中国南方电网getshell到内网漫游 | wooyun-2016-0187216| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0187216

漏洞标题：中国南方电网getshell到内网漫游

漏洞作者：镱鍚

提交时间：2016-03-21 11:52

修复时间：2016-05-05 15:43

公开时间：2016-05-05 15:43

漏洞类型：服务弱口令

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2016-03-21：细节已通知厂商并且等待厂商处理中
2016-03-21：厂商已经确认，细节仅向厂商公开
2016-03-31：细节向核心白帽子及相关领域专家公开
2016-04-10：细节向普通白帽子公开
2016-04-20：细节向实习白帽子公开
2016-05-05：细节向公众公开

简要描述：

详细说明：

（PS：能给高rank吗？？^_^）

http://116.55.241.7:9091/manager/html
tomcat弱口令：both  tomcat

简单部署，getshell

http://116.55.241.7:9091/job/index.jsp

简单看了下，发现是内网机器，权限还是多高的

然后就开始内网漫游啦，这里首先给厂商说下抱歉，不知道怎么的，搞的你们的站点有时都不能访问了，就只是简单探测了一下，不敢再深入了
内网开放的web服务：

http://10.180.201.163:8081 >> Welcome to JBoss™>>Apache-Coyote/1.1 >>Success
http://10.180.201.228:8080 >> 云南OMS接口>>Apache-Coyote/1.1 >>Success
http://10.180.201.229:8081 >> Apache Tomcat>>Apache-Coyote/1.1 >>Success
http://10.180.201.235:80 >> >>GoAhead-Webs >>Success
http://10.180.201.240:80 >> >>MoxaHttp/1.0 >>Success
http://10.180.201.241:80 >> Oracle HTTP Server Index>>Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.5f mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25 >>Success
http://10.180.201.243:80 >> Oracle HTTP Server Index>>Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.5f mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25 >>Success
http://10.180.201.242:80 >> 系统登录>>Apache-Coyote/1.1 >>Success
http://10.180.201.246:80 >> Oracle HTTP Server Index>>Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.5f mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25 >>Success
http://10.180.201.253:80 >> >>MoxaHttp/1.0 >>Success
http://10.180.201.245:8081 >> Apache Tomcat>>Apache-Coyote/1.1 >>Success

