从一个上传到傲游内网 | wooyun-2015-090414

漏洞概要关注数(24) 关注此漏洞

缺陷编号：

wooyun-2015-090414

漏洞标题：

从一个上传到傲游内网

漏洞详情

披露状态：

2015-01-07：细节已通知厂商并且等待厂商处理中
2015-01-12：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

从一个上传到傲游内网

详细说明：

从一个上传到傲游内网

漏洞证明：

首先是发现一个子域名的上传
custom.maxthon.cn
在上传图标的时候只验证了content-type没有对文件后判断

简单改包拿到shell

发现一些配置信息

$_Database_Config = array('dbhost' => '10.0.8.48',
     'dbuser' => 'm_backend_cn',
     'dbpass' => 'aoOJ1beLIDApfJC',
     'dbname' => 'adbrw_admin',
     'charset' => 'utf8',
     'pconnect' => '0',
     'environments' => 'production'
'mail.maxthon.cn',
                                   'port'     =>     '25',
                                   'auth'     =>     'true',
                                   'user'     =>     'zhaohongfeng@maxthon.cn',
                                   'pass'     =>     '@2010'
     /*$_Database_Config = array(     'dbhost'     =>     'localhost',
                                        'dbuser'     =>     'root',
                                        'dbpass'     =>     '123456',
                                        'dbname'     =>     'adbmac_admin',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0'
                                   );*/
     //?版.搴.??ワ?绾夸?                             
     $_Database_Config = array(     'dbhost'     =>     '10.0.8.48',
                                        'dbuser'     =>     'odbmac_admin',
                                        'dbpass'     =>     'BvYinxtAiS9P05P',
                                        'dbname'     =>     'odbmac_admin',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0'
     $_Database_Config = array(     'dbhost'     =>     '10.0.8.48',
                                        'dbuser'     =>     'odbmac_admin',
                                        'dbpass'     =>     'BvYinxtAiS9P05P',
                                        'dbname'     =>     'odbmac_admin',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0'
                                        'dbuser'     =>     'm_mad_cn',
                                        'dbpass'     =>     'zLXM5NoF107bS8l',
                                        'dbname'     =>     'adbrw_mad',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0'
     $_Database_Config = array(     'dbhost'     =>     '10.0.8.48',
                                        'dbuser'     =>     'm_plugins_cn',
                                        'dbpass'     =>     'MD2xPBtiyrf0z0Y',
                                        'dbname'     =>     'adbrw_plugins',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0'
     $_Database_Config = array(     'dbhost'     =>     '10.0.8.48',
                                        'dbuser'     =>     'm_feedback_cn',
                                        'dbpass'     =>     'Th8K6k7vw6g2eZy',
                                        'dbname'     =>     'feedback',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0'
     $_Database_Config = array(     'dbhost'     =>     '10.0.8.48',
                                        'dbuser'     =>     'adbrw_project',
                                        'dbpass'     =>     '1q@W3e$R',
                                        'dbname'     =>     'adbrw_channel',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0'
     $_Database_Config = array(     'dbhost'     =>     '10.0.8.48',
                                        'dbuser'     =>     'm_backendwp_cn',
                                        'dbpass'     =>     'GrW651KCwDByFdH',
                                        'dbname'     =>     'wp_admin',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0',
                                        'environments' => 'development'
                                        'dbuser'     =>     'm_webapp_cn',
                                        'dbpass'     =>     '63KlZYVG',
                                        'dbname'     =>     'adbrw_webapp',
                                        'charset'     =>     'utf8',
                                    'pconnect'     =>     '0'
smtp_main_send( array('zhaohongfeng@maxthon.net','cuiwei@maxthon.net','linhongbin@maxthon.net')
     $mail->Host       = "mail.maxthon.net";
          $mail->Username   = "Maxthon-MM@maxthon.net";    
          $mail->Password   = "1qaz2wsx";

并且这个邮箱密码成功登录～

然后就提了个权

root:$1$v4vAHK1L$p3MlF0AWUa3xMKMTBxG3f0:15733:0:99999:7:::
bin:*:15267:0:99999:7:::

