
Vulnerability summary

Defect ID: wooyun-2015-0130131

Title: AAE Global Express: unauthorized access to one server leads to the compromise of multiple servers and intranet pivoting (sensitive data of several courier companies involved)

Vendor: AAE全球专递 (AAE Global Express)

Author: 路人甲

Submitted: 2015-07-29 10:35

Fixed: 2015-09-14 17:56

Published: 2015-09-14 17:56

Vulnerability type: unauthorized access / privilege bypass

Severity: high

Self-assessed rank: 20

Status: handed to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-07-29: details sent to the vendor, awaiting the vendor's handling
2015-07-31: vendor confirmed; details disclosed to the vendor only
2015-08-10: details disclosed to core white hats and domain experts
2015-08-20: details disclosed to regular white hats
2015-08-30: details disclosed to intern white hats
2015-09-14: details disclosed to the public

Brief description:

There are quite a few databases and several courier companies are involved, so this is a bit messy.

Details:

Unauthorized FTP access leaks database account information, which chains into a whole string of servers.

ftp://211.144.85.198/
ftp://211.144.85.198/Web.config


The database connection string points to a different server, while 211.144.85.198 itself resolves to JET捷特快递 (JET Express), www.jet185.com.

server=222.73.41.20;database=Zebra_EMI;uid=ncuser;pwd=netcansoft.com@lanny2013
server=58.32.234.118,12322;database=IT_DB;uid=it_user;pwd=it_user2012


The database connection succeeds, and multiple databases are involved.

[screenshot: 1.jpg]

[screenshot: 2.jpg]


Privilege escalation through MSSQL: execute commands, list the web directory, write a shell.

[screenshot: 3.jpg]


http://222.73.41.20:8080 runs the Mantis bug-tracking platform.
Web root: c:\xampp\htdocs\


Shell obtained.

[screenshot: 0.jpg]


Commands execute with administrator privileges, giving straightforward entry to the server's remote desktop.

[screenshot: 1.png]

[screenshot: 00.png]


The server hosts a large number of web applications (several dozen sites and ports, on 222.73.41.20 and under netcansoft.com and related domains).



See the screenshots: far too many servers were compromised at this point.

[screenshot: 5.png]

[screenshot: 001.png]

[screenshot: 002.jpg]


A remote desktop management program was likewise saved on the desktop.
Database connection information was obtained from the configuration files under the web directory.
61.152.207.199: command execution, directory listing, shell written, privileges escalated.
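As an added defensive check (not part of the original report), the following Python audits the connectionString entries of a Web.config-style file for both syntaxes found in this kind of leak (`server=...;uid=...;pwd=...` and `Data Source=...;User ID=...;Password=...`) and flags plaintext passwords, year-suffixed passwords like the 2014/2015 pattern the report exploits, weak passwords, and applications connecting as `sa`. The sample config and every value in it are constructed.

```python
import re

# Constructed sample in the shape of a leaked Web.config (all values made up).
SAMPLE_CONFIG = """
<connectionStrings>
  <add name="main" connectionString="server=10.0.0.5;database=ExampleDB;uid=appuser;pwd=Example2014" />
  <add name="crm" connectionString="Data Source=10.0.0.6,12321;Initial Catalog=CRM_DB;User ID=sa;Password=123456" />
  <add name="sso" connectionString="Data Source=10.0.0.7;Initial Catalog=Auth;Integrated Security=SSPI" />
</connectionStrings>
"""

# Both SQL Server connection-string dialects use different key names for the
# same fields; normalise them to one vocabulary (keys compared in lower case).
KEY_ALIASES = {
    "server": "server", "data source": "server", "source": "server",
    "database": "database", "initial catalog": "database",
    "uid": "user", "user id": "user", "user": "user",
    "pwd": "password", "password": "password",
}

def parse_connection_string(cs):
    """Split 'k=v;k=v' into a dict, mapping aliased keys to canonical names."""
    fields = {}
    for part in cs.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        key = key.strip().lower()
        fields[KEY_ALIASES.get(key, key)] = value.strip()
    return fields

def audit(config_text):
    """Return (server, database, [problems]) for each connectionString found."""
    findings = []
    for cs in re.findall(r'connectionString="([^"]*)"', config_text):
        fields = parse_connection_string(cs)
        problems = []
        if "password" in fields:
            problems.append("plaintext password")
            pw = fields["password"]
            # Trailing year is the rotation pattern a guesser tries first.
            if re.search(r"(19|20)\d\d$", pw):
                problems.append("year suffix (guessable rotation)")
            if len(pw) < 8 or pw.isdigit():
                problems.append("weak password")
        if fields.get("user", "").lower() == "sa":
            problems.append("sysadmin login used by application")
        findings.append((fields.get("server"), fields.get("database"), problems))
    return findings
```

Entries using Integrated Security carry no password and produce no finding; everything else is reported so it can be moved out of the web root or into a secret store.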

[screenshot: 4.jpg]

[screenshot: 2.jpg]


Uploaded ms-15-015 to obtain the highest system privileges.

[screenshot: 1.jpg]

[screenshot: 3.jpg]


As the screenshot above shows, order-system account credentials were stored on the host. Logging in with them directly failed, but the passwords follow a pattern: changing the trailing 2014 to 2015 logged in successfully.
116.228.73.132

[screenshot: 000.jpg]


Due to time constraints this was not pursued further.
The courier companies involved include:
360banma.net 斑马物流 (Banma Logistics)
aaeweb.com aae全球专递 (AAE Global Express)
lishi56.com 丽狮物流 (Lishi Logistics)
www.jet185.com JET捷特快递 (JET Express)
plus others that were not tallied in detail.

Proof of vulnerability:

http://116.228.73.132/1.txt
http://61.152.207.199/update/1.aspx zx
http://61.152.207.199/update/1.txt
http://acc.aaeweb.com/admin/1.txt
http://222.73.41.20:8080/admin.bak/1.php zx


Database connection strings and server credentials were collected from the compromised hosts (the raw dump of these values is omitted here).



There are too many database and server administrator accounts to list, and some passwords have already been changed; with social engineering the intrusion could be pushed further and roam the intranet, but that was not tested much here.
The leaked database contents were not tallied; with multiple courier companies involved, the volume of sensitive information is unlikely to be small.

Remediation:

Copyright notice: when reproducing, credit the source as 路人甲@乌云


Vulnerability response

Vendor response:

Severity: high

Vulnerability rank: 18

Confirmed: 2015-07-31 17:54

Vendor reply:

CNVD has confirmed the described situation and has notified the website's operating organization through the contact details published on the site.

Latest status:

None yet