P2P金融安全之卡得万利某处命令执行影响多台重要服务器（自带nmap威胁内网安全）

admin

140534
文章

117
评论

2017年5月3日12:24:12评论1,838 views字数 232阅读0分46秒阅读模式

摘要

2016-03-20：积极联系厂商并且等待厂商认领中，细节不对外公开
2016-05-04：厂商已经主动忽略漏洞，细节向公众公开

漏洞概要关注数(2) 关注此漏洞

缺陷编号： WooYun-2016-186380

漏洞标题： P2P金融安全之卡得万利某处命令执行影响多台重要服务器（自带nmap威胁内网安全）

漏洞作者：镱鍚

提交时间： 2016-03-20 23:31

公开时间： 2016-05-04 23:31

漏洞类型：服务弱口令

危害等级：高

自评Rank： 20

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源：www.wooyun.org ，如有疑问或需要帮助请联系

Tags标签：第三方框架

1人收藏

漏洞详情

披露状态：

2016-03-20：积极联系厂商并且等待厂商认领中，细节不对外公开
2016-05-04：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

涉及微信服务器、邮件服务器、监控服务器、多台路由设备等，自带nmap，可直接探测内网

详细说明：

code 区域

URL：http://220.248.19.22:80/

zabbix弱口令：admin zabbix

可直接登陆

看下它上面涉及的服务器，都挺重要的

从脚本中可以看到，服务器上安装了nmap的，可以直接探测内网，我这里加了个脚本，看了下ip信息

这里用nmap它自带的nmap脚本探测了一下各个服务器的端口，如下：

从中还是得到不少信息

jenkins项目平台

code 区域

http://220.248.19.21:8088/

邮件系统

code 区域

http://211.95.2.35/

直接探测c段，得到的结果如下：

code 区域

"test"的结果
 
 Starting Nmap 5.51 ( http://nmap.org ) at 2016-03-18 20:58 CST
 Nmap scan report for 192.168.0.1
 Host is up (0.00073s latency).
 Not shown: 995 closed ports
 PORT     STATE SERVICE
 53/tcp   open  domain
 687/tcp  open  asipregistry
 1723/tcp open  pptp
 1900/tcp open  upnp
 8080/tcp open  http-proxy
 MAC Address: 00:0D:88:11:29:88 (D-Link)
 
 Nmap scan report for 192.168.0.2
 Host is up (0.00048s latency).
 Not shown: 996 filtered ports
 PORT     STATE  SERVICE
 23/tcp   open   telnet
 80/tcp   open   http
 443/tcp  open   https
 5431/tcp closed park-agent
 MAC Address: 3C:8C:40:CA:F9:F8 (Unknown)
 
 Nmap scan report for 192.168.0.3
 Host is up (0.00038s latency).
 Not shown: 989 filtered ports
 PORT     STATE  SERVICE
 22/tcp   closed ssh
 80/tcp   open   http
 88/tcp   open   kerberos-sec
 389/tcp  open   ldap
 443/tcp  open   https
 514/tcp  open   shell
 636/tcp  open   ldapssl
 902/tcp  closed iss-realsecure
 2020/tcp open   xinupageserver
 6502/tcp closed netop-rc
 8010/tcp closed xmpp
 MAC Address: 00:0C:29:51:D0:69 (VMware)
 
 Nmap scan report for 192.168.0.4
 Host is up (0.00033s latency).
 Not shown: 989 filtered ports
 PORT     STATE  SERVICE
 22/tcp   closed ssh
 80/tcp   open   http
 427/tcp  open   svrloc
 443/tcp  open   https
 902/tcp  open   iss-realsecure
 5988/tcp closed wbem-http
 5989/tcp open   wbem-https
 8000/tcp open   http-alt
 8080/tcp closed http-proxy
 8100/tcp open   xprint-server
 8300/tcp open   tmi
 MAC Address: 14:18:77:32:F1:AE (Unknown)
 
 Nmap scan report for 192.168.0.5
 Host is up (0.00018s latency).
 Not shown: 989 filtered ports
 PORT     STATE  SERVICE
 22/tcp   open   ssh
 80/tcp   open   http
 427/tcp  open   svrloc
 443/tcp  open   https
 902/tcp  open   iss-realsecure
 5988/tcp closed wbem-http
 5989/tcp open   wbem-https
 8000/tcp open   http-alt
 8080/tcp closed http-proxy
 8100/tcp open   xprint-server
 8300/tcp open   tmi
 MAC Address: B0:83:FE:E5:A8:4D (Unknown)
 
 Nmap scan report for 192.168.0.8
 Host is up (0.00089s latency).
 Not shown: 991 filtered ports
 PORT     STATE  SERVICE
 22/tcp   open   ssh
 80/tcp   closed http
 81/tcp   open   hosts2-ns
 3306/tcp open   mysql
 3690/tcp open   svn
 8080/tcp closed http-proxy
 8081/tcp open   blackice-icecap
 8090/tcp open   unknown
 9000/tcp open   cslistener
 MAC Address: 6C:F0:49:46:1A:FC (Giga-byte Technology Co.)
 
 Nmap scan report for 192.168.0.9
 Host is up (0.0047s latency).
 Not shown: 983 filtered ports
 PORT      STATE SERVICE
 53/tcp    open  domain
 80/tcp    open  http
 88/tcp    open  kerberos-sec
 135/tcp   open  msrpc
 139/tcp   open  netbios-ssn
 389/tcp   open  ldap
 445/tcp   open  microsoft-ds
 464/tcp   open  kpasswd5
 593/tcp   open  http-rpc-epmap
 636/tcp   open  ldapssl
 3268/tcp  open  globalcatLDAP
 3269/tcp  open  globalcatLDAPssl
 8800/tcp  open  sunwebadmin
 49154/tcp open  unknown
 49155/tcp open  unknown
 49157/tcp open  unknown
 49158/tcp open  unknown
 MAC Address: 00:0C:29:C1:AF:0D (VMware)
 
 Nmap scan report for 192.168.0.10
 Host is up (0.00012s latency).
 Not shown: 995 closed ports
 PORT     STATE SERVICE
 22/tcp   open  ssh
 80/tcp   open  http
 81/tcp   open  hosts2-ns
 631/tcp  open  ipp
 3306/tcp open  mysql
 MAC Address: 00:0C:29:C1:5B:A3 (VMware)
 
 Nmap scan report for 192.168.0.11
 Host is up (0.00012s latency).
 Not shown: 996 closed ports
 PORT     STATE SERVICE
 22/tcp   open  ssh
 3306/tcp open  mysql
 8009/tcp open  ajp13
 8080/tcp open  http-proxy
 MAC Address: 00:0C:29:A8:25:5B (VMware)
 
 Nmap scan report for 192.168.0.13
 Host is up (0.00021s latency).
 Not shown: 980 closed ports
 PORT      STATE SERVICE
 80/tcp    open  http
 135/tcp   open  msrpc
 139/tcp   open  netbios-ssn
 443/tcp   open  https
 445/tcp   open  microsoft-ds
 2179/tcp  open  vmrdp
 3306/tcp  open  mysql
 3389/tcp  open  ms-term-serv
 6059/tcp  open  X11:59
 8009/tcp  open  ajp13
 8080/tcp  open  http-proxy
 8888/tcp  open  sun-answerbook
 9009/tcp  open  pichat
 49152/tcp open  unknown
 49153/tcp open  unknown
 49154/tcp open  unknown
 49155/tcp open  unknown
 49157/tcp open  unknown
 49158/tcp open  unknown
 49159/tcp open  unknown
 MAC Address: F0:1F:AF:D2:A1:F0 (Unknown)
 
