China Southern Power Grid: getshell to internal-network roaming

ID: 187216
URL: http://www.wooyun.org/bug.php?action=view&id=187216
Status: confirmed by vendor
Title: China Southern Power Grid: getshell to internal-network roaming
Type: weak admin-panel password
Vendor: China Southern Power Grid (中国南方电网)
White hat: 镱鍚
Submitted: 2016-03-21 11:52:00
Published: 2016-05-05 15:43:00
Fixed: (not set)
Confirmed: 2016-03-21 00:00:00
Confirm Spend: 0
Tags: internal network, getshell
Followers: 0
Favorites: 0
White-hat rating:
White-hat self-assessment: rank 20
Vendor rating:
Vendor assessment: rank 5
Summary
As titled.
Details

(PS: can this get a high rank?? ^_^)

http://116.55.241.7:9091/manager/html
Tomcat Manager weak credentials: both / tomcat (username / password)
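The root cause here is a Tomcat Manager account left on a sample-file credential. As an added defender-side example (not code from the report or from the Tomcat project), the script below audits a tomcat-users.xml and flags every account holding a Manager or Host Manager role whose password is a well-known sample credential, is shorter than a minimum length, or equals the username. The embedded sample file, the KNOWN_DEFAULTS list and the 14-character minimum are constructed for the example; the "both"/"tomcat" pair in the list matches the credential reported above and the user entries shipped commented-out in older Tomcat sample files.

```python
"""Audit a Tomcat tomcat-users.xml for weak Manager/Host Manager credentials.

Added example, not part of the WooYun report. Run it against the real file:
    python audit_tomcat_users.py /path/to/conf/tomcat-users.xml
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample mirroring the structure of conf/tomcat-users.xml.
# It contains the weak credential from the report plus a properly provisioned account.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="admin-gui"/>
  <user username="both" password="tomcat" roles="tomcat,role1,manager-gui"/>
  <user username="deploy" password="s3cret" roles="manager-script"/>
  <user username="ops" password="Zq7!mLp2#vR9wX4d" roles="manager-gui,admin-gui"/>
  <user username="app" password="short" roles="tomcat"/>
</tomcat-users>
"""

# Roles that allow deploying code or reconfiguring hosts through the web apps.
PRIVILEGED_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}

# Username/password pairs from sample files and common scanner wordlists.
# Constructed list for this example; extend it with your own observed defaults.
KNOWN_DEFAULTS = {
    ("tomcat", "tomcat"), ("both", "tomcat"), ("role1", "tomcat"),
    ("admin", "admin"), ("admin", ""), ("admin", "tomcat"), ("tomcat", "s3cret"),
}

MIN_PASSWORD_LENGTH = 14  # constructed policy value


def _local_name(tag):
    """Strip an XML namespace prefix such as {http://tomcat.apache.org/xml}."""
    return tag.split("}")[-1]


def audit_tomcat_users(xml_text):
    """Return a list of findings for privileged users with weak credentials.

    Each finding is {"username": ..., "roles": [...], "reasons": [...]}.
    Users without a privileged role are ignored: they cannot deploy code.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local_name(el.tag) != "user":
            continue
        # Tomcat uses "username"; very old files used "name".
        name = el.get("username") or el.get("name") or ""
        password = el.get("password") or ""
        roles = {r.strip() for r in (el.get("roles") or "").split(",") if r.strip()}
        privileged = roles & PRIVILEGED_ROLES
        if not privileged:
            continue
        reasons = []
        if (name, password) in KNOWN_DEFAULTS:
            reasons.append("known default credential")
        if len(password) < MIN_PASSWORD_LENGTH:
            reasons.append(f"password shorter than {MIN_PASSWORD_LENGTH} chars")
        if password and password.lower() == name.lower():
            reasons.append("password equals username")
        if reasons:
            findings.append({"username": name, "roles": sorted(privileged), "reasons": reasons})
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_TOMCAT_USERS
    for f in audit_tomcat_users(text):
        print(f"{f['username']} ({', '.join(f['roles'])}): {'; '.join(f['reasons'])}")
```

On the sample file the script reports "both" (known default, too short) and "deploy" (too short) and stays silent on "ops" and on the unprivileged "app" account. Pair the credential check with restricting the Manager application to trusted source addresses (Tomcat's RemoteAddrValve in the app's context.xml) or removing it from Internet-facing instances altogether.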

[Screenshot: 1.png]

A quick deployment, and getshell:

http://116.55.241.7:9091/job/index.jsp

[Screenshot: 2.png]

A quick look shows it is an internal-network machine, and the privileges are fairly high.

[Screenshot: 3.png]
[Screenshot: 4.png]
[Screenshot: 5.png]

Then the internal-network roaming began. First, an apology to the vendor: somehow my activity made your site intermittently inaccessible, so I only did a light probe and did not dare go any deeper.
Web services reachable on the internal network:

http://10.180.201.163:8081 >> Welcome to JBoss™>>Apache-Coyote/1.1 >>Success
http://10.180.201.228:8080 >> 云南OMS接口>>Apache-Coyote/1.1 >>Success
http://10.180.201.229:8081 >> Apache Tomcat>>Apache-Coyote/1.1 >>Success
http://10.180.201.235:80 >> >>GoAhead-Webs >>Success
http://10.180.201.240:80 >> >>MoxaHttp/1.0 >>Success
http://10.180.201.241:80 >> Oracle HTTP Server Index>>Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.5f mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25 >>Success
http://10.180.201.243:80 >> Oracle HTTP Server Index>>Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.5f mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25 >>Success
http://10.180.201.242:80 >> 系统登录>>Apache-Coyote/1.1 >>Success
http://10.180.201.246:80 >> Oracle HTTP Server Index>>Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.5f mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25 >>Success
http://10.180.201.253:80 >> >>MoxaHttp/1.0 >>Success
http://10.180.201.245:8081 >> Apache Tomcat>>Apache-Coyote/1.1 >>Success

[Screenshot: 6.png]
[Screenshot: 7.png]
[Screenshot: 8.png]
[Screenshot: 9.png]

Open ports on the internal network (grouped by host):

10.180.201.161: 135, 3389
10.180.201.163: 1521
10.180.201.170: 3389
10.180.201.225: 135, 3389
10.180.201.226: 135, 3389
10.180.201.228: 135, 3389, 8080
10.180.201.229: 135, 3389
10.180.201.230: 21, 1521
10.180.201.231: 21, 1521
10.180.201.232: 21, 1521
10.180.201.233: 21, 1521
10.180.201.234: 21, 1521
10.180.201.235: 80, 443
10.180.201.238: 135, 3389
10.180.201.240: 80
10.180.201.241: 80, 135, 443, 3389
10.180.201.242: 80, 135, 3389
10.180.201.243: 80, 135, 443, 3389
10.180.201.244: 135, 3389
10.180.201.245: 21, 80, 135, 3389
10.180.201.246: 80, 135, 443, 1521, 3389
10.180.201.247: 21, 135, 3389
10.180.201.248: 135, 3389
10.180.201.249: 135, 443, 1521, 3389
10.180.201.250: 21, 1521
10.180.201.251: 135, 3389
10.180.201.252: 21
10.180.201.253: 80
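What makes this report serious from a defender's perspective is not the port list itself but what it says about segmentation: from a single compromised web server, RDP, MS-RPC, FTP and Oracle listeners on the internal range were all reachable. As an added example (not from the report), the script below turns raw scanner output in the same "host:port >>> Open" format into a per-host inventory, discards the duplicate lines such a paste usually contains, and applies a small segmentation policy that lists every management or database port a DMZ web host should not be able to reach. The sample lines, the 10.0.1.0/24 addresses and the POLICY table are constructed for the example.

```python
"""Consolidate port-scan output and flag segmentation violations.

Added example, not part of the WooYun report. Reads lines like
"10.0.1.161:135 >>> Open", groups them per host and reports ports that a
constructed policy says must not be reachable from a DMZ web server.
"""
import re
from collections import defaultdict

# One scanner line: dotted-quad host, colon, port, one or more '>' and "Open".
SCAN_LINE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*>+\s*Open\s*$")

# Ports that should never be reachable from a web-facing host (constructed policy;
# adapt it to the environment's actual segmentation rules).
POLICY = {
    21: "FTP (cleartext credentials)",
    135: "MS-RPC (Windows management)",
    1521: "Oracle listener (database)",
    3389: "RDP (remote administration)",
}

# Constructed sample in the report's format, including a duplicated line and
# a malformed line, to show both are handled.
SAMPLE_SCAN = """
10.0.1.161:135 >>> Open
10.0.1.161:3389 >>> Open
10.0.1.163:1521 >>> Open
10.0.1.161:135 >>> Open
10.0.1.228:8080 >>> Open
10.0.1.228:3389 >>> Open
10.0.1.235:80 >>> Open
10.0.1.235:443 >>> Open
this line is not scanner output and is ignored
"""


def _ip_key(host):
    """Sort key so 10.0.1.9 precedes 10.0.1.10 (numeric, not lexical)."""
    return tuple(int(octet) for octet in host.split("."))


def parse_scan(text):
    """Return {host: sorted list of unique open ports}, skipping malformed lines."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        m = SCAN_LINE.match(line)
        if not m:
            continue
        port = int(m.group(2))
        if 0 < port < 65536:  # drop out-of-range values the regex cannot exclude
            hosts[m.group(1)].add(port)
    return {h: sorted(p) for h, p in sorted(hosts.items(), key=lambda kv: _ip_key(kv[0]))}


def segmentation_findings(inventory, policy=POLICY):
    """Return (host, port, reason) for every open port the policy forbids."""
    return [(host, port, policy[port])
            for host, ports in inventory.items()
            for port in ports if port in policy]


def summarize(text, policy=POLICY):
    """Inventory statistics plus the policy findings, for a ticket or report."""
    inventory = parse_scan(text)
    findings = segmentation_findings(inventory, policy)
    return {
        "hosts": len(inventory),
        "open_ports": sum(len(ports) for ports in inventory.values()),
        "findings": findings,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_SCAN)
    print(f"{result['hosts']} hosts, {result['open_ports']} unique open ports")
    for host, port, reason in result["findings"]:
        print(f"  {host}:{port}  {reason}")
```

On the sample input the script finds four hosts with seven unique open ports and four policy violations (RDP and MS-RPC on .161, the Oracle listener on .163, RDP on .228); the duplicated .161:135 line is counted once. The same policy table doubles as a firewall review checklist: each finding is a rule that should not exist between the DMZ and the internal segment.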


Stopping here; the impact is already quite severe. Please fix it as soon as possible ^_^

POC: identical to the details section above.

Fix recommendation

..

Status history:
2016-03-21: Details sent to the vendor, awaiting vendor handling
2016-03-21: Vendor confirmed; details disclosed to the vendor only
2016-03-31: Details disclosed to core white hats and domain experts
2016-04-10: Details disclosed to regular white hats
2016-04-20: Details disclosed to intern white hats
2016-05-05: Details disclosed to the public
Vendor reply: Thanks for your attention.
Response info: Severity: Medium; Vulnerability Rank: 5; Confirmed: 2016-03-21 15:43
Comments (content / commenter / likes / time):

@镱鍚 Way too little indeed! Giving that little is the admin telling you: bro, stop submitting our holes, I've only just had a few quiet days and here you come to embarrass me!

暴走 | 0 likes | 2016-03-21 16:47:00

@中国南方电网 Couldn't you give a bit more...

镱鍚 | 0 likes | 2016-03-21 16:40:00

I want my electricity bill covered too

绝对领域 | 0 likes | 2016-03-21 14:59:00

Big bro, I want my electricity bill covered

晓庄 | 0 likes | 2016-03-21 13:23:00