乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-12-18: 细节已通知厂商并且等待厂商处理中 2015-12-22: 厂商已经确认,细节仅向厂商公开 2016-01-01: 细节向核心白帽子及相关领域专家公开 2016-01-11: 细节向普通白帽子公开 2016-01-21: 细节向实习白帽子公开 2016-02-05: 细节向公众公开
为了邀请码
**.**.**.**:7001/EzSearchIndexService/login.html
可以JAVA反序列化命令执行
反弹shell,命令执行,内网地址
type config.xml发现服务器上部署了好多应用,并且已成马场!
D:\bea\user_projects\domains\base_domain\config>type config.xmltype config.xml<?xml version='1.0' encoding='UTF-8'?><domain xmlns="http://**.**.**.**/ns/weblogic/920/domain" xmlns:sec="http://www.**.**.**.**/ns/weblogic/90/security" xmlns:wls="http://**.**.**.**/ns/weblogic/90/security/wls" xmlns:xsi="http://**.**.**.**/2001/XMLSchema-instance" xsi:schemaLocation="http://**.**.**.**/ns/weblogic/90/security/wls http://**.**.**.**/ns/weblogic/90/security/wls.xsd http://**.**.**.**/ns/weblogic/920/domain http://www.bea.com/ns/weblogic/920/domain.xsd http://**.**.**.**/ns/weblogic/90/security/xacml http://**.**.**.**/ns/weblogic/90/security/xacml.xsd http://**.**.**.**/ns/weblogic/90/security http://**.**.**.**/ns/weblogic/90/security.xsd"> <name>base_domain</name> <domain-version>**.**.**.**</domain-version> <security-configuration> <name>base_domain</name> <realm> <sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider> <sec:authentication-provider xsi:type="wls:default-identity-asserterType"> <sec:active-type>AuthenticatedUser</sec:active-type> </sec:authentication-provider> <sec:role-mapper xmlns:xac="http://**.**.**.**/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper> <sec:authorizer xmlns:xac="http://**.**.**.**/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer> <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator> <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper> <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider> <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder> <sec:name>myrealm</sec:name> </realm> <default-realm>myrealm</default-realm> <credential-encrypted>{3DES}l9zmg/ryNHX07/WVH+XSE1G29VwaVCcCetGQy905A8P8+wqP8bCmW3glrJoyuCT8To0841vcY8fGG5Q42DGRbKRZ+LMXO3f3</credential-encrypted> <node-manager-username>weblogic</node-manager-username> <node-manager-password-encrypted>{3DES}Ld7oPIys6sK3no9IDaLplw==</node-manager-password-encrypted> </security-configuration> <server> <name>AdminServer</name> <listen-address></listen-address> </server> <embedded-ldap> <name>base_domain</name> <credential-encrypted>{3DES}t7gqdj2XZF7hT7/WMhXaPCKyAVqJHmY/7S7++Hix3rs=</credential-encrypted> </embedded-ldap> <configuration-version>**.**.**.**</configuration-version> <app-deployment> <name>EzServer</name> <target>AdminServer</target> <module-type>war</module-type> <source-path>D:\鍏冲畞2013.08.20\EzServerV**.**.**.**211091000\EzServer</source-path> <deployment-order>100</deployment-order> <security-dd-model>DDOnly</security-dd-model> </app-deployment> <app-deployment> <name>EzServerClient</name> <target>AdminServer</target> <module-type>war</module-type> <source-path>D:\鍏冲畞2013.08.20\EzServerClientV**.**.**.**305291000a\source\EzServerClient.war</source-path> <security-dd-model>DDOnly</security-dd-model> </app-deployment> <app-deployment> <name>EzMapService</name> <target>AdminServer</target> <module-type>war</module-type> <source-path>D:\鍏冲畞2013.08.20\EzMapServiceV**.**.**.**206251430\EzMapService</source-path> <security-dd-model>DDOnly</security-dd-model> </app-deployment> <app-deployment> <name>EzManager</name> <target>AdminServer</target> <module-type>war</module-type> <source-path>D:\鍏冲畞2013.08.20\杩愮淮绠$悊绯荤粺V**.**.**.**306081000\EzManager</source-path> <security-dd-model>DDOnly</security-dd-model> </app-deployment> <app-deployment> <name>gpsServer</name> <target>AdminServer</target> <module-type>war</module-type> <source-path>D:\鍏冲畞2013.08.20\GpsServerV**.**.**.