 Nmap scan report for 192.168.0.14
 Host is up (0.00040s latency).
 Not shown: 996 closed ports
 PORT     STATE SERVICE
 22/tcp   open  ssh
 3306/tcp open  mysql
 8009/tcp open  ajp13
 8080/tcp open  http-proxy
 MAC Address: 8C:DC:D4:49:15:50 (Unknown)
 
 Nmap scan report for 192.168.0.15
 Host is up (0.00027s latency).
 Not shown: 997 filtered ports
 PORT     STATE SERVICE
 22/tcp   open  ssh
 3000/tcp open  ppp
 8080/tcp open  http-proxy
 MAC Address: 00:0C:29:47:B9:4F (VMware)
 
 Nmap scan report for 192.168.0.16
 Host is up (0.00024s latency).
 Not shown: 997 filtered ports
 PORT     STATE  SERVICE
 22/tcp   open   ssh
 161/tcp  closed snmp
 3306/tcp open   mysql
 MAC Address: 00:0C:29:99:4E:37 (VMware)
 
 Nmap scan report for 192.168.0.17
 Host is up (0.000020s latency).
 Not shown: 995 closed ports
 PORT     STATE SERVICE
 22/tcp   open  ssh
 80/tcp   open  http
 3306/tcp open  mysql
 8009/tcp open  ajp13
 8080/tcp open  http-proxy
 
 Nmap scan report for 192.168.0.18
 Host is up (0.00055s latency).
 Not shown: 997 filtered ports
 PORT    STATE SERVICE
 22/tcp  open  ssh
 80/tcp  open  http
 443/tcp open  https
 MAC Address: 00:0C:29:23:B0:42 (VMware)
 
 Nmap scan report for 192.168.0.19
 Host is up (0.00033s latency).
 Not shown: 996 closed ports
 PORT     STATE SERVICE
 22/tcp   open  ssh
 3306/tcp open  mysql
 8009/tcp open  ajp13
 8080/tcp open  http-proxy
 MAC Address: 00:0C:29:1B:DA:41 (VMware)
 
 Nmap scan report for 192.168.0.21
 Host is up (0.00055s latency).
 Not shown: 996 filtered ports
 PORT     STATE SERVICE
 21/tcp   open  ftp
 22/tcp   open  ssh
 80/tcp   open  http
 8080/tcp open  http-proxy
 MAC Address: 00:0C:29:C5:B0:A2 (VMware)
 
 Nmap scan report for 192.168.0.22
 Host is up (0.00088s latency).
 Not shown: 990 closed ports
 PORT     STATE SERVICE
 80/tcp   open  http
 135/tcp  open  msrpc
 139/tcp  open  netbios-ssn
 443/tcp  open  https
 445/tcp  open  microsoft-ds
 1029/tcp open  ms-lsa
 3389/tcp open  ms-term-serv
 4899/tcp open  radmin
 5800/tcp open  vnc-http
 5900/tcp open  vnc
 MAC Address: 00:E0:4C:35:17:56 (Realtek Semiconductor)
 
 Nmap scan report for 192.168.0.23
 Host is up (0.00055s latency).
 Not shown: 999 filtered ports
 PORT   STATE SERVICE
 22/tcp open  ssh
 MAC Address: 00:50:56:88:6C:4E (VMware)
 
 Nmap scan report for 192.168.0.24
 Host is up (0.00048s latency).
 Not shown: 999 filtered ports
 PORT   STATE SERVICE
 22/tcp open  ssh
 MAC Address: 00:50:56:88:36:6F (VMware)
 
 Nmap scan report for 192.168.0.25
 Host is up (0.00027s latency).
 Not shown: 995 closed ports
 PORT     STATE SERVICE
 22/tcp   open  ssh
 80/tcp   open  http
 443/tcp  open  https
 8009/tcp open  ajp13
 8888/tcp open  sun-answerbook
 MAC Address: 00:50:56:88:C7:DA (VMware)
 
 Nmap scan report for 192.168.0.26
 Host is up (0.00026s latency).
 Not shown: 995 closed ports
 PORT     STATE SERVICE
 21/tcp   open  ftp
 22/tcp   open  ssh
 80/tcp   open  http
 8009/tcp open  ajp13
 8080/tcp open  http-proxy
 MAC Address: 00:50:56:88:B5:C8 (VMware)
 
 Nmap scan report for 192.168.0.50
 Host is up (0.00062s latency).
 Not shown: 997 closed ports
 PORT    STATE SERVICE
 23/tcp  open  telnet
 80/tcp  open  http
 554/tcp open  rtsp
 MAC Address: 00:0B:82:40:23:E2 (Grandstream Networks)
 
 Nmap scan report for 192.168.0.53
 Host is up (0.00059s latency).
 Not shown: 997 closed ports
 PORT    STATE SERVICE
 23/tcp  open  telnet
 80/tcp  open  http
 554/tcp open  rtsp
 MAC Address: 00:0B:82:40:24:F8 (Grandstream Networks)
 
 Nmap scan report for 192.168.0.55
 Host is up (0.00054s latency).
 Not shown: 997 closed ports
 PORT    STATE SERVICE
 23/tcp  open  telnet
 80/tcp  open  http
 554/tcp open  rtsp
 MAC Address: 00:0B:82:40:25:4F (Grandstream Networks)
 
 Nmap scan report for 192.168.0.56
 Host is up (0.00057s latency).
 Not shown: 997 closed ports
 PORT    STATE SERVICE
 23/tcp  open  telnet
 80/tcp  open  http
 554/tcp open  rtsp
 MAC Address: 00:0B:82:3B:47:FC (Grandstream Networks)
 
 Nmap scan report for 192.168.0.57
 Host is up (0.00057s latency).
 Not shown: 997 closed ports
 PORT    STATE SERVICE
 23/tcp  open  telnet
 80/tcp  open  http
 554/tcp open  rtsp
 MAC Address: 00:0B:82:40:25:6D (Grandstream Networks)
 
 Nmap scan report for 192.168.0.63
 Host is up (0.00050s latency).
 Not shown: 992 filtered ports
 PORT      STATE SERVICE
 80/tcp    open  http
 135/tcp   open  msrpc
 139/tcp   open  netbios-ssn
 445/tcp   open  microsoft-ds
 1433/tcp  open  ms-sql-s
 3306/tcp  open  mysql
 3389/tcp  open  ms-term-serv
 49154/tcp open  unknown
 MAC Address: 90:E6:BA:DB:79:62 (Asustek Computer)
 
 Nmap scan report for 192.168.0.76
 Host is up (0.00030s latency).
 Not shown: 989 closed ports
 PORT      STATE SERVICE
 135/tcp   open  msrpc
 139/tcp   open  netbios-ssn
 445/tcp   open  microsoft-ds
 1521/tcp  open  oracle
 3389/tcp  open  ms-term-serv
 5357/tcp  open  wsdapi
 49152/tcp open  unknown
 49153/tcp open  unknown
 49154/tcp open  unknown
 49155/tcp open  unknown
 49158/tcp open  unknown
 MAC Address: 74:86:7A:F0:CF:AC (Unknown)
 
