Carrier security: multiple vulnerabilities in a China Mobile support system / switch give several ways into the intranet
Posted by admin, 2017-04-21 10:05:52 (a mirror of a WooYun report; the mirror's own link is at the end)

Vulnerability summary
Defect ID: WooYun-2016-179801
Title: Carrier security: multiple vulnerabilities in a China Mobile support system / switch give several ways into the intranet
Vendor: 中国移动 (China Mobile)
Author: 李旭敏
Submitted: 2016-03-01 16:40
Published: 2016-04-18 17:48
Type: system/service operations misconfiguration
Severity: High
Self-assessed Rank: 12
Status: handed to a third-party partner (CNCERT, the national internet emergency response centre) for handling
Source: www.wooyun.org
Tags: none

Disclosure timeline
2016-03-01: details sent to the vendor, awaiting the vendor's response
2016-03-04: vendor confirmed; details visible to the vendor only
2016-03-14: details opened to core white hats and domain experts
2016-03-24: details opened to regular white hats
2016-04-03: details opened to intern white hats
2016-04-18: details made public

Brief description
China Mobile, pay attention: getshell every which way.

Details
One day while browsing a forum I came across this message:

    To prepare for this afternoon's training, attendees please get the following ready:
    1. Download two pieces of software:
    (1) Support 100 system (BOSS on your phone): open the URL below and follow the prompts to install
        **.**.**.**:7270/HubeiESOPWEB/G3CRM_HuBei_Platform.apk
    (2) Real-name verification: text SMRZ to 10086.
    杨佳 today 12:56:20
    Correction: real-name verification: text SMRZ to 10085.

I was completely dumbfounded, but as far as I know China Mobile is about the only carrier that has ever shown a BOSS system like this.

I found a test phone, downloaded the APK, and sure enough it was the China Mobile Hubei support system.

Brute forcing turned up a weak password on that server:

    ssh **.**.**.**:61134
    user:user

Logging in, it turned out to be a switch. Hold on, what are you actually for?

    Switch is up 81 days, 12 hours, 57 minutes and 25 seconds.
    Last boot:  20:04:51 Thu Dec 10, 2015 (power cycle)
    Last apply: 16:23:14 Tue Feb 23, 2016
    Last save:  16:23:14 Tue Feb 23, 2016
    MAC Address              : 2c:b6:93:03:9d:00
    Hardware MainBoard No|Rev: YARKON-MB | C.21
    Hardware DB No           : Not Available
    Hardware Serial Number   : 31407218
    Note - When the measured temperature inside the switch EXCEEDs the anomaly threshold at 82 degree Celsius or the critical temperature at 93 degree Celsius different syslog messages will be generated.
    Software Version **.**.**.**
    Image ID 1, active configuration.
    HA State: ACTIVE
    Mode of operation: by Name

    >> Alteon_02_33 - Standalone ADC - Information> slb
    ------------------------------------------------------------------
    [Server Load Balancing Information Menu]
         real - Show real server information
        group - Show real server group information
         virt - Show virtual server information
         dump - Show all layer 4 information
    >> Alteon_02_33 - Standalone ADC - Server Load Balancing Information> real
    Enter Real server id: 1
    Error: You do not own real server 1
    >> Alteon_02_33 - Standalone ADC - Server Load Balancing Information> group
    Enter real server group id: 1
    Real Server Group 1: name default-8080, metric leastconns
        health tcp (TCP), content
        Operation: enabled
    Virtual Server: 1, IP4 **.**.**.**
        Virtual Services:
        0: vport http
        Real Servers:
            1: **.**.**.**, server6-8080, e4:11:5b:ac:f8:b2, vlan 101, port 20, health port 8080(runtime TCP), 0 ms, UP
            2: **.**.**.**, server7-8080, e4:11:5b:ac:d8:3c, vlan 101, port 20, health port 8080(runtime TCP), 8 ms, UP
    Virtual Server: 2, IP4 **.**.**.**
        Virtual Services:
        0: vport https, pbind clientip
            content rule 1, content class servicenewresources, ena
            content rule 2, content class serviceresources, ena
            content rule 5, content class serviceresources_v2, ena
            content rule 7, content class servicemainhtml, ena
            content rule 8, content class resources_v2, ena
            content rule 10, content class SSOloginbox, ena
            content rule 16, content class imsportaladmin, ena
            content rule 28, content class tuan, ena
            content rule 33, content class smsdcsportal, dis
            content rule 36, content class powercmhbmanagement, ena
            content rule 66, content class adimages, ena
            content rule 77, content class awstats, ena
            content rule 79, content class cgi-bin, ena
            content rule 86, content class coke2013, ena
            content rule 98, content class 4G, ena
            content rule 400, content class MIFI, ena
            content rule 500, content class nokia638, ena
            content rule 600, content class iphone6, ena
            content rule 700, content class hongbao, ena
        Real Servers:
            1: **.**.**.**, server6-8080, e4:11:5b:ac:f8:b2, vlan 101, port 20 , health port 8080(runtime TCP), 0 ms, UP
            2: **.**.**.**, server7-8080, e4:11:5b:ac:d8:3c, vlan 101, port 20 , health port 8080(runtime TCP), 8 ms, UP
        0: vport http, pbind clientip
            content rule 1, content class servicenewresources, ena
            content rule 2, content class serviceresources, ena
            content rule 5, content class serviceresources_v2, ena
            content rule 7, content class servicemainhtml, ena
            content rule 8, content class resources_v2, ena
            content rule 10, content class SSOloginbox, ena
            content rule 16, content class imsportaladmin, ena
            content rule 18, content class imsportalgroup, ena
            content rule 28, content class tuan, ena
            content rule 33, content class smsdcsportal, dis
            content rule 36, content class powercmhbmanagement, ena
            content rule 66, content class adimages, ena
            content rule 77, content class awstats, ena
            content rule 79, content class cgi-bin, ena
            content rule 86, content class coke2013, ena
            content rule 98, content class 4G, ena
            content rule 400, content class MIFI, ena
            content rule 500, content class nokia638, ena
            content rule 600, content class iphone6, ena
            content rule 700, content class hongbao, ena
            content rule 833, content class csp-magent-clientindex2jsp, ena
        Real Servers:
            1: **.**.**.**, server6-8080, e4:11:5b:ac:f8:b2, vlan 101, port 20 , health port 8080(runtime TCP), 0 ms, UP
            2: **.**.**.**, server7-8080, e4:11:5b:ac:d8:3c, vlan 101, port 20 , health port 8080(runtime TCP), 8 ms, UP
    Virtual Server: 4, IP4 **.**.**.**
        Virtual Services:
        0: vport http, pbind cookie
            content rule 100, content class method-P6T00, ena
            content rule 600, content class method-I9128, ena
            content rule 700, content class method-I9508, ena
            cookie persistence mode: insert
            inserted cookie expires after 0 days 0 hours 30 minutes
        Real Servers:
            1: **.**.**.**, server6-8080, e4:11:5b:ac:f8:b2, vlan 101, port 20
            2: **.**.**.**, server7-8080, e4:11:5b:ac:d8:3c, vlan 101, port 20
    Virtual Server: 5, IP4 **.**.**.**
        Virtual Services:
        0: vport http, pbind cookie
            content rule 7, content class method-P6T00, ena
            content rule 8, content class method-I9128, ena
            content rule 9, content class method-I9508, ena
            cookie persistence mode: insert
            inserted cookie expires after 0 days 0 hours 30 minutes
        Real Servers:
            1: **.**.**.**, server6-8080, e4:11:5b:ac:f8:b2, vlan 101, port 20
            2: **.**.**.**, server7-8080, e4:11:5b:ac:d8:3c, vlan 101, port 20
    Virtual Server: 6, IP4 **.**.**.**
        Virtual Services:
        0: vport http, pbind cookie
            content rule 7, content class method-P6T00, ena
            content rule 8, content class method-I9128, ena
            content rule 9, content class method-I9508, ena

Note: the prompt, ">> Alteon_02_33 - Standalone ADC", identifies the device as a Radware Alteon application delivery controller, a load balancer whose CLI still calls itself a switch. AlteonOS ships with a built-in "user" login that has view-only access to information and statistics, and view-only access is all the listing above needed: the /info/slb/group output enumerates every virtual IP, the virtual services and content rules on it, and the real (backend) servers behind it with IP, MAC, VLAN and health-check port. Two backends, server6-8080 and server7-8080 on VLAN 101 health-checked on TCP 8080, sit behind every virtual server, and the content classes (SSOloginbox, imsportaladmin, powercmhbmanagement, awstats, cgi-bin, ...) name the applications the balancer routes to them. A read-only account on the load balancer is therefore already a map of the intranet the rest of the report reaches.

Proof

    **.**.**.**:7270//uddiexplorer/SearchPublicRegistries.jsp

Scanning also turned up an SSRF point, which on its own is perhaps of limited use.

Note: SearchPublicRegistries.jsp is part of the uddiexplorer application bundled with WebLogic Server 10.0.2 and 10.3.6. The page connects to a registry URL that the client supplies, which is the publicly documented SSRF CVE-2014-4210; that is what makes the 7270 listener a way to probe hosts and ports behind the balancer from outside.

But the weak password was not the only one:

    **.**.**.**:7270/console/login/LoginForm.jsp
    weblogic:weblogic

Following 园长's article at http://**.**.**.**/tips/604 gives a shell directly.

Reading hosts and ifconfig shows the internal address range is 7.1.2.*; combined with the SSRF, you can take your time from here.

Remediation
(left blank in the original report)

Copyright notice: please credit the source when reposting: 李旭敏@乌云

Vendor response
Severity: High
Vulnerability Rank: 11
Confirmed: 2016-03-04 17:48
Vendor reply: CNVD did not reproduce the described situation; it has been passed to China Mobile Group via CNCERT, which will coordinate handling with the site's management department.
Latest status: none

Comments
2016-03-02 08:34 | LoveSnow (intern white hat | Rank:85 | vulnerabilities:20 | "Engage with the orthodox, win with the unorthodox!")
    Made it a bit flashy, and a bit mystical.
2016-03-04 17:52 | whynot (regular white hat | Rank:678 | vulnerabilities:136 | "Thaw the glacier for you, give up the world for you, why not")
    Wildly, insanely cool.

Mirror: https://cn-sec.com/archives/40652.html
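To show what the Alteon group/virtual-server listing above hands to an attacker (or to an asset-inventory script), here is an added example, not code from the report or from Radware: a parser for /info/slb/group output that rebuilds the map of virtual IPs, services, content classes and the real servers behind them. The dump embedded in the block is constructed to mirror the layout above; the 10.10.x.x addresses are placeholders for the masked ones on the page, while the server names and MACs are the ones the page prints.

```python
"""Rebuild the intranet map from a Radware Alteon /info/slb/group listing.

Added example for this page, not code from the report or from Radware. The
sample dump is constructed to mirror the listing on the page; 10.10.x.x
addresses stand in for the masked ones.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RealServer:
    index: int
    ip: str
    name: str
    mac: str
    vlan: int
    port: int
    health_port: Optional[int]   # None when the listing prints no health column
    state: Optional[str]         # "UP" / "DOWN", or None when not printed


@dataclass
class VirtualService:
    vport: str
    pbind: Optional[str]
    content_rules: List[Tuple[int, str, bool]] = field(default_factory=list)  # (rule, class, enabled)
    real_servers: List[RealServer] = field(default_factory=list)


@dataclass
class VirtualServer:
    index: int
    ip: str
    services: List[VirtualService] = field(default_factory=list)


VSERVER_RE = re.compile(r"^Virtual Server:\s*(\d+),\s*IP4\s+(\S+)")
SERVICE_RE = re.compile(r"^(\d+):\s*vport\s+(\S+?)(?:,\s*pbind\s+(\S+))?$")
RULE_RE = re.compile(r"^content rule\s+(\d+),\s*content class\s+(\S+),\s*(ena|dis)$")
# e.g. "1: 10.10.2.6, server6-8080, e4:11:5b:ac:f8:b2, vlan 101, port 20 , health port 8080(runtime TCP), 0 ms, UP"
REAL_RE = re.compile(
    r"^(\d+):\s*(\S+),\s*([^,]+?)\s*,\s*([0-9a-f:]{17})\s*,\s*vlan\s+(\d+)\s*,\s*port\s+(\d+)"
    r"(?:\s*,\s*health port\s+(\d+)\([^)]*\))?(?:\s*,\s*\d+\s*ms)?(?:\s*,\s*(UP|DOWN))?\s*$"
)


def parse_slb_dump(text: str) -> List[VirtualServer]:
    """Each line belongs to the most recent Virtual Server / vport header above it."""
    vservers: List[VirtualServer] = []
    vserver: Optional[VirtualServer] = None
    service: Optional[VirtualService] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = VSERVER_RE.match(line)
        if m:
            vserver = VirtualServer(int(m.group(1)), m.group(2))
            vservers.append(vserver)
            service = None
            continue
        if vserver is None:
            continue                      # group header, menu echo, prompt lines
        m = SERVICE_RE.match(line)
        if m:                             # a second vport may follow the first one's real servers
            service = VirtualService(m.group(2), m.group(3))
            vserver.services.append(service)
            continue
        if service is None:
            continue
        m = RULE_RE.match(line)
        if m:
            service.content_rules.append((int(m.group(1)), m.group(2), m.group(3) == "ena"))
            continue
        m = REAL_RE.match(line)
        if m:
            service.real_servers.append(RealServer(
                int(m.group(1)), m.group(2), m.group(3), m.group(4), int(m.group(5)),
                int(m.group(6)), int(m.group(7)) if m.group(7) else None, m.group(8)))
    return vservers


def real_server_inventory(vservers: List[VirtualServer]) -> Dict[str, dict]:
    """Backend IP -> name, MAC, VLAN, health-check port and the VIP:vport pairs fronting it."""
    inv: Dict[str, dict] = {}
    for vs in vservers:
        for svc in vs.services:
            for rs in svc.real_servers:
                entry = inv.setdefault(rs.ip, {"name": rs.name, "mac": rs.mac, "vlan": rs.vlan,
                                               "health_port": None, "fronted_by": set()})
                entry["fronted_by"].add(f"{vs.ip}:{svc.vport}")
                if rs.health_port is not None:
                    entry["health_port"] = rs.health_port
    return inv


def enabled_content_classes(vservers: List[VirtualServer]) -> List[str]:
    """Content classes with an enabled rule: the application names the balancer routes on."""
    return sorted({cls for vs in vservers for svc in vs.services
                   for _, cls, ena in svc.content_rules if ena})


SAMPLE_DUMP = """\
>> Alteon_02_33 - Standalone ADC - Server Load Balancing Information> group
Enter real server group id: 1
Real Server Group 1: name default-8080, metric leastconns
Virtual Server: 1, IP4 10.10.1.1
    Virtual Services:
    0: vport http
    Real Servers:
        1: 10.10.2.6, server6-8080, e4:11:5b:ac:f8:b2, vlan 101, port 20, health port 8080(runtime TCP), 0 ms, UP
        2: 10.10.2.7, server7-8080, e4:11:5b:ac:d8:3c, vlan 101, port 20, health port 8080(runtime TCP), 8 ms, UP
Virtual Server: 2, IP4 10.10.1.2
    0: vport https, pbind clientip
        content rule 10, content class SSOloginbox, ena
        content rule 16, content class imsportaladmin, ena
        content rule 33, content class smsdcsportal, dis
    Real Servers:
        1: 10.10.2.6, server6-8080, e4:11:5b:ac:f8:b2, vlan 101, port 20 , health port 8080(runtime TCP), 0 ms, UP
        2: 10.10.2.7, server7-8080, e4:11:5b:ac:d8:3c, vlan 101, port 20 , health port 8080(runtime TCP), 8 ms, UP
    0: vport http, pbind clientip
        content rule 18, content class imsportalgroup, ena
    Real Servers:
        1: 10.10.2.6, server6-8080, e4:11:5b:ac:f8:b2, vlan 101, port 20 , health port 8080(runtime TCP), 0 ms, UP
        2: 10.10.2.7, server7-8080, e4:11:5b:ac:d8:3c, vlan 101, port 20 , health port 8080(runtime TCP), 8 ms, UP
Virtual Server: 4, IP4 10.10.1.4
    0: vport http, pbind cookie
        content rule 100, content class method-P6T00, ena
        cookie persistence mode: insert
    Real Servers:
        1: 10.10.2.6, server6-8080, e4:11:5b:ac:f8:b2, vlan 101, port 20
        2: 10.10.2.7, server7-8080, e4:11:5b:ac:d8:3c, vlan 101, port 20
"""

if __name__ == "__main__":
    vs = parse_slb_dump(SAMPLE_DUMP)
    for ip, e in real_server_inventory(vs).items():
        print(ip, e["name"], e["mac"], "vlan", e["vlan"], "health", e["health_port"], sorted(e["fronted_by"]))
    print("routed applications:", enabled_content_classes(vs))
```

The regexes tolerate the stray space before the comma ("port 20 , health port") that the page's own listing contains, and a real-server line without a health column (virtual server 4 above) yields health_port and state of None rather than a parse failure.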
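The report's closing move, sweeping 7.1.2.* through /uddiexplorer/SearchPublicRegistries.jsp, leaves a recognisable trail in WebLogic's access log, which is written in Common Log Format by default. As an added example, not code from the report, the block below flags one source naming many distinct host:port targets through that page, any target inside the internal ranges, and requests to /console/ from outside an admin network. The log lines, the query parameter name and the network ranges are constructed for the example; the 7.1.2.0/24 range is listed explicitly because 7.0.0.0/8 is routable public space and ipaddress.is_private() would not catch it.

```python
"""Flag a uddiexplorer SSRF sweep and exposed-console hits in a WebLogic access log.

Added example for this page, not code from the report. WebLogic writes its
access log in Common Log Format by default; the lines, the parameter name and
the network ranges below are constructed for the example.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
URL_RE = re.compile(r"https?://[^\s&\"']+")
SSRF_PATH = "/uddiexplorer/SearchPublicRegistries.jsp"
CONSOLE_PREFIX = "/console/"

# The report's hosts sat in 7.1.2.*; that block is not RFC 1918, so it has to be named.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("7.1.2.0/24", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_NETS = [ipaddress.ip_network("7.1.2.0/24")]   # constructed: the only sources allowed on /console/


def parse_line(line: str) -> Optional[dict]:
    m = CLF_RE.match(line)
    if not m:
        return None
    src, ts, method, target, status, _size = m.groups()
    parts = urlsplit(target)            # target is path?query, no scheme or host
    return {"src": src, "ts": ts, "method": method, "path": parts.path,
            "query": parts.query, "status": int(status)}


def ssrf_targets(query: str) -> List[Tuple[str, int]]:
    """(host, port) for every absolute URL in any parameter, after percent-decoding."""
    out = []
    for _name, value in parse_qsl(query, keep_blank_values=True):
        for url in URL_RE.findall(value):
            u = urlsplit(url)
            if u.hostname:
                out.append((u.hostname, u.port or (443 if u.scheme == "https" else 80)))
    return out


def _in_nets(host: str, nets) -> Optional[bool]:
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None                     # a DNS name, not an address
    return any(ip in n for n in nets)


def is_internal(host: str) -> bool:
    if host == "localhost":
        return True
    hit = _in_nets(host, INTERNAL_NETS)
    if hit is None:
        return False
    ip = ipaddress.ip_address(host)
    return hit or ip.is_private or ip.is_loopback or ip.is_link_local


def analyze(lines, sweep_threshold: int = 5) -> dict:
    """A source naming >= sweep_threshold distinct host:port targets through the
    uddiexplorer page is a sweep; internal targets and /console/ requests from
    outside ADMIN_NETS are reported individually."""
    per_src: Dict[str, set] = defaultdict(set)
    internal_hits, console_hits = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] == SSRF_PATH:
            for host, port in ssrf_targets(rec["query"]):
                per_src[rec["src"]].add((host, port))
                if is_internal(host):
                    internal_hits.append((rec["src"], host, port))
        elif rec["path"].startswith(CONSOLE_PREFIX) and not _in_nets(rec["src"], ADMIN_NETS):
            console_hits.append((rec["src"], rec["path"]))
    sweeps = {src: sorted(t) for src, t in per_src.items() if len(t) >= sweep_threshold}
    return {"ssrf_sweeps": sweeps, "ssrf_internal_hits": internal_hits, "console_hits": console_hits}


# Constructed log lines: one outside source walks five internal host:port pairs
# through the SSRF page, then opens the console login form; a second source makes
# one legitimate-looking registry lookup; an admin-net host touches /console/.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Apr/2017:10:05:52 +0800] "GET /uddiexplorer/SearchPublicRegistries.jsp?operator=http%3A%2F%2F7.1.2.10%3A8080&rdoSearch=name&txtSearchname=x HTTP/1.1" 200 5121
203.0.113.7 - - [21/Apr/2017:10:05:53 +0800] "GET /uddiexplorer/SearchPublicRegistries.jsp?operator=http%3A%2F%2F7.1.2.10%3A22&rdoSearch=name&txtSearchname=x HTTP/1.1" 200 5044
203.0.113.7 - - [21/Apr/2017:10:05:54 +0800] "GET /uddiexplorer/SearchPublicRegistries.jsp?operator=http%3A%2F%2F7.1.2.11%3A8080&rdoSearch=name&txtSearchname=x HTTP/1.1" 200 5121
203.0.113.7 - - [21/Apr/2017:10:05:55 +0800] "GET /uddiexplorer/SearchPublicRegistries.jsp?operator=http%3A%2F%2F7.1.2.12%3A7001&rdoSearch=name&txtSearchname=x HTTP/1.1" 200 5130
203.0.113.7 - - [21/Apr/2017:10:05:56 +0800] "GET /uddiexplorer/SearchPublicRegistries.jsp?operator=http%3A%2F%2F7.1.2.13%3A3306&rdoSearch=name&txtSearchname=x HTTP/1.1" 200 5044
198.51.100.3 - - [21/Apr/2017:10:07:01 +0800] "GET /uddiexplorer/SearchPublicRegistries.jsp?operator=http%3A%2F%2Fuddi.example.org%2Finquire&rdoSearch=name&txtSearchname=acme HTTP/1.1" 200 6210
203.0.113.7 - - [21/Apr/2017:10:09:12 +0800] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3302
7.1.2.5 - - [21/Apr/2017:10:10:00 +0800] "GET /console/ HTTP/1.1" 302 0
198.51.100.3 - - [21/Apr/2017:10:11:40 +0800] "GET /HubeiESOPWEB/G3CRM_HuBei_Platform.apk HTTP/1.1" 200 8812345
"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```

The target extraction does not depend on the parameter name: every absolute URL in any percent-decoded parameter is taken as a potential SSRF target, so renaming or duplicating parameters does not hide the probe. The sweep threshold is per source over the whole input; on a live log, bucket by time window as well.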