**108301200\gpsServer</source-path> <security-dd-model>DDOnly</security-dd-model> </app-deployment> <app-deployment> <name>GpsCompent</name> <target>AdminServer</target> <module-type>war</module-type> <source-path>D:\鍏冲畞2013.08.20\GPS缁勪欢V**.**.**.**111251547\GpsCompent</source-path> <security-dd-model>DDOnly</security-dd-model> </app-deployment> <app-deployment> <name>manager</name> <target>AdminServer</target> <module-type>war</module-type> <source-path>servers\AdminServer\upload\manager.war</source-path> <security-dd-model>DDOnly</security-dd-model> <staging-mode>stage</staging-mode> </app-deployment> <app-deployment> <name>EzSearchIndexService</name> <target>AdminServer</target> <module-type>war</module-type> <source-path>D:\娴嬭瘯鍦板浘鍙癨鏃爈ic鐨別zsearch\EzSearchIndexService</source-path> <security-dd-model>DDOnly</security-dd-model> </app-deployment> <app-deployment> <name>EzSearchService23</name> <target>AdminServer</target> <module-type>war</module-type> <source-path>D:\娴嬭瘯鍦板浘鍙癨鏃爈ic鐨別zsearch\EzSearchService23</source-path> <security-dd-model>DDOnly</security-dd-model> </app-deployment> <app-deployment> <name>EzSearchService231</name> <target>AdminServer</target> <module-type>war</module-type> <source-path>D:\娴嬭瘯鍦板浘鍙癨鏃爈ic鐨別zsearch\EzSearchService231</source-path> <security-dd-model>DDOnly</security-dd-model> </app-deployment> <app-deployment> <name>EzRouter23</name> <target>AdminServer</target> <module-type>war</module-type> <source-path>D:\娴嬭瘯鍦板浘鍙癨EzRouter23</source-path> <deployment-order>100</deployment-order> <security-dd-model>DDOnly</security-dd-model> </app-deployment> <app-deployment> <name>alarm</name> <target>AdminServer</target> <module-type>war</module-type> <source-path>D:\璀︽皯閫歕瀹夎鍖匼璀︽皯閫歏1.0\alarm</source-path> <deployment-order>100</deployment-order> <security-dd-model>DDOnly</security-dd-model> </app-deployment> <app-deployment> <name>Rest</name> <target>AdminServer</target> <module-type>war</module-type> <source-path>D:\璀︽皯閫歕瀹夎鍖匼璀︽皯閫歏1.0\Rest</source-path> <security-dd-model>DDOnly</security-dd-model> </app-deployment> <app-deployment> <name>1</name> <target>AdminServer</target> <module-type>war</module-type> <source-path>servers\AdminServer\upload\1.war</source-path> <security-dd-model>DDOnly</security-dd-model> </app-deployment> <app-deployment> <name>cmd</name> <target>AdminServer</target> <module-type>war</module-type> <source-path>servers\AdminServer\upload\cmd.war</source-path> <security-dd-model>DDOnly</security-dd-model> </app-deployment> <app-deployment> <name>a</name> <target>AdminServer</target> <module-type>war</module-type> <source-path>servers\AdminServer\upload\a.war</source-path> <security-dd-model>DDOnly</security-dd-model> </app-deployment> <admin-server-name>AdminServer</admin-server-name> <jdbc-system-resource> <name>gpsdata</name> <target>AdminServer</target> <descriptor-file-name>jdbc/gpsdata-jdbc.xml</descriptor-file-name> </jdbc-system-resource> <jdbc-system-resource> <name>jdbc/ics1</name> <target>AdminServer</target> <descriptor-file-name>jdbc/jdbc2fics1-4628-jdbc.xml</descriptor-file-name> </jdbc-system-resource> <jdbc-system-resource> <name>jdbc/ezmanager</name> <target>AdminServer</target> <descriptor-file-name>jdbc/jdbc2fezmanager-9364-jdbc.xml</descriptor-file-name> </jdbc-system-resource> <jdbc-system-resource> <name>jdbc/ics</name> <target>AdminServer</target> <descriptor-file-name>jdbc/jdbc2fics-6309-jdbc.xml</descriptor-file-name> </jdbc-system-resource> <jdbc-system-resource> <name>gpsdata1</name> <target>AdminServer</target> <descriptor-file-name>jdbc/gpsdata1-jdbc.xml</descriptor-file-name> </jdbc-system-resource></domain>D:\bea\user_projects\domains\base_domain\config>
已成马场:**.**.**.**:7001/manager/**.**.**.**:7001/1/**.**.**.**:7001/cmd/
都是马儿
全盘杀马!打补丁!
危害等级:中
漏洞Rank:10
确认时间:2015-12-22 18:26
CNVD未直接复现所述情况,暂未建立与网站管理单位的直接处置渠道,待认领。
暂无