 Nmap scan report for 192.168.0.89
 Host is up (0.00050s latency).
 Not shown: 993 filtered ports
 PORT     STATE  SERVICE
 21/tcp   open   ftp
 22/tcp   open   ssh
 80/tcp   open   http
 3306/tcp open   mysql
 8009/tcp closed ajp13
 8080/tcp closed http-proxy
 8888/tcp open   sun-answerbook
 MAC Address: C8:1F:66:E5:3C:4F (Unknown)
 
 Nmap scan report for 192.168.0.98
 Host is up (0.00060s latency).
 Not shown: 984 closed ports
 PORT      STATE SERVICE
 81/tcp    open  hosts2-ns
 90/tcp    open  dnsix
 135/tcp   open  msrpc
 139/tcp   open  netbios-ssn
 443/tcp   open  https
 445/tcp   open  microsoft-ds
 2383/tcp  open  ms-olap4
 3306/tcp  open  mysql
 3389/tcp  open  ms-term-serv
 9000/tcp  open  cslistener
 9001/tcp  open  tor-orport
 27000/tcp open  flexlm0
 49152/tcp open  unknown
 49153/tcp open  unknown
 49154/tcp open  unknown
 49155/tcp open  unknown
 MAC Address: 40:A8:F0:5E:B4:A4 (Unknown)
 
 Nmap scan report for 192.168.0.101
 Host is up (0.00072s latency).
 Not shown: 998 filtered ports
 PORT     STATE SERVICE
 2869/tcp open  icslap
 3306/tcp open  mysql
 MAC Address: B0:83:FE:BB:BB:D2 (Unknown)
 
 Nmap scan report for 192.168.0.103
 Host is up (0.00056s latency).
 Not shown: 990 closed ports
 PORT     STATE SERVICE
 80/tcp   open  http
 135/tcp  open  msrpc
 139/tcp  open  netbios-ssn
 445/tcp  open  microsoft-ds
 1801/tcp open  msmq
 2103/tcp open  zephyr-clt
 2105/tcp open  eklogin
 2107/tcp open  msmq-mgmt
 2869/tcp open  icslap
 3306/tcp open  mysql
 MAC Address: B0:83:FE:77:C6:9C (Unknown)
 
 Nmap scan report for 192.168.0.111
 Host is up (0.00020s latency).
 Not shown: 986 closed ports
 PORT     STATE SERVICE
 80/tcp   open  http
 81/tcp   open  hosts2-ns
 135/tcp  open  msrpc
 139/tcp  open  netbios-ssn
 445/tcp  open  microsoft-ds
 1025/tcp open  NFS-or-IIS
 1026/tcp open  LSA-or-nterm
 1723/tcp open  pptp
 3306/tcp open  mysql
 3389/tcp open  ms-term-serv
 6666/tcp open  irc
 8009/tcp open  ajp13
 8080/tcp open  http-proxy
 8088/tcp open  radan-http
 MAC Address: 6C:F0:49:4E:88:94 (Giga-byte Technology Co.)
 
 Nmap scan report for 192.168.0.120
 Host is up (0.00044s latency).
 Not shown: 996 closed ports
 PORT     STATE SERVICE
 22/tcp   open  ssh
 80/tcp   open  http
 443/tcp  open  https
 5900/tcp open  vnc
 MAC Address: 00:26:B9:5C:9B:55 (Dell)
 
 Nmap scan report for 192.168.0.125
 Host is up (0.00036s latency).
 Not shown: 989 closed ports
 PORT      STATE SERVICE
 21/tcp    open  ftp
 80/tcp    open  http
 139/tcp   open  netbios-ssn
 427/tcp   open  svrloc
 443/tcp   open  https
 445/tcp   open  microsoft-ds
 515/tcp   open  printer
 631/tcp   open  ipp
 843/tcp   open  unknown
 9100/tcp  open  jetdirect
 50001/tcp open  unknown
 MAC Address: 00:20:6B:91:E8:7A (Konica Minolta Holdings)
 
 Nmap scan report for 192.168.0.126
 Host is up (0.00046s latency).
 Not shown: 998 closed ports
 PORT      STATE SERVICE
 80/tcp    open  http
 50002/tcp open  iiimsf
 MAC Address: 00:0E:3A:14:A5:76 (Cirrus Logic)
 
 Nmap scan report for 192.168.0.127
 Host is up (0.00048s latency).
 Not shown: 994 closed ports
 PORT     STATE SERVICE
 23/tcp   open  telnet
 80/tcp   open  http
 515/tcp  open  printer
 631/tcp  open  ipp
 8080/tcp open  http-proxy
 9100/tcp open  jetdirect
 MAC Address: 3C:4A:92:BB:E8:C9 (Unknown)
 
 Nmap scan report for 192.168.0.128
 Host is up (0.00031s latency).
 Not shown: 987 closed ports
 PORT     STATE SERVICE
 80/tcp   open  http
 81/tcp   open  hosts2-ns
 82/tcp   open  xfer
 83/tcp   open  mit-ml-dev
 443/tcp  open  https
 515/tcp  open  printer
 631/tcp  open  ipp
 5222/tcp open  xmpp-client
 8080/tcp open  http-proxy
 8291/tcp open  unknown
 8292/tcp open  blp3
 8888/tcp open  sun-answerbook
 9100/tcp open  jetdirect
 MAC Address: A0:B3:CC:9E:1F:39 (Unknown)
 
 Nmap scan report for 192.168.0.130
 Host is up (0.00058s latency).
 Not shown: 994 filtered ports
 PORT      STATE SERVICE
 80/tcp    open  http
 135/tcp   open  msrpc
 445/tcp   open  microsoft-ds
 1433/tcp  open  ms-sql-s
 3306/tcp  open  mysql
 49154/tcp open  unknown
 MAC Address: 90:E6:BA:DB:79:62 (Asustek Computer)
 
 Nmap scan report for 192.168.0.131
 Host is up (0.00055s latency).
 Not shown: 994 filtered ports
 PORT      STATE SERVICE
 80/tcp    open  http
 135/tcp   open  msrpc
 445/tcp   open  microsoft-ds
 1433/tcp  open  ms-sql-s
 3306/tcp  open  mysql
 49154/tcp open  unknown
 MAC Address: 90:E6:BA:DB:79:62 (Asustek Computer)
 
 Nmap scan report for 192.168.0.165
 Host is up (0.00021s latency).
 Not shown: 988 closed ports
 PORT     STATE SERVICE
 21/tcp   open  ftp
 25/tcp   open  smtp
 110/tcp  open  pop3
 135/tcp  open  msrpc
 139/tcp  open  netbios-ssn
 143/tcp  open  imap
 443/tcp  open  https
 445/tcp  open  microsoft-ds
 587/tcp  open  submission
 1433/tcp open  ms-sql-s
 3306/tcp open  mysql
 3389/tcp open  ms-term-serv
 MAC Address: 6C:F0:49:46:F5:B1 (Giga-byte Technology Co.)
 
