China Southern Power Grid (中国南方电网): from getshell to roaming the intranet

admin | 2017-03-26 00:16:13
Summary

2016-03-21: Details reported to the vendor, awaiting vendor handling
2016-03-21: Vendor confirmed; details visible to the vendor only
2016-03-31: Details disclosed to core white hats and domain experts
2016-04-10: Details disclosed to regular white hats
2016-04-20: Details disclosed to intern white hats
2016-05-05: Details disclosed to the public

Vulnerability summary

Defect ID: WooYun-2016-187216

Title: China Southern Power Grid: from getshell to roaming the intranet

Vendor: China Southern Power Grid (中国南方电网)

Author: 镱鍚

Submitted: 2016-03-21 11:52

Published: 2016-05-05 15:43

Type: weak service credentials

Severity: High

Self-assessed rank: 20

Status: confirmed by vendor

Source: www.wooyun.org

Tags: intranet, getshell



Vulnerability details


Brief description:

As in the title.

Detailed description:

(PS: could I get a high rank?? ^_^)

Code:
http://116.55.241.7:9091/manager/html
Tomcat weak credentials: both / tomcat (username / password)

[screenshot omitted]
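For /manager/html to accept `both` / `tomcat`, that pair had to be enabled and given a manager role in conf/tomcat-users.xml; it is one of the sample accounts Tomcat ships commented out in that file. As an added example (not code from the report), the Python below audits a tomcat-users.xml for manager-capable users with sample or short passwords and checks whether the manager application's META-INF/context.xml restricts client addresses with RemoteAddrValve, showing the weak configuration next to a hardened one. All four XML documents are constructed for the example; the weak-credential list, the 12-character minimum and the placeholder password are this example's own choices.

```python
"""Audit Tomcat's tomcat-users.xml and the manager app's context.xml.

Added example for this write-up, not code from the original report.
All four XML documents below are constructed; the weak-credential list,
the 12-character minimum and the placeholder password are choices made
for this example.
"""
import xml.etree.ElementTree as ET

# Roles that reach the manager/host-manager apps: the pre-Tomcat-7 "manager"
# role plus the split roles used from Tomcat 7 onward.
MANAGER_ROLES = {"manager", "manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}

# Sample pairs shipped (commented out) in Tomcat's tomcat-users.xml plus a
# few pairs common in default-credential lists. Extend to taste.
WEAK_CREDS = {("tomcat", "tomcat"), ("both", "tomcat"), ("role1", "tomcat"),
              ("admin", "admin"), ("admin", "tomcat"), ("manager", "manager")}
MIN_PASSWORD_LEN = 12

# Constructed: the sample account uncommented and promoted to a manager role,
# which is what the report's finding implies.
WEAK_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="tomcat"/>
  <role rolename="manager-gui"/>
  <user username="both" password="tomcat" roles="tomcat,manager-gui"/>
  <user username="role1" password="tomcat" roles="tomcat"/>
</tomcat-users>
"""

# Constructed: unique name, long random password (placeholder value here).
HARDENED_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="ops-deployer" password="Xq7!v9Lr2#mP8zTw" roles="manager-gui"/>
</tomcat-users>
"""

# Manager context.xml with no address restriction at all.
MANAGER_CONTEXT_DEFAULT = """<Context antiResourceLocking="false" privileged="true"/>"""

# Same file with the RemoteAddrValve that Tomcat ships commented out, enabled.
MANAGER_CONTEXT_HARDENED = r"""<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
</Context>
"""


def _local(tag):
    """Strip an XML namespace ({uri}name -> name); Tomcat 7+ files use one."""
    return tag.rsplit("}", 1)[-1] if isinstance(tag, str) else ""


def audit_tomcat_users(xml_text):
    """Return [(username, reason)] for users holding a manager role whose
    password is a known sample pair or shorter than MIN_PASSWORD_LEN.
    Assumes plaintext passwords (no CredentialHandler digesting)."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if not roles & MANAGER_ROLES:
            continue  # cannot reach /manager, so cannot deploy a WAR
        if (name, password) in WEAK_CREDS:
            findings.append((name, "sample/default credential pair"))
        elif len(password) < MIN_PASSWORD_LEN:
            findings.append((name, "password shorter than %d chars" % MIN_PASSWORD_LEN))
    return findings


def manager_open_to_any_address(context_xml):
    """True when the manager context has no RemoteAddrValve/RemoteCIDRValve
    with an allow list, i.e. the login prompt is reachable from anywhere."""
    for el in ET.fromstring(context_xml).iter():
        if _local(el.tag) != "Valve":
            continue
        cls = el.get("className", "")
        if cls.endswith(("RemoteAddrValve", "RemoteCIDRValve")) and el.get("allow"):
            return False
    return True


if __name__ == "__main__":
    print("weak users    :", audit_tomcat_users(WEAK_USERS_XML))
    print("hardened users:", audit_tomcat_users(HARDENED_USERS_XML))
    print("manager open to any address (default) :", manager_open_to_any_address(MANAGER_CONTEXT_DEFAULT))
    print("manager open to any address (hardened):", manager_open_to_any_address(MANAGER_CONTEXT_HARDENED))
```

Run it with no arguments to audit the embedded documents; for a live install, read conf/tomcat-users.xml and webapps/manager/META-INF/context.xml into the two functions. Digested passwords (a CredentialHandler on the Realm) are not recognised, and the text interface under /manager/text has the same exposure as the HTML one, so restrict the manager at the valve and at the network edge rather than relying on the password alone; an internet-facing manager on port 9091, as here, should not exist at all.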

A quick deploy through the manager application, and we have a shell:

Code:
http://116.55.241.7:9091/job/index.jsp

[screenshot omitted]
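On the defender's side, the deploy-and-shell step above leaves a clear trail in Tomcat's access log: a run of 401s against /manager/html, a 200 with an authenticated user, a request to one of the manager's deploy endpoints, and then the first hits on a context path (here /job) that did not exist before. As an added example, not code from the report, the Python below runs that logic over constructed log lines in Tomcat's default "common" AccessLogValve pattern; the attacker address 203.0.113.5 (TEST-NET-3), the timestamps, the /existingapp context and the five-failure threshold are all choices made for this example.

```python
"""Spot a manager-app deploy followed by use of a new context in Tomcat
access logs. Added example; not the report's code. The log lines are
constructed (attacker 203.0.113.5 from TEST-NET-3, timestamps, the
/existingapp context) and follow Tomcat's default "common" pattern:
%h %l %u %t "%r" %s %b
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Endpoints through which the manager app installs a new WAR: the HTML
# upload/deploy forms, the Tomcat 7+ text interface, the Tomcat 6 one.
DEPLOY_ENDPOINTS = {"/manager/html/upload", "/manager/html/deploy",
                    "/manager/text/deploy", "/manager/deploy"}
BRUTE_THRESHOLD = 5  # a browser produces one 401 per login; a guesser many

SAMPLE_LOG = """\
10.180.201.12 - - [21/Mar/2016:11:39:50 +0800] "GET /existingapp/ HTTP/1.1" 200 77
203.0.113.5 - - [21/Mar/2016:11:40:01 +0800] "GET /manager/html HTTP/1.1" 401 2536
203.0.113.5 - - [21/Mar/2016:11:40:02 +0800] "GET /manager/html HTTP/1.1" 401 2536
203.0.113.5 - - [21/Mar/2016:11:40:03 +0800] "GET /manager/html HTTP/1.1" 401 2536
203.0.113.5 - - [21/Mar/2016:11:40:04 +0800] "GET /manager/html HTTP/1.1" 401 2536
203.0.113.5 - - [21/Mar/2016:11:40:05 +0800] "GET /manager/html HTTP/1.1" 401 2536
203.0.113.5 - both [21/Mar/2016:11:40:09 +0800] "GET /manager/html HTTP/1.1" 200 18213
203.0.113.5 - both [21/Mar/2016:11:41:30 +0800] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=1A2B HTTP/1.1" 200 18540
203.0.113.5 - - [21/Mar/2016:11:41:45 +0800] "GET /job/index.jsp HTTP/1.1" 200 4120
203.0.113.5 - - [21/Mar/2016:11:42:10 +0800] "POST /job/index.jsp HTTP/1.1" 200 9981
198.51.100.7 - - [21/Mar/2016:11:42:11 +0800] "GET /manager/html HTTP/1.1" 401 2536
10.180.201.12 - - [21/Mar/2016:11:42:12 +0800] "GET /existingapp/ HTTP/1.1" 200 77
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["path"] = e["target"].split("?", 1)[0]  # drop the query string
    return e


def context_of(path):
    """First path segment as a Tomcat context ("/" for the ROOT context)."""
    return "/" + path.split("/")[1] if path.startswith("/") else "/"


def analyze(lines):
    """Return brute-force sources, deploy events and the first hit on each
    context that was not seen before the first deploy."""
    failed = Counter()
    baseline = set()  # contexts seen before any deploy
    deploys, new_hits, reported = [], [], set()
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e["path"].startswith("/manager"):
            if e["status"] == 401:
                failed[e["ip"]] += 1
            elif e["status"] == 200 and e["user"] != "-" and e["path"] in DEPLOY_ENDPOINTS:
                deploys.append((e["ip"], e["user"], e["ts"]))
            continue
        ctx = context_of(e["path"])
        if not deploys:
            baseline.add(ctx)
        elif ctx not in baseline and ctx not in reported:
            reported.add(ctx)
            new_hits.append((e["ip"], e["path"], e["ts"]))
    brute = [(ip, n) for ip, n in failed.items() if n >= BRUTE_THRESHOLD]
    return {"bruteforce": brute, "deploys": deploys, "new_context_hits": new_hits}


if __name__ == "__main__":
    for kind, rows in analyze(SAMPLE_LOG.splitlines()).items():
        print(kind)
        for row in rows:
            print("   ", row)
```

Point it at a real localhost_access_log by passing the file's lines to analyze(). The baseline of known contexts is built from traffic before the first deploy, so feed it a window that starts well before the suspected deploy, and keep in mind that a legitimate deploy by an operator produces the same three-stage pattern; the source address and the timing are what separate the two.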

A quick look around shows it is a machine on the internal network, and the privileges are fairly high.

[screenshots omitted]

Then the intranet roaming began. First, an apology to the vendor: I don't know how, but your site became intermittently unreachable because of this, so I only did a light probe and did not dare go any deeper.

Web services exposed on the intranet (URL, page title and Server header as reported by the probe):

Code:
http://10.180.201.163:8081 >> Welcome to JBoss™>>Apache-Coyote/1.1 >>Success
http://10.180.201.228:8080 >> Yunnan OMS interface (云南OMS接口)>>Apache-Coyote/1.1 >>Success
http://10.180.201.229:8081 >> Apache Tomcat>>Apache-Coyote/1.1 >>Success
http://10.180.201.235:80 >> >>GoAhead-Webs >>Success
http://10.180.201.240:80 >> >>MoxaHttp/1.0 >>Success
http://10.180.201.241:80 >> Oracle HTTP Server Index>>Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.5f mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25 >>Success
http://10.180.201.243:80 >> Oracle HTTP Server Index>>Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.5f mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25 >>Success
http://10.180.201.242:80 >> System login (系统登录)>>Apache-Coyote/1.1 >>Success
http://10.180.201.246:80 >> Oracle HTTP Server Index>>Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.5f mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25 >>Success
http://10.180.201.253:80 >> >>MoxaHttp/1.0 >>Success
http://10.180.201.245:8081 >> Apache Tomcat>>Apache-Coyote/1.1 >>Success

Two of these banners belong to embedded web servers rather than application servers: MoxaHttp/1.0 is the management interface on Moxa industrial networking devices (NPort serial device servers and similar), and GoAhead-Webs is the GoAhead embedded server used in network appliances. The three Oracle HTTP Server hosts report Apache/1.3.22 with OpenSSL/0.9.6b, both 2001-era releases.

[screenshots omitted]

Open ports on the intranet (the sweep covered 21, 80, 135, 443, 1521, 3389 and 8080, which is why the 8081 services appear only in the web listing above; the raw output listed every host twice and is collapsed here to one line per host):

Code:
10.180.201.161: 135, 3389
10.180.201.163: 1521
10.180.201.170: 3389
10.180.201.225: 135, 3389
10.180.201.226: 135, 3389
10.180.201.228: 135, 3389, 8080
10.180.201.229: 135, 3389
10.180.201.230: 21, 1521
10.180.201.231: 21, 1521
10.180.201.232: 21, 1521
10.180.201.233: 21, 1521
10.180.201.234: 21, 1521
10.180.201.235: 80, 443
10.180.201.238: 135, 3389
10.180.201.240: 80
10.180.201.241: 80, 135, 443, 3389
10.180.201.242: 80, 135, 3389
10.180.201.243: 80, 135, 443, 3389
10.180.201.244: 135, 3389
10.180.201.245: 21, 80, 135, 3389
10.180.201.246: 80, 135, 443, 1521, 3389
10.180.201.247: 21, 135, 3389
10.180.201.248: 135, 3389
10.180.201.249: 135, 443, 1521, 3389
10.180.201.250: 21, 1521
10.180.201.251: 135, 3389
10.180.201.252: 21
10.180.201.253: 80
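The two listings above (the web banners and the open ports) came from what the author later describes in the comments as a community intranet-probing script. As an added example that is not that script, the Python below reproduces both outputs: a sequential TCP connect sweep over the same fixed port set, a per-host summary that collapses the duplicated observations the raw output contains, and an HTTP/1.0 fetch that extracts the title and Server header in the report's own `url >> title>>server >>Success` format. The open-port table and the two HTTP responses are constructed so that it runs offline; pass probe=tcp_open and fetch=http_banner to run it for real, and keep concurrency at one and the timeouts short, since the author notes the target site became intermittently unreachable during probing and several of the hosts are embedded devices.

```python
"""Intranet sweep in the shape of the report's two listings: per-host open
ports, then "url >> title>>server >>Success" for HTTP ports.

Added example; not the script the author used. FAKE_OPEN and FAKE_RESPONSES
are constructed so the module runs offline; pass probe=tcp_open and
fetch=http_banner to run it against real hosts.
"""
import html
import re
import socket
from collections import defaultdict

SWEEP_PORTS = (21, 80, 135, 443, 1521, 3389, 8080)  # the set the report's sweep covered
WEB_PORTS = (80, 8080, 8081)                        # ports present in the web listing
TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)


def _octets(host):
    """Sort key so 10.x.x.9 comes before 10.x.x.10."""
    return tuple(int(x) for x in host.split("."))


def tcp_open(host, port, timeout=1.0):
    """Plain TCP connect, one at a time with a short timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_banner(host, port, timeout=3.0):
    """Fetch / with HTTP/1.0 (no chunked bodies) and return the raw response."""
    req = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    chunks, total = [], 0
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        while total < 65536:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
            total += len(data)
    return b"".join(chunks).decode("utf-8", "replace")


def sweep(hosts, ports=SWEEP_PORTS, probe=tcp_open):
    """Return the set of (host, port) pairs that accepted a connection."""
    return {(h, p) for h in hosts for p in ports if probe(h, p)}


def summarize(open_pairs):
    """Group open ports by host, collapsing duplicate observations."""
    by_host = defaultdict(set)
    for h, p in open_pairs:
        by_host[h].add(p)
    return [(h, sorted(by_host[h])) for h in sorted(by_host, key=_octets)]


def parse_http_response(raw):
    """Extract (title, Server header) from a raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    server = ""
    for hdr in head.split("\r\n")[1:]:
        name, _, value = hdr.partition(":")
        if name.strip().lower() == "server":
            server = value.strip()
    m = TITLE_RE.search(body)
    title = html.unescape(" ".join(m.group(1).split())) if m else ""
    return title, server


def web_line(host, port, raw):
    title, server = parse_http_response(raw)
    return f"http://{host}:{port} >> {title}>>{server} >>Success"


def web_listing(open_pairs, fetch=http_banner, ports=WEB_PORTS):
    """One report line per open web port; ports that refuse HTTP are skipped."""
    lines = []
    for h, p in sorted(open_pairs, key=lambda hp: (_octets(hp[0]), hp[1])):
        if p not in ports:
            continue
        try:
            lines.append(web_line(h, p, fetch(h, p)))
        except OSError:
            continue
    return lines


# Constructed data for the offline run (two hosts from the report's range).
FAKE_OPEN = {("10.180.201.228", 135), ("10.180.201.228", 3389), ("10.180.201.228", 8080),
             ("10.180.201.163", 1521), ("10.180.201.163", 8081)}
FAKE_RESPONSES = {
    ("10.180.201.228", 8080): "HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\nContent-Type: text/html\r\n\r\n"
                              "<html><head><title>Apache Tomcat</title></head><body></body></html>",
    ("10.180.201.163", 8081): "HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n\r\n"
                              "<html><head><title>Welcome to JBoss&trade;</title></head></html>",
}


def fake_probe(host, port):
    return (host, port) in FAKE_OPEN


def fake_fetch(host, port):
    if (host, port) not in FAKE_RESPONSES:
        raise OSError("connection refused")
    return FAKE_RESPONSES[(host, port)]


if __name__ == "__main__":
    found = sweep(["10.180.201.163", "10.180.201.228"], ports=SWEEP_PORTS + (8081,), probe=fake_probe)
    for host, ports in summarize(found):
        print(host, ports)
    for line in web_listing(found, fetch=fake_fetch):
        print(line)
```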

I'll stop here. The impact is considerable; please fix this promptly ^_^

Proof of vulnerability:

(Identical to the detailed description above.)

Fix recommendation:

..

Copyright: credit the source when reposting: 镱鍚@WooYun (乌云)


Vulnerability response

Vendor response:

Severity: Medium

Rank: 5

Confirmed: 2016-03-21 15:43

Vendor reply:

Thanks for your attention.

Latest status:

None




Comments

  1. 2016-03-21 13:23 | 晓庄 (passer-by | Rank: 29, vulns: 7 | Make money.)

    Bro, I want my electricity bill topped up.

  2. 2016-03-21 14:59 | 绝对领域 (passer-by | Rank: 27, vulns: 3 | big-time code monkey and net admin)

    Me too, I want my electricity bill topped up.

  3. 2016-03-21 16:40 | 镱鍚 (regular white hat | Rank: 302, vulns: 42 | Hand in hand the years leave their fragrance, a song sets the past soaring...)

    @中国南方电网 Couldn't you give a bit more...

  4. 2016-03-21 16:47 | 暴走 (regular white hat | Rank: 615, vulns: 107 | Focused on the finishing blow.)

    @镱鍚 Far too little indeed! Giving that little is the admin telling you: bro, stop submitting our holes, my life was just getting comfortable and you come along and embarrass me!

  5. 2016-05-27 11:39 | 灰黑化肥会挥发 (passer-by | Rank: 0, vulns: 1 | Hi)

    Mark. I want my electricity bill topped up, haha.

  6. 2016-05-27 11:42 | 灰黑化肥会挥发 (passer-by | Rank: 0, vulns: 1 | Hi)

    What tool is that which grabs banners in bulk? @镱鍚

  7. 2016-05-27 12:22 | 镱鍚 (regular white hat | Rank: 302, vulns: 42 | Hand in hand the years leave their fragrance, a song sets the past soaring...)

    @灰黑化肥会挥发 Just an intranet-probing script from the community.
