WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
Disclosure timeline:
2015-12-27: Details reported to the vendor; awaiting vendor response
2015-12-31: Vendor confirmed; details disclosed to the vendor only
2016-01-10: Details disclosed to core white hats and domain experts
2016-01-20: Details disclosed to regular white hats
2016-01-30: Details disclosed to trainee white hats
2016-02-12: Details disclosed to the public
Java deserialization vulnerability on a server of an autonomous region's Department of Finance, leading to getshell
The service at **.**.**.**:7028/ is vulnerable to Java deserialization.
A webshell was uploaded directly to the server.
Webshell: **.**.**.**:7028/Kjbm/baoming/page.jsp, password: 123

Command output from the webshell (local addresses masked as in the original):
net user

User accounts for \\WIN-8SNLBR6ADUN
-------------------------------------------------------------------------------
Administrator            Guest
The command completed successfully.

net start

These Windows services are started:
   Base Filtering Engine
   COM+ Event System
   Cryptographic Services
   DCOM Server Process Launcher
   Desktop Window Manager Session Manager
   DHCP Client
   Diagnostic Policy Service
   Distributed Link Tracking Client
   Distributed Transaction Coordinator
   DNS Client
   Group Policy Client
   HP ProLiant Agentless Management Service
   HP ProLiant Health Monitor Service
   HP ProLiant System Shutdown Service
   HP Smart Array SAS/SATA Event Notification Service
   HP System Management Homepage
   HP Version Control Agent
   HP WMI Storage Providers
   IKE and AuthIP IPsec Keying Modules
   IP Helper
   IPsec Policy Agent
   Network Connections
   Network List Service
   Network Location Awareness
   Network Store Interface Service
   OracleMTSRecoveryService
   OracleOraDb11g_home1TNSListener
   OracleServiceNXCZG
   OracleServiceORCL
   Plug and Play
   Power
   Print Spooler
   QPCore Service
   QQPCMgr RTP Service
   Remote Procedure Call (RPC)
   Remote Registry
   RPC Endpoint Mapper
   Secondary Logon
   Security Accounts Manager
   Server
   Shell Hardware Detection
   System Event Notification Service
   Task Scheduler
   TCP/IP NetBIOS Helper
   TeamViewer 10
   User Profile Service
   Windows Event Log
   Windows Firewall
   Windows Management Instrumentation
   Windows Remote Management (WS-Management)
   Windows Update
   Workstation
   Active Defense (主动防御)
The command completed successfully.

net share

Share name   Resource                        Remark
-------------------------------------------------------------------------------
C$           C:\                             Default share
D$           D:\                             Default share
E$           E:\                             Default share
F$           F:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
The command completed successfully.

netstat -ano

Active Connections

  Proto  Local Address                              Foreign Address                            State           PID
  TCP    **.**.**.**:135                            **.**.**.**:0                              LISTENING       1004
  TCP    **.**.**.**:445                            **.**.**.**:0                              LISTENING       4
  TCP    **.**.**.**:1158                           **.**.**.**:0                              LISTENING       5008
  TCP    **.**.**.**:1521                           **.**.**.**:0                              LISTENING       2188
  TCP    **.**.**.**:2301                           **.**.**.**:0                              LISTENING       2800
  TCP    **.**.**.**:2381                           **.**.**.**:0                              LISTENING       2800
  TCP    **.**.**.**:3938                           **.**.**.**:0                              LISTENING       4508
  TCP    **.**.**.**:5520                           **.**.**.**:0                              LISTENING       5008
  TCP    **.**.**.**:47001                          **.**.**.**:0                              LISTENING       4
  TCP    **.**.**.**:49152                          **.**.**.**:0                              LISTENING       584
  TCP    **.**.**.**:49153                          **.**.**.**:0                              LISTENING       452
  TCP    **.**.**.**:49156                          **.**.**.**:0                              LISTENING       568
  TCP    **.**.**.**:49157                          **.**.**.**:0                              LISTENING       684
  TCP    **.**.**.**:49182                          **.**.**.**:0                              LISTENING       2224
  TCP    **.**.**.**:49183                          **.**.**.**:0                              LISTENING       2256
  TCP    **.**.**.**:50939                          **.**.**.**:0                              LISTENING       672
  TCP    **.**.**.**:50941                          **.**.**.**:0                              LISTENING       5460
  TCP    **.**.**.**:5939                           **.**.**.**:0                              LISTENING       1588
  TCP    **.**.**.**:5939                           **.**.**.**:55850                          ESTABLISHED     1588
  TCP    **.**.**.**:7028                           **.**.**.**:0                              LISTENING       6460
  TCP    **.**.**.**:10000                          **.**.**.**:0                              LISTENING       4508
  TCP    **.**.**.**:49160                          **.**.**.**:0                              LISTENING       2188
  TCP    **.**.**.**:49278                          **.**.**.**:49279                          ESTABLISHED     5008
  TCP    **.**.**.**:49279                          **.**.**.**:49278                          ESTABLISHED     5008
  TCP    **.**.**.**:55850                          **.**.**.**:5939                           ESTABLISHED     14344
  TCP    **.**.**.**:139                            **.**.**.**:0                              LISTENING       4
  TCP    **.**.**.**:1521                           **.**.**.**:49332                          ESTABLISHED     2188
  TCP    **.**.**.**:1521                           **.**.**.**:49337                          ESTABLISHED     2188
  TCP    **.**.**.**:1521                           **.**.**.**:49338                          ESTABLISHED     2188
  TCP    **.**.**.**:1521                           **.**.**.**:49350                          ESTABLISHED     2188
  TCP    **.**.**.**:1521                           **.**.**.**:49351                          ESTABLISHED     2188
  TCP    **.**.**.**:1521                           **.**.**.**:49358                          ESTABLISHED     2188
  TCP    **.**.**.**:1521                           **.**.**.**:49359                          ESTABLISHED     2188
  TCP    **.**.**.**:1521                           **.**.**.**:49360                          ESTABLISHED     2188
  TCP    **.**.**.**:1521                           **.**.**.**:49361                          ESTABLISHED     2188
  TCP    **.**.**.**:7028                           **.**.**.**:0                              LISTENING       6460
  TCP    **.**.**.**:7028                           **.**.**.**:51011                          TIME_WAIT       0
  TCP    **.**.**.**:7028                           **.**.**.**:51017                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:52258                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:52259                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:52260                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:52261                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:52262                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:52263                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:52264                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:52265                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:52266                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:52267                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:52268                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:52269                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:52364                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:52365                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:52366                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:52367                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:52368                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:52369                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:52370                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:52371                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:52372                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:52373                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:52374                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:52375                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:52376                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:52377                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:53727                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:53878                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:53879                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:53880                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:53881                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:53882                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:53883                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:53884                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:53885                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:53886                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:53887                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:53888                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:53889                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:53897                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:53982                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:53983                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:53984                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:53985                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:53987                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:53988                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:53989                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:53990                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:53991                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:53992                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:53993                          ESTABLISHED     6460
  TCP    **.**.**.**:7028                           **.**.**.**:53994                          ESTABLISHED     6460
  TCP    **.**.**.**:49332                          **.**.**.**:1521                           ESTABLISHED     5008
  TCP    **.**.**.**:49337                          **.**.**.**:1521                           ESTABLISHED     5008
  TCP    **.**.**.**:49338                          **.**.**.**:1521                           ESTABLISHED     5008
  TCP    **.**.**.**:49350                          **.**.**.**:1521                           ESTABLISHED     5008
  TCP    **.**.**.**:49351                          **.**.**.**:1521                           ESTABLISHED     5008
  TCP    **.**.**.**:49358                          **.**.**.**:1521                           ESTABLISHED     5008
  TCP    **.**.**.**:49359                          **.**.**.**:1521                           ESTABLISHED     5008
  TCP    **.**.**.**:49360                          **.**.**.**:1521                           ESTABLISHED     5008
  TCP    **.**.**.**:49361                          **.**.**.**:1521                           ESTABLISHED     5008
  TCP    **.**.**.**:50369                          **.**.**.**:5938                           ESTABLISHED     1588
  TCP    **.**.**.**:57926                          **.**.**.**:80                             ESTABLISHED     6972
  TCP    **.**.**.**:61395                          **.**.**.**:80                             ESTABLISHED     6972
  TCP    [::]:135                                   [::]:0                                     LISTENING       1004
  TCP    [::]:445                                   [::]:0                                     LISTENING       4
  TCP    [::]:1521                                  [::]:0                                     LISTENING       2188
  TCP    [::]:2301                                  [::]:0                                     LISTENING       2800
  TCP    [::]:2381                                  [::]:0                                     LISTENING       2800
  TCP    [::]:3938                                  [::]:0                                     LISTENING       4508
  TCP    [::]:5520                                  [::]:0                                     LISTENING       5008
  TCP    [::]:47001                                 [::]:0                                     LISTENING       4
  TCP    [::]:49152                                 [::]:0                                     LISTENING       584
  TCP    [::]:49153                                 [::]:0                                     LISTENING       452
  TCP    [::]:49156                                 [::]:0                                     LISTENING       568
  TCP    [::]:49157                                 [::]:0                                     LISTENING       684
  TCP    [::]:49182                                 [::]:0                                     LISTENING       2224
  TCP    [::]:49183                                 [::]:0                                     LISTENING       2256
  TCP    [::]:50939                                 [::]:0                                     LISTENING       672
  TCP    [::]:50941                                 [::]:0                                     LISTENING       5460
  TCP    [::1]:7028                                 [::]:0                                     LISTENING       6460
  TCP    [::1]:50655                                [::1]:6150                                 SYN_SENT        2188
  TCP    [2001:0:dcfa:401a:2092:24a8:53ef:fefd]:7028  [::]:0                                   LISTENING       6460
  TCP    [fe80::5efe:**.**.**.**%16]:7028           [::]:0                                     LISTENING       6460
  TCP    [fe80::9dd:c172:1675:3113%23]:7028         [::]:0                                     LISTENING       6460
  TCP    [fe80::2092:24a8:53ef:fefd%20]:7028        [::]:0                                     LISTENING       6460
  TCP    [fe80::5c66:a01d:5bba:95d1%21]:7028        [::]:0                                     LISTENING       6460
  TCP    [fe80::70dc:23be:22a1:c1da%22]:1521        [fe80::70dc:23be:22a1:c1da%22]:49179       ESTABLISHED     2188
  TCP    [fe80::70dc:23be:22a1:c1da%22]:1521        [fe80::70dc:23be:22a1:c1da%22]:49180       ESTABLISHED     2188
  TCP    [fe80::70dc:23be:22a1:c1da%22]:1521        [fe80::70dc:23be:22a1:c1da%22]:50642       TIME_WAIT       0
  TCP    [fe80::70dc:23be:22a1:c1da%22]:7028        [::]:0                                     LISTENING       6460
  TCP    [fe80::70dc:23be:22a1:c1da%22]:49179       [fe80::70dc:23be:22a1:c1da%22]:1521        ESTABLISHED     2256
  TCP    [fe80::70dc:23be:22a1:c1da%22]:49180       [fe80::70dc:23be:22a1:c1da%22]:1521        ESTABLISHED     2224
  TCP    [fe80::f953:36ab:f3aa:f159%24]:7028        [::]:0                                     LISTENING       6460
  UDP    **.**.**.**:500                            *:*                                                        568
  UDP    **.**.**.**:3600                           *:*                                                        6972
  UDP    **.**.**.**:4500                           *:*                                                        568
  UDP    **.**.**.**:5355                           *:*                                                        1240
  UDP    **.**.**.**:49510                          *:*                                                        14228
  UDP    **.**.**.**:50093                          *:*                                                        6972
  UDP    **.**.**.**:52824                          *:*                                                        6716
  UDP    **.**.**.**:53043                          *:*                                                        1588
  UDP    **.**.**.**:54785                          *:*                                                        7488
  UDP    **.**.**.**:54799                          *:*                                                        5300
  UDP    **.**.**.**:54806                          *:*                                                        4356
  UDP    **.**.**.**:55168                          *:*                                                        2204
  UDP    **.**.**.**:58477                          *:*                                                        2204
  UDP    **.**.**.**:58479                          *:*                                                        2204
  UDP    **.**.**.**:58546                          *:*                                                        2204
  UDP    **.**.**.**:58547                          *:*                                                        2204
  UDP    **.**.**.**:60123                          *:*                                                        15684
  UDP    **.**.**.**:60595                          *:*                                                        2204
  UDP    **.**.**.**:60596                          *:*                                                        2204
  UDP    **.**.**.**:61929                          *:*                                                        2204
  UDP    **.**.**.**:63485                          *:*                                                        6672
  UDP    **.**.**.**:58057                          *:*                                                        6972
  UDP    **.**.**.**:137                            *:*                                                        4
  UDP    **.**.**.**:138                            *:*                                                        4
  UDP    **.**.**.**:5353                           *:*                                                        1588
  UDP    [::]:500                                   *:*                                                        568
  UDP    [::]:4500                                  *:*                                                        568
  UDP    [::]:5355                                  *:*                                                        1240
  UDP    [::]:53044                                 *:*                                                        1588
  UDP    [::1]:5353                                 *:*                                                        1588

tasklist /svc

Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       432 N/A
csrss.exe                      520 N/A
csrss.exe                      576 N/A
wininit.exe                    584 N/A
winlogon.exe                   624 N/A
services.exe                   672 N/A
lsass.exe                      684 SamSs
lsm.exe                        692 N/A
svchost.exe                    788 DcomLaunch, PlugPlay, Power
svchost.exe                   1004 RpcEptMapper, RpcSs
svchost.exe                    452 Dhcp, eventlog, lmhosts
svchost.exe                    568 gpsvc, IKEEXT, iphlpsvc, LanmanServer, ProfSvc, Schedule, seclogon, SENS, ShellHWDetection, Winmgmt, wuauserv
svchost.exe                    976 EventSystem, netprofm, nsi
svchost.exe                   1084 Netman, TrkWks, UxSms
ZhuDongFangYu.exe             1176 ZhuDongFangYu
svchost.exe                   1240 CryptSvc, Dnscache, LanmanWorkstation, NlaSvc, WinRM
svchost.exe                   1404 BFE, DPS, MpsSvc
spoolsv.exe                   1616 Spooler
cissesrv.exe                  1764 Cissesrv
vcagent.exe                   1796 cpqvcagent
hpwmistor.exe                 1916 HPWMISTOR
omtsreco.exe                  2016 OracleMTSRecoveryService
conhost.exe                   2036 N/A
TNSLSNR.EXE                   2188 OracleOraDb11g_home1TNSListener
oracle.exe                    2224 OracleServiceNXCZG
oracle.exe                    2256 OracleServiceORCL
ProLiantMonitor.exe           2304 ProLiantMonitor, sysdown
svchost.exe                   2392 RemoteRegistry
smhstart.exe                  2552 SysMgmtHp
cmd.exe                       2776 N/A
conhost.exe                   2788 N/A
hpsmhd.exe                    2800 N/A
hpqams.exe                    2808 hpqams
cmd.exe                       2872 N/A
rotatelogs.exe                2892 N/A
cmd.exe                       2428 N/A
rotatelogs.exe                2440 N/A
hpsmhd.exe                    2956 N/A
cmd.exe                       3108 N/A
conhost.exe                   3116 N/A
rotatelogs.exe                3132 N/A
cmd.exe                       3140 N/A
conhost.exe                   3148 N/A
rotatelogs.exe                3164 N/A
WmiPrvSE.exe                  4332 N/A
java.exe                      5008 N/A
emagent.exe                   4508 N/A
WmiPrvSE.exe                  2724 N/A
WmiPrvSE.exe                  5464 N/A
svchost.exe                   5460 PolicyAgent
WmiPrvSE.exe                  5824 N/A
msdtc.exe                     4328 MSDTC
taskhost.exe                  5388 N/A
dwm.exe                       1260 N/A
explorer.exe                  4356 N/A
360rp.exe                     2204 N/A
360sd.exe                     6416 N/A
360tray.exe                   6972 N/A
MtxHotPlugService.exe         5488 N/A
cpqteam.exe                   6648 N/A
SoftMgrLite.exe               1628 N/A
cmd.exe                       7212 N/A
conhost.exe                   6328 N/A
java.exe                      6460 N/A
explorer.exe                  6716 N/A
TeamViewer_Service.exe        1588 TeamViewer
TeamViewer.exe               14344 N/A
tv_w32.exe                   15408 N/A
tv_x64.exe                   14808 N/A
QQProtect.exe                14228 QPCore
LogonUI.exe                  19676 N/A
TeamViewer.exe               19352 N/A
QQPCRTP.exe                   7488 QQPCRTP
QQPCTray.exe                  5300 N/A
QQPCNetFlow.exe              15684 N/A
QQPCRealTimeSpeedup.exe      16480 N/A
QMAutoClean.exe              12628 N/A
QQPCTray.exe                  6672 N/A
WmiPrvSE.exe                 20768 N/A
WMIC.exe                     12872 N/A
conhost.exe                   9144 N/A
tasklist.exe                 16680 N/A
conhost.exe                   8024 N/A

arp -a

Interface: **.**.**.** --- 0x16
  Internet Address      Physical Address      Type
  **.**.**.**54         00-13-32-02-d6-7d     dynamic
  **.**.**.**55         ff-ff-ff-ff-ff-ff     static
  **.**.**.**           01-00-5e-00-00-16     static
  **.**.**.**           01-00-5e-00-00-fb     static
  **.**.**.**           01-00-5e-00-00-fc     static
  **.**.**.**           01-00-5e-2f-21-7d     static
  **.**.**.**           01-00-5e-26-1d-da     static
  **.**.**.**           01-00-5e-76-00-71     static
  **.**.**.**           01-00-5e-79-f7-6e     static
  **.**.**.**           01-00-5e-26-12-3a     static
  **.**.**.**           01-00-5e-2a-1c-01     static
  **.**.**.**           01-00-5e-4b-f8-72     static
  **.**.**.**           01-00-5e-37-f8-dc     static
  **.**.**.**           01-00-5e-4e-25-ab     static
  **.**.**.**           01-00-5e-75-73-77     static
  **.**.**.**           01-00-5e-27-f8-72     static
  **.**.**.**           01-00-5e-5d-3a-01     static
  **.**.**.**           01-00-5e-36-04-71     static
  **.**.**.**           01-00-5e-42-98-7b     static
  **.**.**.**           01-00-5e-34-55-6f     static
  **.**.**.**           01-00-5e-63-14-65     static
  **.**.**.**           01-00-5e-08-f8-6e     static
  **.**.**.**           01-00-5e-48-7c-b6     static
  **.**.**.**           01-00-5e-17-75-77     static
  **.**.**.**           01-00-5e-7f-f3-72     static
  **.**.**.**           01-00-5e-32-1b-01     static
  **.**.**.**           01-00-5e-36-07-6e     static
  **.**.**.**           01-00-5e-17-d3-7d     static
  **.**.**.**           01-00-5e-23-0f-75     static
  **.**.**.**           ff-ff-ff-ff-ff-ff     static

systeminfo

Host Name:                 WIN-8SNLBR6ADUN
OS Name:                   Microsoft Windows Server 2008 R2 Enterprise
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00486-OEM-8400691-20006
Original Install Date:     2015/6/1, 21:44:57
System Boot Time:          2015/11/17, 9:35:00
System Manufacturer:       HP
System Model:              ProLiant DL388p Gen8
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 62 Stepping 4 GenuineIntel ~1200 Mhz
BIOS Version:              HP P70, 2013/9/18
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             zh-cn;Chinese (China)
Input Locale:              zh-cn;Chinese (China)
Time Zone:                 (UTC+08:00) Beijing, Chongqing, Hong Kong SAR, Urumqi
Total Physical Memory:     16,349 MB
Available Physical Memory: 3,601 MB
Virtual Memory: Max Size:  32,697 MB
Virtual Memory: Available: 17,872 MB
Virtual Memory: In Use:    14,825 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\WIN-8SNLBR6ADUN
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB958488
                           [02]: KB974598
Network Card(s):           4 NIC(s) Installed.
                           [01]: HP Ethernet 1Gb 4-port 331FLR Adapter
                                 Connection Name: Local Area Connection 5
                                 Status:          Media disconnected
                           [02]: HP Ethernet 1Gb 4-port 331FLR Adapter
                                 Connection Name: Local Area Connection 6
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: **.**.**.**
                                 [02]: fe80::70dc:23be:22a1:c1da
                           [03]: HP Ethernet 1Gb 4-port 331FLR Adapter
                                 Connection Name: Local Area Connection 7
                                 Status:          Media disconnected
                           [04]: HP Ethernet 1Gb 4-port 331FLR Adapter
                                 Connection Name: Local Area Connection 8
                                 Status:          Media disconnected
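The first thing a responder does with a dump like the one above is join netstat -ano to tasklist /svc on the PID column, so that every listening socket is attributed to the process that owns it and to the Windows service (if any) that process hosts. The Python below does that join; it is an added example written for this page, not code from the original report. Its two inputs are constructed excerpts of the report's output: the report masks every address as **.**.**.**, so the 0.0.0.0 and [::] binds in the sample are assumed placeholders, and the column headers are the English equivalents of the Chinese ones in the dump.

```python
"""Join `netstat -ano` with `tasklist /svc` on PID so every listening socket
is attributed to its owning process and hosted services.

Added example for this report, not code from the original post. Inputs are
constructed excerpts of the report's redacted output; 0.0.0.0 / [::] are
assumed placeholders for the masked addresses.
"""
import re
from collections import Counter

NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1004
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1521           0.0.0.0:0              LISTENING       2188
  TCP    0.0.0.0:5939           0.0.0.0:0              LISTENING       1588
  TCP    0.0.0.0:5939           0.0.0.0:55850          ESTABLISHED     1588
  TCP    0.0.0.0:7028           0.0.0.0:0              LISTENING       6460
  TCP    0.0.0.0:7028           0.0.0.0:51011          TIME_WAIT       0
  TCP    0.0.0.0:7028           0.0.0.0:51017          ESTABLISHED     6460
  TCP    0.0.0.0:7028           0.0.0.0:52258          ESTABLISHED     6460
  TCP    [::]:7028              [::]:0                 LISTENING       6460
  UDP    0.0.0.0:5353           *:*                                    1588
"""

TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                   1004 RpcEptMapper, RpcSs
TeamViewer_Service.exe        1588 TeamViewer
TNSLSNR.EXE                   2188 OracleOraDb11g_home1TNSListener
java.exe                      6460 N/A
"""

# netstat row: proto, local, foreign, optional state (UDP rows have none), PID
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# tasklist row: image name (may contain spaces), PID, comma-separated services
TASKLIST_RE = re.compile(r"^(.+?)\s+(\d+)\s+(\S.*?)\s*$")


def parse_netstat(text):
    """One dict per socket row; banner and header lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        host, _, port = local.rpartition(":")  # rpartition also splits [::]:7028
        rows.append({"proto": proto, "local": host, "port": int(port),
                     "foreign": foreign, "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """PID -> (image, [services]); N/A (暂缺 in the report) means no hosted service."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if not m:
            continue
        image, pid, services = m.groups()
        svcs = [] if services == "N/A" else [s.strip() for s in services.split(",")]
        procs[int(pid)] = (image.strip(), svcs)
    return procs


def attribute_listeners(netstat_text, tasklist_text):
    """{(proto, port): {pid, image, services, binds}} for every listener.
    UDP has no LISTENING state, so every bound UDP socket is counted."""
    procs = parse_tasklist(tasklist_text)
    listeners = {}
    for r in parse_netstat(netstat_text):
        if r["state"] != "LISTENING" and r["proto"] != "UDP":
            continue
        image, svcs = procs.get(r["pid"], ("<unknown>", []))
        e = listeners.setdefault((r["proto"], r["port"]),
                                 {"pid": r["pid"], "image": image, "services": svcs, "binds": []})
        e["binds"].append(r["local"])
    return listeners


def established_per_pid(netstat_text):
    """ESTABLISHED connections per owning PID (TIME_WAIT rows carry PID 0 and are ignored)."""
    return Counter(r["pid"] for r in parse_netstat(netstat_text) if r["state"] == "ESTABLISHED")


def unregistered_listeners(listeners):
    """TCP listeners whose owner hosts no service: `sc qc` cannot name them, so the
    command line has to come from `wmic process get ProcessId,CommandLine`."""
    return sorted((port, e["image"]) for (proto, port), e in listeners.items()
                  if proto == "TCP" and not e["services"])


if __name__ == "__main__":
    found = attribute_listeners(NETSTAT_ANO, TASKLIST_SVC)
    for (proto, port), e in sorted(found.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        svc = ", ".join(e["services"]) or "(not a service)"
        print(f"{proto} {port:>5}  pid={e['pid']:<5} {e['image']:<24} {svc}")
    print("established per pid:", dict(established_per_pid(NETSTAT_ANO)))
    print("unregistered TCP listeners:", unregistered_listeners(found))
```

Run against the full dump, the join shows what the raw output buries: the vulnerable port 7028 belongs to java.exe PID 6460, which hosts no service and so cannot be identified from net start or sc qc alone; 1521 is the Oracle TNS listener; 5939 is TeamViewer_Service.exe with an established session; and PID 6460 carries by far the most ESTABLISHED peers. tasklist /svc only reports service names, so for the unregistered java.exe the next step is the process command line, which names the application server and classpath behind the deserialization endpoint.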
Severity: High
Vulnerability Rank: 12
Confirmed: 2015-12-31 18:05
CNVD confirmed and reproduced the reported issue; it has been passed via CNCERT to the Ningxia branch center, which will coordinate remediation with the unit operating the website.
Vendor response: none.