P2P Financial Security: A Probe of Touna's Internal Network

admin, 2017-03-22 02:46:02, 393 views
Summary

2016-03-18: Details reported to the vendor, awaiting vendor handling
2016-03-18: Vendor confirmed; details disclosed to the vendor only
2016-03-28: Details disclosed to core white hats and domain experts
2016-04-07: Details disclosed to regular white hats
2016-04-17: Details disclosed to intern white hats
2016-05-02: Details disclosed to the public

Vulnerability Summary

Defect ID: WooYun-2016-186101

Vulnerability title: P2P Financial Security: A Probe of Touna's Internal Network

Vendor: 深圳投哪金融服务有限公司 (Shenzhen Touna Financial Services Co., Ltd.)

Author: 路人甲

Submitted: 2016-03-18 11:35

Published: 2016-05-02 13:12

Vulnerability type: Successful intrusion event

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: www.wooyun.org. If you have questions or need help, please contact

Tags: arbitrary file upload, insufficient security awareness



Vulnerability Details


Brief description:

As titled.

Detailed description:

Over the past few days Touna has had several holes reported against it, all of them on the front page.

I'll follow the trend and casually submit one too.

Vulnerable URLs:

Code block:
http://acc.rxdai.com:8585/LoginModule/Login.aspx
http://acc.rxdai.com:8585/EmployeeQuery/Login.aspx

Got in successfully via the vulnerability from WooYun: P2P Financial Security: Touna vulnerability bundle (lax account-system controls leading to the compromise of multiple systems, SQL injection, replacing the official app, etc.).

[Screenshot]

Poked around a bit and found a pile of SQL injections.

[Screenshots]

Code block:
========================================================
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
current user: 'sa'
current database: 'HROA_TOUNA'
current user is DBA: True
available databases [10]:
[*] 0914
[*] ADS
[*] HEROA
[*] HROA_TOUNA
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb

Database: HROA_TOUNA
[569 tables]

Multiple upload points in the back end

[Screenshots]

Got a shell

[Screenshots]

Internal network machines

[Screenshot]

Database

[Screenshot]

============================================

Internal network information

Code block:
ipconfig /all

Windows IP 配置

主机名 . . . . . . . . . . . . . : touna-EHR
主 DNS 后缀 . . . . . . . . . . . :
节点类型 . . . . . . . . . . . . : 混合
IP 路由已启用 . . . . . . . . . . : 否
WINS 代理已启用 . . . . . . . . . : 否

以太网适配器 本地连接 2:

连接特定的 DNS 后缀 . . . . . . . :
描述. . . . . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #2
物理地址. . . . . . . . . . . . . : C8-1F-66-CA-E7-5D
DHCP 已启用 . . . . . . . . . . . : 是
自动配置已启用. . . . . . . . . . : 是
IPv4 地址 . . . . . . . . . . . . : 192.168.30.252(首选)
子网掩码 . . . . . . . . . . . . : 255.255.255.0
获得租约的时间 . . . . . . . . . : 2015年10月26日 17:46:23
租约过期的时间 . . . . . . . . . : 2015年11月28日 13:56:43
默认网关. . . . . . . . . . . . . : 192.168.30.1
DHCP 服务器 . . . . . . . . . . . : 192.168.30.1
DNS 服务器 . . . . . . . . . . . : 202.96.134.133
202.96.128.86
TCPIP 上的 NetBIOS . . . . . . . : 已启用

以太网适配器 本地连接:

连接特定的 DNS 后缀 . . . . . . . :
描述. . . . . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
物理地址. . . . . . . . . . . . . : C8-1F-66-CA-E7-5C
DHCP 已启用 . . . . . . . . . . . : 否
自动配置已启用. . . . . . . . . . : 是
IPv4 地址 . . . . . . . . . . . . : 10.0.5.110(首选)
子网掩码 . . . . . . . . . . . . : 255.255.255.0
默认网关. . . . . . . . . . . . . : 10.0.5.254
DNS 服务器 . . . . . . . . . . . : 10.0.5.100
202.96.134.133
TCPIP 上的 NetBIOS . . . . . . . : 已启用

隧道适配器 isatap.{F7C56121-FE79-426F-BC24-08B2EB67C858}:

媒体状态 . . . . . . . . . . . . : 媒体已断开
连接特定的 DNS 后缀 . . . . . . . :
描述. . . . . . . . . . . . . . . : Microsoft ISATAP Adapter
物理地址. . . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP 已启用 . . . . . . . . . . . : 否
自动配置已启用. . . . . . . . . . : 是

隧道适配器 isatap.{18108E9C-A6E4-409F-BF41-CFDEE58A5556}:

媒体状态 . . . . . . . . . . . . : 媒体已断开
连接特定的 DNS 后缀 . . . . . . . :
描述. . . . . . . . . . . . . . . : Microsoft ISATAP Adapter #2
物理地址. . . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP 已启用 . . . . . . . . . . . : 否
自动配置已启用. . . . . . . . . . : 是

隧道适配器 Teredo Tunneling Pseudo-Interface:

连接特定的 DNS 后缀 . . . . . . . :
描述. . . . . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
物理地址. . . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP 已启用 . . . . . . . . . . . : 否
自动配置已启用. . . . . . . . . . : 是
IPv6 地址 . . . . . . . . . . . . : 2001:0:9d38:6abd:30ca:23fd:3f57:e103(首选)
本地链接 IPv6 地址. . . . . . . . : fe80::30ca:23fd:3f57:e103%15(首选)
默认网关. . . . . . . . . . . . . : ::
TCPIP 上的 NetBIOS . . . . . . . : 已禁用

===========================
whoami
nt authority/system
Code block:
Discovered open port 53/tcp on 10.0.5.100
Discovered open port 80/tcp on 10.0.5.1
Discovered open port 80/tcp on 10.0.5.2
Discovered open port 3389/tcp on 10.0.5.100
Discovered open port 636/tcp on 10.0.5.100
Discovered open port 389/tcp on 10.0.5.100
Discovered open port 23/tcp on 10.0.5.1
Discovered open port 23/tcp on 10.0.5.2
Discovered open port 88/tcp on 10.0.5.100
Discovered open port 1057/tcp on 10.0.5.100
Discovered open port 3268/tcp on 10.0.5.100
Discovered open port 593/tcp on 10.0.5.100
Discovered open port 1073/tcp on 10.0.5.100
Discovered open port 1027/tcp on 10.0.5.100
Discovered open port 42/tcp on 10.0.5.100
Discovered open port 135/tcp on 10.0.5.100
Discovered open port 139/tcp on 10.0.5.100
Discovered open port 464/tcp on 10.0.5.100
Discovered open port 1028/tcp on 10.0.5.100
Discovered open port 1026/tcp on 10.0.5.100
Discovered open port 3269/tcp on 10.0.5.100
Discovered open port 445/tcp on 10.0.5.100
Discovered open port 1058/tcp on 10.0.5.100
Host 10.0.5.1 appears to be up ... good.
Interesting ports on 10.0.5.1:
Not shown: 65133 closed ports, 400 filtered ports
PORT STATE SERVICE VERSION
23/tcp open telnet?
80/tcp open http?
MAC Address: 3C:8C:40:23:D5:89 (Unknown)
Host 10.0.5.2 appears to be up ... good.
Interesting ports on 10.0.5.2:
Not shown: 65133 closed ports, 400 filtered ports
PORT STATE SERVICE VERSION
23/tcp open telnet?
80/tcp open http?
MAC Address: 3C:8C:40:12:9C:81 (Unknown)
Host 10.0.5.100 appears to be up ... good.
Interesting ports on 10.0.5.100:
Not shown: 65516 closed ports
PORT STATE SERVICE VERSION
42/tcp open wins Microsoft Windows Wins
53/tcp open domain Microsoft DNS
88/tcp open kerberos-sec Microsoft Windows kerberos-sec
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
389/tcp open ldap Microsoft LDAP server
445/tcp open microsoft-ds Microsoft Windows 2003 microsoft-ds
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1026/tcp open msrpc Microsoft Windows RPC
1027/tcp open msrpc Microsoft Windows RPC
1028/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
1057/tcp open msrpc Microsoft Windows RPC
1058/tcp open msrpc Microsoft Windows RPC
1073/tcp open msrpc Microsoft Windows RPC
3268/tcp open ldap Microsoft LDAP server
3269/tcp open tcpwrapped
3389/tcp open microsoft-rdp Microsoft Terminal Service
MAC Address: 10:60:4B:84:AA:72 (Unknown)
Service Info: OS: Windows
Initiating ARP Ping Scan against 146 hosts [1 port/host] at 15:31
The ARP Ping Scan took 1.44s to scan 146 total hosts.
Initiating
Discovered open port 3306/tcp on 10.0.5.109
Discovered open port 20080/tcp on 10.0.5.109
Discovered open port 8080/tcp on 10.0.5.109
Discovered open port 2211/tcp on 10.0.5.109
The
Initiating service scan against 4 services on 10.0.5.109 at 15:31
The service scan took 6.00s to scan 4 services on 1 host.
Host 10.0.5.109 appears to be up ... good.
Interesting ports on 10.0.5.109:
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
2211/tcp open ssh OpenSSH 4.3 (protocol 2.0)
3306/tcp open mysql MySQL 5.6.16
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
20080/tcp open tcpwrapped
Initiating
Discovered open port 80/tcp on 10.0.5.110
Discovered open port 80/tcp on 10.0.5.199
Discovered open port 80/tcp on 10.0.5.111
Discovered open port 80/tcp on 10.0.5.113
Discovered open port 80/tcp on 10.0.5.112
Discovered open port 80/tcp on 10.0.5.116
Discovered open port 80/tcp on 10.0.5.117
Discovered open port 80/tcp on 10.0.5.115
Discovered open port 80/tcp on 10.0.5.114
Discovered open port 80/tcp on 10.0.5.118
Discovered open port 80/tcp on 10.0.5.201
Discovered open port 80/tcp on 10.0.5.200
Discovered open port 3389/tcp on 10.0.5.199
Discovered open port 3389/tcp on 10.0.5.201
Discovered open port 3389/tcp on 10.0.5.200
Discovered open port 23/tcp on 10.0.5.112
Discovered open port 23/tcp on 10.0.5.114
Discovered open port 23/tcp on 10.0.5.113
Discovered open port 23/tcp on 10.0.5.115
Discovered open port 23/tcp on 10.0.5.111
Discovered open port 23/tcp on 10.0.5.117
Discovered open port 23/tcp on 10.0.5.116
Discovered open port 23/tcp on 10.0.5.118
Discovered open port 3306/tcp on 10.0.5.201
Discovered open port 3306/tcp on 10.0.5.200
Discovered open port 8240/tcp on 10.0.5.199
Discovered open port 49153/tcp on 10.0.5.110
Discovered open port 9610/tcp on 10.0.5.200
Discovered open port 49153/tcp on 10.0.5.201
Discovered open port 49153/tcp on 10.0.5.200
Discovered open port 49155/tcp on 10.0.5.110
Discovered open port 8785/tcp on 10.0.5.110
Discovered open port 49155/tcp on 10.0.5.201
Discovered open port 49155/tcp on 10.0.5.200
Discovered open port 8244/tcp on 10.0.5.199
Discovered open port 8253/tcp on 10.0.5.199
Discovered open port 8484/tcp on 10.0.5.110
Discovered open port 47001/tcp on 10.0.5.110
Discovered open port 47001/tcp on 10.0.5.200
Discovered open port 49162/tcp on 10.0.5.110
Discovered open port 49163/tcp on 10.0.5.110
Discovered open port 135/tcp on 10.0.5.110
Discovered open port 135/tcp on 10.0.5.199
Discovered open port 9622/tcp on 10.0.5.200
Discovered open port 135/tcp on 10.0.5.201
Discovered open port 135/tcp on 10.0.5.200
Discovered open port 1029/tcp on 10.0.5.199
Discovered open port 8237/tcp on 10.0.5.199
Discovered open port 49152/tcp on 10.0.5.110
Discovered open port 1433/tcp on 10.0.5.110
Discovered open port 49152/tcp on 10.0.5.201
Discovered open port 49152/tcp on 10.0.5.200
Discovered open port 9627/tcp on 10.0.5.200
Discovered open port 49156/tcp on 10.0.5.200
Discovered open port 49156/tcp on 10.0.5.201
Discovered open port 139/tcp on 10.0.5.110
Discovered open port 139/tcp on 10.0.5.199
Discovered open port 139/tcp on 10.0.5.201
Discovered open port 139/tcp on 10.0.5.200
Discovered open port 8236/tcp on 10.0.5.199
Discovered open port 8585/tcp on 10.0.5.110
Discovered open port 8254/tcp on 10.0.5.199
Discovered open port 49154/tcp on 10.0.5.110
Discovered open port 1025/tcp on 10.0.5.199
Discovered open port 49157/tcp on 10.0.5.201
Discovered open port 49157/tcp on 10.0.5.200
Discovered open port 4368/tcp on 10.0.5.111
Discovered open port 4368/tcp on 10.0.5.116
Discovered open port 4368/tcp on 10.0.5.118
Discovered open port 4368/tcp on 10.0.5.117
Discovered open port 49154/tcp on 10.0.5.200
Discovered open port 49154/tcp on 10.0.5.201
Discovered open port 8888/tcp on 10.0.5.110
Discovered open port 4368/tcp on 10.0.5.113
Discovered open port 4368/tcp on 10.0.5.112
Discovered open port 4368/tcp on 10.0.5.114
Discovered open port 4368/tcp on 10.0.5.115
Discovered open port 2383/tcp on 10.0.5.110
Discovered open port 1026/tcp on 10.0.5.199
Discovered open port 8270/tcp on 10.0.5.199
Discovered open port 9623/tcp on 10.0.5.200
Discovered open port 8172/tcp on 10.0.5.200
Discovered open port 8022/tcp on 10.0.5.110
Discovered open port 8686/tcp on 10.0.5.110
Discovered open port 445/tcp on 10.0.5.199
Discovered open port 445/tcp on 10.0.5.201
Discovered open port 445/tcp on 10.0.5.200
Discovered open port 5500/tcp on 10.0.5.200
Initiating service scan against 89 services on 12 hosts at 15:32
Service scan Timing: About 11.24% done; ETC: 15:36 (0:03:58 remaining)
The service scan took 259.61s to scan 89 services on 12 hosts.
Host 10.0.5.110 appears to be up ... good.
Interesting ports on 10.0.5.110:
Not shown: 65517 closed ports
PORT STATE SERVICE VERSION
80/tcp open http?
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
1433/tcp open ms-sql-s?
2383/tcp open unknown
8022/tcp open unknown
8484/tcp open unknown
8585/tcp open unknown
8686/tcp open http Microsoft IIS webserver 7.5
8785/tcp open unknown
8888/tcp open microsoft-rdp Microsoft Terminal Service
47001/tcp open unknown
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49162/tcp open msrpc Microsoft Windows RPC
49163/tcp open msrpc Microsoft Windows RPC
MAC Address: C8:1F:66:CA:E7:5C (Unknown)
Service Info: OS: Windows
Host 10.0.5.111 appears to be up ... good.
Interesting ports on 10.0.5.111:
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet?
80/tcp open http?
4368/tcp open unknown
MAC Address: 00:17:61:10:58:51 (ZKSoftware)
Host 10.0.5.112 appears to be up ... good.
Interesting ports on 10.0.5.112:
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet?
80/tcp open http?
4368/tcp open unknown
MAC Address: 00:17:61:10:58:96 (ZKSoftware)
Host 10.0.5.113 appears to be up ... good.
Interesting ports on 10.0.5.113:
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet?
80/tcp open http?
4368/tcp open unknown
MAC Address: 00:17:61:10:5D:6A (ZKSoftware)
Host 10.0.5.114 appears to be up ... good.
Interesting ports on 10.0.5.114:
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet?
80/tcp open http?
4368/tcp open unknown
MAC Address: 00:17:61:10:66:3C (ZKSoftware)
Host 10.0.5.115 appears to be up ... good.
Interesting ports on 10.0.5.115:
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet?
80/tcp open http?
4368/tcp open unknown
MAC Address: 00:17:61:10:5C:E4 (ZKSoftware)
Host 10.0.5.116 appears to be up ... good.
Interesting ports on 10.0.5.116:
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet?
80/tcp open http?
4368/tcp open unknown
MAC Address: 00:17:61:12:2F:68 (ZKSoftware)
Host 10.0.5.117 appears to be up ... good.
Interesting ports on 10.0.5.117:
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet?
80/tcp open http?
4368/tcp open unknown
MAC Address: 00:17:61:12:30:C8 (ZKSoftware)
Host 10.0.5.118 appears to be up ... good.
Interesting ports on 10.0.5.118:
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet?
80/tcp open http?
4368/tcp open unknown
MAC Address: 00:17:61:10:5D:87 (ZKSoftware)
Host 10.0.5.199 appears to be up ... good.
Interesting ports on 10.0.5.199:
Not shown: 65520 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS webserver 6.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 2003 microsoft-ds
1025/tcp open msrpc Microsoft Windows RPC
1026/tcp open msrpc Microsoft Windows RPC
1029/tcp open msrpc Microsoft Windows RPC
3389/tcp open microsoft-rdp Microsoft Terminal Service
8236/tcp open unknown
8237/tcp open unknown
8240/tcp open tcpwrapped
8244/tcp open tcpwrapped
8253/tcp open unknown
8254/tcp open unknown
8270/tcp open unknown
MAC Address: E0:3F:49:48:5C:55 (Unknown)
Service Info: OS: Windows
Host 10.0.5.200 appears to be up ... good.
Interesting ports on 10.0.5.200:
Not shown: 65515 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS webserver 7.5
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open netbios-ssn
3306/tcp open mysql MySQL (unauthorized)
3389/tcp open microsoft-rdp Microsoft Terminal Service
5500/tcp open unknown
8172/tcp open ssl/http Microsoft IIS httpd 7.5
9610/tcp open tcpwrapped
9621/tcp open unknown
9622/tcp open unknown
9623/tcp open printer
9627/tcp open tcpwrapped
47001/tcp open unknown
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
MAC Address: 74:D4:35:B8:F8:7C (Unknown)
Service Info: OS: Windows
Host 10.0.5.201 appears to be up ... good.
Interesting ports on 10.0.5.201:
Not shown: 65523 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS webserver 7.5
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open netbios-ssn
3306/tcp open mysql MySQL (unauthorized)
3389/tcp open microsoft-rdp Microsoft Terminal Service
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
MAC Address: FC:AA:14:BD:26:84 (Unknown)
Service Info: OS: Windows
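As an added example (not part of the original report), the Python below parses scan output in the same layout as the listing above and flags what a compromised web server on this office segment could reach: a domain controller (Kerberos plus LDAP, as on 10.0.5.100), telnet on the ZKSoftware devices, and database or RDP services on neighbouring hosts. The sample input and the severity policy are constructed for this demonstration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the scan output quoted in the report
# (three of its hosts, trimmed to a few ports each).
SAMPLE_SCAN = """\
Host 10.0.5.100 appears to be up ... good.
Interesting ports on 10.0.5.100:
Not shown: 65516 closed ports
PORT STATE SERVICE VERSION
88/tcp open kerberos-sec Microsoft Windows kerberos-sec
389/tcp open ldap Microsoft LDAP server
3389/tcp open microsoft-rdp Microsoft Terminal Service
MAC Address: 10:60:4B:84:AA:72 (Unknown)
Interesting ports on 10.0.5.111:
PORT STATE SERVICE VERSION
23/tcp open telnet?
80/tcp open http?
MAC Address: 00:17:61:10:58:51 (ZKSoftware)
Interesting ports on 10.0.5.200:
PORT STATE SERVICE VERSION
3306/tcp open mysql MySQL (unauthorized)
3389/tcp open microsoft-rdp Microsoft Terminal Service
MAC Address: 74:D4:35:B8:F8:7C (Unknown)
"""

HOST_RE = re.compile(r"^Interesting ports on (\S+):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
MAC_RE = re.compile(r"^MAC Address: (\S+) \((.*)\)$")

# Segmentation policy (constructed): services a DMZ web server should never reach.
CLEARTEXT_ADMIN = {23: "telnet"}
LATERAL = {139: "NetBIOS", 445: "SMB", 1433: "MSSQL", 3306: "MySQL", 3389: "RDP"}
DC_MARKERS = {88, 389}  # Kerberos plus LDAP on one host marks a domain controller


@dataclass
class Host:
    ip: str
    ports: dict = field(default_factory=dict)  # port -> (service, version)
    vendor: str = "Unknown"  # from the MAC vendor lookup in the scan output


def parse_scan(text):
    """Turn 'Interesting ports on X:' blocks into Host objects (open ports only)."""
    hosts, cur = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            cur = Host(m.group(1))
            hosts.append(cur)
            continue
        if cur is None:
            continue  # banner lines before the first host block
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            cur.ports[int(m.group(1))] = (m.group(4), m.group(5) or "")
            continue
        m = MAC_RE.match(line)
        if m:
            cur.vendor = m.group(2)
    return hosts


def assess(host):
    """Return policy violations for one host, most severe first."""
    open_ports = set(host.ports)
    findings = []
    if DC_MARKERS <= open_ports:
        findings.append("CRITICAL: domain controller reachable from the web tier")
    for p in sorted(open_ports & set(CLEARTEXT_ADMIN)):
        findings.append(f"HIGH: cleartext admin service {CLEARTEXT_ADMIN[p]}/{p}")
    for p in sorted(open_ports & set(LATERAL)):
        findings.append(f"MEDIUM: lateral-movement service {LATERAL[p]}/{p}")
    if host.vendor != "Unknown":
        findings.append(f"INFO: embedded device ({host.vendor}) on the same segment")
    return findings


def exposure_report(text):
    """Map each scanned host IP to its list of findings."""
    return {h.ip: assess(h) for h in parse_scan(text)}
```

Run against the full listing above, the report separates the one critical finding (the domain controller) from the long tail of telnet-speaking devices, which is the prioritisation a segmentation review needs.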

Tested and took over another Linux box

Code block:
One internal host:
10.0.5.109 root 3****!

Did not go any further with the others.

Statement: testing only, stopped at proof of concept, no damage done.

Proof of vulnerability:

As above.

Remediation:

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability Response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed at: 2016-03-18 13:12

Vendor reply:

This network segment is not Touna's business network; it is the internal office network. Thanks to the white hat for testing! (Everyone, please stop reporting this vulnerability……)

Latest status:

None

