A detailed analysis of Xtep security detection report (involving multiple backbone systems and numerous internal information data)
A detailed analysis of Xtep security detection report (involving multiple backbone systems/involving a large amount of internal information/spanning multiple Intranet network segments/obtaining more than 40 databases)
The starting point is once again two jmx-consoles that require no authentication.
1. ://**.**.**//cas.xtepchina.com/
2. http://**.**.**/
Deployment succeeded and gave me a shell. I found different network segments, 192.168.3.x and 192.168.6.x, which felt great. I then checked the domain.
The idea here was to scan the intranet C segment (/24) for business systems. While browsing the drives, I found a lot of configuration files plus source code and DB files belonging to other business systems. At this point the access was already very broad, and two MSSQL databases were configured:
jdbc:jtds:sqlserver://192.168.3.94:1433/txtep
net.sourceforge.jtds.jdbc.Driver
sa
123456
CasDS
jdbc:jtds:sqlserver://192.168.3.112:1433/xtep
net.sourceforge.jtds.jdbc.Driver
sa
Kmdata
20
800
Found nearly 40+ databases.
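A defender-side check for the finding above, added here as an example (not code from the original report): it audits a JBoss-style `*-ds.xml` datasource file for the pattern the report describes, a clear-text weak password on the `sa` account. The XML layout, the hosts and JNDI names in the sample, the word lists and the 12-character threshold are all assumptions; the sample is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the JBoss *-ds.xml layout (assumed); hosts and names are made up.
SAMPLE_DS_XML = """<datasources>
  <local-tx-datasource>
    <jndi-name>ExampleDS</jndi-name>
    <connection-url>jdbc:jtds:sqlserver://10.0.0.5:1433/appdb</connection-url>
    <driver-class>net.sourceforge.jtds.jdbc.Driver</driver-class>
    <user-name>sa</user-name>
    <password>123456</password>
  </local-tx-datasource>
  <local-tx-datasource>
    <jndi-name>ReportDS</jndi-name>
    <connection-url>jdbc:jtds:sqlserver://10.0.0.6:1433/reports</connection-url>
    <driver-class>net.sourceforge.jtds.jdbc.Driver</driver-class>
    <security-domain>ReportDSRealm</security-domain>
  </local-tx-datasource>
</datasources>"""

ADMIN_LOGINS = {"sa", "root", "sys", "system", "postgres"}   # built-in superuser accounts
WEAK_PASSWORDS = {"", "123456", "password", "admin", "sa"}   # short illustrative list
URL_RE = re.compile(r"^jdbc:[\w:]+://(?P<host>[^:/;]+)(?::(?P<port>\d+))?")

def audit_datasources(xml_text):
    """Return {jndi-name: {"target": host:port, "findings": [...]}} per datasource."""
    report = {}
    for ds in ET.fromstring(xml_text):
        name = (ds.findtext("jndi-name") or "<unnamed>").strip()
        user = (ds.findtext("user-name") or "").strip().lower()
        password = ds.findtext("password")
        findings = []
        if password is not None:                      # credential stored in clear text
            findings.append("plaintext-password")
            pw = password.strip().lower()
            if pw in WEAK_PASSWORDS or pw == user or len(pw) < 12:
                findings.append("weak-password")
        if user in ADMIN_LOGINS:                      # application runs as DB superuser
            findings.append("admin-login")
        if ds.find("security-domain") is None:        # no externalised credential store
            findings.append("no-security-domain")
        m = URL_RE.match((ds.findtext("connection-url") or "").strip())
        target = f"{m['host']}:{m['port'] or 'default'}" if m else None
        report[name] = {"target": target, "findings": findings}
    return report

if __name__ == "__main__":
    for name, result in audit_datasources(SAMPLE_DS_XML).items():
        print(name, result["target"], result["findings"] or "ok")
```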
Then, while scanning the C segment, we found a system vulnerable to Struts2 (st2) command execution:
1. ://**.**.**//bi.xtepchina.com:8090/loginIn.action
2. http://**.**.**/selfhelp/Attendance.aspx (attendance system, error-based injection)
As for the attendance system: looking at its database, it is a list of data, and it shows that the scale of Xtep is huge. In the future, the attendance is XXXXXX. In fact, this is a big gain. To sum up what was obtained:
Shell permission on four backbone business systems.
Intranet roaming permission across multiple network segments.
Operation permission on 40+ databases.
The company's internal address book and other employee information.
I kept wondering whether to forward traffic into the intranet and, after thinking about it, left it as something to think about. Here are some data results for demonstration. It's boring. You can try it quickly ~~
1. ://**.**.**//bi.xtepchina.com:8090/loginIn.action
2. http://**.**.**/ma3/ma3.jsp
3. http://**.**.**/ma3/ma3.jspo = vLogin shell address carry