乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-12-24: 细节已通知厂商并且等待厂商处理中 2015-12-24: 厂商已经确认,细节仅向厂商公开 2016-01-03: 细节向核心白帽子及相关领域专家公开 2016-01-13: 细节向普通白帽子公开 2016-01-23: 细节向实习白帽子公开 2016-02-06: 细节向公众公开
雷欧
http://27.223.70.113:7003/mainFrame.html存在weblogic的反序列化漏洞直接上工具吧 就不反弹了
查看下配置信息cat config/config.xml
<?xml version='1.0' encoding='UTF-8'?><domain xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd"> <name>zhwlpt_domain</name> <domain-version>10.3.6.0</domain-version> <security-configuration> <name>zhwlpt_domain</name> <realm> <sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider> <sec:authentication-provider xsi:type="wls:default-identity-asserterType"> <sec:active-type>AuthenticatedUser</sec:active-type> </sec:authentication-provider> <sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper> <sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer> <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator> <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper> <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider> <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder> <sec:name>myrealm</sec:name> <sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType"> <sec:name>SystemPasswordValidator</sec:name> <pas:min-password-length>8</pas:min-password-length> <pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters> </sec:password-validator> </realm> <default-realm>myrealm</default-realm> <credential-encrypted>{AES}8Gslv9DTeozRmJFQt9bkl1S0OeHNpDnmil1nx82e3xVSeBS2EoVMB8ICAZE52UZV2klWydswwH8AcN0nR1x6/kUMy0/9rEFQ2Dt8zin7Hs12wpaWhzfJlofjlFC8GXDV</credential-encrypted> <node-manager-username>esSSMG8U26</node-manager-username> <node-manager-password-encrypted>{AES}zJAMkb+1wyAI44ZNflvAI0KHhNm//5AG4/Gk9VYM0Fk=</node-manager-password-encrypted> </security-configuration> <server> <name>zhwlpt_admin</name> <log> <number-of-files-limited>true</number-of-files-limited> <file-count>10</file-count> </log> <web-server> <web-server-log> <number-of-files-limited>true</number-of-files-limited> <file-count>10</file-count> </web-server-log> </web-server> <listen-address>10.135.108.88</listen-address> </server> <server> <name>zhwlpt_app1</name> <log> <number-of-files-limited>true</number-of-files-limited> <file-count>10</file-count> </log> <machine>zhwlptapp02</machine> <listen-port>7003</listen-port> <cluster>zhwlpt_cluster</cluster> <web-server> <web-server-log> <number-of-files-limited>true</number-of-files-limited> <file-count>10</file-count> </web-server-log> </web-server> <listen-address>10.135.108.88</listen-address> <server-start> <arguments>-server -Xms4096m -Xmx4096m -XX:PermSize=512m -XX:MaxPermSize=1024m -Dfile.encoding=UTF-8</arguments> </server-start> <jta-migratable-target> <user-preferred-server>zhwlpt_app1</user-preferred-server> <cluster>zhwlpt_cluster</cluster> </jta-migratable-target> </server> <server> <name>zhwlpt_app2</name> <log> <number-of-files-limited>true</number-of-files-limited> <file-count>10</file-count> </log> <machine>zhwlptapp03</machine> <listen-port>7003</listen-port> <cluster>zhwlpt_cluster</cluster> <web-server> <web-server-log> <number-of-files-limited>true</number-of-files-limited> <file-count>10</file-count> </web-server-log> </web-server> <listen-address>10.135.108.89</listen-address> <server-start> <arguments>-server -Xms4096m -Xmx4096m -XX:PermSize=512m -XX:MaxPermSize=1024m -Dfile.encoding=UTF-8</arguments> </server-start> <jta-migratable-target> <user-preferred-server>zhwlpt_app2</user-preferred-server> <cluster>zhwlpt_cluster</cluster> </jta-migratable-target> </server> <cluster> <name>zhwlpt_cluster</name> <cluster-messaging-mode>unicast</cluster-messaging-mode> </cluster> <production-mode-enabled>true</production-mode-enabled> <embedded-ldap> <name>zhwlpt_domain</name> <credential-encrypted>{AES}sTjZUzYFaEh9LETOqcVQwfjTmMS2A5HwoyGjFu0pydtq4OfKSdcFh4fqgs8sRlg7</credential-encrypted> </embedded-ldap> <configuration-version>10.3.6.0</configuration-version> <app-deployment> <name>opms</name> <target>zhwlpt_cluster,zhwlpt_admin</target> <module-type>war</module-type> <source-path>servers/zhwlpt_admin/upload/opms.war</source-path> <security-dd-model>DDOnly</security-dd-model> </app-deployment> <app-deployment> <name>opms_edi</name> <target>zhwlpt_cluster,zhwlpt_admin</target> <module-type>war</module-type> <source-path>servers/zhwlpt_admin/upload/opms_edi.war</source-path> <security-dd-model>DDOnly</security-dd-model> </app-deployment> <machine> <name>zhwlptapp02</name> <node-manager> <listen-address>10.135.108.88</listen-address> </node-manager> </machine> <machine> <name>zhwlptapp03</name> <node-manager> <listen-address>10.135.108.89</listen-address> </node-manager> </machine> <migratable-target> <name>zhwlpt_app1 (migratable)</name> <notes>This is a system generated default migratable target for a server. Do not delete manually.</notes> <user-preferred-server>zhwlpt_app1</user-preferred-server> <cluster>zhwlpt_cluster</cluster> </migratable-target> <migratable-target> <name>zhwlpt_app2 (migratable)</name> <notes>This is a system generated default migratable target for a server. Do not delete manually.</notes> <user-preferred-server>zhwlpt_app2</user-preferred-server> <cluster>zhwlpt_cluster</cluster> </migratable-target> <admin-server-name>zhwlpt_admin</admin-server-name> <jdbc-system-resource> <name>opmsJndi</name> <target>zhwlpt_cluster,zhwlpt_admin</target> <descriptor-file-name>jdbc/opmsJndi-8144-jdbc.xml</descriptor-file-name> </jdbc-system-resource></domain>
成功拿到shellhttp://27.223.70.113:7003/uddiexplorer/1ss.jsp?o=index探测下内网http://27.223.70.113:7003/uddiexplorer/out.jsp再次沦陷73台机器
http://10.135.108.16 >> 海尔翻译管理平台>>Apache-Coyote/1.1 >>Successhttp://10.135.108.21 >> >>Apache/2.2.22 (Win32) mod_jk/1.2.30 >>Successhttp://10.135.108.29 >> nginx>>nginx >>Successhttp://10.135.108.37 >> >>Apache-Coyote/1.1 >>Successhttp://10.135.108.36 >> >>Apache-Coyote/1.1 >>Successhttp://10.135.108.38 >> >>Apache-Coyote/1.1 >>Successhttp://10.135.108.93 >> 海尔微信公众号后台管理系统>>nginx/1.7.9 >>Successhttp://10.135.108.64 >> Welcome to nginx!>>nginx/1.8.0 >>Successhttp://10.135.108.65 >> Welcome to nginx!>>nginx/1.8.0 >>Successhttp://10.135.108.87 >> haier>>Microsoft-IIS/6.0 >>Successhttp://10.135.108.135 >> >>unknow >>Successhttp://10.135.108.35 >> >>Jetty(8.1.15.v20140411) >>Successhttp://10.135.108.40 >> 海尔B2B首页>>Apache-Coyote/1.1 >>Successhttp://10.135.108.95 >> IIS7>>Microsoft-IIS/7.5 >>Successhttp://10.135.108.94 >> IIS7>>Microsoft-IIS/7.5 >>Successhttp://10.135.108.159 >> >>nginx/1.2.7 >>Successhttp://10.135.108.160 >> HOPE>>nginx >>Successhttp://10.135.108.117 >> >>Apache/2.2.21 (Unix) >>Successhttp://10.135.108.157 >> 移动办公平台 >>MAM Server 1.0 >>Successhttp://10.135.108.158 >> Welcome to nginx!