 Nmap scan report for 192.168.0.199
 Host is up (0.00045s latency).
 Not shown: 997 filtered ports
 PORT     STATE  SERVICE
 22/tcp   open   ssh
 80/tcp   closed http
 5432/tcp open   postgresql
 MAC Address: 00:0C:29:30:3F:34 (VMware)
 
 Nmap scan report for 192.168.0.200
 Host is up (0.0019s latency).
 Not shown: 998 closed ports
 PORT     STATE SERVICE
 23/tcp   open  telnet
 5003/tcp open  filemaker
 MAC Address: 3C:D1:6E:01:A4:99 (Unknown)
 
 Nmap scan report for 192.168.0.201
 Host is up (0.00038s latency).
 Not shown: 992 closed ports
 PORT     STATE SERVICE
 21/tcp   open  ftp
 22/tcp   open  ssh
 80/tcp   open  http
 111/tcp  open  rpcbind
 139/tcp  open  netbios-ssn
 445/tcp  open  microsoft-ds
 873/tcp  open  rsync
 2049/tcp open  nfs
 MAC Address: 8C:DC:D4:43:9C:91 (Unknown)
 
 Nmap scan report for 192.168.0.203
 Host is up (0.00038s latency).
 Not shown: 988 filtered ports
 PORT     STATE  SERVICE
 22/tcp   open   ssh
 25/tcp   open   smtp
 80/tcp   open   http
 110/tcp  open   pop3
 143/tcp  open   imap
 389/tcp  open   ldap
 443/tcp  closed https
 465/tcp  open   smtps
 873/tcp  closed rsync
 993/tcp  open   imaps
 995/tcp  open   pop3s
 5222/tcp closed xmpp-client
 MAC Address: A4:BA:DB:26:45:4F (Dell)
 
 Nmap scan report for 192.168.0.208
 Host is up (0.00049s latency).
 Not shown: 988 filtered ports
 PORT     STATE SERVICE
 22/tcp   open  ssh
 80/tcp   open  http
 81/tcp   open  hosts2-ns
 3306/tcp open  mysql
 8081/tcp open  blackice-icecap
 8082/tcp open  blackice-alerts
 8084/tcp open  unknown
 8085/tcp open  unknown
 8086/tcp open  d-s-n
 8088/tcp open  radan-http
 9000/tcp open  cslistener
 9002/tcp open  dynamid
 MAC Address: 00:24:1D:99:7F:0B (Giga-byte Technology Co.)
 
 Nmap scan report for 192.168.0.209
 Host is up (0.00043s latency).
 Not shown: 985 filtered ports
 PORT     STATE  SERVICE
 22/tcp   open   ssh
 80/tcp   open   http
 111/tcp  open   rpcbind
 443/tcp  open   https
 5989/tcp open   wbem-https
 8009/tcp open   ajp13
 8080/tcp open   http-proxy
 8081/tcp open   blackice-icecap
 8088/tcp open   radan-http
 8089/tcp open   unknown
 8090/tcp open   unknown
 9009/tcp open   pichat
 9080/tcp open   glrpc
 9081/tcp closed unknown
 9090/tcp closed zeus-admin
 MAC Address: C8:1F:66:DE:7D:F8 (Unknown)
 
 Nmap scan report for 192.168.0.225
 Host is up (0.00015s latency).
 Not shown: 998 closed ports
 PORT    STATE SERVICE
 22/tcp  open  ssh
 443/tcp open  https
 MAC Address: 00:50:56:88:54:53 (VMware)
 
 Nmap scan report for 192.168.0.239
 Host is up (0.00023s latency).
 Not shown: 984 closed ports
 PORT      STATE SERVICE
 21/tcp    open  ftp
 80/tcp    open  http
 135/tcp   open  msrpc
 139/tcp   open  netbios-ssn
 445/tcp   open  microsoft-ds
 1433/tcp  open  ms-sql-s
 1521/tcp  open  oracle
 2383/tcp  open  ms-olap4
 3306/tcp  open  mysql
 3389/tcp  open  ms-term-serv
 49152/tcp open  unknown
 49153/tcp open  unknown
 49154/tcp open  unknown
 49155/tcp open  unknown
 49156/tcp open  unknown
 49167/tcp open  unknown
 MAC Address: 74:86:7A:EA:10:B4 (Unknown)
 
 Nmap scan report for 192.168.0.244
 Host is up (0.00030s latency).
 Not shown: 988 closed ports
 PORT      STATE SERVICE
 80/tcp    open  http
 135/tcp   open  msrpc
 139/tcp   open  netbios-ssn
 445/tcp   open  microsoft-ds
 3306/tcp  open  mysql
 3389/tcp  open  ms-term-serv
 8009/tcp  open  ajp13
 8080/tcp  open  http-proxy
 49152/tcp open  unknown
 49153/tcp open  unknown
 49154/tcp open  unknown
 49156/tcp open  unknown
 MAC Address: 74:86:7A:F0:DE:75 (Unknown)
 
 Nmap scan report for 192.168.0.249
 Host is up (0.00027s latency).
 Not shown: 984 closed ports
 PORT      STATE SERVICE
 80/tcp    open  http
 135/tcp   open  msrpc
 139/tcp   open  netbios-ssn
 443/tcp   open  https
 445/tcp   open  microsoft-ds
 3306/tcp  open  mysql
 3389/tcp  open  ms-term-serv
 8009/tcp  open  ajp13
 8080/tcp  open  http-proxy
 8089/tcp  open  unknown
 49152/tcp open  unknown
 49153/tcp open  unknown
 49154/tcp open  unknown
 49155/tcp open  unknown
 49156/tcp open  unknown
 49157/tcp open  unknown
 MAC Address: F8:BC:12:4D:52:A0 (Unknown)
 
 Nmap scan report for 192.168.0.253
 Host is up (0.00040s latency).
 Not shown: 990 filtered ports
 PORT     STATE  SERVICE
 21/tcp   open   ftp
 22/tcp   open   ssh
 80/tcp   open   http
 81/tcp   open   hosts2-ns
 443/tcp  closed https
 631/tcp  closed ipp
 3306/tcp open   mysql
 8000/tcp open   http-alt
 8080/tcp open   http-proxy
 8088/tcp closed radan-http
 MAC Address: 00:26:B9:5C:9B:53 (Dell)
 
 Nmap done: 256 IP addresses (53 hosts up) scanned in 47.40 seconds

可以看到，还是有很多东西的。就不深入了，危害太大了

漏洞证明：

code 区域

URL：http://220.248.19.22:80/

zabbix弱口令：admin zabbix

可直接登陆

看下它上面涉及的服务器，都挺重要的

从脚本中可以看到，服务器上安装了nmap的，可以直接探测内网，我这里加了个脚本，看了下ip信息

这里用nmap它自带的nmap脚本探测了一下各个服务器的端口，如下：

从中还是得到不少信息

jenkins项目平台

code 区域

http://220.248.19.21:8088/

邮件系统

code 区域

http://211.95.2.35/

直接探测c段，得到的结果如下：

code 区域

"test"的结果
 
 Starting Nmap 5.51 ( http://nmap.org ) at 2016-03-18 20:58 CST
 Nmap scan report for 192.168.0.1
 Host is up (0.00073s latency).
 Not shown: 995 closed ports
 PORT     STATE SERVICE
 53/tcp   open  domain
 687/tcp  open  asipregistry
 1723/tcp open  pptp
 1900/tcp open  upnp
 8080/tcp open  http-proxy
 MAC Address: 00:0D:88:11:29:88 (D-Link)
 
