当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0166208

漏洞标题:比亚迪某站命令执行已getshell影响内网48台主机安全

相关厂商:bydauto.com.cn

漏洞作者: 路人甲

提交时间:2015-12-31 10:44

修复时间:2016-02-12 18:49

公开时间:2016-02-12 18:49

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-12-31: 细节已通知厂商并且等待厂商处理中
2016-01-04: 厂商已经确认,细节仅向厂商公开
2016-01-14: 细节向核心白帽子及相关领域专家公开
2016-01-24: 细节向普通白帽子公开
2016-02-03: 细节向实习白帽子公开
2016-02-12: 细节向公众公开

简要描述:

20rank还是值得!

详细说明:

http://113.106.76.91/

10.png


jboss配置不当,存在JAVA反序列化命令执行漏洞!
ipconfig显示内网!可进行内网探测

11.png


net view
四十几台主机!

服务器名称            注释
-------------------------------------------------------------------------------
\\AUTOFTP
\\BID
\\BYD-ASN
\\BYD-BSP
\\BYD-FC
\\BYD-PO
\\BYD-SCMASN
\\BYD-SCMFC
\\BYD-SCMPO
\\BYDPOWER
\\DLY-FUTIAN-001
\\DLY-FUTIAN-002
\\EDGE
\\EDI1 EDI1
\\EDI5
\\LED-EIP
\\NWCP
\\PS-CC-SMS1
\\PS-CC4-ELECINTE
\\PS-CC4-SFTP2
\\PS-DIV1-FORKLIF
\\PS-DIV5-FTP02
\\PS-DLKX-BMAS01
\\PS-DMSCS-WEB1
\\PS-DMSPRD-EXCH
\\PS-DMSPRD-WEB
\\PS-DMSPRD-WEB01
\\PS-EDI-PROD2
\\PS-EDI-TEST02
\\PS-EDI-TEST03
\\PS-EDI-TEST04
\\PS-ERP-MDMFTP
\\PS-ERP-MDMWEB2
\\PS-ERP-MDMWEB3
\\PS-IPRL-PATENT
\\PS-MDM-APACHE
\\PS-SALES-MAS
\\PS-SAP-SAPROUTE
\\PS-SRM-APS01
\\PS-ZCB-YKTDB01
\\SFTP SFTP
\\SPECIAL
\\SVCTAG-DQ4KQ2X
\\WIN-4APDCGTCQRC
\\XUNIJIIIS
命令成功完成。


直接写shell拿下服务器
http://113.106.76.91/she11.jsp

12.png


因为是内网,可以对内网进行探测,多个内网系统安全受影响

http://10.9.33.19 >> >>httpd >>Success
http://10.9.33.80 >> >>Apache >>Success
http://10.9.33.73 >> ��ʾ��Ϣ - Powered by PHPWind>>nginx >>Success
http://10.9.33.32 >> >>Oracle-Application-Server-10g/10.1.3.1.0 Oracle-HTTP-Server >>Success
http://10.9.33.100 >> >>nginx >>Success
http://10.9.33.87 >> message>>Apache-Coyote/1.1 >>Success
http://10.9.33.101 >> >>nginx/1.4.4 >>Success
http://10.9.33.102 >> >>nginx/1.8.0 >>Success
http://10.9.33.96 >> Index of />>Apache >>Success
http://10.9.33.72 >> >>Apache/2.2.25 (Win32) >>Success
http://10.9.33.99 >> >>nginx >>Success
http://10.9.33.11 >> Login>>Virata-EmWeb/R6_0_1 >>Success
http://10.9.33.7 >> >>Microsoft-IIS/6.0 >>Success
http://10.9.33.63 >> >>Apache/2.2.25 (Win32) PHP/5.3.5 >>Success
http://10.9.33.64 >> 比亚迪叉车官网>>Apache-Coyote/1.1 >>Success
http://10.9.33.109 >> >>HP-iLO-Server/1.30 >>Success
http://10.9.33.55 >> ����ƺɽ�����ϵͳ-WEB��>>Apache-Coyote/1.1 >>Success
http://10.9.33.114 >> Index of />>Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips PHP/5.3.27 >>Success
http://10.9.33.67 >> IIS7>>Microsoft-IIS/7.0 >>Success
http://10.9.33.65 >> IIS7>>Microsoft-IIS/7.0 >>Success
http://10.9.33.90 >> >>Microsoft-IIS/6.0 >>Success
http://10.9.33.144 >> >>nginx/1.9.5 >>Success
http://10.9.33.155 >> >>Apache >>Success
http://10.9.33.154 >> 比亚迪供应商门户>>nginx/1.9.3 >>Success
http://10.9.33.178 >> >>Microsoft-IIS/7.5 >>Success
http://10.9.33.177 >> >>Apache/2.2.25 (Win32) >>Success
http://10.9.33.193 >> >>Apache/2.2.15 (Win32) mod_jk/1.2.28 >>Success
http://10.9.33.185 >> >>httpd >>Success
http://10.9.33.189 >> >>Mbedthis-Appweb/2.4.2 >>Success
http://10.9.33.195 >> >>Apache-Coyote/1.1 >>Success
http://10.9.33.194 >> >>Apache/2.2.15 (Win32) mod_jk/1.2.28 >>Success
http://10.9.33.176 >> >>Apache/2.2.25 (Win32) >>Success
http://10.9.33.198 >> >>nginx/0.9.5 >>Success
http://10.9.33.192 >> >>Mbedthis-Appweb/2.4.2 >>Success
http://10.9.33.180 >> >>Mbedthis-Appweb/2.4.2 >>Success
http://10.9.33.183 >> >>Mbedthis-Appweb/2.4.2 >>Success
http://10.9.33.191 >> >>Mbedthis-Appweb/2.4.2 >>Success
http://10.9.33.218 >> developer.bydauto.com.cn>>Apache >>Success
http://10.9.33.221 >> >>nginx/1.7.7.1 WhiteRabbit >>Success
http://10.9.33.201 >> >>nginx >>Success
http://10.9.33.179 >> >>Serv-U/10.0.0.3 >>Success
http://10.9.33.199 >> >>Microsoft-IIS/7.5 >>Success
http://10.9.33.222 >> IIS Windows Server>>Microsoft-IIS/8.5 >>Success
http://10.9.33.242 >> Web user login>>Switch >>Success
http://10.9.33.241 >> Web user login>>Switch >>Success
http://10.9.33.243 >> Web user login>>Switch >>Success
http://10.9.33.213 >> >>Microsoft-IIS/7.5 >>Success
http://10.9.33.224 >> IIS7>>Microsoft-IIS/7.5 >>Success


48台内网主机系统可进一步深入漫游!!

漏洞证明:

修复方案:

求20rank!

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2016-01-04 08:38

厂商回复:

正在处理,感谢您的报告。

最新状态:

暂无


漏洞评价:

评价