当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-090414

漏洞标题:从一个上传到傲游内网

相关厂商:傲游

漏洞作者: Matt

提交时间:2015-01-07 09:32

修复时间:2015-01-12 09:34

公开时间:2015-01-12 09:34

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-01-07: 细节已通知厂商并且等待厂商处理中
2015-01-12: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

从一个上传到傲游内网

详细说明:

从一个上传到傲游内网

漏洞证明:

首先是发现一个子域名的上传
custom.maxthon.cn
在上传图标的时候只验证了content-type没有对文件后判断

1532ed2be1f9d7260dd9085f527ba9e0.png


简单改包拿到shell

d57e70ec59f41084d0c6864c438a71d1.png


发现一些配置信息

$_Database_Config = array('dbhost' => '10.0.8.48',
     'dbuser' => 'm_backend_cn',
     'dbpass' => 'aoOJ1beLIDApfJC',
     'dbname' => 'adbrw_admin',
     'charset' => 'utf8',
     'pconnect' => '0',
     'environments' => 'production'
'mail.maxthon.cn',
                                   'port'     =>     '25',
                                   'auth'     =>     'true',
                                   'user'     =>     'zhaohongfeng@maxthon.cn',
                                   'pass'     =>     '@2010'
     /*$_Database_Config = array(     'dbhost'     =>     'localhost',
                                        'dbuser'     =>     'root',
                                        'dbpass'     =>     '123456',
                                        'dbname'     =>     'adbmac_admin',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0'
                                   );*/
     //?版.搴.??ワ?绾夸?                             
     $_Database_Config = array(     'dbhost'     =>     '10.0.8.48',
                                        'dbuser'     =>     'odbmac_admin',
                                        'dbpass'     =>     'BvYinxtAiS9P05P',
                                        'dbname'     =>     'odbmac_admin',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0'
     $_Database_Config = array(     'dbhost'     =>     '10.0.8.48',
                                        'dbuser'     =>     'odbmac_admin',
                                        'dbpass'     =>     'BvYinxtAiS9P05P',
                                        'dbname'     =>     'odbmac_admin',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0'
                                        'dbuser'     =>     'm_mad_cn',
                                        'dbpass'     =>     'zLXM5NoF107bS8l',
                                        'dbname'     =>     'adbrw_mad',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0'
     $_Database_Config = array(     'dbhost'     =>     '10.0.8.48',
                                        'dbuser'     =>     'm_plugins_cn',
                                        'dbpass'     =>     'MD2xPBtiyrf0z0Y',
                                        'dbname'     =>     'adbrw_plugins',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0'
     $_Database_Config = array(     'dbhost'     =>     '10.0.8.48',
                                        'dbuser'     =>     'm_feedback_cn',
                                        'dbpass'     =>     'Th8K6k7vw6g2eZy',
                                        'dbname'     =>     'feedback',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0'
     $_Database_Config = array(     'dbhost'     =>     '10.0.8.48',
                                        'dbuser'     =>     'adbrw_project',
                                        'dbpass'     =>     '1q@W3e$R',
                                        'dbname'     =>     'adbrw_channel',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0'
     $_Database_Config = array(     'dbhost'     =>     '10.0.8.48',
                                        'dbuser'     =>     'm_backendwp_cn',
                                        'dbpass'     =>     'GrW651KCwDByFdH',
                                        'dbname'     =>     'wp_admin',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0',
                                        'environments' => 'development'
                                        'dbuser'     =>     'm_webapp_cn',
                                        'dbpass'     =>     '63KlZYVG',
                                        'dbname'     =>     'adbrw_webapp',
                                        'charset'     =>     'utf8',
                                    'pconnect'     =>     '0'
smtp_main_send( array('zhaohongfeng@maxthon.net','cuiwei@maxthon.net','linhongbin@maxthon.net')
     $mail->Host       = "mail.maxthon.net";
          $mail->Username   = "Maxthon-MM@maxthon.net";    
          $mail->Password   = "1qaz2wsx";


并且这个邮箱密码成功登录~

1.jpg


然后就提了个权

QQ图片20150107035621.png


root:$1$v4vAHK1L$p3MlF0AWUa3xMKMTBxG3f0:15733:0:99999:7:::
bin:*:15267:0:99999:7:::


随便扫了一下内网
zabbix

13a8794f4e4fee293f9d62146f620936.png


cacti

QQ图片20150107035643.png


QQ图片20150107035643.png


QQ图片20150107035743.png


QQ图片20150107035914.png


还有这个不知道是什么玩意

QQ图片20150107035749.png


254是个华为的路由 看登录界面总感觉就像是办宽带电信送的。。
恩。。没接触什么重要的东西,,点到为止,,差不多一点拿到的shell,到现在结束~

修复方案:

