当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-073665

漏洞标题:TCL漏洞大礼包可成功进入内网

相关厂商:TCL官方网上商城

漏洞作者: 炊烟

提交时间:2014-08-25 11:43

修复时间:2014-10-09 11:48

公开时间:2014-10-09 11:48

漏洞类型:系统/服务运维配置不当

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-08-25: 细节已通知厂商并且等待厂商处理中
2014-08-25: 厂商已经确认,细节仅向厂商公开
2014-09-04: 细节向核心白帽子及相关领域专家公开
2014-09-14: 细节向普通白帽子公开
2014-09-24: 细节向实习白帽子公开
2014-10-09: 细节向公众公开

简要描述:

上个iis写权限的入侵,正好去内网看看

详细说明:

http://www.wooyun.org/bugs/wooyun-2014-073659/trace/9b8168bb886443ec301bc0fd783bc9b5
经过这个漏洞的提权,顺便进入内网又逛了一圈

漏洞证明:

#1.注入

http://battery.tcl.com/read_news.php?id=38
http://lighting.tcl.com/cn/about.aspx?id=69
http://ehr.tcl.com/ehr POST注入
http://magazine.tcl.com/manager/login.aspx POST注入
http://oa.king.tcl.com/management/Regeist/Region.aspx POST注入






剩下的其他人提交过了,就不提了.
#2.iis写权限
http://jck.tcl.com/




10.0.0.50 admin admin123
#3.进入内网










财务机子



在SQL Server中增加以下用户
用户名:mrpii_user
密 码:s0meth9ng (第二位为数字零,第七位为数字9)




10.0.0.71 rainbow$ byrainbow
10.0.0.7 rainbow$ byrainbow
10.0.0.50 admin admin123
10.0.0.65 rainbow$ byrainbow administrator tclgroup100#
10.0.0.71 hash:
Administrator:500:C42AB4FDD2E5209873946B1E7B905DD7:75B6FE7933203A61E9411B65BB699540:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
SUPPORT_388945a0:1001:NO PASSWORD*********************:E01C66FBAD728559C0B7D2E8A2748DDC:::
IUSR_TCL-HQWEBAPP:1003:75ED74016B24CE3B0D672C5B9753E5FD:915F3C84BF7DEAC005BA89C7BE26F4BC:::
IWAM_TCL-HQWEBAPP:1004:558D4251AB2847BE2903B96741F01C95:CEEEE45E12B17A7CAEE2C607BC04907F:::
ASPNET:1007:82C09D009D6309CF14C1D8C7226E090D:20AC2CF35AFB2AA03935E74252D53CA4::
10.0.0.50 hash:
admin:500:AC804745EE68EBEA1AA818381E4E281B:3008C87294511142799DCA1191E69A0F:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
SUPPORT_388945a0:1001:NO PASSWORD*********************:F39A4F428731EE8A18C64B497EB8750B:::
IUSR_TCLSERVER:1003:10705772B4D5E9EF199BD5A21B374EA0:C31009FAA50B3337C76B861182A8BC48:::
IWAM_TCLSERVER:1004:C8886D6FD1415516E93046121C6BA266:FF849EB0D6958930D8AEFEB6AB6AA9EF:::
ASPNET:1006:98DBF730AC25D742142032B99129F178:84ED04D9271C7126DC82140CA518D019:::
netadmin:1017:1410B4B87965F7AB1D71060D896B7A46:3089B72DD05CC1070BC7385B16A48A19:::
10.0.0.7 hash:
Administrator:500:E663B236496F5F70AAD3B435B51404EE:D396761730E964E7C5A1A7332969BB4E:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
SUPPORT_388945a0:1001:NO PASSWORD*********************:F5727899A90D988E4CFCA9FE8CE1824E:::
ASPNET:1006:455BEBC5ABFB5EBBB3C620E095A0553F:73E97B16BA9B531F3514FEEB4D11B61C:::
10.0.0.65 hash:
cwadmin:500:F29DF31EC20786E6E0DC13374F13212C:237422F9A6BA3C21DEC6A059A5929809:::
Guest-kd:501:NO PASSWORD*********************:NO PASSWORD*********************:::
SUPPORT_388945a0:1001:NO PASSWORD*********************:2F6729C6FA829BFFD2B2CD4946262724:::
jl:1003:EB82BF920660E3EB76236DE4B033B02F:A45146DD7B44D5EAF7F81E1282DC42EF:::
SQLDebugger:1004:NO PASSWORD*********************:9236B5F718DE0B6D3D70AF237662510E:::
qv:1005:0F03044B42851184AAD3B435B51404EE:ADB4A292D127F8D787943155D235E35C:::
IUSR_TCLCWYJ:1006:CACA693A162D1DF5BB5F9FAEEEF48269:BFC96FA6CB3EAA4BD25CF61D0FB31332:::
IWAM_TCLCWYJ:1007:543B7DC4F6A8F424D2B06FF25FD0BC1C:A08990D20F04DEEECFF7BDCAE2B86EF2:::
IQVS_TCLCWYJ:1009:NO PASSWORD*********************:05EEA5482710D16E8BA445C9BE40DF7A:::
clg:1011:B333CEFDB5DDC4C9AAD3B435B51404EE:1295FEC6245F5A646F6A0EC2042C902F:::
qv2:1012:D28CE024A35D524BAAD3B435B51404EE:3DEE165BFBA1D7FBFF80E412D5A570B7:::
ASPNET:1013:821A48BC293D2BED49467691C74538A0:7F6A09CF1F4BD4EBFF5C0EE884804ACF:::
yaobin:1014:F171EAC38D498E1DD619446AD90C226D:E01CE226330A89424891F4B16CBB081E:::
synUser:1016:ACE79C1349CE71D991E643486F98795F:D1A670F93253316FDD232CEA7E317997:::
kingdee:1017:141D0CB7FDE2A2281B00588A6A3BF94C:70A5A2CCFA01FF90F9E01C35726F8774:::
admin:1018:AC804745EE68EBEAA8EED815A197BD87:8F909FDB472D0B85CDDB3E36669A9B07:::


最后来张图:

修复方案:

PS:不深入了,就这样吧.

版权声明:转载请注明来源 炊烟@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2014-08-25 22:33

厂商回复:

感谢您的关注,已转交相关单位确认处理。

最新状态:

暂无


漏洞评价:

评论

  1. 2015-02-01 11:34 | 0x 80 ( 普通白帽子 | Rank:1301 漏洞数:398 | 某安全公司招聘系统运维、渗透测试、安全运...)

    后门我都有