
Vulnerability summary

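Bug ID: wooyun-2015-0163694

Title: Hubei Post risk-point control system has a WebLogic deserialization vulnerability (allows access to the internal network)

Vendor: State Post Bureau (国家邮政局)

Author: 路人甲

Submitted: 2015-12-22 23:15

Fixed: 2016-02-06 10:45

Made public: 2016-02-06 10:45

Vulnerability type: Command execution

Severity: High

Self-assessed Rank: 20

Status: Confirmed by the vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]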



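Vulnerability details

Disclosure status:

2015-12-22: Details reported to the vendor; awaiting vendor handling
2015-12-24: Vendor confirmed; details disclosed to the vendor only
2016-01-03: Details disclosed to core white hats and experts in related fields
2016-01-13: Details disclosed to regular white hats
2016-01-23: Details disclosed to intern white hats
2016-02-06: Details disclosed to the public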

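Brief description:

RT (as in the title)

Detailed description:

Hubei Post integrity risk-point control management system
http://58.52.163.234:7001/
WebLogic deserialization vulnerability
A reverse shell was obtained directly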



Check the ports:

C:\Oracle\Middleware\user_projects\domains\slzfxkz>netstat -an


Probe the internal network:

C:\Oracle\Middleware\user_projects\domains\slzfxkz>arp -a


Proof of vulnerability:

Probe the internal network:

C:\Oracle\Middleware\user_projects\domains\slzfxkz>arp -a

Remediation:

Upgrade

Copyright notice: when reposting, please credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-12-24 11:03

Vendor reply:

Thank you

Latest status:

None