
Vulnerability summary

Defect ID: wooyun-2014-073672

Title: Arbitrary file upload on a China Telecom Cloud site allows roaming the internal network

Vendor: China Telecom

Author: scanf

Submitted: 2014-08-24 17:22

Fixed: 2014-10-08 17:26

Published: 2014-10-08 17:26

Vulnerability type: File upload leading to arbitrary code execution

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-08-24: Details sent to the vendor, awaiting vendor handling
2014-08-29: Vendor confirmed; details visible to the vendor only
2014-09-08: Details disclosed to core white hats and experts in related fields
2014-09-18: Details disclosed to regular white hats
2014-09-28: Details disclosed to intern white hats
2014-10-08: Details disclosed to the public

Brief description:

The internal network is really interesting!

Detailed description:

http://www.71etop.com/index.php
Modified from phpcms.

[Screenshot: QQ截图20140824132806.png]

[Screenshot: QQ截图20140824132841.png]

[Screenshot: QQ截图20140824132914.png]

[Screenshot: QQ截图20140824133053.png]

Then modify the request packet.

[Screenshot: QQ截图20140824133212.png]

[Screenshot: QQ截图20140824133227.png]

[Screenshot: QQ截图20140824133240.png]

Then go.

[Screenshot: QQ截图20140824133307.png]

[Screenshot: QQ截图20140824133346.png]

Proof of vulnerability:

Then get a shell.

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2014-08-24 13:03 CST
Nmap finished: 255 IP addresses (100 hosts up) scanned in 195.043 seconds


Then set up a proxy and take a look inside the internal network.
http://172.16.11.84/default.aspx
Weak password:
admin / 123456

[Screenshot: QQ截图20140824134459.png]

[Screenshot: QQ截图20140824134526.png]

Fix recommendation:

This really shouldn't rely on client-side JS validation.
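As an added illustration of that recommendation (example code written for this page, not the site's or phpcms's own upload handler), the checks below are all made on the server, so editing the request in transit does not help: an extension allow-list, a content-type check on the actual bytes, a server-generated file name, and a storage directory assumed to be configured so the web server never executes scripts from it. The field name `userfile` and the directory path are assumptions.

```php
<?php
// Added example: server-side validation of an uploaded file.
// Assumptions: the form field is 'userfile' and $storeDir is a directory
// the web server serves as static files only (no script execution).

function validate_upload(array $file, array $allowedExt, int $maxBytes): ?string
{
    // Reject transport errors and oversized files before looking at content.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] > $maxBytes) {
        return null;
    }
    // The server, not the browser, decides which extension counts:
    // take the final extension, lower-cased, and compare against an allow-list.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    // Check the real content type from the file bytes, not the client's claim.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $expected = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                 'png' => 'image/png', 'gif' => 'image/gif'];
    if (($expected[$ext] ?? null) !== $mime) {
        return null;
    }
    return $ext;
}

function store_upload(array $file, string $storeDir): ?string
{
    $ext = validate_upload($file, ['jpg', 'jpeg', 'png', 'gif'], 2 * 1024 * 1024);
    if ($ext === null) {
        return null;
    }
    // Random server-generated name: the client never controls the stored path.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($storeDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $name;
}

// Usage in the upload handler (paths are assumptions):
// $stored = store_upload($_FILES['userfile'], '/var/www/uploads_noexec');
// if ($stored === null) { http_response_code(400); exit('upload rejected'); }
```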

Copyright notice: when reposting, please credit the source as scanf@WooYun

Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 14

Confirmed: 2014-08-29 08:21

Vendor reply:

CNVD has confirmed and reproduced the described situation; it has been forwarded via CNCERT to China Telecom Group, which will coordinate follow-up handling by the provincial company.

Latest status:

None yet