随便扫了一下内网
zabbix

cacti

还有这个不知道是什么玩意

254是个华为的路由看登录界面总感觉就像是办宽带电信送的。。
恩。。没接触什么重要的东西，，点到为止，，差不多一点拿到的shell，到现在结束～

修复方案：

首先是发现一个子域名的上传
custom.maxthon.cn
在上传图标的时候只验证了content-type没有对文件后判断

简单改包拿到shell

发现一些配置信息

$_Database_Config = array('dbhost' => '10.0.8.48',
     'dbuser' => 'm_backend_cn',
     'dbpass' => 'aoOJ1beLIDApfJC',
     'dbname' => 'adbrw_admin',
     'charset' => 'utf8',
     'pconnect' => '0',
     'environments' => 'production'
'mail.maxthon.cn',
                                   'port'     =>     '25',
                                   'auth'     =>     'true',
                                   'user'     =>     'zhaohongfeng@maxthon.cn',
                                   'pass'     =>     '@2010'
     /*$_Database_Config = array(     'dbhost'     =>     'localhost',
                                        'dbuser'     =>     'root',
                                        'dbpass'     =>     '123456',
                                        'dbname'     =>     'adbmac_admin',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0'
                                   );*/
     //?版.搴.??ワ?绾夸?                             
     $_Database_Config = array(     'dbhost'     =>     '10.0.8.48',
                                        'dbuser'     =>     'odbmac_admin',
                                        'dbpass'     =>     'BvYinxtAiS9P05P',
                                        'dbname'     =>     'odbmac_admin',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0'
     $_Database_Config = array(     'dbhost'     =>     '10.0.8.48',
                                        'dbuser'     =>     'odbmac_admin',
                                        'dbpass'     =>     'BvYinxtAiS9P05P',
                                        'dbname'     =>     'odbmac_admin',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0'
                                        'dbuser'     =>     'm_mad_cn',
                                        'dbpass'     =>     'zLXM5NoF107bS8l',
                                        'dbname'     =>     'adbrw_mad',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0'
     $_Database_Config = array(     'dbhost'     =>     '10.0.8.48',
                                        'dbuser'     =>     'm_plugins_cn',
                                        'dbpass'     =>     'MD2xPBtiyrf0z0Y',
                                        'dbname'     =>     'adbrw_plugins',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0'
     $_Database_Config = array(     'dbhost'     =>     '10.0.8.48',
                                        'dbuser'     =>     'm_feedback_cn',
                                        'dbpass'     =>     'Th8K6k7vw6g2eZy',
                                        'dbname'     =>     'feedback',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0'
     $_Database_Config = array(     'dbhost'     =>     '10.0.8.48',
                                        'dbuser'     =>     'adbrw_project',
                                        'dbpass'     =>     '1q@W3e$R',
                                        'dbname'     =>     'adbrw_channel',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0'
     $_Database_Config = array(     'dbhost'     =>     '10.0.8.48',
                                        'dbuser'     =>     'm_backendwp_cn',
                                        'dbpass'     =>     'GrW651KCwDByFdH',
                                        'dbname'     =>     'wp_admin',
                                        'charset'     =>     'utf8',
                                        'pconnect'     =>     '0',
                                        'environments' => 'development'
                                        'dbuser'     =>     'm_webapp_cn',
                                        'dbpass'     =>     '63KlZYVG',
                                        'dbname'     =>     'adbrw_webapp',
                                        'charset'     =>     'utf8',
                                    'pconnect'     =>     '0'
smtp_main_send( array('zhaohongfeng@maxthon.net','cuiwei@maxthon.net','linhongbin@maxthon.net')
     $mail->Host       = "mail.maxthon.net";
          $mail->Username   = "Maxthon-MM@maxthon.net";    
          $mail->Password   = "1qaz2wsx";

并且这个邮箱密码成功登录～

然后就提了个权

root:$1$v4vAHK1L$p3MlF0AWUa3xMKMTBxG3f0:15733:0:99999:7:::
bin:*:15267:0:99999:7:::

随便扫了一下内网
zabbix

cacti

还有这个不知道是什么玩意

254是个华为的路由看登录界面总感觉就像是办宽带电信送的。。
恩。。没接触什么重要的东西，，点到为止，，差不多一点拿到的shell，到现在结束～

版权声明：转载请注明来源 Matt@乌云

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2015-01-12 09:34

WooYun.org

漏洞概要关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Matt@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Matt@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