 Nmap scan report for 192.168.0.2
 Host is up (0.00048s latency).
 Not shown: 996 filtered ports
 PORT     STATE  SERVICE
 23/tcp   open   telnet
 80/tcp   open   http
 443/tcp  open   https
 5431/tcp closed park-agent
 MAC Address: 3C:8C:40:CA:F9:F8 (Unknown)
 
 Nmap scan report for 192.168.0.3
 Host is up (0.00038s latency).
 Not shown: 989 filtered ports
 PORT     STATE  SERVICE
 22/tcp   closed ssh
 80/tcp   open   http
 88/tcp   open   kerberos-sec
 389/tcp  open   ldap
 443/tcp  open   https
 514/tcp  open   shell
 636/tcp  open   ldapssl
 902/tcp  closed iss-realsecure
 2020/tcp open   xinupageserver
 6502/tcp closed netop-rc
 8010/tcp closed xmpp
 MAC Address: 00:0C:29:51:D0:69 (VMware)
 
 Nmap scan report for 192.168.0.4
 Host is up (0.00033s latency).
 Not shown: 989 filtered ports
 PORT     STATE  SERVICE
 22/tcp   closed ssh
 80/tcp   open   http
 427/tcp  open   svrloc
 443/tcp  open   https
 902/tcp  open   iss-realsecure
 5988/tcp closed wbem-http
 5989/tcp open   wbem-https
 8000/tcp open   http-alt
 8080/tcp closed http-proxy
 8100/tcp open   xprint-server
 8300/tcp open   tmi
 MAC Address: 14:18:77:32:F1:AE (Unknown)
 
 Nmap scan report for 192.168.0.5
 Host is up (0.00018s latency).
 Not shown: 989 filtered ports
 PORT     STATE  SERVICE
 22/tcp   open   ssh
 80/tcp   open   http
 427/tcp  open   svrloc
 443/tcp  open   https
 902/tcp  open   iss-realsecure
 5988/tcp closed wbem-http
 5989/tcp open   wbem-https
 8000/tcp open   http-alt
 8080/tcp closed http-proxy
 8100/tcp open   xprint-server
 8300/tcp open   tmi
 MAC Address: B0:83:FE:E5:A8:4D (Unknown)
 
 Nmap scan report for 192.168.0.8
 Host is up (0.00089s latency).
 Not shown: 991 filtered ports
 PORT     STATE  SERVICE
 22/tcp   open   ssh
 80/tcp   closed http
 81/tcp   open   hosts2-ns
 3306/tcp open   mysql
 3690/tcp open   svn
 8080/tcp closed http-proxy
 8081/tcp open   blackice-icecap
 8090/tcp open   unknown
 9000/tcp open   cslistener
 MAC Address: 6C:F0:49:46:1A:FC (Giga-byte Technology Co.)
 
 Nmap scan report for 192.168.0.9
 Host is up (0.0047s latency).
 Not shown: 983 filtered ports
 PORT      STATE SERVICE
 53/tcp    open  domain
 80/tcp    open  http
 88/tcp    open  kerberos-sec
 135/tcp   open  msrpc
 139/tcp   open  netbios-ssn
 389/tcp   open  ldap
 445/tcp   open  microsoft-ds
 464/tcp   open  kpasswd5
 593/tcp   open  http-rpc-epmap
 636/tcp   open  ldapssl
 3268/tcp  open  globalcatLDAP
 3269/tcp  open  globalcatLDAPssl
 8800/tcp  open  sunwebadmin
 49154/tcp open  unknown
 49155/tcp open  unknown
 49157/tcp open  unknown
 49158/tcp open  unknown
 MAC Address: 00:0C:29:C1:AF:0D (VMware)
 
 Nmap scan report for 192.168.0.10
 Host is up (0.00012s latency).
 Not shown: 995 closed ports
 PORT     STATE SERVICE
 22/tcp   open  ssh
 80/tcp   open  http
 81/tcp   open  hosts2-ns
 631/tcp  open  ipp
 3306/tcp open  mysql
 MAC Address: 00:0C:29:C1:5B:A3 (VMware)
 
 Nmap scan report for 192.168.0.11
 Host is up (0.00012s latency).
 Not shown: 996 closed ports
 PORT     STATE SERVICE
 22/tcp   open  ssh
 3306/tcp open  mysql
 8009/tcp open  ajp13
 8080/tcp open  http-proxy
 MAC Address: 00:0C:29:A8:25:5B (VMware)
 
 Nmap scan report for 192.168.0.13
 Host is up (0.00021s latency).
 Not shown: 980 closed ports
 PORT      STATE SERVICE
 80/tcp    open  http
 135/tcp   open  msrpc
 139/tcp   open  netbios-ssn
 443/tcp   open  https
 445/tcp   open  microsoft-ds
 2179/tcp  open  vmrdp
 3306/tcp  open  mysql
 3389/tcp  open  ms-term-serv
 6059/tcp  open  X11:59
 8009/tcp  open  ajp13
 8080/tcp  open  http-proxy
 8888/tcp  open  sun-answerbook
 9009/tcp  open  pichat
 49152/tcp open  unknown
 49153/tcp open  unknown
 49154/tcp open  unknown
 49155/tcp open  unknown
 49157/tcp open  unknown
 49158/tcp open  unknown
 49159/tcp open  unknown
 MAC Address: F0:1F:AF:D2:A1:F0 (Unknown)
 
 Nmap scan report for 192.168.0.14
 Host is up (0.00040s latency).
 Not shown: 996 closed ports
 PORT     STATE SERVICE
 22/tcp   open  ssh
 3306/tcp open  mysql
 8009/tcp open  ajp13
 8080/tcp open  http-proxy
 MAC Address: 8C:DC:D4:49:15:50 (Unknown)
 
 Nmap scan report for 192.168.0.15
 Host is up (0.00027s latency).
 Not shown: 997 filtered ports
 PORT     STATE SERVICE
 22/tcp   open  ssh
 3000/tcp open  ppp
 8080/tcp open  http-proxy
 MAC Address: 00:0C:29:47:B9:4F (VMware)
 
 Nmap scan report for 192.168.0.16
 Host is up (0.00024s latency).
 Not shown: 997 filtered ports
 PORT     STATE  SERVICE
 22/tcp   open   ssh
 161/tcp  closed snmp
 3306/tcp open   mysql
 MAC Address: 00:0C:29:99:4E:37 (VMware)
 
 Nmap scan report for 192.168.0.17
 Host is up (0.000020s latency).
 Not shown: 995 closed ports
 PORT     STATE SERVICE
 22/tcp   open  ssh
 80/tcp   open  http
 3306/tcp open  mysql
 8009/tcp open  ajp13
 8080/tcp open  http-proxy
 
 Nmap scan report for 192.168.0.18
 Host is up (0.00055s latency).
 Not shown: 997 filtered ports
 PORT    STATE SERVICE
 22/tcp  open  ssh
 80/tcp  open  http
 443/tcp open  https
 MAC Address: 00:0C:29:23:B0:42 (VMware)
 
