Penetration Testing of changba (access to several backend and O&M systems, and dial-in to the VPN)
A penetration test of changba. An attacker can obtain a large amount of sensitive information, access several backend and O&M systems (wiki, cacti, erp, etc.), and dial in to a VPN server.
Entry point:
https://wiki.changba.com
The host is vulnerable to OpenSSL Heartbleed. Accounts and passwords were captured by monitoring the leaked memory with a script.
I captured the HTTP Basic Authentication credentials and the account passwords of three employees.
Log on to the wiki (the wiki contains a large amount of sensitive information; an attacker could lurk in the CHANGBA network for a long time. I had no intention of doing so.):
Enter the CHANGBA backend system:
Enter the email system:
According to the instructions on the wiki, the VPN is selected:
CHANGBA Without Borders:
CHANGBA erp:
cacti, likewise:
I stopped here for lack of time; a follow-up visit can be made later. :)
Solution:
First, upgrade OpenSSL, and then strictly control access to the other portals.
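The first remediation step is to find every host still running an affected OpenSSL build. The following Python script is an added example for this report, not code from the original write-up or from changba; it classifies `openssl version` strings against the Heartbleed (CVE-2014-0160) affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) and returns the hosts that need an upgrade. The inventory and host names are constructed for illustration. Distributions such as Debian and RHEL backported the fix without changing the version letter, so a hit here is a candidate to confirm against the package changelog, not a final verdict.

```python
import re
import ssl

# Affected releases per the Heartbleed advisory (CVE-2014-0160): OpenSSL
# 1.0.1 through 1.0.1f, and the 1.0.2-beta1 pre-release. 1.0.1g and
# 1.0.2-beta2 carry the fix; 1.0.0 and 0.9.8 never contained the
# heartbeat code. Matches "1.0.1e", "1.0.1e-fips", "1.0.2-beta1", "3.0.2".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(text):
    """Parse an `openssl version` string into (major, minor, patch, letter, beta).

    Accepts the full banner ("OpenSSL 1.0.1e 11 Feb 2013") or a bare version.
    `beta` is an int for pre-releases and None otherwise.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("not an OpenSSL version string: %r" % text)
    major, minor, patch, letter, beta = m.groups()
    return int(major), int(minor), int(patch), letter, (int(beta) if beta else None)


def heartbleed_affected(version_text):
    """True if the version falls inside the Heartbleed affected range."""
    major, minor, patch, letter, beta = parse_openssl_version(version_text)
    if (major, minor, patch) == (1, 0, 1):
        # Plain 1.0.1 and 1.0.1a..1.0.1f are affected; 1.0.1g onward is fixed.
        # 1.0.1 only ever used single-letter suffixes, so string order is enough.
        return letter == "" or letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        # Only the first beta shipped with the bug; beta2+ and the release are fixed.
        return beta == 1
    # 0.9.8, 1.0.0 and everything after 1.0.2 never carried the vulnerable code.
    return False


def needs_upgrade(inventory):
    """Return the sorted host names whose recorded OpenSSL version is affected.

    `inventory` maps host name -> output of `openssl version` on that host.
    Note: vendor backports (Debian, RHEL) patch without bumping the letter, so
    treat hits as candidates to confirm, not proof of exposure.
    """
    return sorted(host for host, ver in inventory.items() if heartbleed_affected(ver))


def local_openssl_affected():
    """Check the OpenSSL the running Python interpreter is linked against."""
    return heartbleed_affected(ssl.OPENSSL_VERSION)


# Constructed sample inventory (example host names, not real changba hosts).
SAMPLE_INVENTORY = {
    "wiki.example.com": "OpenSSL 1.0.1e 11 Feb 2013",
    "cacti.example.com": "OpenSSL 1.0.1f 6 Jan 2014",
    "vpn.example.com": "OpenSSL 1.0.1g 7 Apr 2014",
    "erp.example.com": "OpenSSL 0.9.8y 5 Feb 2013",
}

if __name__ == "__main__":
    for host in needs_upgrade(SAMPLE_INVENTORY):
        print("upgrade OpenSSL on", host, "->", SAMPLE_INVENTORY[host])
    print("local OpenSSL", ssl.OPENSSL_VERSION, "affected:", local_openssl_affected())
```

Feed it the real `openssl version` output collected from each server (or the value reported by a configuration-management agent) in place of the constructed inventory; the hosts it returns are the ones to patch first, and the remaining portals should then be restricted to the internal network or VPN.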