
Vulnerability summary

Defect ID: wooyun-2016-0187216

Title: China Southern Power Grid getshell leading to internal network roaming

Vendor: 中国南方电网 (China Southern Power Grid)

Author: 镱鍚

Submitted: 2016-03-21 11:52

Fixed: 2016-05-05 15:43

Published: 2016-05-05 15:43

Vulnerability type: weak service credentials

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-03-21: details sent to the vendor, awaiting vendor handling
2016-03-21: vendor confirmed, details disclosed to the vendor only
2016-03-31: details disclosed to core white hats and domain experts
2016-04-10: details disclosed to regular white hats
2016-04-20: details disclosed to intern white hats
2016-05-05: details disclosed to the public

Brief description:

As titled.

Detailed description:

(PS: can I get a high Rank?? ^_^)

http://116.55.241.7:9091/manager/html
Tomcat weak credentials: both / tomcat


[Screenshot: 1.png]


A simple deployment, and getshell.

http://116.55.241.7:9091/job/index.jsp
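The whole chain above rests on two Tomcat settings: an example account with manager roles left in `tomcat-users.xml`, and a manager application reachable from any source address. As an added example (not code from the report or from the vendor), the following audit flags both; the sample `tomcat-users.xml` and `context.xml` contents are constructed, with the `both`/`tomcat` pair mirroring the credential named in the report.

```python
import xml.etree.ElementTree as ET

# Constructed conf/tomcat-users.xml (not the vendor's file). "both"/"tomcat"
# mirrors the report; it is an example account Tomcat ships commented out.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="both" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="deploy" password="Xk9#v2Lq!pR8mZ" roles="manager-script"/>
  <user username="viewer" password="viewer" roles="reports"/>
</tomcat-users>"""

# Constructed webapps/manager/META-INF/context.xml variants: open, and the
# stock one that restricts the manager app to loopback addresses.
CONTEXT_OPEN = '<Context antiResourceLocking="false" privileged="true"/>'
CONTEXT_LOCKED = r"""<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
</Context>"""

# Example accounts from Tomcat's stock tomcat-users.xml plus common leftovers.
DEFAULT_CREDS = {("tomcat", "tomcat"), ("both", "tomcat"), ("role1", "tomcat"),
                 ("admin", "admin"), ("manager", "manager"), ("admin", "")}
# Roles that allow deploying code or changing hosts through the manager apps.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}

def weak_password(user, pw):
    # Empty, equal to the username, a shipped example pair, or too short.
    return (pw == "" or pw.lower() == user.lower()
            or (user, pw) in DEFAULT_CREDS or len(pw) < 12)

def audit_tomcat_users(xml_text):
    """Return (username, reason) pairs for accounts that expose the manager app."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.split("}")[-1] != "user":  # drop the namespace prefix
            continue
        user = el.get("username") or el.get("name", "")
        pw = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        priv = sorted(roles & PRIVILEGED_ROLES)
        if priv and weak_password(user, pw):
            findings.append((user, "weak password with roles " + ",".join(priv)))
        if "manager-gui" in priv and "manager-script" in priv:
            findings.append((user, "holds both manager-gui and manager-script"))
    return findings

def manager_context_restricted(context_xml):
    """True if the manager context limits access to an allow-list of source addresses."""
    return any(v.get("className", "").endswith("RemoteAddrValve") and v.get("allow")
               for v in ET.fromstring(context_xml).iter("Valve"))
```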


[Screenshot: 2.png]


Took a quick look: it's an internal-network machine, and the privileges are quite high.

[Screenshots: 3.png, 4.png, 5.png]


Then the intranet roaming began. First, an apology to the vendor: I don't know how, but I made your site unreachable at times, so I only did a light probe and didn't dare go any deeper.
Web services open on the intranet:



[Screenshots: 6.png, 7.png, 8.png, 9.png]


Open ports on the intranet



I'll stop here; the impact is considerable, please fix it soon ^_^

Proof of vulnerability:


Fix recommendation:

..

Copyright notice: credit 镱鍚@乌云 when reposting


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 5

Confirmed: 2016-03-21 15:43

Vendor reply:

Thank you for your attention.

Latest status:

None yet


Vulnerability comments:

Comments

  1. 2016-03-21 13:23 | 晓庄 ( Passerby | Rank:29 Vulns:7 | Make money.)

    Big bro, I want my electricity bill covered

  2. 2016-03-21 14:59 | 绝对领域 ( Passerby | Rank:27 Vulns:3 | code monkey and net admin with big holes)

    I want my electricity bill covered too

  3. 2016-03-21 16:40 | 镱鍚 ( Regular white hat | Rank:235 Vulns:32 | 。。!)

    @中国南方电网 couldn't you give a bit more..

  4. 2016-03-21 16:47 | 暴走 ( Regular white hat | Rank:611 Vulns:106 | Focused on finishing blows.)

    @镱鍚 Really too little! Giving this little is the admin telling you: bro, stop submitting our holes, my life was just getting comfortable and here you come to embarrass me!