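2015-12-31: Details reported to the vendor; awaiting vendor handling
2016-01-04: Vendor confirmed; details disclosed to the vendor only
2016-01-14: Details disclosed to core white hats and experts in related fields
2016-01-24: Details disclosed to ordinary white hats
2016-01-28: Vendor has fixed the vulnerability and proactively disclosed it; details disclosed to the public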
Still worth a 20!
http://202.98.11.47:7001/ deserialization command execution with ROOT privileges
shadow
Scanning the internal network
http://10.44.30.89 >> Apache Tomcat/5.5.35>>Apache-Coyote/1.1 >>Success
http://10.44.30.35 >> >>nginx >>Success
http://10.44.30.52 >> >>Microsoft-IIS/6.0 >>Success
http://10.44.30.91 >> Apache Tomcat/5.5.35>>Apache-Coyote/1.1 >>Success
http://10.44.30.51 >> >>Microsoft-IIS/6.0 >>Success
http://10.44.30.113 >> 一汽解放紧急救援调度系统-管理员登录>>Microsoft-IIS/6.0 >>Success
http://10.44.30.118 >> [title garbled by encoding]>>null >>Success
http://10.44.30.54 >> >>Microsoft-IIS/6.0 >>Success
http://10.44.30.90 >> Apache Tomcat/5.5.35>>Apache-Coyote/1.1 >>Success
http://10.44.30.128 >> >>Microsoft-IIS/6.0 >>Success
http://10.44.30.79 >> >>Microsoft-IIS/6.0 >>Success
http://10.44.30.156 >> >>Microsoft-IIS/7.5 >>Success
http://10.44.30.76 >> >>Microsoft-IIS/6.0 >>Success
http://10.44.30.70 >> >>Microsoft-IIS/6.0 >>Success
http://10.44.30.213 >> >>Microsoft-IIS/6.0 >>Success
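More than a dozen internal machines can be penetrated further! Wrote a shell directly and took over the server: http://202.98.11.47:7001/uddiexplorer/jmxroot.jsp
Database configuration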
<jdbc-driver-params>
  <url>jdbc:oracle:thin:@10.44.31.36:1521/orcl</url>
  <driver-name>oracle.jdbc.OracleDriver</driver-name>
  <properties>
    <property>
      <name>user</name>
      <value>jmt11g</value>
    </property>
  </properties>
  <password-encrypted>{AES}VL8QgmX37Ftk778QCOHcvg4VkiHArfcrx9hYKahpyXQ=</password-encrypted>
</jdbc-driver-params>
<jdbc-connection-pool-params>
Decrypted: jmt11g cdpvrr
208 database tables exposed
All database tables
Asking for rank 20!
Severity: High
Vulnerability Rank: 20
Confirmed at: 2016-01-04 10:43
Already submitted to the relevant department for handling
2016-01-28: Fixed