
Arbitrary file upload on a China Telecom cloud site allows roaming the internal network

2014-10-08 22:45

http://www.71etop.com/index.php

The site is a modified phpcms.


Then modify the request packet.


Then send it (GO).


Proof of vulnerability:

Then pop a shell.

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2014-08-24 13:03 CST




Nmap finished: 255 IP addresses (100 hosts up) scanned in 195.043 seconds



Then set up a proxy and take a look around the internal network.

http://172.16.11.84/default.aspx

Weak password:

admin / 123456


Fix:

This probably shouldn't be validated with client-side JS.
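
The fix noted above, as an added example (not code from the original report or from phpcms): the checks a browser-side script performs are repeated on the server, where a modified request cannot skip them. The function name, the allow-list and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example, not phpcms code. Names and samples are constructed.
// Allow-list: extension => leading bytes the file content must have.
const ALLOWED_TYPES = [
    'jpg' => "\xFF\xD8\xFF",
    'png' => "\x89PNG\r\n\x1A\n",
    'gif' => 'GIF8',
];

// Returns a server-generated file name, or null when the upload is rejected.
function safe_upload_name(string $clientName, string $bytes): ?string
{
    // Malformed names: NUL bytes or path separators.
    foreach (["\0", '/', '\\'] as $bad) {
        if (strpos($clientName, $bad) !== false) {
            return null;
        }
    }
    // Check the final extension against the allow-list (never a deny-list).
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null;
    }
    // The content must match the claimed type, whatever Content-Type said.
    $magic = ALLOWED_TYPES[$ext];
    if (strncmp($bytes, $magic, strlen($magic)) !== 0) {
        return null;
    }
    // Store under a random name so "x.php.jpg" cannot keep its ".php" part.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed samples: what a tampered request could send.
$samples = [
    ['photo.jpg',      "\xFF\xD8\xFF\xE0 constructed image bytes"],
    ['page.php',       '<?php /* constructed placeholder */'],
    ['page.jpg',       '<?php /* constructed placeholder */'],
    ['page.php.jpg',   "\xFF\xD8\xFF\xE0 constructed image bytes"],
    ["page.php\0.jpg", "\xFF\xD8\xFF\xE0 constructed image bytes"],
];
foreach ($samples as [$name, $bytes]) {
    $stored = safe_upload_name($name, $bytes);
    printf("%-16s => %s\n", addcslashes($name, "\0"), $stored ?? 'REJECTED');
}
```

A file can carry valid image bytes followed by script text, so the upload directory should also be configured so that the web server never executes anything stored in it.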

Source: www.wooyun.org/bugs/wooyun-2014-073672