内网开放端口

10.180.201.161:135 >>> Open
10.180.201.161:3389 >>> Open
10.180.201.163:1521 >>> Open
10.180.201.170:3389 >>> Open
10.180.201.161:135 >>> Open
10.180.201.161:3389 >>> Open
10.180.201.163:1521 >>> Open
10.180.201.170:3389 >>> Open
10.180.201.225:135 >>> Open
10.180.201.225:3389 >>> Open
10.180.201.226:135 >>> Open
10.180.201.226:3389 >>> Open
10.180.201.228:135 >>> Open
10.180.201.228:3389 >>> Open
10.180.201.228:8080 >>> Open
10.180.201.229:135 >>> Open
10.180.201.229:3389 >>> Open
10.180.201.230:21 >>> Open
10.180.201.230:1521 >>> Open
10.180.201.231:21 >>> Open
10.180.201.231:1521 >>> Open
10.180.201.232:21 >>> Open
10.180.201.232:1521 >>> Open
10.180.201.233:21 >>> Open
10.180.201.233:1521 >>> Open
10.180.201.234:21 >>> Open
10.180.201.234:1521 >>> Open
10.180.201.235:80 >>> Open
10.180.201.235:443 >>> Open
10.180.201.238:135 >>> Open
10.180.201.238:3389 >>> Open
10.180.201.240:80 >>> Open
10.180.201.241:80 >>> Open
10.180.201.241:443 >>> Open
10.180.201.241:135 >>> Open
10.180.201.241:3389 >>> Open
10.180.201.242:80 >>> Open
10.180.201.242:135 >>> Open
10.180.201.242:3389 >>> Open
10.180.201.243:443 >>> Open
10.180.201.243:80 >>> Open
10.180.201.243:135 >>> Open
10.180.201.243:3389 >>> Open
10.180.201.244:135 >>> Open
10.180.201.244:3389 >>> Open
10.180.201.245:21 >>> Open
10.180.201.245:80 >>> Open
10.180.201.245:135 >>> Open
10.180.201.245:3389 >>> Open
10.180.201.246:80 >>> Open
10.180.201.246:135 >>> Open
10.180.201.246:443 >>> Open
10.180.201.246:1521 >>> Open
10.180.201.246:3389 >>> Open
10.180.201.247:21 >>> Open
10.180.201.247:135 >>> Open
10.180.201.247:3389 >>> Open
10.180.201.248:135 >>> Open
10.180.201.248:3389 >>> Open
10.180.201.249:135 >>> Open
10.180.201.249:443 >>> Open
10.180.201.249:1521 >>> Open
10.180.201.249:3389 >>> Open
10.180.201.250:1521 >>> Open
10.180.201.251:135 >>> Open
10.180.201.251:3389 >>> Open
10.180.201.252:21 >>> Open
10.180.201.253:80 >>> Open
10.180.201.250:21 >>> Open
10.180.201.225:135 >>> Open
10.180.201.225:3389 >>> Open
10.180.201.226:135 >>> Open
10.180.201.226:3389 >>> Open
10.180.201.228:135 >>> Open
10.180.201.228:3389 >>> Open
10.180.201.228:8080 >>> Open
10.180.201.229:135 >>> Open
10.180.201.229:3389 >>> Open
10.180.201.230:21 >>> Open
10.180.201.230:1521 >>> Open
10.180.201.231:21 >>> Open
10.180.201.231:1521 >>> Open
10.180.201.232:21 >>> Open
10.180.201.232:1521 >>> Open
10.180.201.233:21 >>> Open
10.180.201.233:1521 >>> Open
10.180.201.234:21 >>> Open
10.180.201.234:1521 >>> Open
10.180.201.235:80 >>> Open
10.180.201.235:443 >>> Open
10.180.201.238:135 >>> Open
10.180.201.238:3389 >>> Open
10.180.201.240:80 >>> Open
10.180.201.241:135 >>> Open
10.180.201.241:443 >>> Open
10.180.201.241:80 >>> Open
10.180.201.241:3389 >>> Open
10.180.201.242:80 >>> Open
10.180.201.242:135 >>> Open
10.180.201.242:3389 >>> Open
10.180.201.243:80 >>> Open
10.180.201.243:135 >>> Open
10.180.201.243:443 >>> Open
10.180.201.243:3389 >>> Open
10.180.201.244:135 >>> Open
10.180.201.244:3389 >>> Open
10.180.201.245:21 >>> Open
10.180.201.245:80 >>> Open
10.180.201.245:135 >>> Open
10.180.201.245:3389 >>> Open
10.180.201.246:80 >>> Open
10.180.201.246:135 >>> Open
10.180.201.246:443 >>> Open
10.180.201.246:1521 >>> Open
10.180.201.246:3389 >>> Open
10.180.201.247:21 >>> Open
10.180.201.247:135 >>> Open
10.180.201.247:3389 >>> Open
10.180.201.248:135 >>> Open
10.180.201.248:3389 >>> Open
10.180.201.249:135 >>> Open
10.180.201.249:443 >>> Open
10.180.201.249:1521 >>> Open
10.180.201.249:3389 >>> Open
10.180.201.250:21 >>> Open
10.180.201.250:1521 >>> Open
10.180.201.251:135 >>> Open
10.180.201.251:3389 >>> Open
10.180.201.252:21 >>> Open
10.180.201.253:80 >>> Open

