A detailed analysis of Xtep security detection report (involving multiple backbone systems and numerous internal information data)

Source: Internet
Author: User

A detailed analysis of the Xtep security detection report (involving multiple backbone systems / a large amount of internal information / spanning multiple intranet network segments / obtaining more than 40 databases)

The entry point was, once again, two JMX consoles that allowed unauthorized access:
1. http://**.**.**//cas.xtepchina.com/_
2. http://**.**.**/
Deploying through them succeeded and gave a shell, and the two hosts turned out to sit on different network segments, 192.168.3.x and 192.168.6.x, which felt promising. I then checked the following domain.

The plan was to scan the business systems in the intranet C-class segment. While browsing the drive, I found a lot of configuration files, source code and DB files belonging to other business systems. At this point the access was already very broad, and two MSSQL database connections were configured:
jdbc:jtds:sqlserver://192.168.3.94:1433/txtep
net.sourceforge.jtds.jdbc.Driver
sa

123456
CasDS

jdbc:jtds:sqlserver://192.168.3.112:1433/xtep
net.sourceforge.jtds.jdbc.Driver
sa

Kmdata
20
800

Nearly 40 databases were found.


Then, while scanning the C segment, we found a system vulnerable to Struts2 (st2) command execution:
1. http://**.**.**//bi.xtepchina.com:8090/loginIn.action
2. http://**.**.**/selfhelp/Attendance.aspx (attendance system, error-based SQL injection)
As for the attendance system: when I looked at its database, the data was a full attendance list, which shows how large Xtep is. The attendance records themselves are XXXXXX (redacted). This is already a big gain. Summing up the four backbone business systems: shell access; intranet roaming across multiple network segments; operating access to 40+ databases; and the company's internal address book along with other employee information. I kept wondering whether to pivot further into the intranet, but after thinking it over I stopped here. Some data results are shown below for demonstration. That's all. You can try it quickly ~~
1. http://**.**.**//bi.xtepchina.com:8090/loginIn.action
2. http://**.**.**/ma3/ma3.jsp
3. http://**.**.**/ma3/ma3.jsp?o=vLogin (shell address)