Vulnerability Summary

Defect ID: wooyun-2015-0161160

Title: getshell on the office-system server of a unit directly under the Sichuan Provincial Department of Education

Vendor: 四川省教育厅 (Sichuan Provincial Department of Education)

Author: 朱元璋

Submitted: 2015-12-14 15:44

Fixed: 2016-01-28 17:10

Published: 2016-01-28 17:10

Type: system/service patches not applied in time

Severity: High

Self-assessed Rank: 15

Status: handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability Details

Disclosure status:

2015-12-14: Details sent to the vendor; awaiting the vendor's response
2015-12-18: Vendor confirmed; details visible to the vendor only
2015-12-28: Details opened to core white hats and domain experts
2016-01-07: Details opened to regular white hats
2016-01-17: Details opened to intern white hats
2016-01-28: Details opened to the public

Brief description:

Details:

[screenshot: 0.png]


The system at http://**.**.**.**:8080/welcome.action has a command-execution vulnerability. (Port 8080 is bound by the Java process javaw.exe, PID 2600, as the netstat and tasklist output in the proof below shows, and that process runs as the local Administrator.)

[screenshot: 00.png]


A webshell (trojan) was then uploaded straight to the server.

[screenshot: 1.png]

[screenshot: 2.jpg]

Proof of vulnerability (webshell session):

[*] Drive list [ C: D: E: F: G: ]
D:\jksoa\web\> whoami
svctag-2kx2q2x\administrator
D:\jksoa\web\> netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP **.**.**.**:80 **.**.**.**:0 LISTENING 4
TCP **.**.**.**:135 **.**.**.**:0 LISTENING 712
TCP **.**.**.**:445 **.**.**.**:0 LISTENING 4
TCP **.**.**.**:800 **.**.**.**:0 LISTENING 4
TCP **.**.**.**:1025 **.**.**.**:0 LISTENING 456
TCP **.**.**.**:1290 **.**.**.**:0 LISTENING 2600
TCP **.**.**.**:1433 **.**.**.**:0 LISTENING 1612
TCP **.**.**.**:7323 **.**.**.**:0 LISTENING 1432
TCP **.**.**.**:8080 **.**.**.**:0 LISTENING 2600
TCP **.**.**.**:1026 **.**.**.**:0 LISTENING 2528
TCP **.**.**.**:1035 **.**.**.**:1036 ESTABLISHED 688
TCP **.**.**.**:1036 **.**.**.**:1035 ESTABLISHED 688
TCP **.**.**.**:1289 **.**.**.**:1291 ESTABLISHED 2980
TCP **.**.**.**:1291 **.**.**.**:1289 ESTABLISHED 2600
TCP **.**.**.**:1433 **.**.**.**:42311 ESTABLISHED 1612
TCP **.**.**.**:1433 **.**.**.**:42826 ESTABLISHED 1612
TCP **.**.**.**:1433 **.**.**.**:42827 ESTABLISHED 1612
TCP **.**.**.**:1433 **.**.**.**:42828 ESTABLISHED 1612
TCP **.**.**.**:1433 **.**.**.**:42829 ESTABLISHED 1612
TCP **.**.**.**:1433 **.**.**.**:42830 ESTABLISHED 1612
TCP **.**.**.**:6802 **.**.**.**:0 LISTENING 2600
TCP **.**.**.**:8005 **.**.**.**:0 LISTENING 1468
TCP **.**.**.**:42311 **.**.**.**:1433 ESTABLISHED 2600
TCP **.**.**.**:42826 **.**.**.**:1433 ESTABLISHED 2600
TCP **.**.**.**:42827 **.**.**.**:1433 ESTABLISHED 2600
TCP **.**.**.**:42828 **.**.**.**:1433 ESTABLISHED 2600
TCP **.**.**.**:42829 **.**.**.**:1433 ESTABLISHED 2600
TCP **.**.**.**:42830 **.**.**.**:1433 ESTABLISHED 2600
TCP **.**.**.**:139 **.**.**.**:0 LISTENING 4
TCP **.**.**.**:1433 **.**.**.**:3801 ESTABLISHED 1612
TCP **.**.**.**:1433 **.**.**.**:42597 ESTABLISHED 1612
TCP **.**.**.**:1433 **.**.**.**:42831 ESTABLISHED 1612
TCP **.**.**.**:1433 **.**.**.**:42832 ESTABLISHED 1612
TCP **.**.**.**:1433 **.**.**.**:42833 ESTABLISHED 1612
TCP **.**.**.**:1433 **.**.**.**:42834 ESTABLISHED 1612
TCP **.**.**.**:1433 **.**.**.**:42835 ESTABLISHED 1612
TCP **.**.**.**:8080 **.**.**.**:56898 CLOSE_WAIT 2600
TCP **.**.**.**:8080 **.**.**.**:60092 CLOSE_WAIT 2600
TCP **.**.**.**:8080 **.**.**.**:4279 ESTABLISHED 2600
TCP **.**.**.**:8080 **.**.**.**:4280 ESTABLISHED 2600
TCP **.**.**.**:8080 **.**.**.**:4281 ESTABLISHED 2600
TCP **.**.**.**:8080 **.**.**.**:3418 ESTABLISHED 2600
TCP **.**.**.**:8080 **.**.**.**:4382 ESTABLISHED 2600
TCP **.**.**.**:8080 **.**.**.**:4383 ESTABLISHED 2600
TCP **.**.**.**:8080 **.**.**.**:44953 CLOSE_WAIT 2600
TCP **.**.**.**:8080 **.**.**.**:44961 CLOSE_WAIT 2600
TCP **.**.**.**:8080 **.**.**.**:9268 ESTABLISHED 2600
TCP **.**.**.**:8080 **.**.**.**:9281 ESTABLISHED 2600
TCP **.**.**.**:8080 **.**.**.**:2374 CLOSE_WAIT 2600
TCP **.**.**.**:13734 **.**.**.**:80 ESTABLISHED 1724
TCP **.**.**.**:40171 **.**.**.**:80 ESTABLISHED 1724
TCP **.**.**.**:42597 **.**.**.**:1433 ESTABLISHED 2600
TCP **.**.**.**:42831 **.**.**.**:1433 ESTABLISHED 2600
TCP **.**.**.**:42832 **.**.**.**:1433 ESTABLISHED 2600
TCP **.**.**.**:42833 **.**.**.**:1433 ESTABLISHED 2600
TCP **.**.**.**:42834 **.**.**.**:1433 ESTABLISHED 2600
TCP **.**.**.**:42835 **.**.**.**:1433 ESTABLISHED 2600
UDP **.**.**.**:161 *:* 1644
UDP **.**.**.**:445 *:* 4
UDP **.**.**.**:1045 *:* 1432
UDP **.**.**.**:1295 *:* 1724
UDP **.**.**.**:1319 *:* 2564
UDP **.**.**.**:1320 *:* 2564
UDP **.**.**.**:1322 *:* 2564
UDP **.**.**.**:1434 *:* 1612
UDP **.**.**.**:3600 *:* 1724
UDP **.**.**.**:7323 *:* 1432
UDP **.**.**.**:8153 *:* 2564
UDP **.**.**.**:123 *:* 860
UDP **.**.**.**:1027 *:* 860
UDP **.**.**.**:1410 *:* 1724
UDP **.**.**.**:123 *:* 860
UDP **.**.**.**:137 *:* 4
UDP **.**.**.**:138 *:* 4
D:\jksoa\web\> tasklist /svc
Image Name PID Services
========================= ======== ============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 324 N/A
csrss.exe 372 N/A
winlogon.exe 396 N/A
services.exe 444 Eventlog, PlugPlay
lsass.exe 456 HTTPFilter, ProtectedStorage, SamSs
svchost.exe 608 DcomLaunch
BaiduProtect.exe 688 BDSGRTP
svchost.exe 712 RpcSs
svchost.exe 824 Dhcp, Dnscache
svchost.exe 860 LmHosts, W32Time
svchost.exe 888 AeLookupSvc, AudioSrv, BITS, Browser,
CryptSvc, dmserver, EventSystem, HidServ,
lanmanserver, lanmanworkstation, Netman,
Nla, RasMan, Schedule, seclogon, SENS,
SharedAccess, ShellHWDetection, winmgmt,
wuauserv, WZCSVC
ZhuDongFangYu.exe 916 ZhuDongFangYu
spoolsv.exe 1368 Spooler
srvany.exe 1392 360杀毒升级 (360 antivirus updater)
360Upd.exe 1432 N/A
tomcat6.exe 1468 chineseallTomcat
inetinfo.exe 1588 IISADMIN
sqlservr.exe 1612 MSSQLSERVER
snmp.exe 1644 SNMP
svchost.exe 2068 W3SVC
svchost.exe 2392 TermService
alg.exe 2528 ALG
wmiprvse.exe 2568 N/A
MinerWatch.exe 2712 N/A
wmiprvse.exe 2732 N/A
svchost.exe 3208 TapiSrv
explorer.exe 2024 N/A
360rp.exe 2564 N/A
MtxHotPlugService.exe 560 N/A
360tray.exe 1724 N/A
ctfmon.exe 2724 N/A
360sd.exe 2812 N/A
sqlmangr.exe 2872 N/A
httpd.exe 2164 N/A
conime.exe 2932 N/A
java.exe 2980 N/A
javaw.exe 2600 N/A
logon.scr 2028 N/A
SDIS.exe 348 N/A
cmd.exe 10376 N/A
ftp.exe 10412 N/A
cmd.exe 10592 N/A
ftp.exe 10772 N/A
cmd.exe 15132 N/A
ftp.exe 15264 N/A
cmd.exe 11848 N/A
ftp.exe 14656 N/A
cmd.exe 16304 N/A
ftp.exe 15200 N/A
cmd.exe 23544 N/A
ftp.exe 23572 N/A
cmd.exe 28324 N/A
ftp.exe 28292 N/A
cmd.exe 27528 N/A
ftp.exe 27360 N/A
cmd.exe 27392 N/A
ftp.exe 27888 N/A
cmd.exe 28336 N/A
ftp.exe 27768 N/A
cmd.exe 27172 N/A
tasklist.exe 27240 N/A
D:\jksoa\web\> ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : svctag-2kx2q2x
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client)
Physical Address. . . . . . . . . : 00-26-B9-29-A5-CD
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client) #2
Physical Address. . . . . . . . . : 00-26-B9-29-A5-CC
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : **.**.**.**
Subnet Mask . . . . . . . . . . . : **.**.**.**
Default Gateway . . . . . . . . . : **.**.**.**
DNS Servers . . . . . . . . . . . : **.**.**.**
**.**.**.**
D:\jksoa\web\> systeminfo
Host Name: SVCTAG-2KX2Q2X
OS Name: Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version: 5.2.3790 Service Pack 2 Build 3790
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: scjks
Registered Organization: scjks
Product ID: 69819-640-9086892-45385
Original Install Date: 2013-8-6, 10:15:11
System Up Time: 20 Days, 3 Hours, 39 Mins, 2 Secs
System Manufacturer: Dell Inc.
System Model: PowerEdge R410
System Type: X86-based PC
Processor(s): 4 Processor(s) Installed.
[01]: x86 Family 6 Model 26 Stepping 5 GenuineIntel ~1995 Mhz
[02]: x86 Family 6 Model 26 Stepping 5 GenuineIntel ~1995 Mhz
[03]: x86 Family 6 Model 26 Stepping 5 GenuineIntel ~1995 Mhz
[04]: x86 Family 6 Model 26 Stepping 5 GenuineIntel ~1995 Mhz
BIOS Version: DELL - 1
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: zh-cn;Chinese (China)
Input Locale: zh-cn;Chinese (China)
Time Zone: (GMT+08:00) Beijing, Chongqing, Hong Kong SAR, Urumqi
Total Physical Memory: 2,038 MB
Available Physical Memory: 66 MB
Page File: Max Size: 3,937 MB
Page File: Available: 1,459 MB
Page File: In Use: 2,478 MB
Page File Location: C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\SVCTAG-2KX2Q2X
Hotfix(s): 549 Hotfix(s) Installed.
[01]-[267]: File 1 (267 identical "File 1" entries, collapsed here)
[268]: Q147222
[269]: KB2656358 - QFE
[270]: KB2742604 - QFE
[271]: KB2894845 - QFE
[272]: KB2898860 - QFE
[273]: KB2901115 - QFE
[274]: KB2931352 - QFE
[275]: KB2972207 - QFE
[276]: KB2978114 - QFE
[277]: KB3023211 - QFE
[278]: KB3037572 - QFE
[279]: KB933854 - QFE
[280]: KB979907 - QFE
[281]: KB975558_WM8
[282]: KB925398_WMP64
[283]: KB2510531-IE8 - Update
[284]: KB2909210-IE8 - Update
[285]: KB2962872-IE8 - Update
[286]: KB2976627-IE8
Network Card(s): 2 NIC(s) Installed.
[01]: Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client)
Connection Name: Local Area Connection
Status: Media disconnected
[02]: Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client)
Connection Name: Local Area Connection 2
DHCP Enabled: No
IP address(es)
[01]: **.**.**.**
D:\jksoa\web\>
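The netstat, tasklist and whoami output above is the raw record; what an analyst wants from it is the join: which process owns each bound port (here 8080 belongs to javaw.exe, 1433 to sqlservr.exe, 161/UDP to snmp.exe), and whether the process list shows patterns worth a second look (here, many cmd.exe/ftp.exe pairs). The following Python helper is an added example and is not part of the original report or of the compromised system; its sample input is a constructed subset of the output above (addresses masked as on the page), and the function and class names are my own.

```python
"""Join `netstat -ano` with `tasklist /svc` to attribute bound ports to
processes, and count process images that recur suspiciously often.

Added example for this report (not the report author's code).  The two
samples below are constructed from a subset of the proof output above.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: lines copied from the report's `netstat -ano` output.
NETSTAT_SAMPLE = """\
Active Connections
Proto Local Address Foreign Address State PID
TCP **.**.**.**:80 **.**.**.**:0 LISTENING 4
TCP **.**.**.**:445 **.**.**.**:0 LISTENING 4
TCP **.**.**.**:1433 **.**.**.**:0 LISTENING 1612
TCP **.**.**.**:8080 **.**.**.**:0 LISTENING 2600
TCP **.**.**.**:8005 **.**.**.**:0 LISTENING 1468
TCP **.**.**.**:8080 **.**.**.**:4279 ESTABLISHED 2600
UDP **.**.**.**:161 *:* 1644
UDP **.**.**.**:1434 *:* 1612
"""

# Constructed sample: lines copied from the report's `tasklist /svc` output,
# including one wrapped service list (svchost.exe 888) as tasklist prints it.
TASKLIST_SAMPLE = """\
Image Name PID Services
========================= ======== ============================================
System 4 N/A
svchost.exe 888 AeLookupSvc, AudioSrv, BITS, Browser,
CryptSvc, dmserver, EventSystem, HidServ,
tomcat6.exe 1468 chineseallTomcat
sqlservr.exe 1612 MSSQLSERVER
snmp.exe 1644 SNMP
javaw.exe 2600 N/A
cmd.exe 10376 N/A
ftp.exe 10412 N/A
cmd.exe 10592 N/A
ftp.exe 10772 N/A
tasklist.exe 27240 N/A
"""


@dataclass
class Proc:
    image: str
    pid: int
    services: list = field(default_factory=list)


def parse_netstat(text):
    """Parse `netstat -ano` rows; UDP rows have no State column, so state is ''."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank and title lines
        local = parts[1]
        rows.append({
            "proto": parts[0],
            "local_port": int(local.rsplit(":", 1)[1]),  # works for IPv6 [::]:80 too
            "foreign": parts[2],
            "state": parts[3] if len(parts) == 5 else "",
            "pid": int(parts[-1]),
        })
    return rows


def parse_tasklist(text):
    """Parse `tasklist /svc` into {pid: Proc}, re-joining wrapped service lists."""
    procs, last = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts or set(parts[0]) == {"="}:
            continue  # blank line or the ===== separator
        if len(parts) >= 2 and parts[1].isdigit():
            pid = int(parts[1])
            svcs = [s.strip(",") for s in parts[2:]]
            if svcs in ([], ["N/A"], ["暂缺"]):  # English or zh-cn placeholder
                svcs = []
            last = procs[pid] = Proc(parts[0], pid, svcs)
        elif last is not None and last.services:
            # continuation line of a service list that tasklist wrapped
            last.services.extend(s.strip(",") for s in parts)
    return procs


def bound_sockets(netstat_rows, procs):
    """Attribute every bound socket (TCP LISTENING, or any UDP row) to its process."""
    out = []
    for r in netstat_rows:
        if r["proto"] == "TCP" and r["state"] != "LISTENING":
            continue
        p = procs.get(r["pid"])
        out.append((r["proto"], r["local_port"], r["pid"],
                    p.image if p else "?", ",".join(p.services) if p else ""))
    return sorted(out)


def repeated_images(procs, names=("cmd.exe", "ftp.exe"), threshold=2):
    """Count images of interest; many cmd.exe/ftp.exe pairs suggest scripted FTP transfers."""
    counts = Counter(p.image.lower() for p in procs.values())
    return {n: counts[n] for n in names if counts[n] >= threshold}


if __name__ == "__main__":
    procs = parse_tasklist(TASKLIST_SAMPLE)
    for proto, port, pid, image, svcs in bound_sockets(parse_netstat(NETSTAT_SAMPLE), procs):
        print(f"{proto:<4}{port:>6}  pid={pid:<6} {image:<14} {svcs}")
    print("repeated images:", repeated_images(procs))
```

On a live host the same functions take the contents of `netstat -ano > n.txt` and `tasklist /svc > t.txt`; the join is what turns "8080 is open" into "8080 is served by an unattributed javaw.exe running as Administrator", which is the finding that matters for both the pentest report and the incident timeline.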

Remediation:

Strengthen security awareness. (The proof above also shows the web application running as the local Administrator on Windows Server 2003 SP2, an OS whose extended support ended in July 2015, with MSSQL on 1433, SMB on 445 and SNMP on 161/UDP bound on the same host; patching the vulnerable service is necessary but not sufficient.)

Copyright notice: when reposting, credit the source as 朱元璋@乌云 (WooYun).


Vulnerability Response

Vendor response:

Severity: High

Rank: 10

Confirmed: 2015-12-18 15:32

Vendor reply:

CNVD has confirmed and reproduced the described situation; it has been forwarded through CNCERT to the Sichuan branch center, which will coordinate handling with the unit that administers the website.

Latest status:

None