 Nmap scan report for 192.168.0.19
 Host is up (0.00033s latency).
 Not shown: 996 closed ports
 PORT     STATE SERVICE
 22/tcp   open  ssh
 3306/tcp open  mysql
 8009/tcp open  ajp13
 8080/tcp open  http-proxy
 MAC Address: 00:0C:29:1B:DA:41 (VMware)
 
 Nmap scan report for 192.168.0.21
 Host is up (0.00055s latency).
 Not shown: 996 filtered ports
 PORT     STATE SERVICE
 21/tcp   open  ftp
 22/tcp   open  ssh
 80/tcp   open  http
 8080/tcp open  http-proxy
 MAC Address: 00:0C:29:C5:B0:A2 (VMware)
 
 Nmap scan report for 192.168.0.22
 Host is up (0.00088s latency).
 Not shown: 990 closed ports
 PORT     STATE SERVICE
 80/tcp   open  http
 135/tcp  open  msrpc
 139/tcp  open  netbios-ssn
 443/tcp  open  https
 445/tcp  open  microsoft-ds
 1029/tcp open  ms-lsa
 3389/tcp open  ms-term-serv
 4899/tcp open  radmin
 5800/tcp open  vnc-http
 5900/tcp open  vnc
 MAC Address: 00:E0:4C:35:17:56 (Realtek Semiconductor)
 
 Nmap scan report for 192.168.0.23
 Host is up (0.00055s latency).
 Not shown: 999 filtered ports
 PORT   STATE SERVICE
 22/tcp open  ssh
 MAC Address: 00:50:56:88:6C:4E (VMware)
 
 Nmap scan report for 192.168.0.24
 Host is up (0.00048s latency).
 Not shown: 999 filtered ports
 PORT   STATE SERVICE
 22/tcp open  ssh
 MAC Address: 00:50:56:88:36:6F (VMware)
 
 Nmap scan report for 192.168.0.25
 Host is up (0.00027s latency).
 Not shown: 995 closed ports
 PORT     STATE SERVICE
 22/tcp   open  ssh
 80/tcp   open  http
 443/tcp  open  https
 8009/tcp open  ajp13
 8888/tcp open  sun-answerbook
 MAC Address: 00:50:56:88:C7:DA (VMware)
 
 Nmap scan report for 192.168.0.26
 Host is up (0.00026s latency).
 Not shown: 995 closed ports
 PORT     STATE SERVICE
 21/tcp   open  ftp
 22/tcp   open  ssh
 80/tcp   open  http
 8009/tcp open  ajp13
 8080/tcp open  http-proxy
 MAC Address: 00:50:56:88:B5:C8 (VMware)
 
 Nmap scan report for 192.168.0.50
 Host is up (0.00062s latency).
 Not shown: 997 closed ports
 PORT    STATE SERVICE
 23/tcp  open  telnet
 80/tcp  open  http
 554/tcp open  rtsp
 MAC Address: 00:0B:82:40:23:E2 (Grandstream Networks)
 
 Nmap scan report for 192.168.0.53
 Host is up (0.00059s latency).
 Not shown: 997 closed ports
 PORT    STATE SERVICE
 23/tcp  open  telnet
 80/tcp  open  http
 554/tcp open  rtsp
 MAC Address: 00:0B:82:40:24:F8 (Grandstream Networks)
 
 Nmap scan report for 192.168.0.55
 Host is up (0.00054s latency).
 Not shown: 997 closed ports
 PORT    STATE SERVICE
 23/tcp  open  telnet
 80/tcp  open  http
 554/tcp open  rtsp
 MAC Address: 00:0B:82:40:25:4F (Grandstream Networks)
 
 Nmap scan report for 192.168.0.56
 Host is up (0.00057s latency).
 Not shown: 997 closed ports
 PORT    STATE SERVICE
 23/tcp  open  telnet
 80/tcp  open  http
 554/tcp open  rtsp
 MAC Address: 00:0B:82:3B:47:FC (Grandstream Networks)
 
 Nmap scan report for 192.168.0.57
 Host is up (0.00057s latency).
 Not shown: 997 closed ports
 PORT    STATE SERVICE
 23/tcp  open  telnet
 80/tcp  open  http
 554/tcp open  rtsp
 MAC Address: 00:0B:82:40:25:6D (Grandstream Networks)
 
 Nmap scan report for 192.168.0.63
 Host is up (0.00050s latency).
 Not shown: 992 filtered ports
 PORT      STATE SERVICE
 80/tcp    open  http
 135/tcp   open  msrpc
 139/tcp   open  netbios-ssn
 445/tcp   open  microsoft-ds
 1433/tcp  open  ms-sql-s
 3306/tcp  open  mysql
 3389/tcp  open  ms-term-serv
 49154/tcp open  unknown
 MAC Address: 90:E6:BA:DB:79:62 (Asustek Computer)
 
 Nmap scan report for 192.168.0.76
 Host is up (0.00030s latency).
 Not shown: 989 closed ports
 PORT      STATE SERVICE
 135/tcp   open  msrpc
 139/tcp   open  netbios-ssn
 445/tcp   open  microsoft-ds
 1521/tcp  open  oracle
 3389/tcp  open  ms-term-serv
 5357/tcp  open  wsdapi
 49152/tcp open  unknown
 49153/tcp open  unknown
 49154/tcp open  unknown
 49155/tcp open  unknown
 49158/tcp open  unknown
 MAC Address: 74:86:7A:F0:CF:AC (Unknown)
 
 Nmap scan report for 192.168.0.89
 Host is up (0.00050s latency).
 Not shown: 993 filtered ports
 PORT     STATE  SERVICE
 21/tcp   open   ftp
 22/tcp   open   ssh
 80/tcp   open   http
 3306/tcp open   mysql
 8009/tcp closed ajp13
 8080/tcp closed http-proxy
 8888/tcp open   sun-answerbook
 MAC Address: C8:1F:66:E5:3C:4F (Unknown)
 
 Nmap scan report for 192.168.0.98
 Host is up (0.00060s latency).
 Not shown: 984 closed ports
 PORT      STATE SERVICE
 81/tcp    open  hosts2-ns
 90/tcp    open  dnsix
 135/tcp   open  msrpc
 139/tcp   open  netbios-ssn
 443/tcp   open  https
 445/tcp   open  microsoft-ds
 2383/tcp  open  ms-olap4
 3306/tcp  open  mysql
 3389/tcp  open  ms-term-serv
 9000/tcp  open  cslistener
 9001/tcp  open  tor-orport
 27000/tcp open  flexlm0
 49152/tcp open  unknown
 49153/tcp open  unknown
 49154/tcp open  unknown
 49155/tcp open  unknown
 MAC Address: 40:A8:F0:5E:B4:A4 (Unknown)
 
 Nmap scan report for 192.168.0.101
 Host is up (0.00072s latency).
 Not shown: 998 filtered ports
 PORT     STATE SERVICE
 2869/tcp open  icslap
 3306/tcp open  mysql
 MAC Address: B0:83:FE:BB:BB:D2 (Unknown)
 
 Nmap scan report for 192.168.0.103
 Host is up (0.00056s latency).
 Not shown: 990 closed ports
 PORT     STATE SERVICE
 80/tcp   open  http
 135/tcp  open  msrpc
 139/tcp  open  netbios-ssn
 445/tcp  open  microsoft-ds
 1801/tcp open  msmq
 2103/tcp open  zephyr-clt
 2105/tcp open  eklogin
 2107/tcp open  msmq-mgmt
 2869/tcp open  icslap
 3306/tcp open  mysql
 MAC Address: B0:83:FE:77:C6:9C (Unknown)
 
 Nmap scan report for 192.168.0.111
 Host is up (0.00020s latency).
 Not shown: 986 closed ports
 PORT     STATE SERVICE
 80/tcp   open  http
 81/tcp   open  hosts2-ns
 135/tcp  open  msrpc
 139/tcp  open  netbios-ssn
 445/tcp  open  microsoft-ds
 1025/tcp open  NFS-or-IIS
 1026/tcp open  LSA-or-nterm
 1723/tcp open  pptp
 3306/tcp open  mysql
 3389/tcp open  ms-term-serv
 6666/tcp open  irc
 8009/tcp open  ajp13
 8080/tcp open  http-proxy
 8088/tcp open  radan-http
 MAC Address: 6C:F0:49:4E:88:94 (Giga-byte Technology Co.)
 