就不继续了，危害还是多大的，望尽快修复^_^

漏洞证明：

（PS：能给高rank吗？？^_^）

http://116.55.241.7:9091/manager/html
tomcat弱口令：both  tomcat

简单部署，getshell

http://116.55.241.7:9091/job/index.jsp

简单看了下，发现是内网机器，权限还是多高的

http://10.180.201.163:8081 >> Welcome to JBoss™>>Apache-Coyote/1.1 >>Success
http://10.180.201.228:8080 >> 云南OMS接口>>Apache-Coyote/1.1 >>Success
http://10.180.201.229:8081 >> Apache Tomcat>>Apache-Coyote/1.1 >>Success
http://10.180.201.235:80 >> >>GoAhead-Webs >>Success
http://10.180.201.240:80 >> >>MoxaHttp/1.0 >>Success
http://10.180.201.241:80 >> Oracle HTTP Server Index>>Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.5f mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25 >>Success
http://10.180.201.243:80 >> Oracle HTTP Server Index>>Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.5f mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25 >>Success
http://10.180.201.242:80 >> 系统登录>>Apache-Coyote/1.1 >>Success
http://10.180.201.246:80 >> Oracle HTTP Server Index>>Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.5f mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25 >>Success
http://10.180.201.253:80 >> >>MoxaHttp/1.0 >>Success
http://10.180.201.245:8081 >> Apache Tomcat>>Apache-Coyote/1.1 >>Success

内网开放端口

10.180.201.161:135 >>> Open
10.180.201.161:3389 >>> Open
10.180.201.163:1521 >>> Open
10.180.201.170:3389 >>> Open
10.180.201.161:135 >>> Open
10.180.201.161:3389 >>> Open
10.180.201.163:1521 >>> Open
10.180.201.170:3389 >>> Open
10.180.201.225:135 >>> Open
10.180.201.225:3389 >>> Open
10.180.201.226:135 >>> Open
10.180.201.226:3389 >>> Open
10.180.201.228:135 >>> Open
10.180.201.228:3389 >>> Open
10.180.201.228:8080 >>> Open
10.180.201.229:135 >>> Open
10.180.201.229:3389 >>> Open
10.180.201.230:21 >>> Open
10.180.201.230:1521 >>> Open
10.180.201.231:21 >>> Open
10.180.201.231:1521 >>> Open
10.180.201.232:21 >>> Open
10.180.201.232:1521 >>> Open
10.180.201.233:21 >>> Open
10.180.201.233:1521 >>> Open
10.180.201.234:21 >>> Open
10.180.201.234:1521 >>> Open
10.180.201.235:80 >>> Open
10.180.201.235:443 >>> Open
10.180.201.238:135 >>> Open
10.180.201.238:3389 >>> Open
10.180.201.240:80 >>> Open
10.180.201.241:80 >>> Open
10.180.201.241:443 >>> Open
10.180.201.241:135 >>> Open
10.180.201.241:3389 >>> Open
10.180.201.242:80 >>> Open
10.180.201.242:135 >>> Open
10.180.201.242:3389 >>> Open
10.180.201.243:443 >>> Open
10.180.201.243:80 >>> Open
10.180.201.243:135 >>> Open
10.180.201.243:3389 >>> Open
10.180.201.244:135 >>> Open
10.180.201.244:3389 >>> Open
10.180.201.245:21 >>> Open
10.180.201.245:80 >>> Open
10.180.201.245:135 >>> Open
10.180.201.245:3389 >>> Open
10.180.201.246:80 >>> Open
10.180.201.246:135 >>> Open
10.180.201.246:443 >>> Open
10.180.201.246:1521 >>> Open
10.180.201.246:3389 >>> Open
10.180.201.247:21 >>> Open
10.180.201.247:135 >>> Open
10.180.201.247:3389 >>> Open
10.180.201.248:135 >>> Open
10.180.201.248:3389 >>> Open
10.180.201.249:135 >>> Open
10.180.201.249:443 >>> Open
10.180.201.249:1521 >>> Open
10.180.201.249:3389 >>> Open
10.180.201.250:1521 >>> Open
10.180.201.251:135 >>> Open
10.180.201.251:3389 >>> Open
10.180.201.252:21 >>> Open
10.180.201.253:80 >>> Open
10.180.201.250:21 >>> Open
10.180.201.225:135 >>> Open
10.180.201.225:3389 >>> Open
10.180.201.226:135 >>> Open
10.180.201.226:3389 >>> Open
10.180.201.228:135 >>> Open
10.180.201.228:3389 >>> Open
10.180.201.228:8080 >>> Open
10.180.201.229:135 >>> Open
10.180.201.229:3389 >>> Open
10.180.201.230:21 >>> Open
10.180.201.230:1521 >>> Open
10.180.201.231:21 >>> Open
10.180.201.231:1521 >>> Open
10.180.201.232:21 >>> Open
10.180.201.232:1521 >>> Open
10.180.201.233:21 >>> Open
10.180.201.233:1521 >>> Open
10.180.201.234:21 >>> Open
10.180.201.234:1521 >>> Open
10.180.201.235:80 >>> Open
10.180.201.235:443 >>> Open
10.180.201.238:135 >>> Open
10.180.201.238:3389 >>> Open
10.180.201.240:80 >>> Open
10.180.201.241:135 >>> Open
10.180.201.241:443 >>> Open
10.180.201.241:80 >>> Open
10.180.201.241:3389 >>> Open
10.180.201.242:80 >>> Open
10.180.201.242:135 >>> Open
10.180.201.242:3389 >>> Open
10.180.201.243:80 >>> Open
10.180.201.243:135 >>> Open
10.180.201.243:443 >>> Open
10.180.201.243:3389 >>> Open
10.180.201.244:135 >>> Open
10.180.201.244:3389 >>> Open
10.180.201.245:21 >>> Open
10.180.201.245:80 >>> Open
10.180.201.245:135 >>> Open
10.180.201.245:3389 >>> Open
10.180.201.246:80 >>> Open
10.180.201.246:135 >>> Open
10.180.201.246:443 >>> Open
10.180.201.246:1521 >>> Open
10.180.201.246:3389 >>> Open
10.180.201.247:21 >>> Open
10.180.201.247:135 >>> Open
10.180.201.247:3389 >>> Open
10.180.201.248:135 >>> Open
10.180.201.248:3389 >>> Open
10.180.201.249:135 >>> Open
10.180.201.249:443 >>> Open
10.180.201.249:1521 >>> Open
10.180.201.249:3389 >>> Open
10.180.201.250:21 >>> Open
10.180.201.250:1521 >>> Open
10.180.201.251:135 >>> Open
10.180.201.251:3389 >>> Open
10.180.201.252:21 >>> Open
10.180.201.253:80 >>> Open

