The SQL injection of a website in the chain home is not fixed, so getshell can penetrate through the Intranet.

The SQL injection of a website in the chain home is not fixed, so getshell can penetrate through the Intranet.

Getshell is caused by unrepaired SQL Injection on a website in the chain home, which can penetrate into the Intranet. A large number of employee accounts can be viewed !!!!!!!!

URL: http://tc.homelink.com.cn/,
 

#1 getshell and get the highest server Permissions

The account (jfdhb/jfdhb123456) obtained by the last shell (which has been in existence for several days and has not been modified yet. However, this vulnerability is still nearly disclosed and has not been fixed yet, if you don't fix it, let's look at the harm.

Http://tc.homelink.com.cn/Superagent/Reports02.aspx? UniqNo = 257 the UniqNo parameter has been injected, And the whole line is still very high.
 

Then write a sentence using shell commands.

Get shell, address http://tc.homelink.com.cn/Superagent/DefaultMaintain02.aspx (originally wanted to penetrate, want to lurk for a period of time, after want to still forget)
 

Looking at the directory, someone has already been there.
 

Http://tc.homelink.com.cn/aspspy.aspx

Provincial self-uploaded, direct admin/admin login (displayed in the upper left corner, also intranet)
 

Check the port. port 3389 is not open to the public. Upload the reduh server, create a tunnel, and log on to the server.

Reduh server: http://tc.homelink.com.cn/Superagent/web.aspx

Java-jar unzip hclient. jar http://tc.homelink.com.cn/Superagent/web.aspx
 

Then nc listens to the local port 1010: nc-vv localhost 1010, and then creates a tunnel.

[CreateTunnel] 1234: 127.0.0.1: 3389
 

Then open the Remote Desktop Connection.
 

(Not activated yet, chain home. Microsoft calls you home to activate the system !)
 

We can see that many data backups are not active.



#2 Databases

Find the configuration file under the root directory of the website
 

server=172.16.4.15,1433;UID=sa;PWD=*******;database=*******Center

 

Find the secusers table and check the account and password of more than three thousand employees and organizations.

Emphasize that your weak password is too serious. If you know an account, the password can be cracked and changed to the last six or more digits of your ID card.
 

 

 

A pony: http://tc.homelink.com.cn/Superagent/DefaultMaintain02.aspx

Reduh server: http://tc.homelink.com.cn/Superagent/web.aspx

There are several other files in the root directory, which cannot be deleted.

Solution:

Filter