当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0166208

漏洞标题:比亚迪某站命令执行已getshell影响内网48台主机安全

相关厂商:bydauto.com.cn

漏洞作者: 路人甲

提交时间:2015-12-31 10:44

修复时间:2016-02-12 18:49

公开时间:2016-02-12 18:49

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-31: 细节已通知厂商并且等待厂商处理中
2016-01-04: 厂商已经确认,细节仅向厂商公开
2016-01-14: 细节向核心白帽子及相关领域专家公开
2016-01-24: 细节向普通白帽子公开
2016-02-03: 细节向实习白帽子公开
2016-02-12: 细节向公众公开

简要描述:

20rank还是值得!

详细说明:

http://113.106.76.91/

10.png


jboss配置不当,存在JAVA反序列化命令执行漏洞!
ipconfig显示内网!可进行内网探测

11.png


net view
四十几台主机!

服务器名称            注释
-------------------------------------------------------------------------------
\\AUTOFTP                                                                      
\\BID                                                                          
\\BYD-ASN                                                                      
\\BYD-BSP                                                                      
\\BYD-FC                                                                       
\\BYD-PO                                                                       
\\BYD-SCMASN                                                                   
\\BYD-SCMFC                                                                    
\\BYD-SCMPO                                                                    
\\BYDPOWER                                                                     
\\DLY-FUTIAN-001                                                               
\\DLY-FUTIAN-002                                                               
\\EDGE                                                                         
\\EDI1                 EDI1                                                    
\\EDI5                                                                         
\\LED-EIP                                                                      
\\NWCP                                                                         
\\PS-CC-SMS1                                                                   
\\PS-CC4-ELECINTE                                                              
\\PS-CC4-SFTP2                                                                 
\\PS-DIV1-FORKLIF                                                              
\\PS-DIV5-FTP02                                                                
\\PS-DLKX-BMAS01                                                               
\\PS-DMSCS-WEB1                                                                
\\PS-DMSPRD-EXCH                                                               
\\PS-DMSPRD-WEB                                                                
\\PS-DMSPRD-WEB01                                                              
\\PS-EDI-PROD2                                                                 
\\PS-EDI-TEST02                                                                
\\PS-EDI-TEST03                                                                
\\PS-EDI-TEST04                                                                
\\PS-ERP-MDMFTP                                                                
\\PS-ERP-MDMWEB2                                                               
\\PS-ERP-MDMWEB3                                                               
\\PS-IPRL-PATENT                                                               
\\PS-MDM-APACHE                                                                
\\PS-SALES-MAS                                                                 
\\PS-SAP-SAPROUTE                                                              
\\PS-SRM-APS01                                                                 
\\PS-ZCB-YKTDB01                                                               
\\SFTP                 SFTP                                                    
\\SPECIAL                                                                      
\\SVCTAG-DQ4KQ2X                                                               
\\WIN-4APDCGTCQRC                                                              
\\XUNIJIIIS                                                                    
命令成功完成。


直接写shell拿下服务器
http://113.106.76.91/she11.jsp

12.png


因为是内网,可以对内网进行探测,多个内网系统安全受影响

http://10.9.33.19 >> >>httpd >>Success
http://10.9.33.80 >> >>Apache >>Success
http://10.9.33.73 >> ��ʾ��Ϣ - Powered by PHPWind>>nginx >>Success
http://10.9.33.32 >> >>Oracle-Application-Server-10g/10.1.3.1.0 Oracle-HTTP-Server >>Success
http://10.9.33.100 >> >>nginx >>Success
http://10.9.33.87 >> message>>Apache-Coyote/1.1 >>Success
http://10.9.33.101 >> >>nginx/1.4.4 >>Success
http://10.9.33.102 >> >>nginx/1.8.0 >>Success
http://10.9.33.96 >> Index of />>Apache >>Success
http://10.9.33.72 >> >>Apache/2.2.25 (Win32) >>Success
http://10.9.33.99 >> >>nginx >>Success
http://10.9.33.11 >> Login>>Virata-EmWeb/R6_0_1 >>Success
http://10.9.33.7 >> >>Microsoft-IIS/6.0 >>Success
http://10.9.33.63 >> >>Apache/2.2.25 (Win32) PHP/5.3.5 >>Success
http://10.9.33.64 >> 比亚迪叉车官网>>Apache-Coyote/1.1 >>Success
http://10.9.33.109 >> >>HP-iLO-Server/1.30 >>Success
http://10.9.33.55 >> ����ƺɽ�����ϵͳ-WEB��>>Apache-Coyote/1.1 >>Success
http://10.9.33.114 >> Index of />>Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips PHP/5.3.27 >>Success
http://10.9.33.67 >> IIS7>>Microsoft-IIS/7.0 >>Success
http://10.9.33.65 >> IIS7>>Microsoft-IIS/7.0 >>Success
http://10.9.33.90 >> >>Microsoft-IIS/6.0 >>Success
http://10.9.33.144 >> >>nginx/1.9.5 >>Success
http://10.9.33.155 >> >>Apache >>Success
http://10.9.33.154 >> 比亚迪供应商门户>>nginx/1.9.3 >>Success
http://10.9.33.178 >> >>Microsoft-IIS/7.5 >>Success
http://10.9.33.177 >> >>Apache/2.2.25 (Win32) >>Success
http://10.9.33.193 >> >>Apache/2.2.15 (Win32) mod_jk/1.2.28 >>Success
http://10.9.33.185 >> >>httpd >>Success
http://10.9.33.189 >> >>Mbedthis-Appweb/2.4.2 >>Success
http://10.9.33.195 >> >>Apache-Coyote/1.1 >>Success
http://10.9.33.194 >> >>Apache/2.2.15 (Win32) mod_jk/1.2.28 >>Success
http://10.9.33.176 >> >>Apache/2.2.25 (Win32) >>Success
http://10.9.33.198 >> >>nginx/0.9.5 >>Success
http://10.9.33.192 >> >>Mbedthis-Appweb/2.4.2 >>Success
http://10.9.33.180 >> >>Mbedthis-Appweb/2.4.2 >>Success
http://10.9.33.183 >> >>Mbedthis-Appweb/2.4.2 >>Success
http://10.9.33.191 >> >>Mbedthis-Appweb/2.4.2 >>Success
http://10.9.33.218 >> developer.bydauto.com.cn>>Apache >>Success
http://10.9.33.221 >> >>nginx/1.7.7.1 WhiteRabbit >>Success
http://10.9.33.201 >> >>nginx >>Success
http://10.9.33.179 >> >>Serv-U/10.0.0.3 >>Success
http://10.9.33.199 >> >>Microsoft-IIS/7.5 >>Success
http://10.9.33.222 >> IIS Windows Server>>Microsoft-IIS/8.5 >>Success
http://10.9.33.242 >> Web user login>>Switch >>Success
http://10.9.33.241 >> Web user login>>Switch >>Success
http://10.9.33.243 >> Web user login>>Switch >>Success
http://10.9.33.213 >> >>Microsoft-IIS/7.5 >>Success
http://10.9.33.224 >> IIS7>>Microsoft-IIS/7.5 >>Success


48台内网主机系统可进一步深入漫游!!

漏洞证明:

修复方案:

求20rank!

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2016-01-04 08:38

厂商回复:

正在处理,感谢您的报告。

最新状态:

暂无