公开
2016-01-09: 细节向核心白帽子及相关领域专家公开
2016-01-19: 细节向普通白帽子公开
2016-01-29: 细节向实习白帽子公开
2016-02-12: 细节向公众公开

简要描述:

FESCO

详细说明:

北京外企人力资源服务有限公司
http://114.242.218.150/
存在JAVA反序列化漏洞
可执行任意命令
whoami
root权限

4.jpg


写入shell
http://114.242.218.150/uddiexplorer/ss.jsp
存在多个系统

1.jpg


探测下内网
这个探测的只是80端口的

3.jpg


看下内网之间的通讯 很多

5.jpg


? (172.28.1.128) at <incomplete> on eth0
? (172.28.1.135) at <incomplete> on eth0
? (172.28.1.48) at <incomplete> on eth0
? (172.28.1.125) at <incomplete> on eth0
? (172.28.1.181) at <incomplete> on eth0
? (172.28.1.205) at <incomplete> on eth0
? (172.28.1.63) at <incomplete> on eth0
? (172.28.1.211) at <incomplete> on eth0
? (172.28.1.54) at <incomplete> on eth0
? (172.28.1.158) at <incomplete> on eth0
? (172.28.1.41) at <incomplete> on eth0
? (172.28.1.202) at <incomplete> on eth0
? (172.28.1.180) at <incomplete> on eth0
? (172.28.1.252) at <incomplete> on eth0
? (172.28.1.96) at <incomplete> on eth0
? (172.28.1.159) at <incomplete> on eth0
? (172.28.1.193) at <incomplete> on eth0
? (172.28.1.70) at <incomplete> on eth0
? (172.28.1.13) at 00:16:3e:ea:20:34 [ether] on eth0
? (172.28.1.107) at <incomplete> on eth0
? (172.28.1.204) at <incomplete> on eth0
? (172.28.1.132) at <incomplete> on eth0
? (172.28.1.76) at <incomplete> on eth0
? (172.28.1.1) at 08:19:a6:9a:48:8c [ether] on eth0
? (172.28.1.219) at <incomplete> on eth0
? (172.28.1.178) at <incomplete> on eth0
? (172.28.1.250) at <incomplete> on eth0
? (172.28.1.245) at <incomplete> on eth0
? (172.28.1.126) at <incomplete> on eth0
? (172.28.1.239) at <incomplete> on eth0
? (172.28.1.183) at <incomplete> on eth0
? (172.28.1.123) at <incomplete> on eth0
? (172.28.1.67) at <incomplete> on eth0
? (172.28.1.91) at <incomplete> on eth0
? (172.28.1.88) at <incomplete> on eth0
? (172.28.1.226) at <incomplete> on eth0
? (172.28.1.57) at <incomplete> on eth0
? (172.28.1.241) at <incomplete> on eth0
? (172.28.1.97) at <incomplete> on eth0
? (172.28.1.227) at <incomplete> on eth0
? (172.28.1.92) at <incomplete> on eth0
? (172.28.1.161) at <incomplete> on eth0
? (172.28.1.228) at <incomplete> on eth0
? (172.28.1.165) at <incomplete> on eth0
? (172.28.1.172) at <incomplete> on eth0
? (172.28.1.95) at <incomplete> on eth0
? (172.28.1.247) at <incomplete> on eth0
? (172.28.1.223) at <incomplete> on eth0
? (172.28.1.113) at <incomplete> on eth0
? (172.28.1.134) at <incomplete> on eth0
? (172.28.1.8) at <incomplete> on eth0
? (172.28.1.203) at <incomplete> on eth0
? (172.28.1.44) at <incomplete> on eth0
? (172.28.1.50) at <incomplete> on eth0
? (172.28.1.166) at <incomplete> on eth0
? (172.28.1.224) at <incomplete> on eth0
? (172.28.1.60) at <incomplete> on eth0
? (172.28.1.146) at <incomplete> on eth0
? (172.28.1.190) at <incomplete> on eth0
? (172.28.1.251) at <incomplete> on eth0
? (172.28.1.7) at <incomplete> on eth0
? (172.28.1.124) at <incomplete> on eth0
? (172.28.1.213) at <incomplete> on eth0
? (172.28.1.208) at <incomplete> on eth0
? (172.28.1.148) at <incomplete> on eth0
? (172.28.1.5) at <incomplete> on eth0
? (172.28.1.119) at <incomplete> on eth0
? (172.28.1.229) at <incomplete> on eth0
? (172.28.1.19) at <incomplete> on eth0
? (172.28.1.18) at <incomplete> on eth0
? (172.28.1.103) at <incomplete> on eth0
? (172.28.1.89) at <incomplete> on eth0
? (172.28.1.222) at <incomplete> on eth0
? (172.28.1.253) at <incomplete> on eth0
? (172.28.1.156) at <incomplete> on eth0
? (172.28.1.233) at <incomplete> on eth0
? (172.28.1.12) at 00:16:3e:24:c1:fe [ether] on eth0
? (172.28.1.105) at <incomplete> on eth0
? (172.28.1.138) at <incomplete> on eth0
? (172.28.1.36) at <incomplete> on eth0
? (172.28.1.32) at <incomplete> on eth0
? (172.28.1.116) at <incomplete> on eth0
? (172.28.1.129) at <incomplete> on eth0
? (172.28.1.87) at <incomplete> on eth0
? (172.28.1.173) at <incomplete> on eth0
? (172.28.1.56) at <incomplete> on eth0
? (172.28.1.182) at <incomplete> on eth0
? (172.28.1.49) at <incomplete> on eth0
? (172.28.1.136) at <incomplete> on eth0
? (172.28.1.22) at <incomplete> on eth0
? (172.28.1.15) at 00:16:3e:5c:72:87 [ether] on eth0
? (172.28.1.221) at <incomplete> on eth0
? (172.28.1.216) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0
? (172.28.1.149) at <incomplete> on eth0

漏洞证明:

存在多个系统

1.jpg

修复方案:

升级

版权声明:转载请注明来源 Martial@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-12-30 16:36

厂商回复:

感谢白帽子的发现!

最新状态:

暂无

漏洞评价:

评价