BrigeOS community broadband OA System Vulnerabilities
This platform has log viewing and network monitoring functions. Port 8080 has a default admin password, and verification can also be bypassed by forging the Id_user cookie using the method below.
I will not talk about MongoDB. Let's look at the problems of this platform; its source code was obtained through some methods.
Login page login.php
$sql_select = "select * from staff where name = '" . $user_name . "' and password = '" . $user_password . "'";
$dataset = yjwt_mysql_select($sql_select);
// echo "$sql_select";
if ($dataset && $row = mysql_fetch_array($dataset)) {
    setcookie("php_user", $row["flag"], time() + 1800); // half an hour; this statement must come before the html
    // these two lines are the "God" setting
    setcookie("Id_user", $row["Id"], time() + 1800);
    // remainder of the block is not shown
}
After verification succeeds, it writes the browser cookies.
Look at the global verification in fun.php.
longer_cookie('php_user');
longer_cookie('Id_user');
if ($_GET['T'] == 'eg') {
    echo "<script>";
    echo "alert('Please log in again!');";
    echo "window.location.href='?T=login';";
    echo "</script>";
}
if ($_GET['T'] == '') {
    echo "<script>";
    echo "window.location.href='?T=getid';";
    echo "</script>";
}
It can be seen that login is indeed verified through cookies, and these can be forged.
Now that you can get in, look at ram.php.
<?
// both name and path are taken straight from the query string
header("Content-type: application/txt");
header("Content-Disposition: attachment; filename=$_GET[name].txt");
readfile("$_GET[path]");
?>
A "God" download... Requesting raw.php?path=/etc/cfg.php&name=1.txt downloads the database configuration information, and the same works for any file on the server.
Let's take a look at ping.php.
$to_ping = $_GET["ip"];
$count = 1;
$psize = 65;
exec("ping $to_ping -n $count -w 1", $list);
if ($list[2] == "the request times out.")
    print "<div style=\"background-color: #999999; height: 1000px; width: 1000px; color: #ffffff;\">" . $_GET["name"] . "</div>";
else
    print "<div style=\"background-color: #00ff00; height: 1000px; width: 1000px; color: #ffffff;\">" . $_GET["name"] . "</div>";
Command execution...
Ten thousand lines omitted here... other injections and so on.
This system uses BrigeOS, which is used by many communities. Once someone gets in and operates it, the network security environment of the entire community is threatened.
Let's take a look at the official website:
There is a help document query page:
http://reg.bri-os.com:8080/php_center/cmd_help.php?mode=key
The mode parameter is injectable, and through it we got smoothly into the official OA system.
The data there is quite rich, including the network topology. Each devid should correspond to an installed BrigeOS client, so the usage of the platform described above should not be small. It is completely a broadband access provider.
Then we got a shell through the file management function, without any suspense.
Looking up the official server IP address 125.39.155.32 in a search engine turned up http://www.im286.com/thread-10960888-1-1.html, which says that the broadband provider loaded ads in users' browsers.
The script described there is indeed found in the /var/www/html/ directory on the server. And if it were used? It could give users in different communities a pop-up window or something similar.
One more thing: there is an official new version of BrigeOS. We recommend that communities upgrade to this version.
This is the end of the test.
Solution:
Upgrade and fix the system platform, restrict access by IP address, and fix the various vulnerabilities on the official site... and stop monitoring users' Internet access information...
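Code-level fixes for the login, download and ping scripts shown above, as an added example that is not part of the original post and is not BrigeOS code. DOWNLOAD_ROOT, the function names, the use of PDO, a password_hash()-style password column and Linux ping flags are all assumptions; the staff table and its name, password, flag and Id columns come from the login.php excerpt.

```php
<?php
// Added example, not BrigeOS code. DOWNLOAD_ROOT and all function names are assumptions.
const DOWNLOAD_ROOT = '/var/www/exports'; // assumed: the only directory offered for download

// login.php: bind parameters instead of concatenating, keep identity in the server-side session.
function login(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT Id, flag, password FROM staff WHERE name = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Assumes the password column holds password_hash() output.
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }
    session_regenerate_id(true);       // requires session_start() earlier in the request
    $_SESSION['Id_user'] = $row['Id']; // the client only ever holds an opaque session id
    $_SESSION['php_user'] = $row['flag'];
    return true;
}

// Download script: resolve the path and refuse anything outside DOWNLOAD_ROOT.
function safe_download_path(string $requested): ?string
{
    $root = realpath(DOWNLOAD_ROOT);
    $real = realpath(DOWNLOAD_ROOT . '/' . $requested); // collapses ../ and symlinks
    if ($root === false || $real === false || !is_file($real)) {
        return null;
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// ping.php: accept only a literal IP address and still quote it for the shell.
function safe_ping(string $ip): ?array
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // -c/-W are the Linux iputils flags (assumed platform).
    exec('ping -c 1 -W 1 ' . escapeshellarg($ip), $lines, $status);
    return ['status' => $status, 'lines' => $lines];
}

// Values echoed into HTML (ping.php prints $_GET["name"]) are escaped first.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}
```

Every page that previously trusted the Id_user cookie would check $_SESSION['Id_user'] instead, so a value typed into the browser no longer counts as a login.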