当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0114897

漏洞标题:德邦某智能网管系统存在命令执行漏洞

相关厂商:deppon.com

漏洞作者: 茜茜公主

提交时间:2015-05-19 11:19

修复时间:2015-05-25 14:01

公开时间:2015-05-25 14:01

漏洞类型:系统/服务补丁不及时

危害等级:高

自评Rank:15

漏洞状态:厂商已经修复

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-05-19: 细节已通知厂商并且等待厂商处理中
2015-05-20: 厂商已经确认,细节仅向厂商公开
2015-05-25: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

st2命令执行

详细说明:

分支机构智能网管系统
http://snms.deppon.com:8080/itms/index.login.action

QQ截图20150519093335.jpg


Target: http://180.153.16.29:8080/itms/index.login.action
Useage: S2-016 
Whoami: admin
WebPath: /deppon/server/default/./deploy/acs.ear/itms.war/
====================================================================================================================================
Target: http://180.153.16.29:8080/itms/index.login.action
Useage: S2-019 
Whoami: admin
WebPath: /deppon/server/default/./deploy/acs.ear/itms.war/
====================================================================================================================================


漏洞证明:

QQ截图20150519093423.jpg


★K8cmd-> netstat -an
====================================================================================================================================
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State      
tcp        0      0 0.0.0.0:43205               0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:8009                0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:37834               0.0.0.0:*                   LISTEN      
tcp        0      0 127.0.0.1:1098              0.0.0.0:*                   LISTEN      
tcp        0      0 127.0.0.1:1099              0.0.0.0:*                   LISTEN      
tcp        0      0 192.168.3.7:3181            0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:8080                0.0.0.0:*                   LISTEN      
tcp        0      0 127.0.0.1:8083              0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:52025               0.0.0.0:*                   LISTEN      
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      
tcp        0      0 127.0.0.1:6010              0.0.0.0:*                   LISTEN      
tcp        0      0 127.0.0.1:6011              0.0.0.0:*                   LISTEN      
tcp        0      0 127.0.0.1:4444              0.0.0.0:*                   LISTEN      
tcp        0      0 127.0.0.1:8093              0.0.0.0:*                   LISTEN      
tcp        0      0 127.0.0.1:4445              0.0.0.0:*                   LISTEN      
tcp        0      0 127.0.0.1:4446              0.0.0.0:*                   LISTEN      
tcp        0      0 127.0.0.1:3873              0.0.0.0:*                   LISTEN      
tcp        0      0 192.168.3.7:8080            192.168.255.1:54442         TIME_WAIT   
tcp        0      0 192.168.3.7:8080            192.168.255.1:34117         TIME_WAIT   
tcp        0      0 192.168.3.7:8080            192.168.255.1:43844         ESTABLISHED 
tcp        0      0 192.168.3.7:8080            192.168.255.1:1958          TIME_WAIT   
tcp        0      0 192.168.3.7:8080            10.251.254.38:25432         TIME_WAIT   
tcp        0      0 192.168.3.7:8080            192.168.255.1:58830         TIME_WAIT   
tcp        0      0 192.168.3.7:57852           10.253.2.203:1828           ESTABLISHED 
tcp        0      0 192.168.3.7:8080            192.168.255.1:1920          TIME_WAIT   
tcp        0      0 192.168.3.7:8080            192.168.255.1:45312         TIME_WAIT   
tcp        0      0 192.168.3.7:8080            192.168.255.1:27912         TIME_WAIT   
tcp        0      0 192.168.3.7:56112           192.168.2.112:3306          ESTABLISHED 
tcp        0      0 192.168.3.7:8080            10.251.254.38:42292         TIME_WAIT   
tcp        0      0 192.168.3.7:8080            10.251.254.38:47143         ESTABLISHED 
tcp        0      0 192.168.3.7:56091           192.168.2.112:3306          ESTABLISHED 
tcp        0      0 192.168.3.7:8080            192.168.255.1:56081         TIME_WAIT   
tcp        0      0 192.168.3.7:8080            192.168.255.1:53440         TIME_WAIT   
tcp        0      0 192.168.3.7:8080            192.168.255.1:59581         ESTABLISHED 
tcp        0      0 192.168.3.7:8080            192.168.255.1:35874         TIME_WAIT   
tcp        0      0 192.168.3.7:8080            192.168.255.1:1956          TIME_WAIT   
tcp        0      0 192.168.3.7:8080            10.251.254.38:36592         TIME_WAIT   
tcp        0      0 192.168.3.7:8080            10.251.254.38:49176         TIME_WAIT   
tcp        0      0 192.168.3.7:56053           192.168.2.112:3306          ESTABLISHED 
tcp        0      0 192.168.3.7:8080            10.251.254.38:34121         TIME_WAIT   
tcp        0      0 192.168.3.7:8080            192.168.255.1:39499         ESTABLISHED 
tcp        0      0 192.168.3.7:56096           192.168.2.112:3306          ESTABLISHED 
tcp        0      0 192.168.3.7:8080


QQ截图20150519093530.jpg


在根目录下上传jsp访问会跳转到登录页面,我们可以利用jboss
上传到这个文件夹里jbossmq-httpil
小马:http://180.153.16.29:8080/jbossmq-httpil/one.jsp

QQ截图20150519094322.jpg


QQ截图20150519094430.jpg


ip对应的系统是http://snms.deppon.com:8080/jbossmq-httpil/wooyun.jsp
或http://180.153.16.29:8080/jbossmq-httpil/wooyun.jsp
密码woo0yun

QQ截图20150519094553.jpg


QQ截图20150519094718.jpg

修复方案:

补丁

版权声明:转载请注明来源 茜茜公主@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-05-20 15:26

厂商回复:

您好,感谢您对德邦安全的关注以及您对问题的反馈。我们已着手处理该问题。

最新状态:

2015-05-25:感谢您的帮助,我们已经关闭风险接口,并将在后期的版本更新中对安全问题进行审查。谢谢