
Vulnerability summary

Defect ID: wooyun-2015-0121683

Title: A high-risk vulnerability in a 9维游戏 (9wee Games) service system leaves multiple important sites exposed as collateral damage

Vendor: 9维游戏 (9wee Games)

Author: 路人甲

Submitted: 2015-06-24 18:53

Fix deadline: 2015-08-08 18:54

Published: 2015-08-08 18:54

Vulnerability type: improper system/service operations configuration

Severity: High

Self-assessed Rank: 20

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org. For questions or assistance, contact [email protected]



Vulnerability details

Disclosure status:

2015-06-24: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-08-08: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

A high-risk vulnerability in a 9维游戏 (9wee Games) service system leaves multiple important sites exposed as collateral damage.

Detailed description:

A large number of important systems are affected: the 9wee game community, the Duoqu game community, Webmin, the intranet, and more.
I often play games on 9wee, so today I tested it in passing.
# Information gathering: collected a set of domain names and grouped them into IP ranges



# Filtered and consolidated the information and confirmed the important systems

bbs.9wee.com


memcache is deployed on

122.226.206.28


Load-balanced IPs, consolidated:

122.226.206.85
122.226.206.86
122.226.206.89
122.226.206.81


A large-scale Nmap scan found a Webmin instance:

https://122.226.206.81:10000/


[screenshot: q.jpg]


Fuzzing the username and password logged in successfully:

admin / 123456


[screenshot: qq.jpg]


Obtained a webshell through Webmin's command shell.
Zabbix is also present, as can be seen here:

[screenshot: qqq.jpg]


traceroute:

[screenshot: qqqq.jpg]


Intranet database:

[screenshot: qqqqq.jpg]


bbs.9wee.com, the 9wee game community:
UCenter, database, uc_key, shell

[screenshot: w.jpg]


bbs.duoqu.com, the Duoqu game community

[screenshot: ww.jpg]


Database on the intranet .89 host

[screenshot: www.jpg]


Webmin can act as an HTTP tunnel; probing the intranet directly through it would expose everything.
(over)
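The root cause above is an Internet-facing Webmin on :10000 with a guessable password and no throttling or lockout. The following audit of Webmin's miniserv.conf is an added example, not part of the report; the option names are Webmin's miniserv.conf keys as I know them, and both sample configs are constructed for illustration.

```python
# Audit of Webmin's miniserv.conf for the controls whose absence made this
# exposure possible: a listener reachable from anywhere with no IP allow list,
# no failed-login throttling or lockout, and no logging of failed logins.
# Added example, not part of the WooYun report. Option names are Webmin's
# miniserv.conf keys (ssl, bind, allow, passdelay, blockhost_failures, ...);
# both sample configs below are constructed.

def parse_miniserv(text):
    """Parse key=value lines into a dict, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit_miniserv(text):
    """Return a sorted list of finding identifiers for weak settings."""
    conf = parse_miniserv(text)
    count = lambda k: int(conf.get(k) or 0)   # missing or empty counts as 0
    findings = []
    if conf.get("ssl") != "1":
        findings.append("plaintext-listener")        # passwords cross the wire in clear
    # No bind address and no allow list: reachable from any source, which is the
    # 122.226.206.81:10000 situation described in the report.
    if conf.get("bind", "") in ("", "0.0.0.0", "*") and not conf.get("allow"):
        findings.append("exposed-without-allowlist")
    if conf.get("passdelay") != "1":
        findings.append("no-failed-login-delay")     # unthrottled password guessing
    if count("blockhost_failures") <= 0:
        findings.append("no-host-lockout")
    if count("blockuser_failures") <= 0:
        findings.append("no-user-lockout")
    if conf.get("syslog") != "1":
        findings.append("failed-logins-not-logged")  # guessing leaves no trace
    return sorted(findings)

# Constructed: the first mirrors the report's exposure, the second is the fix.
WEAK_CONF = "port=10000\nssl=0\npassdelay=0\n"
HARDENED_CONF = "\n".join([
    "port=10000", "ssl=1", "bind=10.0.0.5", "allow=10.0.0.0/24", "passdelay=1",
    "blockhost_failures=5", "blockhost_time=60", "blockuser_failures=5",
    "blockuser_time=60", "syslog=1"])

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_miniserv(conf) or "ok")
```

The lockout and delay settings stop the credential fuzzing used in the report; the bind/allow settings keep :10000 off the Internet entirely, which is the change that matters most.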

Proof of vulnerability:

Remediation:

Copyright notice: when reproducing, credit the source as 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively refused

Vulnerability Rank: 15 (WooYun rating)