Vulnerability summary

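Bug ID: wooyun-2016-0207659

Title: Command execution on a Midea site / threat to the internal network

Vendor: midea.com

Author: 凌零1

Submitted: 2016-05-11 22:23

Fixed: 2016-06-26 00:00

Published: 2016-06-26 00:00

Vulnerability type: Command execution

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]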

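Vulnerability details

Disclosure status:

2016-05-11: Details reported to the vendor; awaiting vendor handling
2016-05-11: Vendor confirmed; details disclosed to the vendor only
2016-05-21: Details disclosed to core white hats and experts in the relevant field
2016-05-31: Details disclosed to regular white hats
2016-06-10: Details disclosed to trainee white hats
2016-06-26: Details disclosed to the public

Brief description:

As the title says

Detailed description: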

java rec

http://61.145.111.17:8001/bea_wls_diagnostics/jsp.jsp www

Collected some internal network information
Can go via HTTP

Proof of vulnerability:

Can go via HTTP

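Remediation:

Copyright notice: when reposting, please credit the source 凌零1@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 8

Confirmed: 2016-05-11 23:50

Vendor reply:

We confirm the vulnerability exists. Based on past scoring, it is given a Rank of 8. Thank you for the heads-up.

Latest status:

None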