
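Vulnerability Summary

Bug ID: wooyun-2015-0153444

Title: A China General Nuclear Power Group (CGN) system has a command execution vulnerability that can threaten the internal network

Vendor: China General Nuclear Power Group Co., Ltd.

Author: 路人甲

Submitted: 2015-11-11 14:11

Fixed: 2016-01-11 15:32

Published: 2016-01-11 15:32

Vulnerability type: System/service patches not applied in time

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org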



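Vulnerability Details

Disclosure status:

2015-11-11: Details reported to the vendor; awaiting vendor handling
2015-11-23: Vendor confirmed; details disclosed to the vendor only
2015-12-03: Details disclosed to core white hats and experts in related fields
2015-12-13: Details disclosed to regular white hats
2015-12-23: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public

Brief description:

Command execution

Detailed description:

CGN recruitment site - Social Recruitment
http://**.**.**.**:8001/phrs/Society/SocietyMain.html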


Proof of vulnerability:

★K8cmd-> arp -a
There are 14 entries in the arp table.


Can threaten the internal network
http://**.**.**.**:8001/phrs/wpp.jsp


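Remediation:

Patch

Copyright notice: when reprinting, please credit the source 路人甲@乌云 (WooYun)


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2015-11-23 16:19

Vendor reply:

CNVD confirmed and reproduced the situation described; it has been passed on via CNCERT to the National Energy Administration, which will subsequently coordinate handling with the organization that manages the website.

Latest status:

None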