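2015-12-22: Details reported to the vendor; awaiting vendor handling
2015-12-24: Vendor confirmed; details disclosed to the vendor only
2016-01-03: Details disclosed to core white hats and experts in related fields
2016-01-13: Details disclosed to regular white hats
2016-01-23: Details disclosed to trainee white hats
2016-02-06: Details disclosed to the public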
Ri, Ri, Shun (日日顺)
http://27.223.70.33:7003/rrs/security/loginInit.action has a Java deserialization vulnerability that directly yields a reverse shell.
Looking at the configuration:
<?xml version='1.0' encoding='UTF-8'?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain"
        xmlns:sec="http://xmlns.oracle.com/weblogic/security"
        xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd">
  <name>base_domain</name>
  <domain-version>10.3.6.0</domain-version>
  <security-configuration>
    <name>base_domain</name>
    <realm>
      <sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
      <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
        <sec:active-type>AuthenticatedUser</sec:active-type>
      </sec:authentication-provider>
      <sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
      <sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
      <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
      <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
      <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
      <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
      <sec:name>myrealm</sec:name>
      <sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
        <sec:name>SystemPasswordValidator</sec:name>
        <pas:min-password-length>8</pas:min-password-length>
        <pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
      </sec:password-validator>
    </realm>
    <default-realm>myrealm</default-realm>
    <credential-encrypted>{AES}vnP4/v2+QTzCHCq3aKp4hYWbpz719KHjLu7bi74B5zq9G+UqH6NpDD1jVw1ygwWMfQeGiIEUTEjY9wJKm6VGGsfK5adawjQqCJTIYb36+szO/Fz1n9UO024mpfHdyIj0</credential-encrypted>
    <node-manager-username>sWAiVNQfUO</node-manager-username>
    <node-manager-password-encrypted>{AES}mRKFKdf3X5FKaHtTjQVbUowc0tizbLMiJT3t9VxjeVQ=</node-manager-password-encrypted>
  </security-configuration>
  <server>
    <name>Adminserver1</name>
    <listen-address>10.135.108.127</listen-address>
  </server>
  <server>
    <name>Mserver1</name>
    <listen-port>7003</listen-port>
    <cluster>cluster1</cluster>
    <listen-address>10.135.108.127</listen-address>
    <jta-migratable-target>
      <name>Mserver1</name>
      <user-preferred-server>Mserver1</user-preferred-server>
      <cluster>cluster1</cluster>
    </jta-migratable-target>
  </server>
  <server>
    <name>Mserver2</name>
    <listen-port>7003</listen-port>
    <cluster>cluster1</cluster>
    <listen-address>10.135.108.128</listen-address>
    <jta-migratable-target>
      <name>Mserver2</name>
      <user-preferred-server>Mserver2</user-preferred-server>
      <cluster>cluster1</cluster>
    </jta-migratable-target>
  </server>
  <server>
    <name>Proxy_server1</name>
    <listen-port>8080</listen-port>
    <listen-address>10.135.108.127</listen-address>
  </server>
  <cluster>
    <name>cluster1</name>
    <multicast-address>239.192.0.0</multicast-address>
    <cluster-messaging-mode>multicast</cluster-messaging-mode>
  </cluster>
  <production-mode-enabled>true</production-mode-enabled>
  <embedded-ldap>
    <name>base_domain</name>
    <credential-encrypted>{AES}5tlDvl1s6m4LmZQhdW5GBKekLeyI/nLJuTe6+g67ntI59lm8YMkrf2e4o5TE8Kr7</credential-encrypted>
  </embedded-ldap>
  <configuration-version>10.3.6.0</configuration-version>
  <app-deployment>
    <name>pr</name>
    <target>Proxy_server1</target>
    <module-type>war</module-type>
    <source-path>rrs.war</source-path>
    <security-dd-model>Advanced</security-dd-model>
  </app-deployment>
  <app-deployment>
    <name>rrs</name>
    <target>Mserver2,Mserver1</target>
    <module-type>war</module-type>
    <source-path>/weblogic/deploywar/rrs.war</source-path>
    <security-dd-model>DDOnly</security-dd-model>
  </app-deployment>
  <migratable-target>
    <name>Mserver1 (migratable)</name>
    <notes>This is a system generated default migratable target for a server. Do not delete manually.</notes>
    <user-preferred-server>Mserver1</user-preferred-server>
    <cluster>cluster1</cluster>
  </migratable-target>
  <migratable-target>
    <name>Mserver2 (migratable)</name>
    <notes>This is a system generated default migratable target for a server. Do not delete manually.</notes>
    <user-preferred-server>Mserver2</user-preferred-server>
    <cluster>cluster1</cluster>
  </migratable-target>
  <admin-server-name>Adminserver1</admin-server-name>
  <jdbc-system-resource>
    <name>rrswlportal</name>
    <target>cluster1</target>
    <descriptor-file-name>jdbc/rrswlportal-jdbc.xml</descriptor-file-name>
  </jdbc-system-resource>
</domain>
Found the site directory /weblogic/deploywar/rrs.war and got a shell: http://27.223.70.33:7003/uddiexplorer/sss.jsp
Probing the internal network: http://27.223.70.33:7003/uddiexplorer/out.jsp
I won't list them all one by one.
Upgrade.
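Alongside the upgrade, request bodies reaching the application can be triaged for Java serialized objects. The following is an added example, not part of the original report: a heuristic Python scan for the serialization stream header (raw or base64-wrapped) and the class names it declares. The denylist prefixes, the function names and the sample bytes are assumptions constructed for illustration.

```python
import base64
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"   # ObjectStreamConstants STREAM_MAGIC + STREAM_VERSION
TC_CLASSDESC = 0x72                   # marks a new class descriptor in the stream
B64_RE = re.compile(rb"rO0AB[A-Za-z0-9+/]*={0,2}")   # base64 form of the magic bytes
NAME_RE = re.compile(rb"[A-Za-z_$\[][\w$.;\[]*")     # plausible Java class name
# Assumption: illustrative denylist of packages often blocked by serialization filters.
RISKY_PREFIXES = ("org.apache.commons.collections.functors.",
                  "org.codehaus.groovy.runtime.")

def class_names(blob: bytes) -> list:
    """Heuristic scan: collect the name of every TC_CLASSDESC record after the header."""
    names, start = [], blob.find(STREAM_MAGIC)
    i = start + 4 if start >= 0 else len(blob)
    while i + 3 <= len(blob):
        if blob[i] == TC_CLASSDESC:
            (n,) = struct.unpack_from(">H", blob, i + 1)
            raw = blob[i + 3:i + 3 + n]
            if n and len(raw) == n and NAME_RE.fullmatch(raw):
                names.append(raw.decode("ascii"))
                i += 3 + n + 8          # skip the name and the 8-byte serialVersionUID
                continue
        i += 1
    return names

def triage(body: bytes) -> dict:
    """Classify one captured request body: raw stream, base64-wrapped stream, or neither."""
    blob, encoding = (body, "raw") if STREAM_MAGIC in body else (b"", None)
    match = None if blob else B64_RE.search(body)
    if match:
        token = match.group(0)
        blob, encoding = base64.b64decode(token[:len(token) // 4 * 4]), "base64"
    names = class_names(blob)
    risky = [n for n in names if n.startswith(RISKY_PREFIXES)]
    return {"serialized": bool(blob), "encoding": encoding, "classes": names, "risky": risky}

def _record(name: str) -> bytes:
    """Constructed, simplified class-descriptor record (not a complete or usable stream)."""
    raw = name.encode("ascii")
    return b"\x73\x72" + struct.pack(">H", len(raw)) + raw + b"\x00" * 8 + b"\x02\x00\x00\x78\x70"

# Constructed sample input: a stream header followed by two class descriptors.
SAMPLE = STREAM_MAGIC + _record("java.util.HashSet") + _record(RISKY_PREFIXES[0] + "InvokerTransformer")

if __name__ == "__main__":
    for body in (SAMPLE, b"token=" + base64.b64encode(SAMPLE), b"user=alice&pw=x"):
        print(triage(body))
```

The scan is a triage aid for logged or proxied request bodies; it does not replace patching or a server-side deserialization filter.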
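Severity: High
Vulnerability Rank: 15
Confirmed at: 2015-12-24 09:08
Thanks to the white hat for the testing and the reminder; staff have been assigned to handle it.
None yet.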