当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0171641

漏洞标题:国电南瑞捷鸿某站点命令执行(涉及大量工作人员信息报表/可扫描内网主机)

相关厂商:国家电网公司

漏洞作者: 路人甲

提交时间:2016-01-21 16:42

修复时间:2016-03-07 10:49

公开时间:2016-03-07 10:49

漏洞类型:命令执行

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-01-21: 细节已通知厂商并且等待厂商处理中
2016-01-23: 厂商已经确认,细节仅向厂商公开
2016-02-02: 细节向核心白帽子及相关领域专家公开
2016-02-12: 细节向普通白帽子公开
2016-02-22: 细节向实习白帽子公开
2016-03-07: 细节向公众公开

简要描述:

详细说明:

http://211.160.21.126:7002/EICS/jsp/login.jsp 存在命令执行,
通过数据库配置发现大量工作人员信息和工作信息,报表数据。还可以扫描内网。

漏洞证明:

11111.png

xinxi.png

xinxi1.png

xinxi2.png

xinxi3.png

<url>jdbc:oracle:thin:@192.168.61.87:1521:NRJH</url>
    <driver-name>oracle.jdbc.OracleDriver</driver-name>
    <properties>
      <property>
        <name>user</name>
        <value>PJMG</value>
      </property>
    </properties>
    <password-encrypted>{AES}q+mI4dSjEEHeNfeU6dr6O6aKHvdbANXsvrpxIv6uiAw=</password-encrypted> nrjh_829oa

数据库配置

http://211.160.21.126:7002/EICS/1.jspx 9635789

http://127.0.0.6 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.1 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.2 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.4 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.7 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.3 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.5 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.8 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.9 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.10 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.12 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.11 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.13 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.15 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.139 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.140 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.141 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.142 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.143 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.144 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.172 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.171 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.173 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.174 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.175 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.176 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.209 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.210 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.212 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.211 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.213 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.214 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.215 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.216 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.217 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.218 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.219 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.220 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.221 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.222 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.223 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.224 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.225 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.226 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.227 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.243 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.244 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.245 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.246 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.247 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.248 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.249 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.250 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.252 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.253 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.254 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.251 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.255 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.203 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.202 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.206 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.205 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.207 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.208 >> >>Apache/2.2.23 (Unix) DAV/2 SVN/1.6.9 >>Success
http://127.0.0.256 >> Redirect>>nginx >>Success

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:7

确认时间:2016-01-23 11:04

厂商回复:

谢谢

最新状态:

暂无