就不继续了，危害还是多大的，望尽快修复^_^

修复方案：

版权声明：转载请注明来源镱鍚@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：5

确认时间：2016-03-21 15:43

厂商回复：

感谢关注。

漏洞评价：

评价

2016-03-21 13:23 | 晓庄 ( 路人 | Rank:29 漏洞数:7 | Make money.)

大兄弟我要充电费
2016-03-21 14:59 | 绝对领域 ( 路人 | Rank:27 漏洞数:3 | 大穴码农网管)

我也要充电费
2016-03-21 16:40 | 镱鍚 ( 普通白帽子 | Rank:235 漏洞数:32 | 。。！)

@中国南方电网你们就不能多给点么。。
2016-03-21 16:47 | 暴走 ( 普通白帽子 | Rank:611 漏洞数:106 | 专心补刀。)

@镱鍚确实太少！给的少就是管理员给你说，兄弟啊，别提交了我们的洞了，我的日子刚好过几天，你就来给我难堪！

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0187216

漏洞标题：中国南方电网getshell到内网漫游

相关厂商：中国南方电网

漏洞作者：镱鍚

提交时间：2016-03-21 11:52

修复时间：2016-05-05 15:43

公开时间：2016-05-05 15:43

漏洞类型：服务弱口令

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源镱鍚@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0187216

漏洞标题：中国南方电网getshell到内网漫游

相关厂商：中国南方电网

漏洞作者： 镱鍚

提交时间：2016-03-21 11:52

修复时间：2016-05-05 15:43

公开时间：2016-05-05 15:43

漏洞类型：服务弱口令

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2016-0187216"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 镱鍚@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

漏洞概要关注数(24) 关注此漏洞

漏洞作者：镱鍚

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源镱鍚@乌云