>>nginx/1.5.13 >>Successhttp://10.135.108.162 >> 登录>>Apache-Coyote/1.1 >>Successhttp://10.135.108.18 >> IIS7>>Microsoft-IIS/7.0 >>Successhttp://10.135.108.19 >> IIS7>>Microsoft-IIS/7.0 >>Successhttp://10.135.108.178 >> IIS7>>Microsoft-IIS/7.5 >>Successhttp://10.135.108.179 >> >>Microsoft-IIS/7.5 >>Successhttp://10.135.108.12 >> >>Microsoft-IIS/7.5 >>Successhttp://10.135.108.107 >> Loading Portal...>>SAP J2EE Engine/7.00 >>Successhttp://10.135.108.126 >> 云菜网云菜网>>null >>Successhttp://10.135.108.148 >> IIS7>>Microsoft-IIS/7.5 >>Successhttp://10.135.108.50 >> 巨商汇_海尔店铺>>Apache-Coyote/1.1 >>Successhttp://10.135.108.155 >> 海尔工业品商城>>Apache/2.4.6 (Unix) OpenSSL/1.0.1c mod_jk/1.2.37 >>Successhttp://10.135.108.188 >> >>Microsoft-IIS/6.0 >>Successhttp://10.135.108.55 >> >>Microsoft-IIS/7.5 >>Successhttp://10.135.108.14 >> >>Apache/2.4.6 (Unix) OpenSSL/1.0.1g mod_jk/1.2.37 >>Successhttp://10.135.108.49 >> 巨商汇_海尔店铺>>Apache-Coyote/1.1 >>Successhttp://10.135.108.197 >> IIS7>>Microsoft-IIS/7.5 >>Successhttp://10.135.108.198 >> SCRM应用平台导航页>>nginx/1.4.4 >>Successhttp://10.135.108.204 >> Welcome to nginx!>>nginx/1.6.1 >>Successhttp://10.135.108.13 >> >>Apache/2.4.6 (Unix) OpenSSL/1.0.1g mod_jk/1.2.37 >>Successhttp://10.135.108.199 >> ��ӭʹ���Ű�����Ӧ�ð�ȫ���>>Apache Coyote/1.0 >>Successhttp://10.135.108.110 >> �������Ϣ����ϵͳ>>Microsoft-IIS/6.0 >>Successhttp://10.135.108.208 >> Login>>Lotus-Domino >>Successhttp://10.135.108.200 >> 海尔互联网网站建设服务版块>>Apache-Coyote/1.1 >>Successhttp://10.135.108.146 >> IIS7>>Microsoft-IIS/7.5 >>Successhttp://10.135.108.180 >> IIS7>>Microsoft-IIS/7.5 >>Successhttp://10.135.108.140 >> >>Microsoft-IIS/7.5 >>Successhttp://10.135.108.231 >> 海尔人才雷达:人才搜索>>Apache-Coyote/1.1 >>Successhttp://10.135.108.232 >> 海客会-海尔·智慧社区生活服务平台>>null >>Successhttp://10.135.108.235 >> WebSphere Application Server Version V8.5 Liberty Profile200 OK>>nginx/1.6.1 >>Successhttp://10.135.108.201 >> >>Microsoft-IIS/6.0 >>Successhttp://10.135.108.132 >> 运行时错误>>Microsoft-IIS/7.0 >>Successhttp://10.135.108.138 >> IIS7>>Microsoft-IIS/7.5 >>Successhttp://10.135.108.20 >> IIS7>>Microsoft-IIS/7.0 >>Successhttp://10.135.108.62 >> IIS7>>Microsoft-IIS/7.5 >>Successhttp://10.135.108.215 >> >>Microsoft-IIS/6.0 >>Successhttp://10.135.108.241 >> Loading Portal...>>SAP J2EE Engine/7.00 >>Successhttp://10.135.108.249 >> Welcome to nginx!>>nginx >>Successhttp://10.135.108.250 >> Welcome to nginx!>>nginx >>Successhttp://10.135.108.252 >> Welcome to nginx!>>nginx >>Successhttp://10.135.108.22 >> IIS7>>Microsoft-IIS/7.0 >>Successhttp://10.135.108.206 >> IIS7>>Microsoft-IIS/7.5 >>Successhttp://10.135.108.221 >> IIS7>>Microsoft-IIS/7.5 >>Successhttp://10.135.108.246 >> >>nginx/1.6.0 >>Successhttp://10.135.108.17 >> IIS7>>Microsoft-IIS/7.0 >>Successhttp://10.135.108.211 >> 海尔企业客户采购|海尔商用解决方案-海尔B2B智慧集成解决方案平台>>Apache-Coyote/1.1 >>Successhttp://10.135.108.209 >> >>Microsoft-IIS/6.0 >>Successhttp://10.135.108.118 >> IIS7>>Microsoft-IIS/7.5 >>Successhttp://10.135.108.81 >> >>Microsoft-IIS/7.5 >>Successhttp://10.135.108.181 >> IIS7>>Microsoft-IIS/7.5 >>Successhttp://10.135.108.10 >> IIS7>>Microsoft-IIS/7.5 >>Successhttp://10.135.108.212 >> 海尔企业客户采购|海尔商用解决方案-海尔B2B智慧集成解决方案平台>>Apache/2.4.7 (Unix) PHP/5.3.27 >>Successhttp://10.135.108.61 >> M-lab创客实验室beta版>>Microsoft-IIS/7.5 >>Successhttp://10.135.108.169 >> >>Microsoft-IIS/7.5 >>Successhttp://10.135.108.133 >> 海尔二维码管理平台>>Microsoft-IIS/7.0 >>Successhttp://10.135.108.11 >> 首页 - 海尔文化交互平台>>Microsoft-IIS/7.0 >>Successhttp://10.135.108.90 >> IIS7>>Microsoft-IIS/7.5 >>Successhttp://10.135.108.113 >> >>Microsoft-IIS/7.5 >>Success
升级
危害等级:高
漏洞Rank:15
确认时间:2015-12-24 15:32
感谢白帽子的测试与提醒,已安排人员进行处理。
暂无