 Nmap scan report for 192.168.0.120
 Host is up (0.00044s latency).
 Not shown: 996 closed ports
 PORT     STATE SERVICE
 22/tcp   open  ssh
 80/tcp   open  http
 443/tcp  open  https
 5900/tcp open  vnc
 MAC Address: 00:26:B9:5C:9B:55 (Dell)
 
 Nmap scan report for 192.168.0.125
 Host is up (0.00036s latency).
 Not shown: 989 closed ports
 PORT      STATE SERVICE
 21/tcp    open  ftp
 80/tcp    open  http
 139/tcp   open  netbios-ssn
 427/tcp   open  svrloc
 443/tcp   open  https
 445/tcp   open  microsoft-ds
 515/tcp   open  printer
 631/tcp   open  ipp
 843/tcp   open  unknown
 9100/tcp  open  jetdirect
 50001/tcp open  unknown
 MAC Address: 00:20:6B:91:E8:7A (Konica Minolta Holdings)
 
 Nmap scan report for 192.168.0.126
 Host is up (0.00046s latency).
 Not shown: 998 closed ports
 PORT      STATE SERVICE
 80/tcp    open  http
 50002/tcp open  iiimsf
 MAC Address: 00:0E:3A:14:A5:76 (Cirrus Logic)
 
 Nmap scan report for 192.168.0.127
 Host is up (0.00048s latency).
 Not shown: 994 closed ports
 PORT     STATE SERVICE
 23/tcp   open  telnet
 80/tcp   open  http
 515/tcp  open  printer
 631/tcp  open  ipp
 8080/tcp open  http-proxy
 9100/tcp open  jetdirect
 MAC Address: 3C:4A:92:BB:E8:C9 (Unknown)
 
 Nmap scan report for 192.168.0.128
 Host is up (0.00031s latency).
 Not shown: 987 closed ports
 PORT     STATE SERVICE
 80/tcp   open  http
 81/tcp   open  hosts2-ns
 82/tcp   open  xfer
 83/tcp   open  mit-ml-dev
 443/tcp  open  https
 515/tcp  open  printer
 631/tcp  open  ipp
 5222/tcp open  xmpp-client
 8080/tcp open  http-proxy
 8291/tcp open  unknown
 8292/tcp open  blp3
 8888/tcp open  sun-answerbook
 9100/tcp open  jetdirect
 MAC Address: A0:B3:CC:9E:1F:39 (Unknown)
 
 Nmap scan report for 192.168.0.130
 Host is up (0.00058s latency).
 Not shown: 994 filtered ports
 PORT      STATE SERVICE
 80/tcp    open  http
 135/tcp   open  msrpc
 445/tcp   open  microsoft-ds
 1433/tcp  open  ms-sql-s
 3306/tcp  open  mysql
 49154/tcp open  unknown
 MAC Address: 90:E6:BA:DB:79:62 (Asustek Computer)
 
 Nmap scan report for 192.168.0.131
 Host is up (0.00055s latency).
 Not shown: 994 filtered ports
 PORT      STATE SERVICE
 80/tcp    open  http
 135/tcp   open  msrpc
 445/tcp   open  microsoft-ds
 1433/tcp  open  ms-sql-s
 3306/tcp  open  mysql
 49154/tcp open  unknown
 MAC Address: 90:E6:BA:DB:79:62 (Asustek Computer)
 
 Nmap scan report for 192.168.0.165
 Host is up (0.00021s latency).
 Not shown: 988 closed ports
 PORT     STATE SERVICE
 21/tcp   open  ftp
 25/tcp   open  smtp
 110/tcp  open  pop3
 135/tcp  open  msrpc
 139/tcp  open  netbios-ssn
 143/tcp  open  imap
 443/tcp  open  https
 445/tcp  open  microsoft-ds
 587/tcp  open  submission
 1433/tcp open  ms-sql-s
 3306/tcp open  mysql
 3389/tcp open  ms-term-serv
 MAC Address: 6C:F0:49:46:F5:B1 (Giga-byte Technology Co.)
 
 Nmap scan report for 192.168.0.199
 Host is up (0.00045s latency).
 Not shown: 997 filtered ports
 PORT     STATE  SERVICE
 22/tcp   open   ssh
 80/tcp   closed http
 5432/tcp open   postgresql
 MAC Address: 00:0C:29:30:3F:34 (VMware)
 
 Nmap scan report for 192.168.0.200
 Host is up (0.0019s latency).
 Not shown: 998 closed ports
 PORT     STATE SERVICE
 23/tcp   open  telnet
 5003/tcp open  filemaker
 MAC Address: 3C:D1:6E:01:A4:99 (Unknown)
 
 Nmap scan report for 192.168.0.201
 Host is up (0.00038s latency).
 Not shown: 992 closed ports
 PORT     STATE SERVICE
 21/tcp   open  ftp
 22/tcp   open  ssh
 80/tcp   open  http
 111/tcp  open  rpcbind
 139/tcp  open  netbios-ssn
 445/tcp  open  microsoft-ds
 873/tcp  open  rsync
 2049/tcp open  nfs
 MAC Address: 8C:DC:D4:43:9C:91 (Unknown)
 
 Nmap scan report for 192.168.0.203
 Host is up (0.00038s latency).
 Not shown: 988 filtered ports
 PORT     STATE  SERVICE
 22/tcp   open   ssh
 25/tcp   open   smtp
 80/tcp   open   http
 110/tcp  open   pop3
 143/tcp  open   imap
 389/tcp  open   ldap
 443/tcp  closed https
 465/tcp  open   smtps
 873/tcp  closed rsync
 993/tcp  open   imaps
 995/tcp  open   pop3s
 5222/tcp closed xmpp-client
 MAC Address: A4:BA:DB:26:45:4F (Dell)
 
 Nmap scan report for 192.168.0.208
 Host is up (0.00049s latency).
 Not shown: 988 filtered ports
 PORT     STATE SERVICE
 22/tcp   open  ssh
 80/tcp   open  http
 81/tcp   open  hosts2-ns
 3306/tcp open  mysql
 8081/tcp open  blackice-icecap
 8082/tcp open  blackice-alerts
 8084/tcp open  unknown
 8085/tcp open  unknown
 8086/tcp open  d-s-n
 8088/tcp open  radan-http
 9000/tcp open  cslistener
 9002/tcp open  dynamid
 MAC Address: 00:24:1D:99:7F:0B (Giga-byte Technology Co.)
 