首先是发现一个子域名的上传
custom.maxthon.cn
在上传图标的时候只验证了content-type没有对文件后判断

1532ed2be1f9d7260dd9085f527ba9e0.png


简单改包拿到shell

d57e70ec59f41084d0c6864c438a71d1.png


发现一些配置信息

$_Database_Config = array('dbhost' => '10.0.8.48',
     'dbuser' => 'm_backend_cn',
     'dbpass' => 'aoOJ1beLIDApfJC',
     'dbname' => 'adbrw_admin',
     'charset' => 'utf8',
     'pconnect' => '0',
     'environments' => 'production'
'mail.maxthon.cn',
                                   'port'     =>     '25',
                                   'auth'     =>     'true',
                                   'user'     =>     'zhaohongfeng@maxthon.cn',
                                   'pass'     =>     '@2010'
     /*$_Database_Config = array(     'dbhost'     =>     'localhost',
                                        'dbuser'     =>     'root',
                                        'dbpass'     =>     '123456',
                                        'dbname'     =>     'adbmac_admin',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0'
                                   );*/
     //?版.搴.??ワ?绾夸?                             
     $_Database_Config = array(     'dbhost'     =>     '10.0.8.48',
                                        'dbuser'     =>     'odbmac_admin',
                                        'dbpass'     =>     'BvYinxtAiS9P05P',
                                        'dbname'     =>     'odbmac_admin',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0'
     $_Database_Config = array(     'dbhost'     =>     '10.0.8.48',
                                        'dbuser'     =>     'odbmac_admin',
                                        'dbpass'     =>     'BvYinxtAiS9P05P',
                                        'dbname'     =>     'odbmac_admin',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0'
                                        'dbuser'     =>     'm_mad_cn',
                                        'dbpass'     =>     'zLXM5NoF107bS8l',
                                        'dbname'     =>     'adbrw_mad',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0'
     $_Database_Config = array(     'dbhost'     =>     '10.0.8.48',
                                        'dbuser'     =>     'm_plugins_cn',
                                        'dbpass'     =>     'MD2xPBtiyrf0z0Y',
                                        'dbname'     =>     'adbrw_plugins',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0'
     $_Database_Config = array(     'dbhost'     =>     '10.0.8.48',
                                        'dbuser'     =>     'm_feedback_cn',
                                        'dbpass'     =>     'Th8K6k7vw6g2eZy',
                                        'dbname'     =>     'feedback',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0'
     $_Database_Config = array(     'dbhost'     =>     '10.0.8.48',
                                        'dbuser'     =>     'adbrw_project',
                                        'dbpass'     =>     '1q@W3e$R',
                                        'dbname'     =>     'adbrw_channel',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0'
     $_Database_Config = array(     'dbhost'     =>     '10.0.8.48',
                                        'dbuser'     =>     'm_backendwp_cn',
                                        'dbpass'     =>     'GrW651KCwDByFdH',
                                        'dbname'     =>     'wp_admin',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0',
                                        'environments' => 'development'
                                        'dbuser'     =>     'm_webapp_cn',
                                        'dbpass'     =>     '63KlZYVG',
                                        'dbname'     =>     'adbrw_webapp',
                                        'charset'     =>     'utf8',
                                    'pconnect'     =>     '0'
smtp_main_send( array('zhaohongfeng@maxthon.net','cuiwei@maxthon.net','linhongbin@maxthon.net')
     $mail->Host       = "mail.maxthon.net";
          $mail->Username   = "Maxthon-MM@maxthon.net";    
          $mail->Password   = "1qaz2wsx";


并且这个邮箱密码成功登录~

1.jpg


然后就提了个权

QQ图片20150107035621.png


root:$1$v4vAHK1L$p3MlF0AWUa3xMKMTBxG3f0:15733:0:99999:7:::
bin:*:15267:0:99999:7:::


随便扫了一下内网
zabbix

13a8794f4e4fee293f9d62146f620936.png


cacti

QQ图片20150107035643.png


QQ图片20150107035643.png


QQ图片20150107035743.png


QQ图片20150107035914.png


还有这个不知道是什么玩意

QQ图片20150107035749.png


254是个华为的路由 看登录界面总感觉就像是办宽带电信送的。。
恩。。没接触什么重要的东西,,点到为止,,差不多一点拿到的shell,到现在结束~

版权声明:转载请注明来源 Matt@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-01-12 09:34

厂商回复:

最新状态:

暂无

漏洞评价:

评论

  1. 2015-01-07 09:41 | 玉林嘎 ( 普通白帽子 | Rank:758 漏洞数:96 )

    还以为是遨游内网

  2. 2015-01-07 09:43 | Matt 认证白帽子 ( 普通白帽子 | Rank:523 漏洞数:107 | 承接代码审计 http://codescan.cn/)

    @玉林嘎 哈哈

  3. 2015-01-07 12:05 | huc-ray ( 路人 | Rank:25 漏洞数:7 | 菜鸟一枚)

    @玉林嘎 遨游内网还是遨游内网?汉字博大精深

  4. 2015-01-12 09:51 | 杀器王子 认证白帽子 ( 普通白帽子 | Rank:1532 漏洞数:121 | 磨刀霍霍向猪羊)

    无良

  5. 2015-01-12 09:55 | 玉林嘎 ( 普通白帽子 | Rank:758 漏洞数:96 )

    厂商机智得关闭了网站

  6. 2015-01-12 12:11 | Stardustsky ( 路人 | Rank:4 漏洞数:3 | ……)

    竟然忽略了!!