
Vulnerability summary

Defect ID: wooyun-2014-069830

Title: A failed attempt at roaming the internal network of a government system

Vendor: cncert

Author: 路人甲

Submitted: 2014-07-26 23:14

Fixed: 2014-09-09 23:18

Published: 2014-09-09 23:18

Vulnerability type: successful intrusion event

Severity: High

Self-assessed Rank: 20

Status: handed over to a third-party partner organization (cncert, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-07-26: Details sent to the vendor; awaiting the vendor's handling
2014-07-31: Vendor confirmed; details visible to the vendor only
2014-08-10: Details opened to core white hats and domain experts
2014-08-20: Details opened to regular white hats
2014-08-30: Details opened to intern white hats
2014-09-09: Details opened to the public

Brief description:

Security is a whole: what guarantees it is not how strong the strong points are, but where the genuinely weak point lies.
Applying that principle, this test entered the internal network through a classic vulnerability, collected sensitive information related to the system, and made real progress thanks to a system administrator's negligence; because one step needed computing power my machine does not have, the test as a whole ended in failure.
This report describes a fairly complete penetration-testing process and shares one line of thinking with fellow white hats.

Detailed description:

#0 Site
http://121.28.35.250:8080/cms/loginAction.action

(screenshot: 10.jpg)


Seeing the words "key-driven" (密钥驱动) on the login page made me think of a bank..
#1 Foothold: the Struts2-016 vulnerability
http://121.28.35.250:8080/cms/loginAction.action

Site physical path: /usr/local/www/tomcat6/webapps/cms/
java.home: /usr/local/www/jdk1.6/jre
java.version: 1.6.0_30
os.name: Linux
os.arch: i386
os.version: 2.4.21-32.ELsmp
user.name: root
user.home: /root
user.dir: /
java.class.version: 50.0
java.class.path: /usr/local/www/tomcat6/bin/bootstrap.jar
java.library.path: /usr/local/www/jdk1.6/jre/lib/i386/server:/usr/local/www/jdk1.6/jre/lib/i386:/usr/local/www/jdk1.6/jre/../lib/i386:/usr/java/packages/lib/i386:/lib:/usr/lib
file.separator: /
path.separator: :
java.vendor: Sun Microsystems Inc.
java.vendor.url: http://java.sun.com/
java.vm.specification.version: 1.0
java.vm.specification.vendor: Sun Microsystems Inc.
java.vm.specification.name: Java Virtual Machine Specification
java.vm.version: 20.5-b03
java.vm.name: Java HotSpot(TM) Server VM
java.specification.version: 1.6
java.specification.name: Java Platform API Specification
java.io.tmpdir: /usr/local/www/tomcat6/temp


root privileges:

(screenshot: 7.jpg)
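The foothold above is S2-016 (CVE-2013-2251): Struts 2 before 2.3.15.1 handed parameter names beginning with `action:`, `redirect:` or `redirectAction:` to the OGNL evaluator, so one crafted request gives code execution as whatever user Tomcat runs as (here, root). From the defender's side the exploitation is easy to spot in the access log, because those prefixes carry OGNL syntax that no legitimate redirect target contains. The detector below is an added example written for this report, not code from the page or from the affected system; the log lines it runs over are constructed (invented client IPs and timestamps; only the `/cms/loginAction.action` path is taken from the report).

```python
import re
from urllib.parse import unquote_plus

# Tomcat AccessLogValve / Apache "combined" line; the request target is logged as the client sent it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Parameter-name prefixes that Struts 2 before 2.3.15.1 handed to the OGNL evaluator (S2-016).
S2_016_PREFIXES = ("redirect:", "redirectAction:", "action:")

# Substrings that belong to OGNL expressions and never to a legitimate redirect target.
OGNL_MARKERS = ("${", "%{", "#context", "#_memberAccess", "@java.", "#application", "#request")


def flag_s2_016(line):
    """Return a finding dict for a request that uses an S2-016 prefix, or None for a benign line.

    severity "high": the prefixed parameter carries OGNL syntax (an exploitation attempt).
    severity "low":  the prefix appears with an ordinary value (someone probing the surface,
                     or an application feature that the Struts upgrade will disable anyway).
    """
    m = LOG_RE.match(line)
    if m is None:
        return None
    query = m.group("target").partition("?")[2]
    for pair in (query.split("&") if query else []):
        name, _, value = pair.partition("=")
        name, value = unquote_plus(name), unquote_plus(value)
        if not name.startswith(S2_016_PREFIXES):
            continue
        probe = name + "=" + value
        marker = next((mk for mk in OGNL_MARKERS if mk in probe), None)
        return {
            "ip": m.group("ip"), "ts": m.group("ts"), "param": name,
            "marker": marker, "severity": "high" if marker else "low",
        }
    return None


def scan_access_log(lines):
    """Run flag_s2_016 over an iterable of log lines and keep the findings."""
    return [hit for hit in map(flag_s2_016, lines) if hit is not None]


# Constructed sample lines (client IPs and timestamps invented; the path is the one from the report).
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Jul/2014:09:17:47 +0800] "GET /cms/loginAction.action HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [26/Jul/2014:09:18:02 +0800] "GET /cms/loginAction.action?redirect:/cms/index.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [26/Jul/2014:09:20:11 +0800] "GET /cms/loginAction.action?redirect:%24%7B%23context%7D HTTP/1.1" 500 812 "-" "Python-urllib/2.7"',
    "this line is not in combined format and is skipped",
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("%(severity)s %(ip)s %(ts)s %(param)s marker=%(marker)s" % hit)
```

The two-level verdict matters in practice: a `redirect:` parameter with a plain path is worth a ticket, because after the upgrade to 2.3.15.1 or later the prefix no longer does anything, while a prefix containing `${` or `#context` is an active attempt and the source IP belongs in the incident timeline. Decoding the query before matching is what catches the percent-encoded form in the third sample line.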


#2 Upload a small webshell and search for Struts-related sensitive information
First read the configuration files under WEB-INF/conf to find the database connection details

<prop key="hibernate.connection.provider_class">com.jolbox.bonecp.provider.BoneCPConnectionProvider</prop>
<prop key="hibernate.connection.driver_class">com.mysql.jdbc.Driver</prop>
<prop key="hibernate.connection.url">jdbc:mysql://127.0.0.1:3306/zyj?useUnicode=true&amp;characterEncoding=UTF-8&amp;autoReconnect=true</prop>
<prop key="hibernate.connection.username">root</prop>
<prop key="hibernate.connection.password">sjzxxzxjinzhou</prop>
<prop key="bonecp.partitionCount">3</prop>
<prop key="bonecp.minConnectionsPerPartition">10</prop>
<prop key="bonecp.maxConnectionsPerPartition">100</prop>
<prop key="bonecp.acquireIncrement">5</prop>
<prop key="bonecp.idleMaxAgeInMinutes">1</prop>
<prop key="bonecp.idleConnectionTestPeriodInMinutes">1</prop>
<prop key="bonecp.statementsCacheSize">50</prop>
<prop key="bonecp.releaseHelperThreads">5</prop>


Connecting to the database, apart from passwd being encrypted, the userid, the deptid after it and the content all look like MD5-style hashes.
Then again, when I viewed the JSP files through the webshell at the start they were also obfuscated in some way, so relatively speaking it is fairly secure.

(screenshot: 8.jpg)


The back-end login has no CAPTCHA, so the first thing to try is weak-password brute forcing:
usernames:

jzsgxs
zhzfb
jzsajj
zhsjj
zhmzj
zhzlx
zhhbj
jzshsz
zhrenshou
zhlsj
zhgsj
zhliantong
zhngj
jzswsj
jzsjtj
jzsshuiwu
zhgsh
jzsxhgyy
zhxzjj
zhxswj
zhdaj
zhajj
jzslyj
jzsghj
zhxfj
jzsczj
zhhwj
jzszfb
zhjgxx
zhgaj
jzsqxj
zhgdj
zhwjj
zhgtj
jzsdag
zhjjj
zhsfj
zhxytz
jzsdlzx
jzstyz
zhxyzx
jzsxtgl
jzszjj
jzsxqz
zhxfy
jzssjj
zhhbpx
mbzz
zhxjyj
zhtjj
jzskfb
jzswjj
zhyjj
zhwangtong
zhqxj
jzsjzz
zhswj
jzsgxj
zhyidong
zhkjj
jzsgtj
zhzjj
jzslsj
jzsdsj
zhjyj
zhjcj
jzsjsj
zhgxs
zhjtj
zhtmx
zhnjj
jzszjzx
zhxrh
zhnmj
zhjcy
jzsjyj
zhdsj
jzskjj
jzshbj
jzstjj
zhwms
jzsyjj
zhlyj
zhnxgx
zhnfh
jzsswj
jzsnmj
zhfpb
zhdianxin
zhwsj
zhxys
zhxfgj
zhyzj
jzszwzx
zhfgj
jzsmzj
jzsylz
zhxnh
zhxmz
jzsdzsz
zhsbj
zhnqhx
zhjsj
zhzsyx
zhxtx
jzsgaj
jzsguoshui
zhxcx
zhycj
jzscl
zhrsj
jzsxtgly
jzsgdj
zhxlmx
jzsjcj
jzsrsj
zhxgsj
zhyzyh
zhlfw
jzswgxj
jzszszz
jzsfzgyy
jzsgsj
zhcl
jzssfj
jzsmyz
jzsfgj
zhjdb
zhxtgly
zhczj
jzszhujian
zhxzhz
zhwgxj


For the password, the most ordinary and also the most effective one, 123456, ignoring the "key-driven" label mentioned at the start
The brute-force result shocked me: among so many accounts, a system administrator actually had a weak password, with privileges far beyond those of any other account

(screenshot: 3.jpg)


133 important-level users fully under control! Any account's password can be reset. Further penetration through social engineering (not yet attempted)

(screenshot: 9.jpg)


Looking again at the pile of data with unknown encryption obtained earlier from the database, I noticed something interesting:

(screenshot: 1.jpg)


The first 32 characters of this system administrator's stored password value, once decoded, are 123456; I started to doubt the encryption scheme of this system..
There are two system administrator accounts in total; the other one is shown below

(screenshot: 4.jpg)


Both administrators have weak passwords, a serious oversight.
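Two separate weaknesses combine in section #2: the login accepts 123456 for an administrator, and the stored value is recognisable as an unsalted 32-hex-character digest of that password. Unsalted MD5 has no per-user randomness, so the same weak password produces the same digest in every table, which is why it could be "decoded" on sight. The added example below (written for this report; not the application's code, and the usernames and passwords in the test data are invented) shows the two defensive measures the fix section asks for: an audit that checks a legacy digest column against a deny-list without any cracking, and the hardened replacement, a password policy enforced at password-change time plus salted PBKDF2-HMAC-SHA256 storage with constant-time verification. It goes slightly beyond the page by also handling stored values that append material after the 32-character digest, as the report's screenshot suggests this system does.

```python
import hashlib
import hmac
import os
import re

# A tiny deny-list for illustration; a deployment would load a large leaked-password list.
COMMON_PASSWORDS = {
    "123456", "111111", "123456789", "12345678", "password", "admin", "admin123", "qwerty", "000000",
}


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# Unsalted MD5 has no per-user randomness, so md5("123456") is identical in every table.
# That is exactly why a deny-list can be applied straight to the stored column.
LEGACY_MD5_INDEX = {md5_hex(p): p for p in COMMON_PASSWORDS}


def audit_legacy_md5(stored):
    """For a legacy md5(password) column: return the weak password the row holds, else None.

    Only the first 32 hex characters are compared, which also covers schemes that append
    extra material after the digest.
    """
    return LEGACY_MD5_INDEX.get(stored[:32].lower())


def password_policy_violations(password, username=""):
    """Return the policy rules a candidate password breaks (an empty list means acceptable)."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in the common-password deny-list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than 3 character classes")
    return problems


PBKDF2_ITERATIONS = 600_000   # OWASP's 2023 guidance for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 in a self-describing string, so the cost can be raised later."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Constant-time comparison against a string produced by hash_password()."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def set_password(username, password):
    """What the password-change path should do: enforce the policy, then store a salted hash."""
    problems = password_policy_violations(password, username)
    if problems:
        raise ValueError("rejected: " + "; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    # Constructed legacy row: what a table of unsalted md5(password) looks like for "123456".
    print("legacy row holds:", audit_legacy_md5(md5_hex("123456")))
    print("policy says:", password_policy_violations("123456", "sysadmin"))
    print("stored as:", set_password("sysadmin", "Tr0ub4dor&3-is-fine")[:40] + "...")
```

Run `audit_legacy_md5` over every row of the existing table before the migration: each hit is an account that must be forced through `set_password` on next login, and the count is the figure to put in front of whoever decides the rollout date. Two calls to `hash_password` with the same input give different strings because of the random salt, so the migrated table no longer reveals which users share a password.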
#3 Add an account, connect remotely, escalate privileges
Check the interface information with ifconfig

eth0 Link encap:Ethernet  HWaddr 00:15:60:A5:B1:AB  
inet addr:172.16.1.30 Bcast:172.16.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:112996547 errors:0 dropped:0 overruns:0 frame:0
TX packets:3012804034 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1058177455 (1009.1 Mb) TX bytes:4290024868 (4091.2 Mb)
Interrupt:25 Memory:fdef0000-fdf00000
eth1 Link encap:Ethernet HWaddr 00:15:60:A5:B1:AA
inet addr:192.168.1.26 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:900726744 errors:0 dropped:0 overruns:0 frame:0
TX packets:1143532749 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1126653386 (1074.4 Mb) TX bytes:3460928106 (3300.5 Mb)
Interrupt:26 Memory:fdee0000-fdef0000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:694977377 errors:0 dropped:0 overruns:0 frame:0
TX packets:694977377 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2982040501 (2843.8 Mb) TX bytes:2982040501 (2843.8 Mb)


It is an internal-network environment, so we add an account and bounce it out with lcx; because the system version is very old and has multiple privilege-escalation vulnerabilities, we go straight to root

(screenshot: 11.jpg)


Then comes the internal-network roaming. First we establish that there are two internal subnets,
172.16.1.0/24 and 192.168.1.0/24, and an nmap scan gives the open-port situation:
Subnet 172.16.1.0/24

# nmap (V. 3.00) scan initiated Sat Jul 26 09:17:47 2014 as: nmap -sS -T4 -o /tmp/172.log 172.16.1.0/24 
Host (172.16.1.0) seems to be a subnet broadcast address (returned 5 extra pings). Skipping host.
Interesting ports on (172.16.1.3):
(The 1595 ports scanned but not shown below are in state: closed)
Port State Service
80/tcp open http
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
3389/tcp open ms-term-serv
Interesting ports on (172.16.1.8):
(The 1595 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
111/tcp open sunrpc
113/tcp open auth
199/tcp open smux
2301/tcp open compaqdiag
6000/tcp open X11
Interesting ports on (172.16.1.29):
(The 1593 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
80/tcp open http
81/tcp open hosts2-ns
111/tcp open sunrpc
113/tcp open auth
712/tcp open unknown
3306/tcp open mysql
6000/tcp open X11
Interesting ports on (172.16.1.30):
(The 1590 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
80/tcp open http
111/tcp open sunrpc
113/tcp open auth
199/tcp open smux
443/tcp open https
2301/tcp open compaqdiag
3306/tcp open mysql
6000/tcp open X11
8009/tcp open ajp13
8080/tcp open http-proxy
Interesting ports on (172.16.1.56):
(The 1593 ports scanned but not shown below are in state: closed)
Port State Service
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1521/tcp open oracle
2301/tcp open compaqdiag
5520/tcp open sdlog
5631/tcp open pcanywheredata
Interesting ports on (172.16.1.59):
(The 1593 ports scanned but not shown below are in state: closed)
Port State Service
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1521/tcp open oracle
2301/tcp open compaqdiag
5520/tcp open sdlog
5631/tcp open pcanywheredata
Interesting ports on (172.16.1.102):
(The 1589 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop-3
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1027/tcp open IIS
1033/tcp open netinfo
1433/tcp open ms-sql-s
2301/tcp open compaqdiag
Interesting ports on (172.16.1.103):
(The 1589 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
23/tcp open telnet
111/tcp open sunrpc
113/tcp open auth
199/tcp open smux
1521/tcp open oracle
2301/tcp open compaqdiag
6000/tcp open X11
8080/tcp open http-proxy
32776/tcp open sometimes-rpc15
32778/tcp open sometimes-rpc19
32779/tcp open sometimes-rpc21
Interesting ports on (172.16.1.116):
(The 1592 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
111/tcp open sunrpc
113/tcp open auth
199/tcp open smux
2301/tcp open compaqdiag
6000/tcp open X11
13722/tcp open VeritasNetbackup
13782/tcp open VeritasNetbackup
13783/tcp open VeritasNetbackup
Interesting ports on (172.16.1.211):
(The 1593 ports scanned but not shown below are in state: closed)
Port State Service
80/tcp open http
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
3389/tcp open ms-term-serv
8009/tcp open ajp13
8080/tcp open http-proxy
Interesting ports on (172.16.1.253):
(The 1600 ports scanned but not shown below are in state: closed)
Port State Service
23/tcp open telnet
Skipping host (172.16.1.254) due to host timeout
Host (172.16.1.255) seems to be a subnet broadcast address (returned 5 extra pings). Skipping host.
# Nmap run completed at Sat Jul 26 09:23:02 2014 -- 256 IP addresses (12 hosts up) scanned in 315 seconds


Subnet 192.168.1.0/24

# nmap (V. 3.00) scan initiated Sat Jul 26 00:14:41 2014 as: nmap -T4 -o /tmp/192.log 192.168.1.0/24 
Host (192.168.1.0) seems to be a subnet broadcast address (returned 15 extra pings). Skipping host.
All 1601 scanned ports on (192.168.1.4) are: closed
All 1601 scanned ports on (192.168.1.5) are: closed
Interesting ports on (192.168.1.7):
(The 1592 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
111/tcp open sunrpc
113/tcp open auth
199/tcp open smux
873/tcp open rsync
8009/tcp open ajp13
13722/tcp open VeritasNetbackup
13782/tcp open VeritasNetbackup
13783/tcp open VeritasNetbackup
Interesting ports on (192.168.1.9):
(The 1590 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
111/tcp open sunrpc
113/tcp open auth
199/tcp open smux
902/tcp open unknown
1521/tcp open oracle
2301/tcp open compaqdiag
8080/tcp open http-proxy
13722/tcp open VeritasNetbackup
13782/tcp open VeritasNetbackup
13783/tcp open VeritasNetbackup
Interesting ports on (192.168.1.11):
(The 1593 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
111/tcp open sunrpc
113/tcp open auth
199/tcp open smux
2301/tcp open compaqdiag
13722/tcp open VeritasNetbackup
13782/tcp open VeritasNetbackup
13783/tcp open VeritasNetbackup
Interesting ports on (192.168.1.12):
(The 1590 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
80/tcp open http
111/tcp open sunrpc
113/tcp open auth
199/tcp open smux
443/tcp open https
873/tcp open rsync
2301/tcp open compaqdiag
13722/tcp open VeritasNetbackup
13782/tcp open VeritasNetbackup
13783/tcp open VeritasNetbackup
Interesting ports on (192.168.1.13):
(The 1590 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
80/tcp open http
111/tcp open sunrpc
113/tcp open auth
199/tcp open smux
902/tcp open unknown
2301/tcp open compaqdiag
3306/tcp open mysql
13722/tcp open VeritasNetbackup
13782/tcp open VeritasNetbackup
13783/tcp open VeritasNetbackup
Interesting ports on (192.168.1.15):
(The 1592 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
53/tcp open domain
111/tcp open sunrpc
113/tcp open auth
199/tcp open smux
2301/tcp open compaqdiag
13722/tcp open VeritasNetbackup
13782/tcp open VeritasNetbackup
13783/tcp open VeritasNetbackup
Interesting ports on (192.168.1.16):
(The 1592 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
111/tcp open sunrpc
113/tcp open auth
199/tcp open smux
2301/tcp open compaqdiag
3306/tcp open mysql
13722/tcp open VeritasNetbackup
13782/tcp open VeritasNetbackup
13783/tcp open VeritasNetbackup
Interesting ports on (192.168.1.17):
(The 1593 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
111/tcp open sunrpc
113/tcp open auth
199/tcp open smux
554/tcp open rtsp
902/tcp open unknown
2301/tcp open compaqdiag
7070/tcp open realserver
Interesting ports on (192.168.1.18):
(The 1588 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
80/tcp open http
81/tcp open hosts2-ns
111/tcp open sunrpc
113/tcp open auth
199/tcp open smux
2301/tcp open compaqdiag
3306/tcp open mysql
8009/tcp open ajp13
13722/tcp open VeritasNetbackup
13782/tcp open VeritasNetbackup
13783/tcp open VeritasNetbackup
32786/tcp open sometimes-rpc25
Interesting ports on (192.168.1.22):
(The 1599 ports scanned but not shown below are in state: closed)
Port State Service
80/tcp open http
443/tcp open https
Interesting ports on (192.168.1.24):
(The 1583 ports scanned but not shown below are in state: filtered)
Port State Service
22/tcp open ssh
80/tcp open http
280/tcp open http-mgmt
554/tcp open rtsp
1030/tcp open iad1
1031/tcp open iad2
1033/tcp closed netinfo
1067/tcp open instl_boots
1433/tcp open ms-sql-s
1521/tcp open oracle
2030/tcp open device2
2301/tcp open compaqdiag
3389/tcp open ms-term-serv
5001/tcp open commplex-link
6002/tcp open X11:2
8080/tcp open http-proxy
8888/tcp open sun-answerbook
49400/tcp open compaqdiag
Interesting ports on (192.168.1.25):
(The 1597 ports scanned but not shown below are in state: closed)
Port State Service
80/tcp open http
111/tcp open sunrpc
5001/tcp open commplex-link
5002/tcp open rfe
Interesting ports on jiaotongchuban (192.168.1.26):
(The 1590 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
80/tcp open http
111/tcp open sunrpc
113/tcp open auth
199/tcp open smux
443/tcp open https
2301/tcp open compaqdiag
3306/tcp open mysql
6000/tcp open X11
8009/tcp open ajp13
8080/tcp open http-proxy
Interesting ports on (192.168.1.27):
(The 1595 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
111/tcp open sunrpc
113/tcp open auth
199/tcp open smux
2301/tcp open compaqdiag
6000/tcp open X11
Interesting ports on (192.168.1.28):
(The 1592 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
111/tcp open sunrpc
113/tcp open auth
199/tcp open smux
2301/tcp open compaqdiag
6000/tcp open X11
13722/tcp open VeritasNetbackup
13782/tcp open VeritasNetbackup
13783/tcp open VeritasNetbackup
Interesting ports on (192.168.1.32):
(The 1589 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
23/tcp open telnet
111/tcp open sunrpc
113/tcp open auth
199/tcp open smux
1521/tcp open oracle
2301/tcp open compaqdiag
6000/tcp open X11
8080/tcp open http-proxy
32776/tcp open sometimes-rpc15
32778/tcp open sometimes-rpc19
32779/tcp open sometimes-rpc21
Interesting ports on (192.168.1.102):
(The 1599 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
111/tcp open sunrpc
Interesting ports on (192.168.1.103):
(The 1599 ports scanned but not shown below are in state: closed)
Port State Service
111/tcp open sunrpc
873/tcp open rsync
Interesting ports on (192.168.1.104):
(The 1596 ports scanned but not shown below are in state: filtered)
Port State Service
21/tcp closed ftp
22/tcp open ssh
23/tcp closed telnet
80/tcp closed http
631/tcp closed ipp
Interesting ports on (192.168.1.200):
(The 1591 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
111/tcp open sunrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
666/tcp open doom
760/tcp open krbupdate
798/tcp open unknown
873/tcp open rsync
2049/tcp open nfs
Interesting ports on (192.168.1.201):
(The 1582 ports scanned but not shown below are in state: filtered)
Port State Service
32770/tcp closed sometimes-rpc3
32771/tcp closed sometimes-rpc5
32772/tcp closed sometimes-rpc7
32773/tcp closed sometimes-rpc9
32774/tcp closed sometimes-rpc11
32775/tcp closed sometimes-rpc13
32776/tcp closed sometimes-rpc15
32777/tcp closed sometimes-rpc17
32778/tcp closed sometimes-rpc19
32779/tcp closed sometimes-rpc21
32780/tcp closed sometimes-rpc23
32786/tcp closed sometimes-rpc25
32787/tcp closed sometimes-rpc27
43188/tcp closed reachout
44442/tcp closed coldfusion-auth
44443/tcp closed coldfusion-auth
47557/tcp closed dbbrowse
49400/tcp closed compaqdiag
54320/tcp closed bo2k
Interesting ports on (192.168.1.233):
(The 1593 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
80/tcp open http
111/tcp open sunrpc
199/tcp open smux
873/tcp open rsync
891/tcp open unknown
2301/tcp open compaqdiag
8009/tcp open ajp13
Interesting ports on (192.168.1.250):
(The 1598 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
23/tcp open telnet
80/tcp open http
Host (192.168.1.255) seems to be a subnet broadcast address (returned 15 extra pings). Skipping host.
# Nmap run completed at Sat Jul 26 00:23:09 2014 -- 256 IP addresses (25 hosts up) scanned in 508 seconds
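The two scans above are in Nmap 3.x "normal" output, which is easy to turn into an inventory: one `Interesting ports on (ip):` header per host, an `All N scanned ports on (ip) are: closed` line for hosts that are up but show nothing, and one `port/proto state service` line per port. Read as a defender, the useful question is not which host to attack next but which services are reachable from an arbitrary box on a flat internal network and should not be (telnet, rsync, X11, NFS, the compaqdiag agent on 2301, databases and remote-admin ports), and which service is on nearly every host and so is the one to fix first. The parser and exposure report below are an added example written for this report, not code from the page; the scan text they run over is constructed in the same format with invented 10.0.0.0/24 addresses, not the report's own hosts.

```python
import re
from collections import Counter

# Nmap 3.x "normal" output, as written by -o: a header line per host, then one line per port.
HOST_RE = re.compile(r"^Interesting ports on (?:\S+ )?\((?P<ip>[\d.]+)\):$")
ALL_ONE_STATE_RE = re.compile(r"^All \d+ scanned ports on (?:\S+ )?\((?P<ip>[\d.]+)\) are: \w+$")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\w+)\s+(?P<service>\S+)")


def parse_nmap_normal(text):
    """Map each scanned host to a list of (port, proto, state, service) tuples."""
    hosts = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            current = m.group("ip")
            hosts.setdefault(current, [])
            continue
        m = ALL_ONE_STATE_RE.match(line)
        if m:
            hosts.setdefault(m.group("ip"), [])   # host is up but exposes nothing
            current = None
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            hosts[current].append((int(m.group("port")), m.group("proto"),
                                   m.group("state"), m.group("service")))
    return hosts


# Services a defender does not want reachable from any host on a flat internal network.
RISKY_TCP = {
    23:   ("cleartext",    "telnet"),
    111:  ("enumeration",  "sunrpc portmapper"),
    873:  ("cleartext",    "rsync"),
    2049: ("file-sharing", "nfs"),
    2301: ("management",   "compaqdiag web agent"),
    3389: ("remote-admin", "ms-term-serv"),
    5631: ("remote-admin", "pcanywhere"),
    1433: ("database",     "ms-sql-s"),
    1521: ("database",     "oracle"),
    3306: ("database",     "mysql"),
}


def _ip_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


def exposure_report(hosts):
    """List open TCP ports that belong behind a firewall or host ACL, ordered by host then port."""
    findings = []
    for ip in sorted(hosts, key=_ip_key):
        for port, proto, state, service in hosts[ip]:
            if proto != "tcp" or state != "open":
                continue
            if port in RISKY_TCP:
                category, label = RISKY_TCP[port]
            elif 6000 <= port <= 6063:            # X11 displays :0 .. :63
                category, label = "cleartext", "X11 display %d" % (port - 6000)
            else:
                continue
            findings.append({"ip": ip, "port": port, "service": service,
                             "category": category, "label": label})
    return findings


def port_census(hosts):
    """How many hosts expose each open TCP port: the service on every box is the one to fix first."""
    return Counter(port for ports in hosts.values()
                   for port, proto, state, _ in ports if proto == "tcp" and state == "open")


# Constructed sample in the same format as the report's scans (addresses and hostname invented).
SAMPLE_SCAN = """\
# nmap (V. 3.00) scan initiated Sat Jul 26 09:17:47 2014 as: nmap -sS -T4 -o /tmp/scan.log 10.0.0.0/24
Host (10.0.0.0) seems to be a subnet broadcast address (returned 5 extra pings). Skipping host.
All 1601 scanned ports on (10.0.0.4) are: closed
Interesting ports on (10.0.0.3):
(The 1595 ports scanned but not shown below are in state: closed)
Port State Service
80/tcp open http
139/tcp open netbios-ssn
3389/tcp open ms-term-serv
Interesting ports on fileserver (10.0.0.7):
(The 1596 ports scanned but not shown below are in state: filtered)
Port State Service
21/tcp closed ftp
22/tcp open ssh
23/tcp open telnet
873/tcp open rsync
6002/tcp open X11:2
# Nmap run completed at Sat Jul 26 09:23:02 2014 -- 256 IP addresses (3 hosts up) scanned in 315 seconds
"""

if __name__ == "__main__":
    inventory = parse_nmap_normal(SAMPLE_SCAN)
    for f in exposure_report(inventory):
        print("%(ip)s:%(port)d %(category)s %(label)s" % f)
    print("hosts per open port:", dict(port_census(inventory)))
```

Fed the report's two real scans, `port_census` would show 13722/13782/13783 (Veritas NetBackup) and 2301 (compaqdiag) on most of the 192.168.1.0/24 hosts, which is the kind of result that turns a scan into a remediation list: a host-based firewall rule or a management VLAN for those two products removes more attack surface than patching any single box.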


My next idea was to try remote connections to the IPs with port 22 open using the account information found at the start; the detailed information collected is listed below:
/usr/local/www/tomcat6/webapps/cms/WEB-INF/classes/init.properties

#################################################
ftpserver.enabled=off
ftpserver.port=8001
ftpserver.user.admin.userpassword=a80b8790be99e90c6ac5144a6fd18ab5
ftpserver.user.admin.homedirectory=D:/www
ftpserver.user.admin.enableflag=true
ftpserver.user.admin.writepermission=true
ftpserver.user.admin.maxloginnumber=0
ftpserver.user.admin.maxloginperip=0
ftpserver.user.admin.idletime=0
ftpserver.user.admin.uploadrate=0
ftpserver.user.admin.downloadrate=0
#################################################
sys.database.address=127.0.0.1
sys.database.name=zyj
sys.database.port=3306
sys.database.username=root
sys.database.password=111111
#################################################


/usr/local/www/tomcat6/webapps/cms/WEB-INF/classes/init.properties_OLD

#################################################
ftpserver.enabled=off
ftpserver.port=8001
ftpserver.user.admin.userpassword=a80b8790be99e90c6ac5144a6fd18ab5
ftpserver.user.admin.homedirectory=D:/www
ftpserver.user.admin.enableflag=true
ftpserver.user.admin.writepermission=true
ftpserver.user.admin.maxloginnumber=0
ftpserver.user.admin.maxloginperip=0
ftpserver.user.admin.idletime=0
ftpserver.user.admin.uploadrate=0
ftpserver.user.admin.downloadrate=0
#################################################
sys.database.address=127.0.0.1
sys.database.name=zyj
sys.database.port=3306
sys.database.username=root
sys.database.password=mysql5.5@250
#################################################


/usr/local/www/tomcat6/webapps/cms/WEB-INF/conf/applicationContext.xml

<prop key="hibernate.connection.provider_class">com.jolbox.bonecp.provider.BoneCPConnectionProvider</prop>
<prop key="hibernate.connection.driver_class">com.mysql.jdbc.Driver</prop>
<prop key="hibernate.connection.url">jdbc:mysql://127.0.0.1:3306/zyj?useUnicode=true&amp;characterEncoding=UTF-8&amp;autoReconnect=true</prop>
<prop key="hibernate.connection.username">root</prop>
<prop key="hibernate.connection.password">sjzxxzxjinzhou</prop>
<prop key="bonecp.partitionCount">3</prop>
<prop key="bonecp.minConnectionsPerPartition">10</prop>
<prop key="bonecp.maxConnectionsPerPartition">100</prop>
<prop key="bonecp.acquireIncrement">5</prop>
<prop key="bonecp.idleMaxAgeInMinutes">1</prop>
<prop key="bonecp.idleConnectionTestPeriodInMinutes">1</prop>
<prop key="bonecp.statementsCacheSize">50</prop>
<prop key="bonecp.releaseHelperThreads">5</prop>


All of the account passwords above failed when connecting on port 22.

Proof of vulnerability:

Most of it has been covered in the detailed description; below is the idea behind the step my machine could not complete
Crack the root password in shadow ($1$ means md5crypt, which is relatively easy to crack) and use that password to connect to the hosts nmap showed with port 22 open. Unfortunately my machine was not up to cracking that root password, which is why the internal-network roaming failed.
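The `$1$` prefix the author found in /etc/shadow identifies md5crypt, and the point stands from the other side of the table: the only reason that step failed is that the tester's hardware was slow, and a root hash on a host with a 2.4 kernel that is reused across every box with SSH open is one GPU away from becoming the whole network. The audit below is an added example written for this report, not code from the page or from the affected host; it parses shadow-format lines (the sample rows are constructed, with placeholder hash bodies that are not real digests) and reports every account whose hash algorithm, or lack of one, needs attention, so that a fleet can be moved to sha512crypt or yescrypt before anyone has to test how fast md5crypt cracks.

```python
import re

# Prefix identifiers used by crypt(3) / libxcrypt, with the verdict a fleet audit should give them.
HASH_ALGORITHMS = {
    "1":  ("md5crypt", "weak"),     # $1$: MD5-based, no cost parameter, cheap on modern GPUs
    "2a": ("bcrypt", "ok"), "2b": ("bcrypt", "ok"), "2y": ("bcrypt", "ok"),
    "5":  ("sha256crypt", "ok"),
    "6":  ("sha512crypt", "ok"),
    "7":  ("scrypt", "ok"),
    "y":  ("yescrypt", "ok"),
    "gy": ("gost-yescrypt", "ok"),
}
PREFIX_RE = re.compile(r"^\$(?P<id>[A-Za-z0-9]+)\$")


def classify_hash(field):
    """Return (algorithm_name, verdict) for one shadow password field."""
    if field == "":
        return ("none", "no-password")          # login without any password
    if field.startswith(("!", "*")):
        return ("locked", "locked")             # account cannot authenticate by password
    m = PREFIX_RE.match(field)
    if m is None:
        # Traditional DES crypt has no prefix and is always exactly 13 characters.
        return ("descrypt", "weak") if len(field) == 13 else ("unknown", "review")
    return HASH_ALGORITHMS.get(m.group("id"), ("unknown", "review"))


def audit_shadow(lines):
    """Parse /etc/shadow-style lines and report every account whose hash deserves attention."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                            # not a shadow row; ignore rather than guess
        algo, verdict = classify_hash(fields[1])
        if verdict in ("weak", "no-password", "review"):
            findings.append({"user": fields[0], "algorithm": algo, "verdict": verdict})
    return findings


# Constructed sample rows: usernames invented, hash bodies are placeholders, not real digests.
SAMPLE_SHADOW = [
    "root:$1$Xk2pQ7aB$placeholdermd5crypthash12:16267:0:99999:7:::",
    "bin:*:16267:0:99999:7:::",
    "deploy:$6$rounds=5000$Zt9LmQ3c$placeholdersha512cryptbody:16267:0:99999:7:::",
    "legacy:aBcDeFgHiJkLm:16267:0:99999:7:::",
    "guest::16267:0:99999:7:::",
    "svc_backup:!!:16267:0:99999:7:::",
]

if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print("%(user)s: %(algorithm)s -> %(verdict)s" % f)
```

On a modern libxcrypt system the migration is a one-line change to `ENCRYPT_METHOD` in /etc/login.defs (or the PAM `pam_unix` `sha512`/`yescrypt` option) followed by a forced password change for every "weak" row, because existing hashes cannot be upgraded without the plaintext; the "no-password" and "review" rows are worth a look regardless of algorithm.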

Fix recommendation:

Upgrade Struts2 and strengthen the administrator passwords

Copyright notice: when reposting, please credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2014-07-31 10:47

Vendor reply:

CNVD has confirmed and reproduced the described situation and has passed it to CNCERT for dispatch to the Shanxi branch center for handling. Scored as a generic-software vulnerability case, rank 10

Latest status:

None yet


Vulnerability evaluation:

Comments

  1. 2014-07-26 23:15 | tnt1200 ( regular white hat | Rank:121 vulnerabilities:17 | interested in aviation security....)

    Watching from the front row

  2. 2014-07-27 13:45 | zhxs ( intern white hat | Rank:32 vulnerabilities:19 | Jyhack-TeaM:http://bbs.jyhack.com/)

    Respect, haha

  3. 2014-09-09 23:27 | depycode ( regular white hat | Rank:275 vulnerabilities:44 | interested in network security, improving my skills!)

    Bounce with lcx??? nc?

  4. 2014-09-09 23:45 | Sura、Rain ( passer-by | Rank:15 vulnerabilities:8 | interested in Java web security)

    It's really just an S2 vulnerability. What's there to show off about these ideas?