 Nmap scan report for 192.168.0.209
 Host is up (0.00043s latency).
 Not shown: 985 filtered ports
 PORT     STATE  SERVICE
 22/tcp   open   ssh
 80/tcp   open   http
 111/tcp  open   rpcbind
 443/tcp  open   https
 5989/tcp open   wbem-https
 8009/tcp open   ajp13
 8080/tcp open   http-proxy
 8081/tcp open   blackice-icecap
 8088/tcp open   radan-http
 8089/tcp open   unknown
 8090/tcp open   unknown
 9009/tcp open   pichat
 9080/tcp open   glrpc
 9081/tcp closed unknown
 9090/tcp closed zeus-admin
 MAC Address: C8:1F:66:DE:7D:F8 (Unknown)
 
 Nmap scan report for 192.168.0.225
 Host is up (0.00015s latency).
 Not shown: 998 closed ports
 PORT    STATE SERVICE
 22/tcp  open  ssh
 443/tcp open  https
 MAC Address: 00:50:56:88:54:53 (VMware)
 
 Nmap scan report for 192.168.0.239
 Host is up (0.00023s latency).
 Not shown: 984 closed ports
 PORT      STATE SERVICE
 21/tcp    open  ftp
 80/tcp    open  http
 135/tcp   open  msrpc
 139/tcp   open  netbios-ssn
 445/tcp   open  microsoft-ds
 1433/tcp  open  ms-sql-s
 1521/tcp  open  oracle
 2383/tcp  open  ms-olap4
 3306/tcp  open  mysql
 3389/tcp  open  ms-term-serv
 49152/tcp open  unknown
 49153/tcp open  unknown
 49154/tcp open  unknown
 49155/tcp open  unknown
 49156/tcp open  unknown
 49167/tcp open  unknown
 MAC Address: 74:86:7A:EA:10:B4 (Unknown)
 
 Nmap scan report for 192.168.0.244
 Host is up (0.00030s latency).
 Not shown: 988 closed ports
 PORT      STATE SERVICE
 80/tcp    open  http
 135/tcp   open  msrpc
 139/tcp   open  netbios-ssn
 445/tcp   open  microsoft-ds
 3306/tcp  open  mysql
 3389/tcp  open  ms-term-serv
 8009/tcp  open  ajp13
 8080/tcp  open  http-proxy
 49152/tcp open  unknown
 49153/tcp open  unknown
 49154/tcp open  unknown
 49156/tcp open  unknown
 MAC Address: 74:86:7A:F0:DE:75 (Unknown)
 
 Nmap scan report for 192.168.0.249
 Host is up (0.00027s latency).
 Not shown: 984 closed ports
 PORT      STATE SERVICE
 80/tcp    open  http
 135/tcp   open  msrpc
 139/tcp   open  netbios-ssn
 443/tcp   open  https
 445/tcp   open  microsoft-ds
 3306/tcp  open  mysql
 3389/tcp  open  ms-term-serv
 8009/tcp  open  ajp13
 8080/tcp  open  http-proxy
 8089/tcp  open  unknown
 49152/tcp open  unknown
 49153/tcp open  unknown
 49154/tcp open  unknown
 49155/tcp open  unknown
 49156/tcp open  unknown
 49157/tcp open  unknown
 MAC Address: F8:BC:12:4D:52:A0 (Unknown)
 
 Nmap scan report for 192.168.0.253
 Host is up (0.00040s latency).
 Not shown: 990 filtered ports
 PORT     STATE  SERVICE
 21/tcp   open   ftp
 22/tcp   open   ssh
 80/tcp   open   http
 81/tcp   open   hosts2-ns
 443/tcp  closed https
 631/tcp  closed ipp
 3306/tcp open   mysql
 8000/tcp open   http-alt
 8080/tcp open   http-proxy
 8088/tcp closed radan-http
 MAC Address: 00:26:B9:5C:9B:53 (Dell)
 
 Nmap done: 256 IP addresses (53 hosts up) scanned in 47.40 seconds

可以看到，还是有很多东西的。就不深入了，危害太大了

修复方案：

。。

版权声明：转载请注明来源镱鍚@乌云

漏洞回应

厂商回应：

未能联系到厂商或者厂商积极拒绝

漏洞Rank：15 (WooYun评价)

漏洞评价：

对本漏洞信息进行评价，以更好的反馈信息的价值，包括信息客观性，内容是否完整以及是否具备学习价值

P2P金融安全之卡得万利某处命令执行影响多台重要服务器（自带nmap威胁内网安全）

漏洞概要关注数(2) 关注此漏洞

缺陷编号： WooYun-2016-186380

漏洞标题： P2P金融安全之卡得万利某处命令执行影响多台重要服务器（自带nmap威胁内网安全）

相关厂商：卡得万利

漏洞作者：镱鍚

提交时间： 2016-03-20 23:31

公开时间： 2016-05-04 23:31

漏洞类型：服务弱口令

危害等级：高

自评Rank： 20

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源：www.wooyun.org ，如有疑问或需要帮助请联系

Tags标签：第三方框架

1人收藏

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源镱鍚@乌云

漏洞回应

厂商回应：

漏洞评价：

漏洞评价(共0人评价):

登陆后才能进行评分

评价

WooYun.org-优酷多个分站存在SSRF漏洞大礼包

WooYun.org-优特捷某内部邮箱账户外泄涉及大量敏感信息(多家合作单位躺枪)

WooYun.org-某网平行权限漏洞（影响所有使用用户）

Bypass分享 | 形而上学，不行退学的一句话

格兰仕千万数据库信息泄露

3399游戏源码下载

WEFANS喂饭后台弱口令

国家电网某充电APP系统Getshell涉及大量用户敏感信息

威锋网游戏站存在SQL注入（含多重绕过+编码）

APP安全之三维度从一个毫无用处的xss到获取大量身份证信息图片(包括李刚身份证)

发表评论

在线咨询

微信

漏洞概要 关注数(2) 关注此漏洞

缺陷编号： WooYun-2016-186380

漏洞标题： P2P金融安全之卡得万利某处命令执行影响多台重要服务器（自带nmap威胁内网安全）

相关厂商： 卡得万利

漏洞作者： 镱鍚

提交时间： 2016-03-20 23:31

公开时间： 2016-05-04 23:31

漏洞类型： 服务弱口令

危害等级： 高

自评Rank： 20

漏洞状态： 未联系到厂商或者厂商积极忽略

漏洞来源：www.wooyun.org ，如有疑问或需要帮助请联系

Tags标签： 第三方框架

1人收藏

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 镱鍚@乌云

漏洞回应

厂商回应：

漏洞评价：

漏洞评价(共0人评价): 登陆后才能进行评分

评价

发表评论

在线咨询

微信

漏洞概要关注数(2) 关注此漏洞

相关厂商：卡得万利

漏洞作者：镱鍚

漏洞类型：服务弱口令

危害等级：高

漏洞状态：未联系到厂商或者厂商积极忽略

Tags标签：第三方框架

版权声明：转载请注明来源镱鍚@乌云

漏洞评价(共0人评价):

登陆后才能进行评分