Midea Supply Chain Management System (production environment) has a command execution vulnerability. After getting a shell, 53 machines on the intranet can be roamed.
Many intranet machines are reachable.
http://202.104.30.80:8000/
http://202.104.30.80/
Java deserialization vulnerability
Getshell:
http://202.104.30.80:8000/uddiexplorer/css.jsp
Multiple systems are involved.
Intranet detection:
http://202.104.30.80:8000/uddiexplorer/out.jsp
Solution:
Upgrade the version.