WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online browsing -------- http://drop.zone.ci/
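2016-03-11: Details reported to the vendor; awaiting vendor response
2016-03-11: Vendor confirmed; details disclosed to the vendor only
2016-03-16: Vendor fixed the vulnerability and proactively disclosed it; details released to the public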
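Could I get a high score? And will the small gift really be sent?
A white hat previously reported a weak password on the WebLogic console of the Bank of China Insurance parameter management platform (http://111.205.37.193:7001/BOCIParamManager/) that led to getshell. That vulnerability has been patched, but the deserialization issue has not.
Test results:
Internal IP address
Many ports are open, including 3389 and 21.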
config.xml
<?xml version='1.0' encoding='UTF-8'?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd">
  <name>base_domain</name>
  <domain-version>10.3.6.0</domain-version>
  <security-configuration>
    <name>base_domain</name>
    <realm>
      <sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
      <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
        <sec:active-type>AuthenticatedUser</sec:active-type>
      </sec:authentication-provider>
      <sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
      <sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
      <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
      <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
      <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
      <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
      <sec:name>myrealm</sec:name>
      <sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
        <sec:name>SystemPasswordValidator</sec:name>
        <pas:min-password-length>8</pas:min-password-length>
        <pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
      </sec:password-validator>
    </realm>
    <default-realm>myrealm</default-realm>
    <credential-encrypted>{AES}35uscvHlIcGYxHP8/cYYvz/HBNTXRuyMdTWJxMviEROzQg71NmNyJnbZWZPSf8vT83QmQ7p4Lw+oi8HFgmNmIC766Qv1IrXtcMFyYgBo5EdD/yq2ltrqUXOL1DWIMH17</credential-encrypted>
    <node-manager-username>aNpdpFYxhR</node-manager-username>
    <node-manager-password-encrypted>{AES}jVtYKs0BcCaIcIONh9GnkJjfaLex7Ai8USCfJzQeJIQ=</node-manager-password-encrypted>
  </security-configuration>
  <server>
    <name>AdminServer01</name>
    <listen-address></listen-address>
  </server>
  <production-mode-enabled>true</production-mode-enabled>
  <embedded-ldap>
    <name>base_domain</name>
    <credential-encrypted>{AES}FcHxi+7xjZj3VICingEIe/0JViC6wu2jI8URmDK5i0O/U0tCzjWYC+2jsoxx9sXQ</credential-encrypted>
  </embedded-ldap>
  <administration-port-enabled>true</administration-port-enabled>
  <administration-port>9005</administration-port>
  <configuration-version>10.3.6.0</configuration-version>
  <app-deployment>
    <name>BOCIParamManager</name>
    <target>AdminServer01</target>
    <module-type>war</module-type>
    <source-path>D:\参数管理软件\BOCIParamManager.war</source-path>
    <security-dd-model>DDOnly</security-dd-model>
  </app-deployment>
  <app-deployment>
    <name>BOCIDispatchService</name>
    <target>AdminServer01</target>
    <module-type>war</module-type>
    <source-path>D:\影像处理软件\BOCIDispatchService.war</source-path>
    <security-dd-model>DDOnly</security-dd-model>
  </app-deployment>
  <admin-server-name>AdminServer01</admin-server-name>
  <jdbc-system-resource>
    <name>PARA_MANG_DS</name>
    <target>AdminServer01</target>
    <descriptor-file-name>jdbc/PARA_MANG_DS-2338-jdbc.xml</descriptor-file-name>
  </jdbc-system-resource>
  <jdbc-system-resource>
    <name>DispatchServiceDS</name>
    <target>AdminServer01</target>
    <descriptor-file-name>jdbc/DispatchServiceDS-4602-jdbc.xml</descriptor-file-name>
  </jdbc-system-resource>
</domain>
The database configuration file is at D:\Oracle\Middleware\user_projects\domains\base_domain\config\jdbc\PARA_MANG_DS-2338-jdbc.xml
<?xml version='1.0' encoding='UTF-8'?>
<jdbc-data-source xmlns="http://xmlns.oracle.com/weblogic/jdbc-data-source" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/jdbc-data-source http://xmlns.oracle.com/weblogic/jdbc-data-source/1.2/jdbc-data-source.xsd">
  <name>PARA_MANG_DS</name>
  <jdbc-driver-params>
    <url>jdbc:oracle:thin:@(description=(ADDRESS_LIST =(ADDRESS = (PROTOCOL = TCP)(HOST = DBServer1)(PORT = 1521))(ADDRESS = (PROTOCOL = TCP)(HOST = DBServer2)(PORT = 1521))(load_balance=yes)(failover=yes))(connect_data=(service_name=bocicm)(instance_name=bocicm1)(instance_name=bocicm2)))</url>
    <driver-name>oracle.jdbc.xa.client.OracleXADataSource</driver-name>
    <properties>
      <property>
        <name>user</name>
        <value>appadmin</value>
      </property>
    </properties>
    <password-encrypted>{AES}qEnPROhlP75yK60Zu46b8ekijQCUWsoI5KSLOsoDdK0=</password-encrypted>
  </jdbc-driver-params>
  <jdbc-connection-pool-params>
    <test-table-name>SQL SELECT 1 FROM DUAL</test-table-name>
  </jdbc-connection-pool-params>
  <jdbc-data-source-params>
    <jndi-name>PARA_MANG_DS</jndi-name>
    <global-transactions-protocol>TwoPhaseCommit</global-transactions-protocol>
  </jdbc-data-source-params>
</jdbc-data-source>
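I did not upload a shell to go deeper; not that I couldn't...
Small gift, small gift.
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2016-03-11 17:09
Thank you very much; the small gift is being prepared...
2016-03-16: Fixed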