Vulnerability summary

Defect ID: wooyun-2015-090414

Title: From a single upload to Maxthon's internal network

Vendor: Maxthon (傲游)

Author: Matt

Submitted: 2015-01-07 09:32

Fixed: 2015-01-12 09:34

Published: 2015-01-12 09:34

Vulnerability type: command execution

Severity: high

Self-assessed Rank: 20

Status: the vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability details

Disclosure status:

2015-01-07: details sent to the vendor, awaiting the vendor's handling
2015-01-12: the vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

From a single upload to Maxthon's internal network

Detailed description:

From a single upload to Maxthon's internal network

Proof of vulnerability:

First, an upload function was found on the subdomain
custom.maxthon.cn
When uploading an icon it only validated the Content-Type header and did not check the file extension.
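An added example, not code from the report or from Maxthon, contrasting the Content-Type-only check the report describes with a hardened icon-upload check (extension allowlist, magic-byte sniffing, server-chosen filename); the function names and sample uploads are constructed here.

```python
# Added example (not the vulnerable site's code): the icon-upload check the
# report describes trusts only the client-supplied Content-Type header. The
# hardened check below ignores that header, since the uploader controls it,
# and validates the extension and the file's leading bytes instead.
import os
import secrets

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def weak_check(content_type, filename, data):
    """Mirrors the flaw: only the Content-Type header is consulted."""
    return content_type.startswith("image/")


def hardened_check(content_type, filename, data):
    """Extension allowlist plus magic bytes; Content-Type is not trusted."""
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED_EXT:
        return False
    return data.startswith(MAGIC[ext])


def stored_name(filename):
    """Server-chosen on-disk name: random stem plus the validated extension,
    so a name like 'x.php.png' never reaches the web root with 'php' in it."""
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    return secrets.token_hex(16) + ext


# Constructed sample uploads: (Content-Type, filename, body)
PNG_ICON = ("image/png", "icon.png", MAGIC[".png"] + b"\x00" * 16)
SPOOFED_PHP = ("image/png", "shell.php", b"<?php echo 1; ?>")   # header spoofed
RENAMED_PHP = ("image/png", "shell.png", b"<?php echo 1; ?>")   # extension spoofed
DOUBLE_EXT = ("image/png", "shell.php.png", MAGIC[".png"] + b"<?php echo 1; ?>")
```

With the weak check every sample passes because the header says image/png; the hardened check rejects the first two spoofs, and the double-extension file that survives it is stored under a random stem so the "php" segment is gone from the name.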

[screenshot: 1532ed2be1f9d7260dd9085f527ba9e0.png]


A simple modification of the request yielded a shell.

[screenshot: d57e70ec59f41084d0c6864c438a71d1.png]


Some configuration information was found:

$_Database_Config = array('dbhost' => '10.0.8.48',
'dbuser' => 'm_backend_cn',
'dbpass' => 'aoOJ1beLIDApfJC',
'dbname' => 'adbrw_admin',
'charset' => 'utf8',
'pconnect' => '0',
'environments' => 'production'
'mail.maxthon.cn',
'port' => '25',
'auth' => 'true',
'user' => 'zhaohongfeng@maxthon.cn',
'pass' => '@2010'
/*$_Database_Config = array( 'dbhost' => 'localhost',
'dbuser' => 'root',
'dbpass' => '123456',
'dbname' => 'adbmac_admin',
'charset' => 'utf8',
'pconnect' => '0'
);*/
//?版.搴.??ワ?绾夸?
$_Database_Config = array( 'dbhost' => '10.0.8.48',
'dbuser' => 'odbmac_admin',
'dbpass' => 'BvYinxtAiS9P05P',
'dbname' => 'odbmac_admin',
'charset' => 'utf8',
'pconnect' => '0'
$_Database_Config = array( 'dbhost' => '10.0.8.48',
'dbuser' => 'odbmac_admin',
'dbpass' => 'BvYinxtAiS9P05P',
'dbname' => 'odbmac_admin',
'charset' => 'utf8',
'pconnect' => '0'
'dbuser' => 'm_mad_cn',
'dbpass' => 'zLXM5NoF107bS8l',
'dbname' => 'adbrw_mad',
'charset' => 'utf8',
'pconnect' => '0'
$_Database_Config = array( 'dbhost' => '10.0.8.48',
'dbuser' => 'm_plugins_cn',
'dbpass' => 'MD2xPBtiyrf0z0Y',
'dbname' => 'adbrw_plugins',
'charset' => 'utf8',
'pconnect' => '0'
$_Database_Config = array( 'dbhost' => '10.0.8.48',
'dbuser' => 'm_feedback_cn',
'dbpass' => 'Th8K6k7vw6g2eZy',
'dbname' => 'feedback',
'charset' => 'utf8',
'pconnect' => '0'
$_Database_Config = array( 'dbhost' => '10.0.8.48',
'dbuser' => 'adbrw_project',
'dbpass' => '1q@W3e$R',
'dbname' => 'adbrw_channel',
'charset' => 'utf8',
'pconnect' => '0'
$_Database_Config = array( 'dbhost' => '10.0.8.48',
'dbuser' => 'm_backendwp_cn',
'dbpass' => 'GrW651KCwDByFdH',
'dbname' => 'wp_admin',
'charset' => 'utf8',
'pconnect' => '0',
'environments' => 'development'
'dbuser' => 'm_webapp_cn',
'dbpass' => '63KlZYVG',
'dbname' => 'adbrw_webapp',
'charset' => 'utf8',
'pconnect' => '0'
smtp_main_send( array('zhaohongfeng@maxthon.net','cuiwei@maxthon.net','linhongbin@maxthon.net')
$mail->Host = "mail.maxthon.net";
$mail->Username = "Maxthon-MM@maxthon.net";
$mail->Password = "1qaz2wsx";


And this mailbox password logged in successfully~

[screenshot: 1.jpg]


Then I escalated privileges.

[screenshot: QQ图片20150107035621.png]


root:$1$v4vAHK1L$p3MlF0AWUa3xMKMTBxG3f0:15733:0:99999:7:::
bin:*:15267:0:99999:7:::


A quick scan of the internal network:
zabbix

[screenshot: 13a8794f4e4fee293f9d62146f620936.png]


cacti

[screenshot: QQ图片20150107035643.png]




[screenshot: QQ图片20150107035743.png]


[screenshot: QQ图片20150107035914.png]


And this one, no idea what it is

[screenshot: QQ图片20150107035749.png]


.254 is a Huawei router; judging from the login page it looks like the kind the telecom ISP gives away with a broadband subscription.
Well, I didn't touch anything important and stopped here. Got the shell at about one o'clock, and wrapping up now~

Fix plan:


Copyright notice: please credit the source when reposting: Matt@WooYun


Vendor response

Vendor reply:

Severity: no impact, vendor ignored

Ignored at: 2015-01-12 09:34

Vendor's reply:

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2015-01-07 09:41 | 玉林嘎 ( ordinary white hat | Rank:758 vulns:96 )

    I thought it was the 遨游 intranet (a homophone of 傲游 meaning "roam")

  2. 2015-01-07 09:43 | Matt, certified white hat ( ordinary white hat | Rank:523 vulns:107 | accepting code audit work http://codescan.cn/)

    @玉林嘎 haha

  3. 2015-01-07 12:05 | huc-ray ( passer-by | Rank:25 vulns:7 | a newbie)

    @玉林嘎 遨游 intranet or 遨游 intranet? Chinese characters are deep and subtle

  4. 2015-01-12 09:51 | 杀器王子, certified white hat ( ordinary white hat | Rank:1532 vulns:121 | sharpening my knife for the pigs and sheep)

    Shameless

  5. 2015-01-12 09:55 | 玉林嘎 ( ordinary white hat | Rank:758 vulns:96 )

    The vendor cleverly shut the website down

  6. 2015-01-12 12:11 | Stardustsky ( passer-by | Rank:4 vulns:3 | ……)

    They actually ignored it!!